FreeBSD 9.0 introduces many new security, compiler, filesystem, networking, and other features. Key additions include the Capsicum security framework, LLVM/Clang compilers, ZFSv28 with deduplication and triple parity RAIDZ, resource accounting and limits, IPv6 support improvements, and performance enhancements to SSH, USB 3.0, and NFS.
Lavigne bsdmag-jan2012

What's New in FreeBSD 9.0
Dru Lavigne, BSD Magazine 01/2012 (www.bsdmag.org)

This article provides an overview of some of the new features available in FreeBSD 9.0.

FreeBSD 9.0-RELEASE introduces many new features which benefit FreeBSD users, application developers, and companies that use or base their products on FreeBSD. This article provides an overview of some of these features, including references to additional information. It does not list all of the new features, as the FreeBSD 9.0 Detailed Release Notes, available from freebsd.org, contain a summary of all the changes introduced in 9.0.

This article discusses features in the following categories: security, compilers and testing frameworks, filesystems and storage, networking, and miscellaneous.

Security

Capsicum Framework
Capsicum is a lightweight framework which extends a POSIX UNIX kernel to support new security capabilities and adds a userland sandbox API. It was originally developed as a collaboration between the University of Cambridge Computer Laboratory and Google, sponsored by a grant from Google, with FreeBSD as the prototype platform and Chromium as the prototype application. FreeBSD 9.0 provides kernel support as an experimental feature for researchers and early adopters. Application support will follow in a later FreeBSD release, and there are plans to provide some initial Capsicum-protected applications in FreeBSD 9.1.

Traditional access control frameworks are designed to protect users from each other through the use of permissions and mandatory access control policies. However, they cannot protect the user when an application, such as a web browser, processes many potentially malicious inputs, such as HTML, scripting languages, and untrusted images. Capsicum provides application developers fine-grained control over files and network sockets to provide privilege separation within an application, with minimal code changes. In other words, it provides application compartmentalisation, allowing the application itself to provide many different sandboxes to contain its various elements. As an example, each tab in the Chromium browser has its own sandbox; it is also possible to contain each image in its own sandbox. Creating sandboxes under Capsicum does not require privilege, a key problem with current UNIX sandbox approaches.

As an example, the insecure tcpdump application can be sandboxed with Capsicum in about 10 lines of code and the Chromium web browser can be sandboxed in about 100 lines of code. capsicum(4) provides an overview of the available system calls. More information, including links to technical publications, projects, and a mailing list, can be found at the Capsicum website: http://www.cl.cam.ac.uk/research/security/capsicum/.

Resource Limits
rctl(8) has been added to the system, allowing the user to display the current resource limits and to define what action will occur when a process exceeds its limits. Resource rules can be applied to processes, users, login classes, or jails.
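The rctl rule syntax is not spelled out above, so here is an added sh example (written for this page, not code from the article or from FreeBSD) that builds and validates rules in the rctl(8) form subject:subject-id:resource:action=amount[/per] before they are committed to /etc/rctl.conf. The subject, resource and action vocabularies, the digits-plus-suffix amount syntax and the sample rules are assumptions drawn from my reading of rctl(8); check them against the manual page on the host. It runs on any POSIX sh because it only checks the text of the rules; applying them is still rctl's job on FreeBSD.

```shell
#!/bin/sh
# Added example (not from the article): build and validate rctl(8) rules of
# the form subject:subject-id:resource:action=amount[/per] before they go
# into /etc/rctl.conf. The subject, resource and action names below follow
# rctl(8) as the author of this example understands it; confirm them against
# the manual page on the target host.

RCTL_SUBJECTS="process user loginclass jail"
RCTL_RESOURCES="cputime datasize stacksize coredumpsize memoryuse memorylocked
maxproc openfiles vmemoryuse pseudoterminals swapuse nthr"
RCTL_ACTIONS="deny log devctl sighup sigint sigterm sigkill sigusr1 sigusr2"

# in_list WORD LIST: succeed if WORD is one of the whitespace-separated items
in_list() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# rctl_rule SUBJECT ID RESOURCE ACTION AMOUNT [PER]
# Prints the rule on success; on any malformed field prints a diagnostic to
# stderr and returns 1.
rctl_rule() {
    subj=$1 id=$2 res=$3 act=$4 amt=$5 per=${6:-}
    in_list "$subj" "$RCTL_SUBJECTS" || { echo "bad subject: $subj" >&2; return 1; }
    in_list "$res" "$RCTL_RESOURCES" || { echo "bad resource: $res" >&2; return 1; }
    in_list "$act" "$RCTL_ACTIONS" || { echo "bad action: $act" >&2; return 1; }
    # subject-id: a name, uid, pid or jid; process ids must be numeric
    case $id in
        ""|*[!A-Za-z0-9_.-]*) echo "bad subject-id: $id" >&2; return 1 ;;
    esac
    if [ "$subj" = process ]; then
        case $id in *[!0-9]*) echo "process id must be numeric: $id" >&2; return 1 ;; esac
    fi
    # amount: decimal digits with one optional k/m/g/t suffix (e.g. 512m)
    case $amt in
        *[kmgtKMGT]) num=${amt%?} ;;
        *) num=$amt ;;
    esac
    case $num in
        ""|*[!0-9]*) echo "bad amount: $amt" >&2; return 1 ;;
    esac
    # optional /per: the subject the amount is counted over
    if [ -n "$per" ] && ! in_list "$per" "$RCTL_SUBJECTS"; then
        echo "bad per: $per" >&2; return 1
    fi
    printf '%s:%s:%s:%s=%s%s\n' "$subj" "$id" "$res" "$act" "$amt" "${per:+/$per}"
}

# rctl_check_file FILE: validate every non-comment line, report a count and
# succeed only if all rules are well formed
rctl_check_file() {
    n=0 bad=0
    while IFS=':=/' read -r s i r a m p rest; do
        case $s in ""|"#"*) continue ;; esac
        n=$((n + 1))
        if [ -n "$rest" ] || ! rctl_rule "$s" "$i" "$r" "$a" "$m" "$p" >/dev/null; then
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$n rules, $bad invalid"
    [ "$bad" -eq 0 ]
}

# Demonstration on a constructed rctl.conf (the last line is deliberately wrong)
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, not from the article
user:1001:maxproc:deny=100/user
jail:www:memoryuse:deny=512m
loginclass:users:openfiles:log=1024
process:4242:cputime:sigterm=3600
group:staff:maxproc:deny=10
EOF
rctl_check_file "$conf"    # prints: 5 rules, 1 invalid
rm -f "$conf"
```

Running the check before rctl loads the file catches a mistyped subject or resource at edit time rather than at boot, and because the `/per` field decides which subject the amount is counted over, a rule that accidentally omits it can be spotted in review.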
The racct API tracks per-process, per-jail, per-loginclass, and per-user resource accounting information. More information about resource limits and rctl can be found at http://wiki.freebsd.org/Hierarchical_Resource_Limits.

Compilers and Testing Frameworks

LLVM Compiler Infrastructure
LLVM is a BSD-licensed compiler infrastructure with similar capabilities to the GPL3-licensed GCC compiler collection. Clang is the C, C++, Objective C, and Objective C++ front-end to LLVM and provides an alternative programming environment for developers and companies who prefer to use a BSD-licensed toolchain.

In addition to being BSD-licensed, Clang improves developer productivity with significantly improved error messages and a static code analyzer. The compiler is easily extendable to support research on new language features or code instrumentation.

Beginning with FreeBSD 9.0, the FreeBSD kernel and world can be compiled using Clang on most of the supported architectures. Work is ongoing to migrate the ports infrastructure so that any port can also be compiled with Clang. Details about architecture support, link time optimizations, automatic test generation, and links to additional resources can be found at http://wiki.freebsd.org/BuildingFreeBSDWithClang.

More information about Clang can be found at http://clang.llvm.org/ and more information about LLVM is available from http://www.llvm.org/.

A video of Brooks Davis describing how the FreeBSD Project has been actively working to incorporate tools from the LLVM project into the base system is available at http://www.youtube.com/watch?v=yVaNAm8jR_U. You can follow the status of the ports infrastructure with regard to Clang at http://wiki.freebsd.org/PortsAndClang.

Userland DTrace
DTrace is a general purpose, lightweight tracing framework that allows administrators, developers, and users to investigate causes of system failure or performance bottlenecks. FreeBSD introduced kernel-level DTrace support in FreeBSD 8.0. The addition of user-level DTrace support in 9.0 allows inspection of userland software and its correlation with the kernel, thus providing a much better picture of what exactly is going on behind the scenes.

http://wiki.freebsd.org/DTrace provides examples for using both kernel- and user-level DTrace on FreeBSD, as well as links to other DTrace resources.

Filesystems and Storage

Highly Available Storage (HAST)
The Highly Available Storage framework allows for synchronous, block-level replication of any storage media across several physically separated machines connected by a TCP/IP network. HAST can be understood as a network-based mirror, similar to Linux DRBD. When combined with FreeBSD's carp(4), HAST makes it possible to build a highly available storage cluster that is resistant to hardware failures.

HAST is file system and application independent and can be combined with any existing GEOM class. In case of a primary node failure, the cluster will automatically switch to the secondary node, check and mount the UFS file system or import the ZFS pool, and continue to work without missing a single bit of data.

The FreeBSD Handbook describes how to configure HAST: http://www.freebsd.org/doc/handbook/disks-hast.html.

SU+J
Journaled soft updates for UFS is now the default filesystem type. It adds a light version of journaling to soft updates, as described in this technical paper: http://www.mckusick.com/BSDCan/bsdcan2010.pdf. This significantly reduces boot time after an improper shutdown, as a background fsck only needs to be run if there is a corruption of the journal log.

ZFSv28
FreeBSD 9.0 ships with ZFSv28. This version of ZFS adds the following features:

• deduplication: the process of eliminating duplicate copies of data. When enabled on datasets with duplicate data (for example, virtual images or jails), deduplication saves space and increases performance because less data is written and stored.
• triple parity RAIDZ: RAIDZ3 offers three parity drives and can operate in degraded mode if up to three drives fail, with no restrictions on which drives can fail.
• zfs diff: a command which describes which file system level changes have occurred between two snapshots.
• zpool split: allows an administrator to extract one disk from each mirrored top-level vdev and use them to create a new pool with an exact copy of the data. The new pool can then be imported on any machine.
• snapshot holds: permit users or applications to place holds on snapshots to prevent them from being deleted.
• zpool import -F: allows the administrator to rewind a corrupted pool to an earlier transaction group.
• the ability to import a zpool as read-only.

Generic GEOM I/O Scheduler Framework
This framework supports scheduling disk I/O requests in a device independent manner, so that multiple disk I/O schedulers can be used on different I/O providers. The framework provides a couple of sample scheduling algorithms that use the framework and implements two forms of anticipatory scheduling.

The ability to create different I/O schedulers allows users to select the I/O scheduler best suited to the task. This can increase responsiveness in certain kinds of I/O workloads, such as a mix of sequential and random I/O. Examples of how to use the provided schedulers can be found at http://svnweb.freebsd.org/base/head/sys/geom/sched/README?view=markup&pathrev=206497.

Changes to CAM and AHCI SATA
The new ATA/SATA driver supports AHCI-compliant hardware, port multipliers, and NCQ (tagged queueing) for increased performance on modern SATA drives. Performance has been greatly increased, larger data transfers are supported, and hot-plugging support is much improved. ATA/SATA drives can now be enumerated and manipulated via camcontrol(8), just like SCSI drives.

The cam(4) subsystem is now modularized, and the addition of the ATA/SATA modules allows the CAM subsystem to grow into a framework for arbitrary transports and protocols. It also allows drivers to be written to support discrete hardware without jeopardizing the stability of non-related hardware.

Changes to Event Timer Infrastructure
The new event timers infrastructure provides unified APIs for writing event timer drivers and for choosing the best possible drivers by machine independent code. It provides support for both per-CPU and global timers in periodic and one-shot modes for the i386 and amd64 architectures.

To improve performance in virtual machines and power usage in laptops, dynamic tick mode is enabled by default, replacing the periodic hardware timer interrupt ticking with one-shot variable-time ticks. This saves CPU time which would otherwise be spent handling timer interrupts which have no work assigned to them. Tickless mode can be turned off by setting the sysctl value of kern.eventtimer.periodic to 1. Technical details about dynamic tick mode can be found at http://permalink.gmane.org/gmane.os.freebsd.architecture/13276.

Networking

Five New TCP Congestion Control Algorithms
The Centre for Advanced Internet Architectures at Swinburne University of Technology, with the support of the Cisco University Research Program Fund at Community Foundation Silicon Valley and the FreeBSD Foundation, delivered enhancements to FreeBSD's TCP stack in order to support newer congestion control algorithms. These enhancements included a modular framework for adding future algorithms as well as new modular implementations of the H-TCP, CUBIC, Vegas, HD, and CHD algorithms. Each congestion control algorithm is implemented as a loadable kernel module. Algorithms can be selected to suit the application/network characteristics and requirements of the host's installation. The modular framework makes it much easier for developers to implement new algorithms, allowing FreeBSD's TCP stack to be at the forefront of advancements in this area, while still maintaining the stability of its network stack.

Links to technical papers regarding the framework and algorithms can be found at http://caia.swin.edu.au/freebsd/5cc/.

"IPv6-Only"
FreeBSD has been on the leading edge of IPv6 development ever since FreeBSD 4.0 was released in 2000 with the KAME reference implementation of IPv4/IPv6 networking support. In addition, the FreeBSD Project has been serving releases from IPv6-enabled servers for more than 8 years, and FreeBSD's website, mailing lists, and developer infrastructure have been IPv6-enabled since 2007.

Beginning with FreeBSD 9.0, no-IPv4 snapshots of FreeBSD are available. By completely decoupling IPv6 from IPv4, early adopters and developers can determine if "IPv6-ready" applications really are ready for IPv6 or if bugs were hidden due to the ability to fall back on IPv4. Providing an implementation of an IPv6-only kernel without IPv4 support gives the FreeBSD Project the ability to test and fix such regressions while encouraging other software developers to improve their code for true IPv6 readiness. More information about no-IPv4 versions of FreeBSD is available from http://www.freebsd.org/ipv6/.
To support IPv6-only, rtadvd(8) and rtsold(8) were completely overhauled to support RFC 6106. rtsold can now update /etc/resolv.conf using the openresolv DNS management framework (http://roy.marples.name/projects/openresolv). An optional kernel module is available to provide Secure Neighbor Discovery protocol (SeND) support; SeND is described in RFC 3971.

Continuing earlier efforts, more global options can now be controlled on a per-interface basis, such as the ability to accept router advertisements on one interface while still forwarding. This is needed to effectively run FreeBSD as an IPv6 CPE device. The single /etc/rc.conf option ipv6_cpe_wanif will correctly set all sysctls and interface options to make creating a CPE as easy as possible.

High Performance SSH (HPN-SSH)
OpenSSH's network performance is limited by statically defined internal flow control buffers. These buffers often end up acting as a bottleneck for the network throughput of SCP, especially on long and high bandwidth network links. HPN-SSH adds support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes such as 100Mbps or greater, trans-oceanic, or trans-continental links. Bandwidth-delay products up to 64MB are also supported. This implementation includes a multithreaded cipher implementation which makes such bandwidth sustainable on the CPU side.

HPN is enabled by default in FreeBSD 9.0's sshd, and several HPN options have been added to /etc/ssh/sshd_config. These options, as well as some performance tips, are described in http://svnweb.freebsd.org/base/head/crypto/openssh/README.hpn?revision=224638&view=markup.

Miscellaneous
Several other features are also worth mentioning:

• large-scale SMP support for systems with more than 32 CPUs. Previously, the kernel structures were unable to account for such a large number of CPUs, so this work implements extensible CPU accounting. Yahoo! provided systems for testing these changes.
• improved USB 3.0 support.
• the default NFS client and nfsd(8) now support NFSv4. Backwards compatibility for older NFS clients is provided with the oldnfs mount type.
• a new kernel-mode NFS lock manager has been added, improving the performance and behavior of NFS locking. A new clear_locks(8) command has been added to clear locks held on behalf of an NFS client.
• sysinstall has been replaced with bsdinstall. Its features are described at http://wiki.freebsd.org/BSDInstall and its usage is detailed in the FreeBSD Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bsdinstall.html.
• the kernel now supports a new textdump(4) format of kernel dumps. A textdump provides higher-level information via mechanically generated/extracted debugging output, rather than a simple memory dump. This facility can be used to generate brief kernel bug reports that are rich in debugging information, but are not dependent on kernel symbol tables or precisely synchronized source code.
• FreeBSD 9.0 can be installed on the Sony Playstation 3 using the instructions at http://people.freebsd.org/~nwhitehorn/ps3/README.
• call and return rule actions were added to ipfw(8): http://svnweb.freebsd.org/base?view=revision&revision=223666.

Conclusion
With the release of FreeBSD 9.0, the FreeBSD Project continues to innovate in the areas of security, compilers, filesystems, and networking. You can find out more information about the FreeBSD Project and download FreeBSD 9.0 from freebsd.org.

DRU LAVIGNE
Dru Lavigne is author of BSD Hacks, The Best of FreeBSD Basics, and The Definitive Guide to PC-BSD. As Director of Community Development for the PC-BSD Project, she leads the documentation team, assists new users, helps to find and fix bugs, and reaches out to the community to discover their needs. She is the former Managing Editor of the Open Source Business Resource, a free monthly publication covering open source and the commercialization of open source assets. She is founder and current Chair of the BSD Certification Group Inc., a non-profit organization with a mission to create the standard for certifying BSD system administrators, and serves on the Board of the FreeBSD Foundation.
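The HPN options added to sshd_config are not listed in the HPN-SSH section above. As an added sh example (not code from the article, from FreeBSD or from the HPN-SSH project), the following reports the effective HPN settings of an sshd_config and flags NoneEnabled, the HPN option that lets a client switch to the unencrypted None cipher after authentication. The keyword names HPNDisabled, HPNBufferSize, TcpRcvBufPoll and NoneEnabled, the defaults applied when a keyword is absent (HPNDisabled no, TcpRcvBufPoll yes, NoneEnabled no) and the first-occurrence-wins parsing are assumptions based on the HPN-SSH documentation and sshd_config(5); confirm them against the README.hpn linked above. The configuration fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the article): report the effective HPN settings in
# an sshd_config and flag the one that weakens security. Keyword names and
# defaults (HPNDisabled, HPNBufferSize, TcpRcvBufPoll, NoneEnabled) are taken
# from the HPN-SSH documentation as the author of this example understands
# it; check them against README.hpn on the target host.

# sshd_opt FILE KEYWORD: print the effective value of KEYWORD. Like sshd,
# keywords are case-insensitive, "Key value" and "Key=value" are both
# accepted, and the first occurrence wins.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, kv, /[ \t=]+/)
            if (n >= 2 && tolower(kv[1]) == key) { print kv[2]; exit }
        }' "$1"
}

# hpn_audit FILE: print the effective HPN settings on one line (assumed
# defaults applied where a keyword is absent) and return 1 if the None
# cipher is enabled, since that lets a client switch to an unencrypted
# session after authentication.
hpn_audit() {
    f=$1
    disabled=$(sshd_opt "$f" HPNDisabled); disabled=${disabled:-no}
    bufsize=$(sshd_opt "$f" HPNBufferSize); bufsize=${bufsize:-unset}
    poll=$(sshd_opt "$f" TcpRcvBufPoll); poll=${poll:-yes}
    none=$(sshd_opt "$f" NoneEnabled); none=${none:-no}
    echo "HPNDisabled=$disabled HPNBufferSize=$bufsize TcpRcvBufPoll=$poll NoneEnabled=$none"
    case $(printf '%s' "$none" | tr 'A-Z' 'a-z') in
        yes|true)
            echo "FAIL: NoneEnabled is on; set 'NoneEnabled no' so traffic stays encrypted" >&2
            return 1 ;;
    esac
    return 0
}

# Demonstration on a constructed sshd_config: the first NoneEnabled line is
# the one sshd honours, so the later "no" does not rescue the configuration.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config fragment, not from the article
Port 22
HPNDisabled no
HPNBufferSize 2048
NoneEnabled yes
NoneEnabled no
EOF
hpn_audit "$cfg"   # prints the settings line, then FAIL on stderr
rm -f "$cfg"
```

The first-match rule matters for review: an audit that greps for the last `NoneEnabled` line would pass the fragment above even though sshd would run with the None cipher permitted. Running `hpn_audit /etc/ssh/sshd_config` after an upgrade to 9.0 shows whether the newly default-enabled HPN code has been left with only its throughput options, which is what the article describes, or has also had the cipher downgrade switched on.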