// on 2011-02-20.
VLC Player (highly recommended) - play lots of different video formats, including avi, mpeg, rm, rmvb, wmv, dvd, vob, and more!
// on 2011-02-20.
Adium - a free instant messaging application for Mac OS X that can connect to AIM, MSN, Jabber, Yahoo, and more.
// on 2011-02-20.
Google Chrome - Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.
// on 2011-03-26
witch - Command-Tab is great…if you only ever have one window open in each of your applications. With more than one window, though, it's a hassle to find the one you want. Witch solves that problem by taking you directly to the window you want to reach.
// on 2011-03-26
Navicat - Navicat for MySQL is a powerful Database administration and development tool for MySQL. It works with any MySQL Database Server from version 3.21 or above, and supports most of the latest MySQL features including Trigger, Stored Procedure, Function, Event, View, and Manage User, etc.
//
teamviewer - is our solution for easy and friendly desktop sharing. You can remote control a partner’s desktop to give online assistance, or you can show your screen to a customer - all without worrying about firewalls, IP addresses and NAT.
//
Chicken of the VNC - is a VNC client for Mac OS X. A VNC client allows one to display and interact with a remote computer screen.
//
JollysFastVNC - is a secure ARD and VNC client. Its aim is to be the best and most secure VNC client on the Mac. TaoofMac actually thinks it already has reached this goal.
Monday, October 31, 2011
Separate your users from each other using FreeBSD MAC (Mandatory Access Control)
Imagine you have thousands of users on your FreeBSD server and for some reason you don’t want them to see each other’s files under any circumstances.
Normally you’d use complicated ACLs and/or nested groups to solve this problem but there’s a much simpler approach to all of this.
Normally you’d use complicated ACLs and/or nested groups to solve this problem but there’s a much simpler approach to all of this.
Using the MAC security framework you can initialize the BSDEXTENDED module which will give you access to a very handy tool called ugidfw. This software module is basicly a file system firewall, the system interates through the list as a certainsubject is trying to access an object.
Firstly, you have to compile MAC support into the kernel by adding the
option to your kernel config file, after recompiling and rebooting you should be able to load the mac_bsdextended module using the
command.
Let’s add
After that we can load firewall rules by starting up the /etc/rc.d/ugidfw script, which is going to read the default rules set in /etc/rc.bsdextended.
option MAC
option to your kernel config file, after recompiling and rebooting you should be able to load the mac_bsdextended module using the
kldload mac_bsdextended
command.
Let’s add
ugidfw_enable="YES"
to /etc/rc.confAfter that we can load firewall rules by starting up the /etc/rc.d/ugidfw script, which is going to read the default rules set in /etc/rc.bsdextended.
Let’s assume that users which need complete separation from the rest of the bunch are between uid 3000 and 4000 with the sole exception of the www user, which is going to access all the files as their owners define it in the other permission field. To spice it up a little, I wanna handle group permissions as well, 2 different users in the same primary group should be able to practice their group rights on a shared file.
And the winner is:
sysctl -w security.mac.bsdextended.firstmatch_enabled=1
${CMD} set 99 subject uid 3000:4000 object gid_of_subject mode arswx
${CMD} set 100 subject not uid www object uid 3000:4000 mode n
The first rule says everyone with the uid 3000..4000 shall only access group owned files without further restrictions. If you don’t want to allow group access replacegid_of_subject to uid_of_subject
Since we enabled first match, subjects between 3000 and 4000 are not staying for the second rule, which is set for everyone except the www user.
This rule says that they have no access on objects owned by users between 3000 and 4000. Fortunately we set up the firstmatch directive and users between 3000 and 4000 will not be punished with this rule as they exit from the chain at their first match, rule 99
This rule says that they have no access on objects owned by users between 3000 and 4000. Fortunately we set up the firstmatch directive and users between 3000 and 4000 will not be punished with this rule as they exit from the chain at their first match, rule 99
Reference:
http://bsdbased.com/2009/11/06/separate-your-users-from-each-other-using-freebsd-mac
FreeBSD 8 VIMAGE + epair howto
The following text is about to show you how to use the new feature of FreeBSD 8:VIMAGE in a multi-jail environment.
- Compile VIMAGE support into your kernel
Add the “option VIMAGE” to your kernel config and make sure to remove theSCTP support. Lack of SCTP support is one of the reasons VIMAGE is still considered to be experimental.
If you don’t know how to build your own custom kernel image, follow the detailed instructions of the corresponding FreeBSD Handbook chapter .
- Reboot with your new kernel
- First let’s create a pair of epair interfaces then quickly start two VIMAGE jails. I’m using the same fs root to make it simple, but you should create your jails as you always do, you can even use ezjail to it. The only difference is the “vnet” jailparam which is passed as a command line argument to the jail binary.
