We recap FOSDEM 2019, FreeBSD Foundation January update, OPNsense 19.1 released, the hardware-assisted virtualization challenge, ZFS and GPL terror, ClonOS 19.01-RELEASE, and more.
##Headlines
###FreeBSD Foundation Update, January 2019
Dear FreeBSD Community Member,
Happy New Year! It’s always exciting starting the new year with ambitious plans to support FreeBSD in new and existing areas. We achieved our fundraising goal for 2018, so we plan on funding a lot of work this year! Though it’s the new year, this newsletter highlights some of the work we accomplished in December. We also put together a list of technologies and features we are considering supporting, and are looking for feedback on what users want to help inform our 2019 development plans. Our advocacy and education efforts are in full swing as we prepare for upcoming conferences including FOSDEM, SANOG33, and SCaLE.
Finally, we created a year-end video to talk about the work we did in 2018. That in itself was an endeavor, so please take a few minutes to watch it! We’re working on improving the methods we use to inform the community on the work we are doing to support the Project, and are always open to feedback. Now, sit back, grab a refreshing beverage, and enjoy our newsletter!
Happy reading!!
Deb
###OPNsense 19.1 released
For more than four years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates, as well as clear and stable 2-Clause BSD licensing.
The 19.1 release, nicknamed “Inspiring Iguana”, consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That averages 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights, they would be: the firewall alias API is finally in place; the migration to HardenedBSD 11.2 has been completed; 2FA now works with a remote LDAP / local TOTP combination; and the OpenVPN client export was rewritten for full API support as well.
These are the most prominent changes since version 18.7:
- fully functional firewall alias API
- PIE firewall shaper support
- firewall NAT rule logging support
- 2FA via LDAP-TOTP combination
- WPAD / PAC and parent proxy support in the web proxy
- P12 certificate export with custom passwords
- Dpinger is now the default gateway monitor
- ET Pro Telemetry edition plugin
- extended IPv6 DUID support
- Dnsmasq DNSSEC support
- OpenVPN client export API
- Realtek NIC driver version 1.95
- HardenedBSD 11.2, LibreSSL 2.7
- Unbound 1.8, Suricata 4.1
- Phalcon 3.4, Perl 5.28
- firmware health check extended to cover all OS files, HTTPS mirror default
- updates are browser cache-safe regarding CSS and JavaScript assets
- collapsible side bar menu in the default theme
- language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
- API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins
Here are the full changes against version 19.1-RC2:
- ipsec: add firewall interface as soon as phase 1 is enabled
- ipsec: phase 1 selection GUI JavaScript compatibility fix
- monit: widget improvements and bug fix (contributed by Frank Brendel)
- ui: fix regression in single host or network subnet select in static pages
- plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
- plugins: os-telegraf 1.7.4 fixes packet filter input
- plugins: os-theme-rebellion 1.8.2 adds image colour invert
- plugins: os-vnstat 1.1
- plugins: os-zabbix-agent now uses Zabbix version 4.0
- src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
- src: update sqlite3-3.20.0 to sqlite3-3.26.0
- src: import tzdata 2018h, 2018i
- src: avoid unsynchronized updates to kn_status
- ports: ca_root_nss 3.42
- ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
- ports: sudo patch to fix listpw=never
##News Roundup
###The hardware-assisted virtualization challenge
Over two years ago, I made a pledge to use NetBSD as my sole OS and only operating system, and to resist booting into any other OS until I had implemented hardware-accelerated virtualization in the NetBSD kernel (the equivalent of Linux’ KVM, or Hyper-V).
Today, I am here to report: Mission Accomplished!
It’s been a long road, but we now have hardware-accelerated virtualization in the kernel! And while I had only initially planned to get Oracle VirtualBox working, I have with the help of the Intel HAXM engine (the same backend used for virtualization in Android Studio) and a qemu frontend, successfully managed to boot a range of mainstream operating systems.
###ZFS and GPL terror: How much freedom is there in Linux?
ZFS is today's most advanced filesystem. It originated on the Solaris operating system and thanks to Sun’s decision to open it up, we have it available on quite a number of Unix-like operating systems. That’s just great! Great for everyone.
For everyone? Nope. There are people out there who don’t like ZFS. Which is totally fine, they don’t need to use it after all. But worse: There are people who actively hate ZFS and think that others should not use it. Ok, it’s nothing new that some random guys on the net are acting like assholes, trying to tell you what you must not do, right? Whoever has been online for more than a couple of days probably already got used to it. Unfortunately it's still worse: One such spoilsport is Greg Kroah-Hartman, Linux guru and informal second-in-command after Linus Torvalds.
There have been some attempts to defend the stance of this kernel developer. One was to point at the fact that the “ZFS on Linux” (ZoL) port uses two kernel functions, __kernel_fpu_begin() and __kernel_fpu_end(), which have been deprecated for a very long time and that it makes sense to finally get rid of them since nothing in-kernel uses them anymore. Nobody is going to argue against that. The problem becomes clear by looking at the bigger picture, though:
The need for functions doing just what the old ones did has of course not vanished. The functions have been replaced with other ones. And those ones are deliberately made GPL-only. Yes, that’s right: There’s no technical reason whatsoever! It’s purely ideology – and it’s a terrible one.
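The practical effect of a symbol being exported with EXPORT_SYMBOL_GPL is that a module declaring a non-GPL license (such as ZoL's CDDL code) can no longer link against it. As an added example, not from the blog post or from the ZoL project, here is a POSIX shell check that takes a kernel build's Module.symvers and the symbols an out-of-tree module needs, and reports which of them are GPL-only or not exported at all; the Module.symvers excerpt below is constructed for illustration, not taken from any real kernel build.

```shell
#!/bin/sh
# Constructed Module.symvers excerpt (illustrative, not from a real build).
# Real files are tab-separated: <crc> <symbol> <exporting object> <export type>
# (newer kernels append a namespace column); awk's default splitting handles both.
SYMVERS_SAMPLE='0x00000001 printk vmlinux EXPORT_SYMBOL
0x00000002 kernel_fpu_begin vmlinux EXPORT_SYMBOL_GPL
0x00000003 kernel_fpu_end vmlinux EXPORT_SYMBOL_GPL
0x00000004 vmalloc vmlinux EXPORT_SYMBOL'

# gpl_only_deps SYMVERS_FILE SYMBOL...
# Prints one line per problem symbol: the bare name when the build exports it
# GPL-only (unusable from a module whose MODULE_LICENSE is not GPL-compatible),
# or "<name> UNEXPORTED" when the build does not export it at all.
# Symbols exported with plain EXPORT_SYMBOL produce no output.
gpl_only_deps() {
    symvers=$1
    shift
    for sym in "$@"; do
        type=$(awk -v s="$sym" '$2 == s { print $4; exit }' "$symvers")
        case "$type" in
            EXPORT_SYMBOL_GPL*) printf '%s\n' "$sym" ;;
            "") printf '%s UNEXPORTED\n' "$sym" ;;
        esac
    done
}

# count_blockers SYMVERS_FILE SYMBOL... : number of symbols that would stop
# a non-GPL module from building or loading against this kernel.
count_blockers() {
    gpl_only_deps "$@" | wc -l | tr -d ' '
}

# Stand-alone run: write the constructed excerpt to a temp file and check the
# symbols the article discusses plus one ordinary export.
tmp=$(mktemp)
printf '%s\n' "$SYMVERS_SAMPLE" > "$tmp"
gpl_only_deps "$tmp" printk kernel_fpu_begin kernel_fpu_end __kernel_fpu_begin
rm -f "$tmp"
```

Against a real tree the symbol list comes from the module's undefined symbols (`nm -u module.ko`) and the file is the `Module.symvers` in the kernel build directory.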
###ClonOS 19.01-RELEASE
ClonOS is a turnkey open source platform based on FreeBSD and the CBSD framework. ClonOS offers a complete web UI for easily controlling, deploying and managing FreeBSD jail containers and Bhyve/Xen hypervisor virtual environments.
ClonOS is currently the only platform available which allows both the Xen and Bhyve hypervisors to coexist on the same host. Being a FreeBSD-based platform, ClonOS's ability to create and manage jails allows you to run FreeBSD applications without losing performance.
Features:
- easy management via web UI interface
- live Bhyve migration [coming soon, roadmap]
- Bhyve management (create, delete VM)
- Xen management (create, delete VM) [coming soon, roadmap]
- connection to the “physical” guest console via VNC from the browser or directly
- real time system monitoring
- access to load statistics through SQLite3 and beanstalkd
- support for ZFS features (cloning, snapshots)
- import/export of virtual environments
- public repository with virtual machine templates
- puppet-based helpers for configuring popular services
ClonOS is a free open-source FreeBSD-based platform for creating and managing virtual environments. At its core:
- FreeBSD OS as host platform
- bhyve(8) as hypervisor engine
- Xen as hypervisor engine
- vale(4) as Virtual Ethernet Switch
- jail(8) as container engine
- CBSD Project as management tools
- Puppet as configuration management
##Beastie Bits
##Feedback/Questions