
FreeBSD 11.0 Now Available - eatonphil
https://lists.freebsd.org/pipermail/freebsd-announce/2016-October/001760.html
======
zackelan
For anyone else curious about this strange and seemingly out-of-place command
in the upgrade instructions:

# : > /usr/bin/bspatch

See [https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29...](https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc)

> Because this vulnerability exists in bspatch, a component used by freebsd-
> update, a special procedure must be followed to safely update. First,
> truncate bspatch to a zero byte file.

> FreeBSD-update will fall back to replacing bspatch, rather than applying a
> binary patch. Proceed with FreeBSD-update as usual.
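
The advisory procedure quoted above, as an added example script that is not from the advisory, freebsd-update(8) or the thread. It wraps the three steps (truncate bspatch, run freebsd-update, confirm a real binary came back) with the checks a practitioner would want before trusting the result. Assumptions: it runs as root on a FreeBSD host with freebsd-update on PATH, and BSPATCH is the path the advisory names; the ELF-magic check is the added sanity test, not something the advisory asks for.

```shell
#!/bin/sh
# Added example (not from SA-16:29 or the thread): the bspatch workaround
# with before/after checks. Assumes root on FreeBSD and freebsd-update on PATH.
set -eu

BSPATCH="${BSPATCH:-/usr/bin/bspatch}"

# 0 when the file exists and is zero bytes: the state the advisory asks for.
is_truncated() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# 0 when the file is non-empty and starts with the ELF magic (\177ELF),
# i.e. a whole binary was put back, not an empty file or a stray patch result.
is_elf_binary() {
    [ -s "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' ')
    [ "$magic" = '177ELF' ]
}

# Step 1 of the advisory: truncate bspatch so freebsd-update cannot run it.
truncate_bspatch() {
    : > "$1"
    is_truncated "$1"
}

# Step 2: with bspatch empty, freebsd-update falls back to replacing files
# whole instead of binary-patching them. Step 3: confirm the replacement.
safe_update() {
    truncate_bspatch "$BSPATCH" || { echo "could not truncate $BSPATCH" >&2; return 1; }
    freebsd-update fetch
    freebsd-update install
    if is_elf_binary "$BSPATCH"; then
        echo "bspatch replaced: $(ls -l "$BSPATCH")"
    else
        echo "bspatch is still empty or not an ELF file; do not trust this update" >&2
        return 1
    fi
}

case "${1:-}" in
    run) safe_update ;;
esac
```

Run it as `sh safe-update.sh run`; with no argument it only defines the functions. The ELF check is deliberately crude (four bytes), but it catches the two failure modes that matter here: the tool never touched the file, or it wrote something that is not a program.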

------
thijsvandien
This would be a good moment to be "that guy" and kindly remind you to donate:
[https://www.freebsdfoundation.org/donate/](https://www.freebsdfoundation.org/donate/)

------
tete
I think the highlights don't mention the release's best bits. The full release
notes are way larger and it really depends on what you do, what you might
consider the most interesting part.

Also I am happy to see a bunch of "Sponsored by..." Netflix, Yandex, NGINX
Inc, Netgate, Citrix, Juniper Networks, Microsoft, Dell, Multiplay,
ScaleEngine, etc. in there.

[https://www.freebsd.org/releases/11.0R/relnotes.html](https://www.freebsd.org/releases/11.0R/relnotes.html)

~~~
kev009
As a full time developer, you are correct that the relnotes don't capture all
the great stuff. It is difficult to keep track of all that is going on. The
only way I know how is to continuously read the commit logs. But distilling
that down into a useful document for end users is quite hard, especially
retroactively.

I will say that the release has non-trivial improvements in TCP performance
(Mike Karels, Matt Macy, Netflix crew).

VNET jails also should be safe to tear down, and SysV SHM can be
jailed/virtualized which should be interesting to many users.

~~~
voltagex_
>I will say that the release has non-trivial improvements in TCP performance

For your average home / small business user? Or do you need to be at Netflix
scale to see the benefits? (that's not a bad thing).

~~~
kev009
It matters most for people doing 10-100gbps throughput, CPU usage will be
lower and more stable in all cases though.

There has been a lot of improvement to many network card drivers in 11, and I
am helping to push/fund the final integration of Matt Macy's "iflib" for the
common intel em/igb/ixgbe drivers.

There are a lot of goodput improvements coming soon, which will affect all TCP
users. I had Matt Macy upgrade TCP CUBIC to match 2016 RFC and most Linux
behaviors (HyStart). Hiren Panchasara has been working full time for almost 2
years to address many other goodput and correctness issues in the TCP stack.
Some of these are in 11, but the majority will hit in 11.1.

Another company is working on the recently announced BBR congestion control
from Google and a TCP stack with RACK/PRR
[https://wiki.freebsd.org/DevSummit/201606/Transport](https://wiki.freebsd.org/DevSummit/201606/Transport).
The end result of all this will be a more tightly integrated and coherent TCP
implementation, which should make FreeBSD have the best network stack again in
2017 after falling behind for a while.

~~~
gonzo
We did a lot of work on IPsec as well.

------
nickysielicki
A couple things HN users might be excited about:

* Docker via ZFS and jails (...running Linux x86-64 binaries): [https://wiki.freebsd.org/Docker](https://wiki.freebsd.org/Docker)

\--- (See also,
[https://github.com/3ofcoins/jetpack](https://github.com/3ofcoins/jetpack) )

* Add support for trackpads found in Apple MacBook products: [https://svnweb.freebsd.org/base?view=revision&revision=26126...](https://svnweb.freebsd.org/base?view=revision&revision=261260)

* CloudABI executable support: [https://nuxi.nl/cloudabi/freebsd/](https://nuxi.nl/cloudabi/freebsd/)

This is an awesome release.

~~~
lucaspiller
Is anyone using FreeBSD on their development machine? Are there any gotchas
compared to Linux?

~~~
loeg
I use CURRENT on a Thinkpad X230. It works ok.

Main gotchas:

* No SSL CA certificates out of the box. FreeBSD security team has taken the curious posture of claiming that shipping no CAs is better than just shipping e.g. Mozilla's CA bundle.[0]

* rc.d is like Linux init from 5 years ago. Dynamic network configuration is not handled well.

* Intel GPU driver support for anything above Haswell is still waiting to be merged. But work is ongoing.[1]

* No Xorg or session management out of the box. You get dropped to a terminal console. Good luck starting a session.

* Some packages conflict with each other needlessly. For example, you cannot install gitk and git-svn at the same time.

* Finally, the installer has some limited choices. You can't enable full disk encryption for UFS with the installer (last time I checked, anyway).

Other than all that, it works well.

[0]:
[https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811)

[1]: [https://github.com/FreeBSDDesktop/freebsd-base-graphics/wiki](https://github.com/FreeBSDDesktop/freebsd-base-graphics/wiki)

~~~
dTal
Hmph. I remember when "session management" was echo startx >> .loginrc

I sure miss being able to understand and control my machine...

~~~
voltagex_
I reached the point of not understanding my machine when mounting a disk on
Linux required udisks2/dbus and parts of Gnome.

FreeBSD can be pretty spartan, but I do feel like I'm more in control.

~~~
groovy2shoes
Is this a thing? I'm running Slackware and mounting a disk is still done with
good ol' `mount`, same as it ever was.

~~~
vacri
I've been in the linux world for less than a decade, and I miss 'mount' being
useful. It's full of spam now - so I've started using 'lsblk' instead...

    
    
        $ mount | wc -l
        32
        $ lsblk
        NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
        sda      8:0    0 698.7G  0 disk 
        ├─sda1   8:1    0   512M  0 part /boot/efi
        ├─sda2   8:2    0 690.3G  0 part /
        └─sda3   8:3    0   7.9G  0 part [SWAP]       # this was a mistake...
        sr0     11:0    1  1024M  0 rom

~~~
twr
> # this was a mistake...

That's not an unfixable mistake: sda3 is at the end of the partition table, so
if it's deleted, sda2 can be safely resized offline. For example,

    
    
      parted /dev/sda rm 3
      parted /dev/sda "resizepart 2 -0"
      resize2fs /dev/sda2 # for ext2/3/4
    

And then you can create a swap file or volume on sda2, so long as it isn't on
btrfs.

------
vbit
Often gets lost in the release notes - deploying on Google cloud is super
easy:

    
    
        % gcloud compute instances create INSTANCE --image freebsd-11-0-release-p1-amd64 --image-project=freebsd-org-cloud-dev
        % gcloud compute ssh INSTANCE

~~~
oskarth
Wow, nice. Do you know how straightforward it is to get it with ZFS?

~~~
djsumdog
Even the last release supports full ZFS+encryption with the default installer.

~~~
RJIb8RBYxzAMX9u
This is still geli+zfs, and not native zfs encryption that was recently
presented in OpenZFS Developer Summit [0].

[0]
[https://www.youtube.com/watch?v=frnLiXclAMo](https://www.youtube.com/watch?v=frnLiXclAMo)

~~~
mioelnir
Correct, it is full disk encryption instead of dataset encryption.

But on the other hand, if you install 11.0 from installer and chose Auto(ZFS)
with EncryptedZFS and MBR(GPT) then you will get a GeliBoot installation.
There is no boot pool anymore, instead the early boot stages decrypt the root
zpool to load the rest of the bootloader, which then decrypts the pool to load
the kernel. With bootloader-selectable boot environments.

~~~
mioelnir
...and I meant BIOS(GPT). Hmpf.

------
protomyth
_EC2(TM) users are urged to read the Errata Notes for FreeBSD 11.0-RELEASE
regarding an issue discovered very late in the release cycle that may cause
the system to hang during the boot process when upgrading from previous
FreeBSD versions. New EC2(TM) installations are not affected, but existing
installations running earlier releases are advised to wait until the issue is
resolved in an Errata Notice before upgrading._

This is discussed on BSD Now 162 [https://www.youtube.com/watch?v=fJ-mgwxhNvo](https://www.youtube.com/watch?v=fJ-mgwxhNvo)

------
tachion
FreeBSD is not 'just another OS out there' but an important piece of
technology powering lots of things we often use: from Sony's PlayStation and
WhatsApp, through Netflix and Yahoo, to Juniper and PFSense networking gear
and EMC storage and FreeNAS appliance - and many, many more!

So, have you donated yet? We need FreeBSD and FreeBSD needs your support!

[https://www.freebsdfoundation.org/donate/](https://www.freebsdfoundation.org/donate/)

~~~
ripdog
What really makes me sad is that the BSD license allows corporate leeches like
Sony to create incredibly successful and valuable products like the PS4
without ever having to give back to the project that produced the software
they rely on. It's obvious that Sony picked FreeBSD over Linux because they
don't have to publish their additions to FreeBSD, and can continue to
integrate new and improved code from upstream with no obligations whatsoever.

Yes, some corporate users contribute financially back to the project, and
we're thankful. But why should we have to be thankful? The GPL already
provides a tried and proven legal framework for requiring downstream users to
publish their improvements for others to use. Free software is an ecosystem
where everyone helps and everyone benefits. When the BSD license allows
parasites like Sony to benefit to the tune of billions of dollars without
giving a line of code (or a penny) back, that breaks the ecosystem.

I'm calling Sony out particularly because they are not included in the list of
corporate sponsors in the article. The Sony games division made $3.2 billion
in revenue in quarter 1 2016, this is unacceptable.

~~~
toast0
> It's obvious that Sony picked FreeBSD over Linux because they don't have to
> publish their additions to FreeBSD, and can continue to integrate new and
> improved code from upstream with no obligations whatsoever.

It's obvious that FreeBSD contributors picked FreeBSD over Linux because they
wanted to publish their software for people to use with no obligations
whatsoever.

If Sony is heavily modifying the FreeBSD code, eventually they'll start
contributing back, because maintaining a substantial fork is more effort than
upstreaming code. Either that, or they'll end up with a largely frozen code
base like Apple's copy of the FreeBSD userland, which is probably OK on a
console.

~~~
loeg
> Either that, or they'll end up with a largely frozen code base like Apple's
> copy of the FreeBSD userland, which is probably OK on a console.

I think this is what they've settled on and are quite happy with.

For PS5 they'll likely do another from-scratch adaptation of whatever the
then-current FreeBSD is.

------
ChuckMcM
It would be awesome if there were a cookbook for getting this on to the
Dragonboard 410c (it's my only AArch64 board ATM). The wiki page points to the
96boards site which has everything you need to put Ubuntu on but not FreeBSD
AFAICT. I just may not be reading it closely enough though.

[1]
[https://wiki.freebsd.org/arm64/DragonBoard410c](https://wiki.freebsd.org/arm64/DragonBoard410c)

~~~
zxombie
booting on the Dragonboard is unlikely to happen any time soon, I started
working on it, but don't have the time to get it into a usable state (and lack
hardware to test).

Source: I started & mostly work on the FreeBSD arm64 port.

------
kimputin
> Wireless support for 802.11n has been added.

Wait, What?

~~~
stock_toaster
My guess is this part:

    
    
      The iwn(4) driver was added, providing support for the
      Intel® Centrino™ Wireless-N 105 and 135 chipsets. [r266770]
    

from:
[https://www.freebsd.org/releases/11.0R/relnotes.html#drivers...](https://www.freebsd.org/releases/11.0R/relnotes.html#drivers-network)

~~~
asveikau
That driver was on OpenBSD for a long time. I put FreeBSD on a machine a year
or so ago and really missed that driver. Maybe now I can get rid of the USB
dongle I've been using instead.

~~~
loeg
iwn(4) has been present for a long time. I suspect you mean iwm(4)?

~~~
asveikau
You're right. Also happy to report that machine is working way better now.

------
cm3
I still have hope some or all HardenedBSD features might get ported or
reimplemented in FreeBSD 12. Too much low hanging fruit, and now that linux
has been steadily closing the gap to grsec, the competition in mainstream
kernel branches is on.

~~~
kev009
HardenedBSD is one of the bigger jokes in the BSD community. If you really
care about the things it claims to do, I highly recommend using OpenBSD
because it actually has competent and sustainable development.

~~~
cm3
Are you saying that the measures listed here
[http://hardenedbsd.org/content/easy-feature-comparison](http://hardenedbsd.org/content/easy-feature-comparison) do not
work properly?

~~~
loeg
I'm not GP, but yes. They do not work properly and likely introduce additional
vulnerabilities.

~~~
2trill2spill
Do you have any evidence for this? I've heard rumors here on HN and elsewhere
that HardenedBSD's code quality is lacking and that they didn't incorporate
all the fixes and suggestions from the FreeBSD community during the various
code reviews. But none of that is definitive, do you have any proof or
evidence for this statement, "They do not work properly and likely introduce
additional vulnerabilities."

~~~
loeg
Here's an example of poor code quality:

[https://github.com/HardenedBSD/secadm/commit/3dd7584b70804cf...](https://github.com/HardenedBSD/secadm/commit/3dd7584b70804cf0bd3eb6f45d15b07851466ef2#diff-e4ccce5da8f7b4683a2f989b674e9d8aR80)

If this check did anything, it appears susceptible to time-of-check, time-of-
use attack.

See also [https://reviews.freebsd.org/D473](https://reviews.freebsd.org/D473)
, where Shawn pretty clearly does not incorporate feedback from the FreeBSD
community.

~~~
cm3
Fair enough. The more important part of my question: isn't there a focused
effort to complete FreeBSD's security feature checklist?

~~~
loeg
No one is paying for completion of checkbox security features in FreeBSD. So
the community is really only interested in effective mitigations and not
checkbox features.

We would love to merge in Konstantin's ASLR work. Reviewers have pointed out
performance issues and memory fragmentation issues, especially on 32-bit
platforms, but it's still better than nothing. I think we should just merge it
as is, maybe default to off on 32-bit platforms, and improve from there. With
the intent to have it polished for 12.0-RELEASE.

One such mitigation receiving community attention is Capsicum. The Capsicum
security sandbox is a viable way to constrain applications. Unlike OpenBSD's
pledge, rights are limited on a file descriptor basis. It has been ported to
Linux and DragonFlyBSD (although merged to neither). There has been a lot of
work in FreeBSD lately to restrict base programs, especially setuid programs,
using Capsicum.

------
2trill2spill
> A kernel panic triggered when destroying a vnet(9) jail(8) configured with
> gif(4) has been fixed. [r271917]

> A kernel panic triggered when destroying a vnet(9) jail(8) configured with
> gre(4) has been fixed. [r271918]

I see they fixed the kernel panics when destroying vnet jails but is vnet
enabled by default? Or do I have to compile a custom kernel like with FreeBSD
10.x

~~~
elcritch
I started using SmartOS partly because it has really nice VNIC support and you
don't have to recompile the 10.x FreeBSD kernels. :-) It'd be good to know if
11.0 changed that.

~~~
SSLy
Does linux have similar facilities yet?

~~~
caf
Yes, a "network namespace" is the Linux equivalent.
[http://man7.org/linux/man-pages/man8/ip-netns.8.html](http://man7.org/linux/man-pages/man8/ip-netns.8.html)

------
ysleepy
TRIM support in GELI (disk encryption), awesome!

------
kchoudhu
Congrats to RE@ for the release.

Looking forward to that sweet, sweet IPSEC by default.

~~~
gonzo
You're welcome. :-)

~~~
kchoudhu
...we're missing IPSEC_NAT_T.

Brought to you from a custom compiled FreeBSD 11-p1 host :(

------
aphextron
Does anyone know if FreeBSD supports PHP-FPM 7+? I'm so ready to drop Ubuntu
if so

~~~
loeg
It is enabled by default in the php55, php56, and php70 ports. (See the "FPM"
OPTION in all three.)

Does that answer your question? (Sorry, I'm not familiar with PHP.)

------
panzerboy
Regarding the Vagrant image: I'm trying to use it on OSX (El Capitan) with the
latest VirtualBox.

When I do vagrant up, I see the following error:

No base MAC address was specified. This is required for the NAT networking to
work properly (and hence port forwarding, SSH, etc.). Specifying this MAC
address is typically up to the box and box maintainer. Please contact the
relevant person to solve this issue.

If I do vagrant up again, it seems to be working, but then I see a lot of:

default: Warning: Remote connection disconnect. Retrying...

and it eventually times out.

Any ideas on how to solve this issue?

Thanks!

------
duncan_bayne
Going to grab the 11.0 release image and try installing it on my ThinkPad.
Pre-release versions had issues with my Intel chipset that lead to boot loops.

------
voltagex_
I've got a 10.3 system that's running a "custom" kernel with VNET enabled for
my iocage jails. What am I in for when I upgrade? How do I keep my ZFS pool
safe through the upgrade?

~~~
mioelnir
Why would your zpool be in any danger from the upgrade?

If you upgrade via freebsd-update and have renamed your custom kernel (and not
named it GENERIC), then freebsd-update will tell you when to build and install
a new version of your kernel.

If you kept GENERIC as the name of your custom kernel, which is a really
really bad idea, then freebsd-update will probably still replace it with a
vanilla kernel, haven't checked that in a while. In that case either rebuild
your 10.3 kernel again with a fixed name, or upgrade to 11 from source.
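
For the question above (a custom VNET kernel on 10.3, a ZFS pool, an upgrade to 11.0), a pre-flight script added here as an example; it is not from the thread, from freebsd-update(8) or from the FreeBSD project. It assumes the root pool is called zroot (set POOL otherwise), that the running kernel's name is read from the kern.ident sysctl, that VIMAGE support shows up as the kern.features.vimage feature sysctl, and that a recursive ZFS snapshot is the rollback point you want before freebsd-update runs. The kernel-name check follows the reply above: a kernel still called GENERIC is what freebsd-update will overwrite. One caveat it prints rather than automates: do not run zpool upgrade on the root pool after the OS upgrade until the new bootcode has been written with gpart bootcode, since older bootcode cannot read a pool with newer feature flags enabled.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before a 10.3 -> 11.0
# upgrade on a host with a custom VIMAGE kernel and a ZFS root.
# Assumptions: POOL names the root pool ("zroot" is a guess), the kernel ident
# is sysctl kern.ident, and VIMAGE shows up as sysctl kern.features.vimage.
set -eu

POOL="${POOL:-zroot}"
SNAP="${SNAP:-pre-11.0-upgrade}"

# Kernel ident of the running kernel, or "unknown" on a host without it.
kernel_ident() {
    sysctl -n kern.ident 2>/dev/null || echo unknown
}

# freebsd-update replaces a kernel called GENERIC; a custom kernel needs a
# different ident so the tool tells you to rebuild it instead.
is_generic_ident() {
    [ "$1" = GENERIC ]
}

# VIMAGE (vnet jails) is compiled in only if this feature sysctl exists.
vimage_enabled() {
    sysctl -n kern.features.vimage >/dev/null 2>&1
}

# Recursive snapshot of the pool: the rollback point if the upgrade goes wrong.
# With DRY_RUN set it prints the command instead of running it.
snapshot_pool() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "zfs snapshot -r $1@$2"
    else
        zfs snapshot -r "$1@$2"
    fi
}

preflight() {
    ident=$(kernel_ident)
    if is_generic_ident "$ident"; then
        echo "kernel ident is GENERIC: freebsd-update will install the stock kernel" >&2
        echo "rebuild with a non-GENERIC name (e.g. 'ident VNETKERN' in the config) first" >&2
        return 1
    fi
    vimage_enabled || echo "warning: running kernel has no VIMAGE; vnet jails need it" >&2
    snapshot_pool "$POOL" "$SNAP"
    # Pool feature flags and bootcode must move together: refresh the bootcode
    # with gpart bootcode before any 'zpool upgrade', or the pool will not boot.
    echo "preflight done: after 11.0 is installed, refresh bootcode before zpool upgrade"
}

case "${1:-}" in
    check) preflight ;;
esac
```

Run as `sh preflight.sh check` before `freebsd-update upgrade -r 11.0-RELEASE`; rolling back is then `zfs rollback -r zroot@pre-11.0-upgrade` from a rescue boot. Setting DRY_RUN=1 shows the snapshot command without creating it.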

------
eb0la
How much do you think it will take until Juniper JunOS and netApp will upgrade
their kernels to 11.0-p1?

~~~
kev009
Acknowledging this is somewhat inflammatory, both of those companies are
absent and incompetent when it comes to open source interaction when compared
to others like EMC Isilon and Netflix.

NetApp does tend to be one of the higher financial contributors to the FreeBSD
Foundation but this amounts to the salary of one full time engineer. I think
the bhyve code drop was a fluke, but a very fortunate one, and the two
developers left NetApp quickly after that happened. Outside of that,
especially during the formative '90s and '00s where it could have been
politically influential, continuing today there is almost no code
reintegration. It's hard to find business justification because NetApp is a
prime contributor to Linux, including the NFS server which could be argued has
allowed companies like PureStorage to eat their lunch.

Juniper has some storied history of many many-year projects to resync their
branch. They have their own TCP stack. Many of the influential FreeBSD devs I
know there have fled recently. I heard something about switching to Linux.
Sounds like a rudderless company, following a nice anti-pattern example set by
Yahoo. It is sad because JunOS and the HW was and is for now quite nice.

I work at a small but highly traditional/bureaucratic company and was able to
build a 4 person full time upstream BSD team in 2 years. I cannot fathom why
NetApp and Juniper would not have a 10-40 people upstream team.

~~~
X86BSD
Sigh, you know, the Juniper story is so sad. I even owned stock in it at one
time. It started out great, had such potential, and just imploded. Yeah I have
heard the rumor of them moving to Linux too. Good luck with that tire fire!
They do that and they are dead to me.

------
unluckier
No mention of ASLR. Helping to prevent memory corruption bugs apparently isn't
on their radar?

~~~
loeg
It's on their radar, but did not make it into 11.0. It's still under code
review here:

[https://reviews.freebsd.org/D5603](https://reviews.freebsd.org/D5603)

------
xtf
The image is from 29th september, is this the updated version?

------
youdontknowtho
Seems like they are releasing faster? Nice!

------
mankash666
"Wireless support for 802.11n has been added"

C'mon FreeBSD! We're in the 802.11ac era! As much as I love BSD, they're
always a couple of years behind the status quo

~~~
erikarn
Hi! FreeBSD wifi person here!

* ath(4)'s 11n support is much, much better now. All the AR93xx/AR95xx PCIe devices are supported and STA/AP 11n should work great.

* iwn(4)'s 11n is much, much better. It still has some warts, and I'd love some help in chasing them down.

* urtwn(4) in -HEAD does 11n now.

* rsu(4) in -HEAD does 11n now.

* iwm(4) (intel 7260, etc) is getting better every day in freebsd and dragonflybsd. Thanks to another developer for that! I think we're almost ready for starting the 11n bits? Once the 11n bits are done and working, we can start on the 11ac bits.

* Another developer is working on urtwn/rtwn unification and support for 11ac USB devices from realtek.

* I'm working on an ath10k port from Linux to FreeBSD - I have association working now and I'm about to start on normal data TX. Once that's done, I'll get crypto and 11n station mode operation working.

now, where's 11ac? It's mostly waiting for some stable like 11ac devices to
appear in the tree with 11n support. 11ac is partially revolution and
partially evolution - if 11n doesn't work, 11ac definitely won't work. So,
between iwm 11n work, the rtwn/urtwn 11n/11ac USB work going on and my ath10k
work, I think we're heading in the right direction.

I'm hoping that once I get ath10k up in monitor, STA and AP mode, with crypto,
QoS and 11n working, the 11ac bits will be trivial - at which point I can
start on the 11ac stack pieces. I know what those stack pieces are and I've
started writing them down -
[https://wiki.freebsd.org/WiFi/80211ac](https://wiki.freebsd.org/WiFi/80211ac)
.

All of this is non-commercial btw - no-one is sponsoring any work on BSD
wireless at the present moment. If you'd like to help or contribute, please
consider talking and donating to the FreeBSD foundation, or consider funding
someone to help in these efforts.

Thanks!

adrian@freebsd.org

~~~
crudbug
Thanks Adrian. I am not a device drivers person. But, quick query - do you
reuse the current Linux drivers work [0].

Looking at the current client device deployment, Intel owns around 80% of the
Wi-Fi modem market. Is anybody from Intel working on BSD wireless drivers as
well.

[0]
[https://wireless.wiki.kernel.org/en/users/Drivers](https://wireless.wiki.kernel.org/en/users/Drivers)

~~~
kev009
There is reuse, for example iwm(4) is based on the Linux driver and pulls from
it. But the process is manual, not like the Linux-KPI graphics and OFED stuff.

It would be great if Intel stepped up to the plate and helped.

~~~
crudbug
I was thinking about a common driver interface similar to POSIX standard would
solve the problem of multiple OS device support on a single hardware platform.

There was an effort for Uniform Driver Interface (UDI)[0], looks like it is
dormant.

[0]
[http://wiki.osdev.org/Uniform_Driver_Interface](http://wiki.osdev.org/Uniform_Driver_Interface)

~~~
kev009
People will probably wrinkle their forehead :) but NDIS is that and a lot of
operating systems support it
[https://www.freebsd.org/cgi/man.cgi?query=ndis&sektion=4&man...](https://www.freebsd.org/cgi/man.cgi?query=ndis&sektion=4&manpath=freebsd-release-ports)

------
qwertyuiop924
Have they fixed the remnants of the update security hole? I haven't been
keeping up, so they might have done that already, but I thought I'd ask.

~~~
tete
Yes. They fixed the theoretical stuff and the things where you'd have required
to be root anyway.

~~~
loeg
In 11.0-RELEASE-p1, or just 11-STABLE? Do you have a link to the commits
landing in the RELEASE branch?

~~~
emaste
In 11.0-RELEASE-p1.

I merged them here:
[https://svnweb.freebsd.org/base?view=revision&revision=30637...](https://svnweb.freebsd.org/base?view=revision&revision=306379)

~~~
loeg
Great. Thanks, Ed.

------
ToTheLeft
[https://svnweb.freebsd.org/base?view=revision&revision=28719...](https://svnweb.freebsd.org/base?view=revision&revision=287197)

POLA violated.

Next FreeBSD will adopt ethX for wired networks and sdX for disks, and systemd
for init.