If you use rc.conf you could try adding the “vnet” parameter to your jail__flags variable for automatic startup.
test# ifconfig epair create epair0a test# jail -c vnet name=tibi1 host.hostname=tibi1 path=/ persist test# jls JID IP Address Hostname Path 1 - tibi1 / test# jail -c vnet name=tibi2 host.hostname=tibi2 path=/ persist test# jls JID IP Address Hostname Path 1 - tibi1 / 2 - tibi2 /
So we have two instances and an epair device. Let’s see the interface list on the host.
lo0: flags=8049metric 0 mtu 16384 options=3 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 epair0a: flags=8842 metric 0 mtu 1500 ether 02:c0:64:00:04:0a epair0b: flags=8842 metric 0 mtu 1500 ether 02:c0:64:00:05:0b
Both sides of the pair is in the host system. Put one end into one of your jails with the ifconfig vnet command and verify the results by running ifconfig inside your jail.
test# ifconfig epair0b vnet 1 test# jexec 1 ifconfig lo0: flags=8008metric 0 mtu 16384 options=3 epair0b: flags=8842 metric 0 mtu 1500 ether 02:c0:64:00:05:0b
OK, we have a layer 2 connection. Let’s add some IPs and run a ping test
test# jexec 1 ifconfig epair0b 192.168.11.2 test# ifconfig epair0a 192.168.11.1 test# ping 192.168.11.2 PING 192.168.11.2 (192.168.11.2): 56 data bytes 64 bytes from 192.168.11.2: icmp_seq=0 ttl=64 time=0.576 ms 64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=0.081 ms ^C --- 192.168.11.2 ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.081/0.328/0.576/0.247 ms
It works!
Let’s do the same with your other jail
test# ifconfig epair1b vnet 2 test# jexec 2 ifconfig epair1b 192.168.11.3
Oh wait, these are completely different set of epair interfaces, you can’t use the same IP subnet on them. In order to mash them together on the host side, you have to make a bridge.
test# ifconfig bridge create bridge0 test# ifconfig bridge0 addm epair0a addm epair1a up test#
The commands above will create a new bridge interface, and add the host side of both epair interfaces to the bridge.
You can see it with ifconfig as well:
lo0: flags=8049metric 0 mtu 16384 options=3 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 epair0a: flags=8943 metric 0 mtu 1500 ether 02:c0:64:00:04:0a inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255 epair1a: flags=8942 metric 0 mtu 1500 ether 02:c0:64:00:05:0a bridge0: flags=8843 metric 0 mtu 1500 ether a6:4b:75:2d:2b:9b id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: epair1a flags=143 ifmaxaddr 0 port 5 priority 128 path cost 14183 member: epair0a flags=143 ifmaxaddr 0 port 4 priority 128 path cost 14183
Let’s put the host IP we set for epair0a earlier on the bridge interface instead and bring UP the host side of epair1. (Note: If you assign an IP to an interface, its state should automatically change to UP)
test# ifconfig epair0a -alias test# ifconfig bridge0 192.168.11.1 test# ifconfig epair1a up test# ifconfig bridge0 bridge0: flags=8843metric 0 mtu 1500 ether a6:4b:75:2d:2b:9b inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: epair1a flags=143 ifmaxaddr 0 port 5 priority 128 path cost 14183 member: epair0a flags=143 ifmaxaddr 0 port 4 priority 128 path cost 14183
Running ping tests from the second jail, you can now ping your host and your other jail(s) too.
test# jexec 2 ping 192.168.11.1 PING 192.168.11.1 (192.168.11.1): 56 data bytes 64 bytes from 192.168.11.1: icmp_seq=0 ttl=64 time=0.193 ms ^C --- 192.168.11.1 ping statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.193/0.193/0.193/0.000 ms test# jexec 2 ping 192.168.11.2 PING 192.168.11.2 (192.168.11.2): 56 data bytes 64 bytes from 192.168.11.2: icmp_seq=0 ttl=64 time=0.410 ms 64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=0.089 ms ^C --- 192.168.11.2 ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.089/0.249/0.410/0.160 ms
Remember, now that you have separate networking stacks for each of your jails, the choice of topology is yours.
Reference:
http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto
VIMAGE - Better virtualization in FreeBSD 8
Now that FreeBSD 8 is out, among many changes we can find enhancements in the field of virtualization as well. A newly developed virtualization container calledVIMAGE has been implemented to enable virtualization of the FreeBSD network stack.
As you may know previous releases of FreeBSD had support only for jails with IP addresses of the main network stack; meaning once you configured IP/IPv6 addresses on your host system, a subset of those addresses could be associated to each one of your jails. As simple as it sounds, it actually doesn’t let you perform several networking related tasks inside of a jail, and you couldn’t separate your jails from each other with a firewall as there were no real interfaces present in your system.
With VIMAGE you have a jail with full instance of the host’s networking stack, including loopback interface, routing tables, etc. Network interfaces created on the host system can be moved to any VIMAGE jail to enable its connection to the outside world with a new option of ifconfig called “vnet”.
vnet jail
Move the interface to the jail , specified by name or JID. If the jail has a virtual network stack, the interface will disap- pear from the current environment and become visible to the jail.
Note: Option “-vnet” does the opposite.
As you might not have as many network interfaces as jails, you might need some workarounds to tunnel network traffic between two interfaces of your system.
Forget TUN/TAP and VPNs. FreeBSD 8 has a special network device called epair , which lets you create a pair of interconnected ethernet interfaces. If you move one of them to a VIMAGE jail you are basicly done. Feel free to bridge them or useVLANs, they will still work. I don’t know about the overhead of epair, but if all you care about is security, this might be the best choice for you on FreeBSD.
To enable VIMAGE you have to add “option VIMAGE” to your kernel configuration file and recompile/reinstall it.
Reference:
http://bsdbased.com/2009/11/27/vimage-better-virtualization-in-freebsd-8
What's cooking for FreeBSD 9?
This page will document changes that will be included in FreeBSD 9, including those that might end up being committed to earlier branches. In other words, it describes differences between 8.0 and 9.0, no matter what happens to the versions in between.
For information on the currently released 8-STABLE branch see What's cooking for FreeBSD 8 page.
Some of the more important low-level changes can be seen in the future release's UPDATING file.
Also useful are the quarterly Status Reports:
Everyone is encouraged to download a snapshot CD image and try all the new features (as well as the old ones). Developers are very interested in bug reports. Note that FreeBSD 9.0 is not released yet and both the snapshots and the default source trees have debugging enabled by default (which results in dramatic slowdowns so don't benchmark them without removing the debugging options).
If you're interested in how FreeBSD gets developed, you're encouraged to read the mailing lists and developer blogs.
Overall system / architectural changes
Userland DTrace
Status: committed to -CURRENT.
Will appear in 9.0: sure
Author: Rui Paulo
Web: announcement, commit message
Will appear in 9.0: sure
Author: Rui Paulo
Web: announcement, commit message
The kernel parts of the DTrace system diagnostic framework were imported some time ago, but they are now completed with the support for userland tracing, making it usable in general userland software development and system administration. Userland DTrace is already used in some large well known software packages such as PostgreSQL and X.Org.
CLANG / LLVM compiler
Status: Committed to -CURRENT.
Will appear in 9.0: yes
Authors: Roman Divacky, Pawel Worach, Ed Schouten and many others
Web: LLVM, CLANG, FreeBSD wiki, mailing list announcement
Will appear in 9.0: yes
Authors: Roman Divacky, Pawel Worach, Ed Schouten and many others
Web: LLVM, CLANG, FreeBSD wiki, mailing list announcement
As the GCC compiler suite was relicensed under GPLv3 after the 4.2 release, and the GPLv3 is a big dissapointment for some users of BSD systems (mostly commercial users who have no-gplv3-beyond-company-doors policy), having an alternative, non-GPL3 compiler for the base system has become highly desireable. Currently, the overall consensus is that GCC 4.3 will not be imported into the base system (the same goes for other GPLv3 code).
The LLVM and CLANG projects together offer a full BSD-licenesed C/C++ compiler infrastructure that is, performance and feature-wise close to, or better than GCC. The LLVM is the backend and the CLANG is the front-end part of the infrastructure.
Recent development has shown that not only is it possible to start using LLVM+CLANG right away, it is also very stable. The probability of replacing GCC for the base system in the near future is high. LLVM/CLANG will also add benefits to the overall system such as better error reporting, Apple's Grand Central Dispatch system for developing multithreaded applications and possibly JIT compiling some internal structures like firewall rules.
Note that this mostly affects the base system. There is too much third party software (e.g. ports) that depends on GCC to completely replace it.
Update: To make this happen, PathScale has developed and donated the C++ runtime library under the BSD license. PathScale has some other tools and libraries which may in the future help the transition to a BSD-licensed toolkit: the assembler (pathas) and the debugger (pathDB).
Kernel & low level improvements
Large-scale SMP support
Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Atillio Rao and others
Web: commit message
Will appear in 9.0: sure
Author: Atillio Rao and others
Web: commit message
This work brings in support for large SMP systems, with more than 32 CPUs. Previously, the kernel structures were unable to account for such a large number of CPUs so the newest method implements extensible CPU accounting. This is not an improvement in scalability in itself but is a prerequisite for large-scale SMP work.
USB 3.0 support
Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Hans Petter Selasky
Web: commit message
Will appear in 9.0: sure
Author: Hans Petter Selasky
Web: commit message
The new wave of USB changes improves on the hugely successful USB development released in FreeBSD 8 and brings in support for USB 3.0.
Network kernel core dumps (netdump)
Status: In development
Will appear in 9.0: probably
Author: Attilio Rao and others
Web: announcement
Will appear in 9.0: probably
Author: Attilio Rao and others
Web: announcement
Netdump is a framework that aims for handling kernel coredumps over the TCP/IP suite in order to dump to a separate machine than the running one. That may be used on an interesting number of cases involving disk-less workstations, disk driver debugging or embedded devices.
Initial NUMA support
Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: John Baldwin
Web: Commit message, discussion
Will appear in 9.0: sure
Author: John Baldwin
Web: Commit message, discussion
As NUMA-like architectures have become almost ubiqutous, even in i386 / amd64 architectures, there are potentially big performance gains to be had in enabling its supports within operating systems. New development aims to adapt the physical page allocator to be NUMA-aware.
Modern event timer infrastructure
Status: Committed to -CURRENT
Will appear in 9.0: sure
Authors: Alexander Motin
Web: Commit message 1 Commit message 2
Will appear in 9.0: sure
Authors: Alexander Motin
Web: Commit message 1 Commit message 2
To better support the many sources of timer ticks present in todays system and to build the foundation for tickless kernel, a new unifying timer infrastructure was created. It currently supports LAPIC, HPETs, i8254, RTC.
Tickless kernel
Status: Under development
Will appear in 9.0: probably
Authors:Tsuyoshi Ozawa, Alexander Motin
Web: idea, new timer infrastructure
Will appear in 9.0: probably
Authors:Tsuyoshi Ozawa, Alexander Motin
Web: idea, new timer infrastructure
To improve performance in virtual machines and power usage in laptops, the "dynamic tick mode" (also called, a bit inappropriately, "tickless mode") can replace the classic, strictly periodic hardware timer interrupt ticking with one-shot variable-time ticks. This will save some CPU time which would otherwise be spent handling timer interrupts which have no work assigned to them.
Networking improvements
More SMP-scalable TCP/IP
Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Robert Watson
Web: commit message announcement
Will appear in 9.0: sure
Author: Robert Watson
Web: commit message announcement
Improvements to the networking stack introduce better scalability strategies based on thework by Alan Cox and others. With these changes, it is expected that the connections will have more clear CPU affinity, less cache line contention and better use of modern hardware flow detection and handling.
New NFS client and server
The new NFS client and server introduce the support for NFSv4 as their biggest features, with ACL support, byte range locking and delegation support. It should also be easier to maintain and later upgrate do NFSv4.1
Five new TCP congestion algorithms
Status: Partially committed to -CURRENT
Will appear in 9.0: sure
Author: Lawrence Stewart
Web: Commit message
Will appear in 9.0: sure
Author: Lawrence Stewart
Web: Commit message
This commit marks the first formal contribution of the "Five New TCP Congestion ontrol Algorithms for FreeBSD" FreeBSD Foundation funded project. More details about the project are available at: http://caia.swin.edu.au/freebsd/5cc/.
SIFTR - Statistical Information for TCP Research
SIFTR logs a range of statistics on active TCP connections to a log file, providing the ability to make highly granular measurements of TCP connection state. The tool is aimed at system administrators, developers and researchers.
Storage subsystems' improvements
A move to support 4K drives
Status: committed
Will appear in 9.0: sure
Authors: Kirk McKusick, Alexandar Motin, Andrey V. Elsukov and others
FreeBSD's GEOM and file systems have intrinsically supported large (or even arbitrary) sector sizes for a long time, but there is still the issue of detecting them and communicating this information across the layers. Some new development introduced SATA quirks to detect known 4K drives (with the ability for users to set their own quirks on non-detected drives), the gpart(8) utility will calculate the correct alignment or warn on misalignment, and the default fragment / block size for UFS was changed to 4K / 32K.
Generic GEOM IO schedulers
Status: Committed to -CURRENT
Will appear in 9.0: sure
Authors: Luigi Rizzo, Fabio Checconi
Web: commit message
Will appear in 9.0: sure
Authors: Luigi Rizzo, Fabio Checconi
Web: commit message
The new framework, integrated with GEOM, allows for multiple disk IO schedulers to be used, if necessary, on different IO providers (e.g. drives). The usage of some IO schedulers can increase responsiveness in certain kinds of IO workloads, for example a mix of sequential and random IO.
HAST - High Availability Storage
Status: Committed to -CURRENT, planned MFC
Will appear in 9:0: sure
Author: Pawel Jakub Dawidek
Web: FreeBSD wiki page
Will appear in 9:0: sure
Author: Pawel Jakub Dawidek
Web: FreeBSD wiki page
HAST is a userland-based (ggate) implementation of a distributed storage device concept, similar to Linux's DRBD. It allows over-the-network mirroring of any GEOM storage devices in a semi-synchronous way (writes suceed when the data is sent over the wire).
UFS SoftUpdates+Journal (SU+J)
A new feature added to existing UFS SoftUpdates code makes use of a small journal, technically an intent log, to keep track of metadata garbage collection which has upto now been left as a job for (background) fsck after an unclean shutdown. The intent behind this is to eliminate the requirement for fsck or background fsck on file systems with SoftUpdates enabled after unclean shutdown.
In effect, this feature combines the best of both worlds - the very fast operation of SoftUpdates with the removal of the need for fsck characteristic for journalling file systems. This is not a radical change - the well known SoftUpdates mechanism is still in its original form - but it completes the garbage collection step in a different way.
New driver for AHCI SATA drives
Status: Committed to -CURRENT, MFC-ed
Will appear in 9.0: sure
Author: Alexandar Motin & others
Web: commit message
Will appear in 9.0: sure
Author: Alexandar Motin & others
Web: commit message
The new driver supports native AHCI via the CAM (common access method for storage) subsystem. AHCI drives are manipulated by camcontrol and support for new features like NCQ and port multipliers has been integrated. Among other features, performance has been significantly increased, port multipliers and hot-plugging are greatly improved.
ATA CAM implementation
The ATA disk drivers have all been moved to the CAM system, improving some features of them along the way. This makes CAM a very real central point and foundation of disk interfaces and management of (S)ATA, SCSI, USB and Firewire drives. Some SCSI controllers still have drivers outside CAM.
Improvements include: transfer size increase, better support for port multipliers.
Security
Capsicum
Status: Basic functions committed to -CURRENT
Will appear in 9.0: sure
Author: Robert Watson and others
Web: commit message
Will appear in 9.0: sure
Author: Robert Watson and others
Web: commit message
Capsicum is a framework for security isolation of sensitive processes, which may prove useful in security strengthening the operating system.
AES-XTS encryption mode in kernel
Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Pawel Jakub Dawidek
Web: AES-XTS in kernel AES-XTS in GELI AES-XTS via AESNI
Will appear in 9.0: sure
Author: Pawel Jakub Dawidek
Web: AES-XTS in kernel AES-XTS in GELI AES-XTS via AESNI
The XTS block cypher mode is specially suited for encrypting disk drives and other block devices. It avoids some security problems arising with using plain CBC chaining with addressible-sector encryption.
AES with XTS mode is used in GELI and is also supported when implemented via the AES-NI.
NFSv4 ACLs for UFS
Status: Committed to -CURRENT, MFCed
Will appear in 9.0: sure
Author: Edward Tomasz Napierala
Web: commit message
Will appear in 9.0: sure
Author: Edward Tomasz Napierala
Web: commit message
The well known and loved UFS file system has for some time implemented POSIX.1e ACLs(access control lists) in addition to the classic Unix file permissions model. This file permission model greatly enhances the way files can be managed and allows new security models to be implemented. It is also a standard part of the FreeBSD kernel, ready to be used at any time.
However, the POSIX.1e standard apparently never became trully widespread in practice. Through market share domination (but not completly without technical merit) the NTFS (Microsoft Windows file system) ACL security model has become widely popular and implemented, even so that it directly inspired the ACL model in the NFS (Network File System) version 4. The POSIX model is simpler and more Unix-like but the NTFS/NFSv4 model is more expressive.
The two ACL models are incompatible - security parameters set in NFSv4 model cannot always be directly translated to the POSIX model. Due to this and considering that NFSv4 ACLs are already directly implemented in ZFS, the introduction of NFSv4 ACLs in UFS is simply a feature-completness step which makes both file systems similarily usable from NFSv4 clients.
The POSIX model still remains in the implementation, but is mutualy exclusive (at the mount-point level) with the NFSv4 model.
Other changes
The following is a list of smaller and / or more obscure changes that nevertheless deserve a special mention since they will be of interest to certain users:
- Default UFS block & fragment sizes increased to 32 KiB / 4 KiB (mckusick)
- BSD licensed grep (obrien)
- Support for ATA/AHCI per-device write cache disable (mav)
- Syscall performance regression fixed (jhb)
- Resource accounting (a part of resource container work) (trasz)
- Improvements to CPU detection (jkim)
- Many bug fixes to hastd (pjd)
- ZFS updated to version 28 (pjd)
- Beginnings of process-kernel shared page infrastructure (kib)
- TRIM (BIO_DELETE) support for UFS (kib)
- MCA (Machine check architecture) logging enabled by default (jhb)
- usbdump kernel facility and tool (weongyo)
- New log rotation file system naming scheme with newsyslog, using timestamps(simon) [MFC-ed]
- GELI secure suspend/resume functionality (pjd)
- TPM driver (takawata et al)
- Increased read-ahead and write queue UFS buffers for better NCQ utilization (ivoras)
- AESNI (Nehalem CPU instruction) crypto(4) driver (kib)
- DAHDI (Digium/Asterix Hardware Device Interface drivers
- Resource containers (trasz)
- ZFS updated to version 15 and synced with modern performance improvements (mm)
- TLB shootdowns optimizations (alc)
- Important fixes to tmpfs memory use and stability (kib)
- Significant BSNMPD enhancements (syrinx)
- Default SYSV semaphore and SHM sizes increased (ivoras)
- Jails / virtual network stack / os-level virtualization improvements (bz)
- Import of xz and liblzma into the base system (mm)
- EFI boot loader (rpaulo)
- The FreeBSD logo integrated into syscon screensaver (jkim)
- ZFS performance and stability improvements (kmacy)
- Inter-process shared userland semaphores (davidxu)
- ZFS updated to version 14 (delphij) [MFC-ed]
- Implemented TRIM / ERASE (S)ATA commands for SSDs and similar drives, notifying them of unused disk space so it can be reclaimed (mav)
- Updated gmirror (software RAID-1) load balancing (mav) [MFC-ed]
- Solaris-like pwait(1) utility (jilles) [MFC-ed], refactored rc.d to use pwait(1).
- IPFW becomes VNET-aware (virtualized network stack, i.e. a firewall instance per jail/VNET) and gets more SMP performance. (luigi)
- Imported V4L (video 4 linux) support in the Linuxulator (aka Linux compatibility mode) (netchild)
- Better support for Machine Check Exceptions (jb)
- Reworked utmp system (ed)
- Open-source 3D hardware acceleration for Radeon HD cards (nork, rnoland)
As always, all features described here are, or will be, a part of the FreeBSD "base" system, available in every FreeBSD installation without patching or out-of-the-ordinary configuration.
For more information about development of FreeBSD (among other topics), see my blogwith daily and miscellaneous information.
Reference:
http://ivoras.net/freebsd/freebsd9.html
What's cooking for FreeBSD 8?
The next major release of FreeBSD, version 8, was intended to be an "evolutional" release with few exciting changes. Of course by now it is obvious this will be another in a series of releases with groundbreaking changes.
This page will document changes that will be included in FreeBSD 8, including those that might end up being committed to earlier branches. In other words, it describes differences between 7.0 and 8.0, no matter what happens to the versions in between.
FreeBSD 8 has been released! For information on the formerly developed 7-STABLE branch see What's cooking for FreeBSD 7 page.
Some of the more important low-level changes can be seen in the future release's UPDATING file.
Also useful are the quarterly Status Reports:
Everyone is encouraged to download a snapshot CD image and try all the new features (as well as the old ones). Developers are very interested in bug reports. Note that FreeBSD 8.0 is not released yet and both the snapshots and the default source trees have debugging enabled by default (which results in dramatic slowdowns so don't benchmark them without removing the debugging options).
If you're interested in how FreeBSD gets developed, you're encouraged to read the mailing lists and developer blogs.
Overall system / architectural changes
INET-less / IPv6-only kernel
Status: under development, mostly works
Will appear in 8.0: probably not
Authors: Bjoern Zeeb and others
Web: mailing list announcement
Will appear in 8.0: probably not
Authors: Bjoern Zeeb and others
Web: mailing list announcement
As IPv6 development and deployment is progressing, at its own pace, there is interest in making it possible to run a FreeBSD system as IPv6-only (instead of the default configuration which is dual-hosted IPv4+IPv6).
Historically, BSD is the progenitor of all TCP/IP implementations and the IPv4 code in FreeBSD was sprawled across the network layers of the kernel, from device drivers to the higher socket layers. A recent initiative aims at fixing the layering violations in preparation to, at first, build a kernel without INET (i.e. IPv4) support, then build an IPv6-only kernel. This change involves large kernel subsystems such as the firewalls, bridging, NFS and others.
CLANG / LLVM compiler
Status: Experimental, but works. Highly motivated.
Will appear in 8.0: no
Authors: Roman Divacky, Pawel Worach, Ed Schouten and others
Web: LLVM, CLANG, FreeBSD wiki, mailing list announcement
Will appear in 8.0: no
Authors: Roman Divacky, Pawel Worach, Ed Schouten and others
Web: LLVM, CLANG, FreeBSD wiki, mailing list announcement
As the GCC compiler suite was relicensed under GPLv3 after the 4.2 release, and the GPLv3 is a big dissapointment for some users of BSD systems (mostly commercial users who have no-gplv3-beyond-company-doors policy), having an alternative, non-GPL3 compiler for the base system has become highly desireable. Currently, the overall consensus is that GCC 4.3 will not be imported into the base system (the same goes for other GPLv3 code).
The LLVM and CLANG projects together offer a full BSD-licenesed C/C++ compiler infrastructure that is, performance and feature-wise close to, or better than GCC. The LLVM is the backend and the CLANG is the front-end part of the infrastructure.
Recent development has shown that not only is it possible to start using LLVM+CLANG right away, it is also very stable. The probability of replacing GCC for the base system in the near future is high, though it probably won't happen by default for the 8.x series.
Note that this mostly affects the base system. There is too much third party software that depends on GCC to completely replace it.
Parallel port builds
Status: Committed
Will appear in 8.0: sure
Authors: Pav Lucistnik and a cast of thousands
Web: mailing list announcement
Will appear in 8.0: sure
Authors: Pav Lucistnik and a cast of thousands
Web: mailing list announcement
The ports infrastructure is the part of the FreeBSD operating system that's responsible for making thousands (actually close to 20,000) of third party packages available to FreeBSD users. It enables everyone to install custom software from either source code (the traditional and preffered way) or from analogous binary packages.
The port infrastructure for source builds has been enhanced to allow parallel builds of individual ports. In the age of multi-core CPUs this means package build times will be drastically decreased. By default, all available logical CPUs will be used.
This enhancement is not tied to the 8.0 release and is available now on all recent versions of FreeBSD. Port dependancy graphs will still be built serially (i.e. only one port at a time will be built, but each individual port will be built in parallel).
Kernel & low level improvements
Better handling of mounted device removals
Status: Committed to -CURRENT, MFCedWill appear in 8.0: sure
Author: Edward Tomasz Napierala
Web: FreeBSD Foundation Projects
Panics on "hot" removal of devices with file systems mounted from them (the canonical example is the removal of USB flash memory keys while the file system was mounted) were the most commonly reported problem from end-users. New development, funded by the FreeBSD foundation, has solved this issue.
Jails v2
Status: Committed to -CURRENT, MFCed
Will appear in 8.0: sure
Author: Bjoern Zeeb and others
Web: commit message
Will appear in 8.0: sure
Author: Bjoern Zeeb and others
Web: commit message
The jails subsystem has been greatly enhanced and updated to support modern FreeBSD features. In addition to the support for multiple IP addresses per jail (or none), support for IPv6 and SCTP has been implemented, jails can be nested hierarhically and jails can now be restricted to certain CPUs. Jails are especially powerful when combined with ZFS, where system administrators can be allowed to create and manage their own file systems within the jails.
Xen dom-U support
Status: Committed to -CURRENT
Will appear in 8.0: experimental
Authors: Kip Macy, Doug Rabson
Web: wiki page, mailing list
Will appear in 8.0: experimental
Authors: Kip Macy, Doug Rabson
Web: wiki page, mailing list
Xen support has been integrated into FreeBSD, allowing it to be used as a 32-bit guest operating system on recent versions of Xen dom0 (not as a host!). A target for 8.0 is to make FreeBSD ready to be used on Amazon EC2. The project needs testing and sponsorship.
New USB stack
Status: Committed to -CURRENT
Will appear in 8.0: sure
Author: Hans Petter Selasky
Web: announcement, SVN message
Will appear in 8.0: sure
Author: Hans Petter Selasky
Web: announcement, SVN message
The USB stack received a significant overhaul and the new code fixes many standing problems. Some of the new features are full support for split transactions, isochronous transactions, removed dependency on Giant (MPSAFE), a new API and many more. See the SVN message for details.
The new USB stack will use old drivers' and kernel modules' names to increase backward compatibility.
MPSAFE TTY
The TTY layer is the traditional Unix interface to system users, providing them with interactive sessions to run shells, etc. The current TTY layer in FreeBSD is for the most part the traditional BSD TTY, which is integrated with the drivers and other layers in a way that, though efficient, makes it hard to maintain and extend. The initiative to rewrite the TTY layer aims to make it a true abstraction layer, operating on behalf of both sides of TTY. In addition, it will remove the TTY from the Giant lock, which will eliminate problems with lags and skippy user interface behaviour in the console and X.Org.
Kernel memory limit on AMD64 increased
Status: Committed to -CURRENT, MFCed
Will appear in 8.0: sure
Author: Alan Cox
Web: announcement, SVN commit
Will appear in 8.0: sure
Author: Alan Cox
Web: announcement, SVN commit
Some modern features (of which the most notable currently is ZFS) require a large amount of kernel memory (this has nothing to do with traditional disk caches or the amount of memory visible to the system). Up to now, it was only possible to allocate up to 2 GB forkmem_max, which is becoming a bit cramped. This limit has recently been increased to 512 GB. Together with backpressure improvements for the ARC, this will make the users of ZFS happy.
Kernel threads
Kernel threads upto now were actually "heavy weight" processes running in the kernel address space. This change introduces real light weight kernel threads which consume less low-level resources (process locks, memory maps). It also allows better grouping of threads for display purposes.
procstat(1): A process inspection utility
procstat combines functionality from the now-deprecated procfs(4) and adds several new functionalities. Some of the data procstat can provide are: process' command line arguments, file descriptor information, stacks of the kernel threads in the process, security credentials information from the process, thread information and virtual memory mappings. This is utility is mostly useful for debugging.
TextDumps: gathering information after kernel panic
Status: Committed to -CURRENT, MFCed
Will appear in 8.0: sure
Author: Robert Watson
Web: Q&A on textdumps
Will appear in 8.0: sure
Author: Robert Watson
Web: Q&A on textdumps
The usual thing that happens after a kernel panic is a kernel memory dump, either full or (in 7.0 and later) a "minidump". The new "textdump" feature doesn't store the actual kernel memory dump, but extracts commonly needed information from it, stores it into a tar archive of text files, and deletes the dump file. This significantly reduces the size requirements of collecting such information, speeds up development, and enables people to collect debugging information after a crash without kernel developer experience.
ULE 3.0: New version of the SMP-optimized scheduler
Status: Committed to -CURRENT
Will appear in 8.0: sure
Author: Jeff Roberson
Web: commit message, commit message, announcement
Will appear in 8.0: sure
Author: Jeff Roberson
Web: commit message, commit message, announcement
Evolution of the ULE scheduler resulted in support for fine-grained CPU affinity calculations, taking into account the physical topology of the CPUs (caches, cores, sockets) and much improved support for binding threads to CPUs. This results in additional functionalities (opens up the possibility of assigning individual CPUs to jails) and noticeable performance improvements.
Superpages
Status: Committed to -CURRENT, MFCed
Will appear in 8.0: sure
Author Alan Cox
Web: research paper, current status
Will appear in 8.0: sure
Author Alan Cox
Web: research paper, current status
Most general-purpose processors provide support for memory pages of large sizes, calledsuperpages. Superpages enable each entry in the translation lookaside buffer (TLB) to map a large physical memory region into a virtual address space. This dramatically increases TLB coverage, reduces TLB misses, and promises performance improvements for many applications. However, supporting superpages poses several challenges to the operating system, in terms of superpage allocation and promotion tradeoffs, fragmentation control, etc. The performance benefits are substantial, often exceeding 30%; these benefits are sustained even under stressful workload scenarios.
While they can be used on most x86 CPUs, benchmarking has shown that their greatest benefits are visible on quad-core and newer CPUs.
DTrace
Status: Committed to -CURRENT (kernel trace only)
Will appear in 8.0: sure
Author: John Birrell
Web: project web page
Will appear in 8.0: sure
Author: John Birrell
Web: project web page
DTrace is a tool and a language developed by Sun Microsystems to help debugging and profiling operating systems. It can aggregate information from different parts of kernel (userland tracing is not yet implemented) and analyze them in a ways that's meaningful to the user.
Networking improvements
802.11s D3.03 wireless mesh networking
A wireless mesh network, sometimes called WMN, is a wireless network using a mesh topology instead of more typical AP-client topology. These networks are often seen as special type of ad-hoc networks since there's no central node that will break connectivity (in contrast with common wireless networks where there's a central Access Point). 802.11s is an amendment to the 802.11-2007 wireless standard that describes how a mesh network should operate on top of the existing 802.11 MAC.
VirtNet / VIMAGE / Imunes / Network stack virtualization
Status: In final stages of development
Will appear in 8.0: sure
Author: Marko Zec
Web: project web page
Will appear in 8.0: sure
Author: Marko Zec
Web: project web page
The network stack virtualization project aims at extending the FreeBSD kernel to maintain multiple independent instances of networking state. This will allow for complete networking independence between jails on a system, including giving each jail its own firewall, virtual network interfaces, rate limiting, routing tables, and IPSEC configuration.
VIMAGE+Jails will be experimental in 8.0; the system might not work as advertised, especially with regards to security.
Multiple routing tables / FIBs
Support for multiple routing tables (forwarding information bases) allows advanced network topologies. The setfib utility can be used to select routing tables on per-process level.
Equal cost multipath routing
ECMP routing allows for multiple routes to be handled by the kernel, including default routes. It potentially offers substantial increases in bandwidth by load-balancing traffic over multiple paths.
Zero-copy BPF
Status: Committed to 8-CURRENT
Will appear in 8.0: sure
Authors: Robert Watson, Christian S.J. Peron
Web: BSDCan slides
Will appear in 8.0: sure
Authors: Robert Watson, Christian S.J. Peron
Web: BSDCan slides
BPF is Berkeley Packet Filter, facility used to capture raw network packets from the lower layers of the network stack according to user-defined filters and forward them to an application, as well as insert raw packets to the network stack.
This improvement to BPF reduces the number of memory copy operations between the kernel and the application which improves performance in some cases.
Kernel NFS locking support
Status: Committed to 8-CURRENT
Will appear in 8.0: sure
Author: Doug Rabson
Web: commit message, announcement
Will appear in 8.0: sure
Author: Doug Rabson
Web: commit message, announcement
NFS lock manager in kernel improves performance and behaviour of NFS locking (used to synchronize file access on remote machines). New features include multithreaded operation, deadlock detection, and transparent interaction with local file locks on the server.
NFSv4 support
NFSv4 is a major overhaul of the NFS protocol and brings many new features like a stateful protocol, performance improvements and stronger security (ACLs, strong authentication). Until recently, NFSv4 support in FreeBSD was partial (client-only) and somewhat unstable. New development aims to complete this support.
The introduced NFSv4 infrastructure also replaces the old NFSv2 and NFSv3 servers and clients with the new ones.
Storage subsystems' improvements
Experimental new driver for AHCI
Status: Committed to -CURRENT, experimental
Will appear in 8.0: sure
Author: Alexandar Motin, Scott Long & others
Web: commit message
Will appear in 8.0: sure
Author: Alexandar Motin, Scott Long & others
Web: commit message
The new driver, present but not enabled by default in 8.0, supports native AHCI via the CAM (common access method for storage) system. AHCI drives are manipulated by camcontrol and support for new features like NCQ has been integrated.
gvinum 2
Status: committed to -CURRENT
Will appear in 8.0: sure
Author: Ulf Lilleengen
Web: commit message, commit message
Will appear in 8.0: sure
Author: Ulf Lilleengen
Web: commit message, commit message
gvinum is a logical volume manager based on and compatible with vinum, the FreeBSD's long-standing and practically traditional volume manager. Its features include JBOD, RAID 0, RAID 1 and RAID 5 modes of combining storage devices into higher level volumes, and due to the new version's integration with GEOM it can use and be used by other GEOM devices and classes.
Gvinum 2 is significantly restructured version of gvinum and fixes many long-standing problems. The work done on gvinum makes it more usable and production ready, while maintaining compatibility with older versions. Gvinum exists in parallel with other GEOM classes like gmirror, gstripe and others.
GEOM_PART becomes the default slicer
Status: Committed to -CURRENT
Will appear in 8.0: sure
Author: Marcel Moolenaar & others
Web: commit message
Will appear in 8.0: sure
Author: Marcel Moolenaar & others
Web: commit message
GEOM_PART (gpart) is a new GEOM partition class (slicer) and utility that rolls up support for many partitioning formats (MBR, BSD, GPT etc.) into a single code base.
NOTE: Caveat when upgrading! GEOM_PART might interpret existing partition tables (especially if many operating systems are present - multi boot) differently than the previous classes. Your devices might get renamed.
NOTE: Some old utilities like bsdlabel may not work if the kernel doesn't include GEOM_BSD and other old slicer classes. In other words, bsdlabel et al don't work with GEOM_PART.
Boot support for GPT partitions
Support for booting from GPT partitions has been committed to -CURRENT. This support includes the boot sector and loader that enable common i386 machines with a generic BIOS to boot from GPT-partitioned drives.
bsdlabel gets extended to 20 partitions
bsdlabel is (finally!) extended to support more than 8 partitions. The new limit of 20 partitions comes from the number of entries that fit in a single sector.
To make use of this change, GEOM_PART needs to be used instead of GEOM_BSD (this is default in 8.0 but will not work with older kernels). Old utilities like "bsdlabel" will not work with GEOM_PART; the new gpart utility must be used instead.
Security
ProPolice SSP (stack-smashing protection)
Status: Committed to -CURRENT
Will appear in 8.0: sure
Author: Jeremie Le Hen
Will appear in 8.0: sure
Author: Jeremie Le Hen
ProPolice helps prevent exploits that use stack-based buffer overflows by setting a random integer (called the "canary") in the stack right before the return address. It is set in the function's prologue and verified during the epilogue; if it has changed, then a buffer overflow has occured and the program commits suicide by killing itself with SIGABRT (or panic() in case it's the kernel). Both userland and kernel may be protected.
Other changes
The following is a list of smaller and / or more obscure changes that nevertheless deserve a special mention since they will be of interest to certain users:
- User-controllable CPU/IRQ binding (jhb)
- User-controllable CPU-thread binding with support for CPU sets (jeffr)
- RDMA (Remote DMA) support for InfiniBand
- ZFS updated to at least zpool format 13 (from 6), with many fixed bugs and resolved problems; bringing ZFS out of the "experimental" status (pjd, kip), partially MFC-ed
- Increased the maximum number of groups a user may belong to (NGROUPS) to 1024 by default, in a way that allows further extension if needed. (brooks)
- Started upgrade of syscons renderer to support UTF-8 (ed)
- Imported new version of OpenBSM (rwatson)
- Support for more ARM / Xscale platforms
- Imported makefs utility from NetBSD (sam)
- Support for SYSVSHM segments larger than 2 GB on AMD64 (kib), MFC-ed
- Better support for Machine check exceptions
- New network ARP code
- SMP-targetted improvements to the routing code
- Wireless Virtual AP (aka VAP, aka "virtual WiFi") mode (sam)
- tcpdump updated to 4.0 (note: new output format) (rpaulo)
- Performance improvements, mostly for SMP scalability
- Support for the Intel Nehalem / Core i7 platform (jeffr), MFC-ed
- New import of ACPICA (jkim)
- Support for QLogic 8Gbit FC HBA-s (+target mode) (mjacob)
- VirtualBox 3.x support as VM host, with VT hardware extensions, network bridging, etc. (amd64 and i386)
- 64-bit (amd64) NVIDIA video drivers
- KDE 4.3, GNOME 2.28
- Google Chromium
As always, all features described here are, or will be, a part of the FreeBSD "base" system, available in every FreeBSD installation without patching or out-of-the-ordinary configuration.
For more information about development of FreeBSD (among other topics), see my blogwith daily and miscellaneous information.
Reference:
http://ivoras.net/freebsd/freebsd8.html
Subscribe to:
Posts (Atom)