EuroBSDcon 2011 Talks
Schedule (preliminary)
Saturday - October 8th 2011
Sunday - October 9th 2011
Keynote talks
What must we learn from Diginotar (and other data breaches)
About the author
Hans Van de Looy
Hans Van de Looy is the founder of Madison Gurkha. He assists
organisations in establishing their baseline security and keeping it
up-to-date, specifically by performing pentests. He is a well-known
speaker at (international) conferences, guest lecturer at universities
and colleges, and regularly publishes in (online) journals about security
and breaking in. His interests include, but are not limited to: security
in the broadest sense (including pastimes such as "Lock Picking"),
photography, flying quadcopters and touring with trikes.
The eight-fold path to reliable operating systems.
About the author
Herbert Bos
Herbert Bos is an associate professor at VU University Amsterdam (aka
the Vrije Universiteit). He obtained his PhD from the University of
Cambridge (UK). After a brief stint at KPN Research in the
Netherlands, he moved to Leiden University as an assistant-professor.
Approximately four years later Herbert joined VU University Amsterdam,
where he heads a research group involved mostly in high-speed
networking, security and operating systems. In 2010, he became the
first and so far only computer scientist in the Netherlands to win an
ERC Ideas Starting Grant to work on reverse engineering of C binaries.
Systems developed by his group include the popular Argos intrusion
detection system and the Streamline architecture for high-speed network
processing. In addition, Herbert is involved in the development of the
Minix 3 Operating System. He has published papers in many leading
journals and conference proceedings and served on the program
committees of venues like SOSP, EUROSYS, ASPLOS, CCS, and Security and
Privacy.
All talks, alphabetically by speaker
Sendmail - History and design
Eric Allman
Abstract
Sendmail Revisited -- In which a mailer gets created, several networks
get connected, billions upon billions of emails are sent, a book is
written, a company is founded, and one person ends up in a totally
unexpected and surprisingly long-lived career.
This talk will give insight into how to design and build a system that
will survive a long time.
About the author
Eric Allman is the original author of Sendmail, co-founder and Chief
Scientist of Sendmail, Inc., and co-author of Sendmail, published by
O'Reilly and Associates. He has presented numerous papers on email and
programming and while at U.C. Berkeley, he was the chief programmer
on the INGRES relational database management project. He then led the
Mammoth project to provide large-scale research software and hardware
infrastructure. He has also designed database user and application
interfaces at Britton Lee (later Sharebase) and has contributed to the
Ring Array Processor project for neural-network-based speech recognition
at the International Computer Science Institute.
For several years he co-authored the "C Advisor" column for Unix Review
magazine and is on the Editorial Review Board of ACM Queue magazine, the
Board of Trustees of Cal Performances, and is a former member of the
Board of Directors of the USENIX Association. He has been active with
the IETF (most recently as co-author of the DomainKeys Identified Mail
specification). He received his M.S. in Computer Science from Berkeley
in 1980.
Eric's work has had an extraordinary effect on communications throughout
the world, one that has touched all of us in some way or another.
OpenBSD PF's 10th anniversary
Henning Brauer, Ryan McBride
Abstract
2011 marks the 10th anniversary of OpenBSD's packet filter PF, and in
May the project will ship its 20th release containing this firewall
implementation. This talk will present an illustrated history of PF's
evolution over this period, with highlights of the major changes,
adoption by other projects, and other points of interest. In addition
to presenting summary performance data for all 20 releases of OpenBSD
containing PF, Henning will also present more detailed "best case" and
"worst case" performance data for the current version of PF on a variety
of popular hardware platforms.
Henning has been involved with PF since its inaugural release
with OpenBSD 3.0. In addition to actively developing the code, he
was possibly the first person to run it in a commercial production
environment.
About the authors
Henning Brauer is 32 and lives in Hamburg, Germany. He has been running
the Internet Service Provider "BS Web Services" there for more than 10
years.
He joined OpenBSD in 2002 and has been working on many things, most
network related, since. He started OpenBGPD and OpenNTPD. The framework
he has written for bgpd is used by almost all newer daemons in
OpenBSD. He has been working on the OpenBSD packet filter, pf, from the
beginning and is now one of the heads behind it. When he's not hacking
you can find him mountain biking, traveling, and hiking, or in one of
the many bars in his neighborhood with his friends.
Ryan has years of experience wearing a suit in the Information Systems
industry, working with public, private, and non-profit organisations
ranging in size from small office to "Fortune 50".
His experience includes security policy development, software
development, VPN design and deployment, firewall configuration, and IDS
deployment and monitoring. When not wearing a tie, Ryan amuses himself
by working on OpenBSD's networking code.
Practical Data Protection In 2011
Alistair Crooks
Abstract
This paper looks at various methods of protecting data from corruption
at rest or during transmission. Some of the methods are old, but have
been given a new slant by new code. Other methods showcase new codes
and new techniques which have, until now, not been present or used in
any BSD variant. Four different types of protection are presented:
detection of changes to data, erasure coding, encryption, and dispersal
of information redundantly, and various libraries and utilities are
presented to show how data can be protected when faced with challenges
in each of these categories. Legacy solutions are examined, and their
benefits and drawbacks listed. Threshold schemes for data protection
are presented, providing a more flexible and scalable approach than
existing RAID solutions, for example, whilst preserving data from being
exposed to snooping methods. Erasure coding methods are presented, as
are one-time shared key schemes, in which a threshold number of users
can decrypt a secret; knowledge of that secret does not give any other
privilege. The examination concludes by presenting practical methods -
libraries and programs - of protecting our data.
About the author
Alistair Crooks is the founder of pkgsrc, a NetBSD core member for 12
years, and has just finished a 6 year gig as President of the NetBSD
Foundation. He has written various pieces of software, including
netpgp, iSCSI target and initiator, and user(8); he lives in Cupertino,
California, with his wife, children, mountain bike and slippers.
[paper]
Improving System Management With ZFS
Brooks Davis
Abstract
The Zettabyte File System (ZFS) is a modern file system which combines
traditional file system features like a POSIX file system interface with
RAID and volume management functionality. Features such as snapshot
management and file share management are all handled within the ZFS
interface. This management interface provides a number of opportunities
to simplify system management. In the Technical Computing Services
Sub-division of The Aerospace Corporation we are taking advantage of these
features in a number of different ways. This paper presents some of the
more interesting ones.
ZFS Basics
This section will provide a brief overview of ZFS operations and in
particular the two ZFS command line tools zpool and zfs. Features we
plan to use later will be introduced including making snapshots, cloning
snapshots, promoting snapshots, setting attributes including user
defined ones on file systems, and using zfs send/receive to transfer
snapshots.
Simple ZFS Use
This section will provide a few simple examples of how we use ZFS
for home directories and mailing list archive storage. The goal is
to provide a little background on ZFS and reinforce the idea that
administrators tend to create a LOT of file systems in normal ZFS
operations. Some of the issues this can cause will also be covered.
Fixing Mirror Problems With ZFS
One of the more vexing problems when running a mirror server is the
issue of partial and thus non-functional mirror updates where available
packages do not match the package database. In the past we adopted a
strategy where we performed an integrity check after each rsync and
restarted immediately if the mirror was inconsistent. This is fairly
effective, but during new releases this can leave the repository out of
sync for a significant period of time. We will demonstrate a solution to
this problem using ZFS clone and promote operations.
Efficient Replication With ZFS Metadata
Replication of snapshots for disaster recovery is a common practice. In
this section we will present our method of using a combination of ZFS
send/receive and ZFS metadata to let us store all configuration data,
including replica destinations and last snapshots, in ZFS attributes. We
use this system to replicate projects in Aerosource, our internal
SourceForge-like infrastructure.
More ZFS Metadata
On Aerosource we also use metadata to store project configuration data
in place of storing it in configuration files. This keeps all the data
in one place and directly ties project configuration to project
storage.
Summary
This paper presents a few ways ZFS features can be used to provide
enhanced integration with applications. By taking advantage of these
features we have reduced the number of configuration files in our
environment and improved overall robustness. We hope these ideas
inspire our readers to try integrating advanced ZFS features in their
environment and to help grow the set of ZFS patterns and tools available
today.
About the author
[slides]
Highly Available Storage for FreeBSD
Pawel Jakub Dawidek
Abstract
HAST stands for Highly Available STorage. It provides block-level
data replication over the TCP/IP network that can be used for
Primary-Secondary cluster setups. The talk will provide more details
about HAST and will demonstrate how to configure and use HAST
(hopefully).
HAST allows data to be stored transparently on two physically separated
machines connected over a TCP/IP network. Those two machines together
compose a cluster. HAST works in a Primary-Secondary (Master-Backup,
Master-Slave) configuration, which means that only one of the cluster
nodes can be active at any given time. The active node is called the
primary node. This is the node that is able to handle I/O requests to
HAST-managed devices. Currently HAST is limited to two cluster nodes in
total.
HAST operates at block level: it provides disk-like devices in the
/dev/hast/ directory for use by file systems and/or applications.
Working at block level makes it transparent to file systems and
applications. There is no difference between using a HAST-provided
device and a raw disk, partition, etc. All of them are just regular GEOM
providers in FreeBSD.
HAST can be compared to a RAID1 (mirror) where one of the components is
a local disk (on the primary node) and the second component is a disk on
the remote machine (secondary node). Every write, delete or flush operation
(BIO_WRITE, BIO_DELETE, BIO_FLUSH) is sent to the local disk and to the
remote disk over the TCP connection (if the secondary node is available).
Every read operation (BIO_READ) is served from the local disk, unless the
local disk isn't up-to-date or an I/O error occurs; in that case the read
operation is sent to the secondary node (if it is, of course, available).
About the author
Pawel Jakub Dawidek is a CTO at Wheel Systems and an active FreeBSD
committer who lives and works in Warsaw, Poland; he is the author of a
widely-used VPN, multiple factor authentication/authorization system for
e-banking.
He is also the author or a contributor to several important security-
and storage-related FreeBSD components, including the GELI encrypted
disk subsystem, portions of the FreeBSD IPSEC stack, Jail sandboxing,
the ZFS file system port, highly-available storage layer, and RAID
storage transform modules.
BSD Multiplicity: An applied survey of BSD multiplicity and virtualization strategies from chroot to BHyVe
Michael Dexter
Abstract
Ever since the University of California, Berkeley Computer Science
Research Group implemented the chroot(8) command in its "Berkeley
Software Distribution" operating system in 1982, the community-developed
BSD derivatives have set the standard for the introduction of plurality
to the conventionally-singular layers of the Unix model. Today's system
operators and developers have an array of multiplicity strategies
at their disposal that offer various degrees of both isolation and
virtualization. This paper will survey established BSD multiplicity
strategies including chroot, jail, Xen, Amazon EC2, compat_linux,
VMware, SIMH, GXemul and QEMU, plus experimental strategies such as
FreeBSD BHyVe, sysjail and mult. As an applied survey, this paper will
both categorize each multiplicity strategy by the Unix layer that it
introduces multiplicity to, and demonstrate the usage of the utilities
that are related to the solution. The reader will thus be provided a set
of working examples that they can implement on their own. Finally, this
paper will also highlight applicable system management strategies that
are available outside the base operating systems, such as Puppet and
CFEngine.
About the author
Michael has used BSD Unix systems since 1991 and wrote his first FreeBSD
jail management system in 2005. Dissatisfied with existing multiplicity
solutions, he has sponsored the BSD.lv sysjail and mult multiplicity
research projects and took his BSD support public with the formation of
BSD Fund in 2007. Michael now works independently and lives with his
wife and daughter in Portland, Oregon.
Beastie Meets Raccoon: MINIX 3 as a BSD
Ben Gras, Gianluca Guida, Arun Thomas, Thomas Veerman (VU University Amsterdam)
Abstract
MINIX 3 has imported a significant amount of userland BSD code. The
trend began several years ago, but the pace has quickened markedly. We
have already imported NetBSD's buildsystem, NetBSD's C library, the
pkgsrc package management infrastructure, and various userland utilities
from NetBSD and FreeBSD. We are currently in the process of porting
a full NetBSD userland as well as puffs for increased filesystem
support. Though not technically BSD code, we have adopted clang/LLVM as
our default toolchain, and we are working to adopt elftoolchain as a
binutils replacement.
When MINIX 3 was originally conceived, the goal was to create a robust
multiserver operating system that maintains POSIX compatibility. We
leveraged our multiserver architecture in which most OS code runs in
separate usermode processes to provide new functionality, such as driver
isolation and restartability. Now, we would like to push farther than
just POSIX compatibility and provide a system that looks much like a
BSD from a user's perspective. This paper serves as a progress report
on our ongoing work turning MINIX 3 into a BSD. We have a long way to
go before MINIX implements all BSD functionality, but we have a good
start. We will continue to pull in BSD code, and we have identified
future opportunities to pull in driver code and kernel components from
BSD.
This will serve to enable our vision of the best of both worlds:
isolation and restartability features unique to Minix combined with
the well-maintained, real-world-hardened system code for drivers,
filesystems, userland, and other OS code, of a modern BSD OS.
About the authors
Ben Gras is a core MINIX 3 developer and is employed by the VU
University Amsterdam.
Gianluca Guida is a core MINIX 3 developer and is employed by the VU
University Amsterdam.
Arun Thomas is a core MINIX 3 developer and is employed by the VU
University Amsterdam.
Thomas Veerman is a core MINIX 3 developer and is employed by the VU
University Amsterdam.
[paper]
Testing NetBSD Automagically
Martin Husemann
Abstract
A huge effort is made by the NetBSD project to systematically test
"current", the bleeding-edge version. While the setup is still
developing, diverse, and somewhat chaotic, this has already proven to
be an extremely valuable early-warning system during times of massive
churn all over the tree, as well as when hunting down specific bugs
that are already known.
The introduction of tests changes developers' minds and approaches to a
problem. At the same time it splits the developer community into the
ones that believe in bugs in code and tests that find them, and the ones
that believe in bugs in test cases (or the test environment).
Testing a full operating system, covering kernel and userland (all of
it!), is practically impossible. This paper will try to show the stony
way, the problems met on the social side, the ongoing quest to improve
the testing framework, show examples of the quickly increasing number
of test cases, and discuss in detail and categorize examples from the
various types of bugs encountered and solved (or not yet solved).
The author is running the NetBSD/sparc64 instance of the regular tests.
About the author
Born 1965, got a master's in computer science (Diplom-Informatiker) from
the University of Paderborn.
I have been a NetBSD user since the very beginning (of NetBSD). After
some years of teaching various IT topics at various levels (from using
MS Word for secretaries to programming in Pascal) and consultancy work
for union-oriented organizations, I worked for a small commercial
consultancy company for some years, mostly doing networking and
security stuff in the beginning, but then ending up in a huge project
doing heavy C++ stuff in a large team for a few years. I got bored by
that and in 1997 switched employers, ending up in the CAD market working
on a product called ArCon.
In 2001 I founded my own company with a few co-workers, aprisoft GmbH,
and also attended EuroBSDcon in Amsterdam, so this year will be my
anniversary as well ;-).
I have been doing graphical and CAD programming mostly for Windows
since then. Last year aprisoft was taken over by ELECO Software GmbH,
for which I now work as lead of software development, still doing
CAD/graphical stuff in C++ (again for ArCon, as this has been taken over
by ELECO as well in the meantime).
I joined the NetBSD Foundation as a developer in 2000, and have served
as a director on the board from 2006 to 2010. Since 2003 I am the portmaster
for NetBSD/sparc64.
[paper]
OpenBSD's New Suspend and Resume Framework
Paul Irofti
Abstract
Suspend and resume support in OpenBSD was almost complete in the
4.8 release. During the development, a lot had to be changed; it
was a long process, starting from acpi(4) and apm(4) changes, down
into the low-level parts of autoconf(9) and upwards into the device
drivers. What started as i386- and amd64-targeted development turned
into a machine-independent framework that can now be used by other
architectures. Currently, loongson is one such architecture that is
still a work in progress.
About the author
I have been an OpenBSD developer since 2008, involved in ACPI, suspend and
resume, porting, and currently with a keen interest in the Loongson
and Itanium platforms. In the past I worked for a telephony company
developing VoIP, Voicemail and related software and after that as an
antivirus engine developer and reverse engineer.
Currently I'm a freelancer working on various interesting projects.
In my spare time I enjoy a good game of Go or a nice hike.
[paper]
The MPLS framework in OpenBSD
Claudio Jeker
Abstract
Work on supporting MPLS started in 2008 at the n2k8 mini-hackathon
in Ito (Japan). In the last 2 years much work went into this new
framework. Apart from the network stack changes, ldpd(8), the label
distribution protocol daemon, was developed and bgpd(8) was modified
to make it possible to set up and terminate MPLS VPNs on OpenBSD. OpenBSD
is probably the first open-source system able to do MPLS out of the box
without additional patches.
But what is MPLS?
Most people have heard about MPLS, but how it actually works is often
unknown. MPLS changes the way networking is done, but at a high price.
While the label switching part itself is trivial, it is just one part of
a much larger puzzle. There are changes in many routing protocols, and
with over 150 RFCs about MPLS it is clear that this is more than just
simple label switching.
About the author
Claudio Jeker has been an OpenBSD committer since late 2003 and works on
many network-related projects like bgpd, ospfd, ospf6d and the network
stack itself. He is one of the main developers of the MPLS framework in
OpenBSD.
[paper]
OpenBSD/sun4v: Porting OpenBSD to Sun's UltraSPARC T1 and T2 processors
Mark Kettenis
Abstract
Sun's UltraSPARC T1 and T2 processors represent a radical change from earlier
64-bit SPARC processors from Sun and Fujitsu. They have many cores,
many threads per core, and offer a unique approach to virtualization.
This virtualization approach has characteristics that make it more
attractive from a security standpoint than what's available on other
hardware architectures. Therefore it is a very interesting architecture
to run OpenBSD on. In this presentation I will discuss how this was
achieved and some of the new functionality that is offered on these machines.
I'll discuss some of the architectural changes introduced with the
UltraSPARC T1 processor and their implications for the OpenBSD kernel.
For example, the number of trap levels available to the OS kernel was
reduced, which provided a big challenge in rewriting the low-level
assembly code that does the trap handling. On the other hand some of
the functionality that was traditionally implemented in the OS kernel is
now implemented by the hypervisor. Since we wanted to provide support
for older UltraSPARC, the new UltraSPARC T1/T2 processors and Fujitsu's
SPARC64 processors in a single kernel, some trickery was needed as well.
I'll continue with a description of the virtualization approach chosen
by Sun for the CoolThreads machines based on the UltraSPARC T1 and
T2. Virtual network interfaces and virtual disks have been implemented
in OpenBSD 4.5 following the protocols defined by Sun. These make
it possible to run OpenBSD in a guest domain on top of a so-called
control domain running Solaris. This opens up the possibility for
some interesting setups, like running a pf firewall protecting one or
more Solaris domains in a single 1U box. I'll discuss the security
implications for OpenBSD running in such a setup. Virtual disk servers
and virtual network switches, also following the protocols defined by
Sun, have been implemented in OpenBSD 4.7. This makes it possible to
run OpenBSD also in the control domain. As a result it is no longer
necessary to run Solaris at all on a CoolThreads machine configured
with multiple domains. Virtual disk servers have been implemented in
a similar way to the existing vnd(4) pseudo device. Virtual network
switches have been designed to be added to a bridge(4) to maximise code
re-use. I'll give an example of such a setup to illustrate how this is
done.
About the author
Mark Kettenis did his undergraduate degree in technical physics at the
University of Twente in Enschede, The Netherlands, and has a Ph.D. in
Theoretical Physics from the University of Amsterdam. After spending
a couple of years in the IT industry, building highly available UNIX
systems and teaching customers about them, he joined the Joint Institute
for VLBI in Europe (JIVE) in 2004 as a software engineer. At JIVE he
is involved with several projects related to data processing of long
baseline radio astronomy observations in Europe and beyond. These
projects all involve high-speed networking and high-performance computing
in one way or another.
Mark contributed to various Open Source software projects such as the
GNU C Library, The Hurd, FreeBSD and GDB, the GNU Project Debugger.
It was GDB that got him involved with OpenBSD when trying to make GDB
useful on OpenBSD/sparc with the StackGhost security feature enabled.
He was recruited to improve GDB on all the hardware architectures that
OpenBSD runs on, but soon became a hardcore OpenBSD kernel hacker.
His interest is mostly on the hardware side of things, and he is the
maintainer of the OpenBSD/sparc64 and OpenBSD/hppa ports.
[slides]
BSD Certification: How to Create a Psychometrically Valid Certification Examination
Dru Lavigne
Abstract
The BSD Certification Group Inc. (BSDCG), founded in 2005, is a
non-profit organization committed to creating and maintaining a global
certification standard for system administration on BSD based operating
systems. One of the founding tenets is that its certifications are
psychometrically valid in order to provide value to both the system
administrator and the employer. The science of psychometrics can guide
a certifying organization through the lengthy and time-consuming exam
creation process by providing a series of distinct and repeatable
steps. Psychometrics helps to maintain the quality of the examination's
questions, allowing for a reliable assessment of the skills being
certified. This provides great value to those seeking certification, the
employers who hire certificants, and the organization that provides the
certification. This paper provides a brief introduction to psychometrics
and its value proposition. The remainder of this paper outlines the
process of creating and maintaining a psychometrically valid examination
and how members of the BSD community can contribute to this process.
About the author
Dru Lavigne is founder and current Chair of the BSD Certification Group
Inc., a non-profit organization with a mission to create the standard
for certifying BSD system administrators. As Director of Community
Development for the PC-BSD Project, she leads the documentation team,
assists new users, helps to find and fix bugs, and reaches out to the
community to discover their needs. She is author of BSD Hacks, The Best
of FreeBSD Basics, and The Definitive Guide to PC-BSD and Editor of the
PC-BSD Handbook and the FreeNAS Guide. She serves on the Board of the
FreeBSD Foundation.
[paper]
History of BSD
Kirk McKusick
Abstract
Learn the history of the BSD (Berkeley Software Distributions) from
one of its key developers, who brings the history to life, complete
with anecdotes and footnotes to the historical narrative. The BSD
community began at UC Berkeley in the late 1970s. You'll hear
about the triumphs and defeats of the project and its releases during
its heyday in the 1980s. The Berkeley era concludes with the tumultuous
lawsuit, ultimately settled in Berkeley's favor, which allowed the final
release in 1992 of 4.4BSD-Lite, an open-source version of BSD. The talk
includes a brief commentary on the FreeBSD, NetBSD, OpenBSD, Darwin,
and Dragonfly projects that took their genesis from the release of
4.4BSD-Lite.
About the author
Dr. Marshall Kirk McKusick's work with Unix and BSD development
spans nearly thirty years. It begins with his first paper on the
implementation of Berkeley Pascal in 1979, goes on to his pioneering
work in the eighties on the BSD Fast File System, the BSD virtual memory
system, the final release of 4.4BSD-Lite from the UC Berkeley Computer
Systems Research Group, and carries on with his work on FreeBSD. A
key figure in Unix and BSD development, his experiences chronicle not
only the innovative technical achievements but also the interesting
personalities and philosophical debates in Unix over the past thirty
years.
Virtualization under *BSD: the case of Xen
Jean-Yves Migeon
Abstract
Alongside the ever-growing importance of virtualization in today's
information systems, Xen has been one of the key players that popularized
the hypervisor-based approach in the operating system world, focusing
on x86 architectures. There is a considerable amount of information
that can be found about Xen on the Web; however, the fast pace of
virtualization technology often makes this information hard to follow,
or even understand.
The purpose of this talk is to present all the underlying aspects of
Xen, as seen from a 2011 point of view. We will start by presenting the
general ideas behind Xen's hypervisor, together with a brief description
of its architecture, both from a developer (kernel and userland) and
system administrator's perspective (operating systems, running daemons
and services). We will then move on to its history among the *BSD, draw
an inventory of the functionalities currently supported as well as their
impacts through time (hardware virtualization, power management, SMP,
PCI passthrough, migration, ...), and conclude with the roadmap (and
challenges!) the *BSD community is facing: being proactive rather than
reactive in Xen virtualization's land, supporting new hardware mechanisms
like IOMMUs and SR-IOV, high availability and scalability.
About the author
Jean-Yves Migeon has been a NetBSD developer since 2008, mainly focused
on kernel-related work especially in the x86 and Xen ports. He is
currently working as a system and software engineer for Cassidian, a
division of EADS, where his job primarily relates to operating systems
security and administration.
[slides]
Recent developments in OpenSSH
Damien Miller
Abstract
This talk will describe some recent changes in OpenBSD's popular SSH
implementation, most notably the implementation of elliptic curve
cryptography for authentication and key agreement and the new OpenSSH
certificate format for user and host authentication. It will discuss the
rationale, design and implementation of these changes and demonstrate
their use. Future developments and directions for OpenSSH will also be
discussed.
About the author
[slides]
PBI reimplementation for FreeBSD and PC-BSD 9
Kris Moore
Abstract
The PBI format (*P*ush *B*utton *I*nstaller) has been the default
package management system for PC-BSD for 5+ years now. However, as
we looked to the future it became apparent that it greatly needed
an overhaul, both to improve its functionality and to expand its usage
outside the scope of just PC-BSD. Among the areas needing improvement
were how it dealt with identical libraries between applications, the
heavy requirements from being implemented in Qt/KDE, and the lack of a
digital verification mechanism.
Starting in April of 2010, work began on re-implementing the PBI
format to address these issues, and greatly expand upon its usefulness
as a package management system for both PC-BSD and FreeBSD. From
this work the *pbi-manager* was born as a subset of command-line
functionality for dealing with every aspect of PBIs, from building,
installing, distribution and advanced management. The resulting format
has been implemented 100% in shell, allowing it to run virtually
unmodified on a fresh FreeBSD system, as well as be agnostic towards
which desktop a particular user may be running in PC-BSD. Features
such as digital signature verification, intelligent library sharing,
repository management, *bsdiff* updating and others have already been
implemented, along with improved QT4-based front-ends, which behave and
look almost identical to the legacy format. The end result is a powerful
package format which can be used for traditional FreeBSD users as well
as PC-BSD running any window manager, or none for that matter.
About the author
Kris Moore is the founder and lead developer of the PC-BSD project.
He lives in the Eastern Tennessee area (USA) with his wife and four kids.
[paper]
NPF: a new packet filter
Mindaugas Rasiukevicius, Zoltan Arnold Nagy
Abstract
Currently, several firewalls are available across the BSD systems,
namely IPFilter, OpenBSD's PF and FreeBSD's ipfw. On closer inspection,
however, each has problems. IPFilter has been surrounded by legal issues
and was not designed with a modern SMP world in mind; while it has been
the preferred packet filter for a while, its current focus and future
direction are uncertain. OpenBSD's PF lacks general design principles,
and potential improvements to and maintenance of its code base are
problematic. Writing a new filter with a modern design was the easier
and, in the long term, more advantageous solution.
NetBSD's new packet filter, NPF, will be introduced in NetBSD 6.0. It was
written from scratch by Mindaugas Rasiukevicius, the work was funded by
The NetBSD Foundation, and it gained IPv6 support in this year's Google
Summer of Code.
High performance and extensibility were the two main motivations. One of
the main differences between NPF and other packet filters is its protocol
independence and the flexibility of its "n-code" processor, conceptually a
byte-code interpreter inspired by the Berkeley Packet Filter. The general
design goals of NPF are to keep the engine lightweight, well abstracted,
modular and simple, and mostly lockless in order to achieve SMP
scalability.
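To make concrete what "a byte-code interpreter inspired by the Berkeley Packet Filter" buys a packet filter, here is an added C example written for this page; it is not NPF's n-code, and the opcode set, its encoding and the sample packets are all assumptions of the example. The interpreter is protocol-agnostic (it only knows byte offsets), every load is bounds-checked and fails closed, and jumps are forward-only so a program cannot loop. The rule "block TCP to port 23, pass everything else" is compiled into it by hand and run over constructed IPv4 packets, including one carrying IP options and one truncated inside the transport header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy filter byte-code modelled on classic BPF. The opcode set and the
 * encoding are assumptions of this example, not NPF's n-code. */
enum op { OP_LDB, OP_LDXMSH, OP_LDH_IND, OP_JEQ, OP_RET };

struct insn {
    uint8_t  op;
    uint8_t  jt;   /* forward jump taken when JEQ is true  */
    uint8_t  jf;   /* forward jump taken when JEQ is false */
    uint32_t k;    /* offset, immediate, or return value   */
};

#define VERDICT_BLOCK 0
#define VERDICT_PASS  1

/* Interpret prog over pkt. Every load is bounds-checked and an out-of-bounds
 * load blocks the packet (fail closed); jumps are forward only, so a program
 * of n instructions executes at most n steps. */
static int run_filter(const struct insn *prog, size_t n,
                      const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0, x = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc++];
        switch (i->op) {
        case OP_LDB:                           /* acc = pkt[k] */
            if (i->k >= len) return VERDICT_BLOCK;
            acc = pkt[i->k];
            break;
        case OP_LDXMSH:                        /* x = (pkt[k] & 0x0f) * 4 */
            if (i->k >= len) return VERDICT_BLOCK;
            x = (pkt[i->k] & 0x0f) * 4;        /* IPv4 header length */
            break;
        case OP_LDH_IND:                       /* acc = be16 at pkt[x + k] */
            if ((size_t)x + i->k + 1 >= len) return VERDICT_BLOCK;
            acc = (uint32_t)pkt[x + i->k] << 8 | pkt[x + i->k + 1];
            break;
        case OP_JEQ:
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case OP_RET:
            return i->k ? VERDICT_PASS : VERDICT_BLOCK;
        default:
            return VERDICT_BLOCK;              /* unknown opcode: fail closed */
        }
    }
    return VERDICT_BLOCK;                      /* ran off the end: fail closed */
}

/* The rule "block tcp to port 23, pass everything else" as byte-code.
 * Fields are { op, jt, jf, k }. */
static const struct insn block_telnet[] = {
    { OP_LDB,     0, 0, 9 },                  /* acc = IPv4 protocol         */
    { OP_JEQ,     0, 4, 6 },                  /* not TCP: jump to PASS       */
    { OP_LDXMSH,  0, 0, 0 },                  /* x = IHL*4, start of TCP hdr */
    { OP_LDH_IND, 0, 0, 2 },                  /* acc = TCP destination port  */
    { OP_JEQ,     0, 1, 23 },                 /* 23: fall through to BLOCK   */
    { OP_RET,     0, 0, VERDICT_BLOCK },
    { OP_RET,     0, 0, VERDICT_PASS },
};

/* Constructed sample input: a minimal IPv4 packet with an 8-byte transport
 * header. Checksums are left zero; the filter never looks at them. */
static size_t build_packet(uint8_t *buf, size_t cap, unsigned ihl_words,
                           uint8_t proto, uint16_t dport)
{
    size_t hlen = ihl_words * 4, total = hlen + 8;
    if (ihl_words < 5 || ihl_words > 15 || total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);      /* version 4, IHL */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                               /* TTL */
    buf[9] = proto;
    buf[hlen] = 0xc0;                          /* source port 49152 */
    buf[hlen + 2] = (uint8_t)(dport >> 8);
    buf[hlen + 3] = (uint8_t)dport;
    return total;
}

/* Build a packet, optionally truncate it, and run block_telnet over it. */
static int filter_synthetic(unsigned ihl_words, uint8_t proto,
                            uint16_t dport, size_t truncate_to)
{
    uint8_t pkt[64];
    size_t len = build_packet(pkt, sizeof pkt, ihl_words, proto, dport);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return run_filter(block_telnet,
                      sizeof block_telnet / sizeof block_telnet[0], pkt, len);
}

int main(void)
{
    printf("tcp/23             -> %d\n", filter_synthetic(5, 6, 23, 0));
    printf("tcp/80             -> %d\n", filter_synthetic(5, 6, 80, 0));
    printf("udp/23             -> %d\n", filter_synthetic(5, 17, 23, 0));
    printf("tcp/23, IP options -> %d\n", filter_synthetic(6, 6, 23, 0));
    printf("tcp/80, truncated  -> %d\n", filter_synthetic(5, 6, 80, 21));
    return 0;
}
```

Two details carry the security argument. The transport header offset is computed from the IHL field rather than assumed to be 20, so a packet padded with IP options cannot slide the port bytes out from under the rule; and a packet cut short before the port field is blocked even though the rule would otherwise pass it, because a filter that cannot see the bytes it is asked to judge must not guess.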
NPF supports common features required by any modern firewall, such as
stateful filtering, network address translation (NAT), scalable IP sets
(also known as "tables"), packet logging and more.
The talk will give an overview of NPF's internals and present benchmark
data comparing NPF against the alternatives mentioned above.
About the author
Mindaugas Rasiukevicius has been a member of the NetBSD project since
2007, focusing on kernel development in areas such as threading, virtual
memory, synchronisation and IPC. He has a particular interest in
multi-threading, high performance and real-time computing, and currently
runs a consulting company, Nox Technologies Ltd.
Zoltan Arnold Nagy is working on his MSc in Computer Science at Eotvos
Lorand University in Budapest, and participated in both last year's and
this year's Google Summer of Code as a student. He has been working as a
full-time Java developer for six years. His main areas of interest are
networking stacks and performance, cryptography and infrastructure cloud
security.
Exploring FreeNAS 8
James T. Nixon III
Abstract
This presentation will feature a demonstration of installing FreeNAS
using the CLI installer, a brief primer on NanoBSD with Django and
SQLite, configuring various services, and navigating the FreeNAS web
interface. I will discuss the benefits of using ZFS with FreeNAS 8, such
as thin provisioning, periodic snapshots and ZFS datasets. I will
demonstrate how easily a VLAN interface, link aggregation and static
routes can be configured in the Network section of FreeNAS. Next, I will
cover adding and importing volumes, scheduling snapshots and other uses
of the Storage section. I will discuss sharing files from FreeNAS over
NFS, AFP and CIFS, and detail the added functionality the Services
section provides, such as FTP, dynamic DNS, LDAP, Active Directory and
iSCSI, and how you can use FreeNAS to save time and money. Finally, I
will show inexpensive solutions for deploying FreeNAS at home, in the
office or in a dorm.
About the author
James is a core developer for the FreeNAS project, a member of the
PC-BSD team and webmaster for iXsystems. He spends his time tinkering
with PC-BSD desktop usability enhancements, Django and Joomla. He
recently helped organize, and acted as Master of Ceremonies for, the
MeetBSD California conference, and volunteers at the FreeBSD booth around
the world.
When AFK, James is usually playing the drums or watching documentaries.
[paper]
FreeBSD + nginx
Sergey A. Osokin
Abstract
This presentation is about the continued porting and support of the best
web server, nginx, for the best operating system, FreeBSD.
nginx [engine x] is an HTTP and reverse proxy server, as well as a mail
proxy server, written by Igor Sysoev. It has been running for more than
five years on many heavily loaded Russian sites, including Rambler
(RamblerMedia.com). According to Netcraft, nginx served or proxied 4.70%
of the busiest sites in April 2010.
About the author
[slides]
The Obsoletion of the OS
Andrew Pantyukhin
Abstract
For decades now a chasm has been growing between the computing needs of
corporate entities and medium-to-large-scale online projects and the
direction of operating systems development. From the day the original
Beowulf cluster was built, to the time a FreeBSD cluster was used to
compute special effects for "The Matrix", to the present day of
prevalent cloud computing, to the coming days of hybrid cloud grids and
ubiquitous computing, the operating system has been continuously pushed
from a ready-made toolkit for easily solving inconceivably difficult
problems to the obscure assembler in the food chain of solution stacks,
a distraction sheltering hard-to-debug hardware drivers and annoying
software compatibility problems.
Thick virtualization, software appliances, comprehensive management
consoles, datacenter consolidation suites and cloud supervisors are all
solutions to problems that have been stubbornly ignored in the operating
systems development landscape, which has ascetically limited itself to
the territory claimed in the early 70s.
The great paradigm shift from multiuser machines to multimachine,
distributed computing was dampened by the contagious spread of TCP/IP
support and the fortunate presence of fundamental network services,
designed for intersystem communication and quickly repurposed for
intrasystem tasks. The sharp divide between internal and external
protocols, so vivid in the telecom industry, virtually never happened in
the systems world. Numerous academic initiatives, such as Project Athena,
addressed systems issues of such long terms and large scales that little
to no industry interest was attracted, resulting in mostly partial, often
proprietary and ultimately dysfunctional implementations.
What is a systems issue today? Where do systems operations extend to?
What do they require from the OS? What is happening at the DevOps
boundary? How can an operating system become more relevant and useful for
solving modern systems problems and stay clear of obsolescence?
We shall explore these questions from operational and management
perspectives, based on experience architecting a large corporate
infrastructure and building highly distributed, global-scale systems
behind massive cloud services, all using the FreeBSD operating system
almost exclusively.
About the author
Andrew Pantyukhin has been an aspiring Unix hacker for the last decade,
a latent FreeBSD ports committer since 2006, an architect behind
Gubkin University IT operations and most recently the CTO with Dream
Industries, a disruption lab launching next-generation cloud media
services in emerging markets around the world. His primary interest
in IT is rethinking development and operations to better suit current
demands and those looming on new horizons.
Improving the performance of Open vSwitch
Marta Carbone, Gaetano Catalli, Luigi Rizzo
Abstract
Open vSwitch is a software implementation of a virtual switch, designed
to be fully configurable and compatible with the most widely used
protocols. Among other features, the program includes a user space
forwarding engine which can be used to build flexible packet processing
systems.
In the process of porting Open vSwitch to FreeBSD, we measured its
forwarding performance and found disappointingly low figures, which were
also present in the original Linux implementation. We therefore analysed
and revised the architecture of some key parts of the code, obtaining a
speedup of a factor of 10, up to 690 Kpps.
The main contribution of this paper is to illustrate the architecture of
the system and its performance bottlenecks, and to present how we revised
it to achieve these large performance improvements. As a second
contribution, we extend the program with a BPF-compatible driver,
enabling operation on BSD systems. This driver is of particular
importance because it opens the way to a recently developed network API
called netmap, which promises further large performance improvements.
About the authors
Luigi Rizzo is a professor at the Università di Pisa and a long-time
committer for the FreeBSD project, to which he has contributed several
subsystems, mostly in the networking area. His research is in the area of
network congestion control, emulation and fast packet processing.
Marta Carbone is a PhD student in Ingegneria dell'Informazione at the
Università di Pisa, working on network testbeds and emulation tools. She
has worked on improvements to and porting of the ipfw firewall and the
dummynet emulator, and in 2009 participated in Google Summer of Code. Her
recent work is on accelerating software packet processing.
Gaetano Catalli graduated in July 2011 in Computer Engineering at the
Università di Pisa, where he was recently awarded a research contract to
work on OpenFlow-related topics in the EC FP7 project OpenLab. His
master's thesis was on porting and improving the performance of the Open
vSwitch software.
[paper]
Webcamd - a modern userspace Linux kernel driver framework for FreeBSD
Hans Petter Selasky
Abstract
FreeBSD's webcamd project first came to light in 2009 as an extension of
another, similar hobby project, namely the porting of the FreeBSD USB
stack to NetBSD. That port never became part of the official NetBSD
distribution, though the ideas and principles behind the porting layer
lived on. Webcamd is a complete Linux kernel environment that allows you
to compile and run typical Linux webcam and DVB-X drivers in userspace
under FreeBSD without any modifications. The primary target is USB
devices, since such devices have a common way of being programmed and of
doing DMA data transfers. This talk goes through the process of compiling
webcamd and how you can include your own new drivers. It also explains
how the kernel, the drivers and users are separated from each other.
Cuse4bsd, a dependency of webcamd, will be covered in detail. Some
example applications will be given too, and at the end there will be room
for questions.
About the author
Hans Petter Selasky has been contributing to the FreeBSD project for more than
a decade and is a well known USB developer in FreeBSD circles. In 2010 he got
commit rights to the FreeBSD kernel sources.
[slides]
Fossilizing NetBSD: The road to modern version control
Joerg Sonnenberger
Abstract
The NetBSD project has successfully deployed CVS for over one and a half
decades. The main modules, pkgsrc and src, provide a huge challenge for
any replacement. The pkgsrc module challenges scalability by having
over 60,000 files per working copy and a total of over 100,000 files in
the repository. The src module challenges scalability both in the raw
size (4.3GB of RCS files) and the large history of 240,000 revisions.
Over the last three years a number of attempts to provide conversions
to modern version control systems (VCS) have been made. The different
VCS and the associated conversion tools all have different shortcomings
and no clean consensus could be reached to move into one direction or
another.
One important tool is Simon Schubert's fromcvs. It was the only option
for continuously replicating CVS changes into Git without breaking the
normal updating process of the target VCS. This raised the question of
how much work an RCS/CVS conversion tool that fits NetBSD's requirements
would be:
* Be faithful: honor RCS keywords
* Be smart: properly deal with vendor branches and magic CVS revisions
* Be fast: finish in much less than a day on reasonable modern hardware
* Be helpful: provide support for cleaning up the mess that a large scale
repository ends up being
At the time concrete plans started to form, Richard Hipp had started
making his Fossil VCS project more visible and had managed to cut the
legalese associated with the source code by an order of magnitude. The
result is attractive: a compact binary under a liberal license with few
external dependencies and a fitting name. A project was born: converting
the NetBSD repository to Fossil and evaluating the scalability issues.
The first part of the paper discusses the resulting conversion tool.
This includes an overview of how different CVS features work and the
issues that could be found in the NetBSD repository. It compares the
chosen strategy of incremental fix-ups with the ad-hoc adjustments made
by cvs2svn and related tools.
The second part of the paper analyses the current performance of Fossil
for various important operations and changes made in Fossil to deal
with scalability limits. A limited comparison to other VCSs is also
provided.
The results of this work provide a much better foundation for any
future conversion attempt. Support of the git-fast-export format in
Fossil allows easy conversion to most other changeset oriented VCSs.
The included benchmarks compare Fossil with other popular VCSs. They
allow the quantification of some of the involved decision factors for a
potential migration from CVS for the NetBSD project.
About the author
Joerg Sonnenberger is a NetBSD and pkgsrc developer. In NetBSD he has
been working on ACPI, the toolchain and other areas. In pkgsrc his main
interests are the infrastructure components. He is currently working as
a software developer in Germany.
[paper]
Capsicum: Practical Capabilities for UNIX
Dr Robert N. M. Watson
Abstract
Capsicum is a lightweight operating system capability and sandbox framework in
FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new
kernel primitives (sandboxed capability mode and capabilities) and a userspace
sandbox API. These tools support compartmentalisation of monolithic UNIX
applications into logical applications, an increasingly common goal supported
poorly by discretionary and mandatory access control. We demonstrate our
approach by adapting core FreeBSD utilities and Google's Chromium web browser to
use Capsicum primitives, and compare the complexity and robustness of Capsicum
with other sandboxing techniques.
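The two kernel primitives the abstract names, capabilities (descriptors cut down to a fixed set of rights) and capability mode, as a sandboxed utility would use them together: acquire every resource by name first, shrink each descriptor to what the work needs, then enter capability mode so that nothing afterwards can reach the filesystem, network or process table by name. This is an added C example written for this page, not code from the Capsicum paper or from FreeBSD. It uses the cap_rights_init()/cap_rights_limit() interface of FreeBSD 10 and later; the FreeBSD 9.0 interface the talk describes used cap_new() instead. The no-op fallback on hosts without Capsicum, the helper names and the constructed input are assumptions of the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(), cap_rights_limit(): FreeBSD 10+ */
#endif

/* Shrink a descriptor to read-only use. Assumption for this example: on a
 * host without Capsicum this is a no-op, so the program still builds there. */
static int limit_to_read(int fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    return cap_rights_limit(fd, &rights);  /* write(2) on fd now fails: ENOTCAPABLE */
#else
    (void)fd;
    return 0;
#endif
}

/* Enter capability mode. Afterwards open(2), socket(2) and every other call
 * that names a global resource fails with ECAPMODE; only descriptors already
 * held (and what can be derived from them) remain usable.
 * Returns 1 on entry, 0 where Capsicum is unavailable, -1 on error. */
static int enter_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter() == 0 ? 1 : -1;
#else
    return 0;
#endif
}

/* The compartmentalised "logical application": it receives a descriptor and
 * never a path, so it works the same inside the sandbox. Counts newlines. */
static long count_lines(int fd)
{
    char buf[4096];
    long lines = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n')
                lines++;
    return n < 0 ? -1 : lines;
}

/* Constructed sample input: a temporary file holding the given text. */
static int fd_from_text(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(text, f);
    rewind(f);                /* flushes the write and seeks the fd to 0 */
    return fileno(f);
}

int main(int argc, char **argv)
{
    /* 1. Acquire everything by name *before* sandboxing. */
    int fd = argc > 1 ? open(argv[1], O_RDONLY)
                      : fd_from_text("one\ntwo\nthree\n");
    if (fd < 0) { perror("open"); return 1; }

    /* 2. Cut the descriptor's rights down to what the work needs. */
    if (limit_to_read(fd) == -1) { perror("cap_rights_limit"); return 1; }

    /* 3. Drop into capability mode; nothing after this can reach the
     *    filesystem, network or process table by name. */
    int mode = enter_sandbox();
    if (mode == -1) { perror("cap_enter"); return 1; }

    printf("lines: %ld (capability mode: %s)\n", count_lines(fd),
           mode == 1 ? "yes" : "no");

#ifdef __FreeBSD__
    /* 4. Demonstrate the boundary: a path-based open is refused outright. */
    if (mode == 1 && open("/etc/passwd", O_RDONLY) == -1 && errno == ECAPMODE)
        puts("open(\"/etc/passwd\") refused with ECAPMODE, as expected");
#endif
    return 0;
}
```

The ordering is the whole point: cap_enter() is one-way and inherited by children, so a program that has to open a file after entering the sandbox is simply broken. This is also why the abstract contrasts Capsicum with discretionary and mandatory access control: those decide per name and per identity, whereas here the sandboxed code holds no names at all, only descriptors whose rights were fixed before the boundary was crossed.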
About the author
Dr Watson is a security and operating systems researcher at the Computer
Laboratory, University of Cambridge, where he leads research projects in
experimental CPU and operating system design, introspective software models,
automated program analysis, and cloud computing security. Previously, he was
Senior Principal Scientist at SPARTA, Inc., and Senior Research Scientist at
McAfee Research. His prior projects include development of the TrustedBSD MAC
Framework, a flexible kernel access control framework now used in the FreeBSD,
Mac OS X, and Apple iOS operating systems. He is a member of the board of
directors (and past president) of the FreeBSD Foundation.
[paper]
OpenBSD SCSI Evolution
Ken Westerback
Abstract
The SCSI protocol has become the lingua franca of block-oriented I/O.
OpenBSD has always supported SCSI devices, but recently the OpenBSD SCSI
stack has been significantly enhanced to improve stability, performance
and scalability. This paper presents the architectural details of the
recent changes. It describes the state of the SCSI stack at the
beginning of the changes, identifies the issues driving those changes,
describes the current state and lays out some near-term goals for the
SCSI stack.
About the author
Ken made his first commit to OpenBSD on February 6, 2000. Having
purchased an unsupported SCSI card, he was encouraged by deraadt@ to add
support for it. Since then Ken has added SCSI hardware drivers (e.g.
iha(4) and trm(4)); significantly updated others such as adv(4), adw(4),
siop(4), ahc(4), ahd(4) and isp(4); and worked extensively on the SCSI
layer and the install scripts. Over the last two or three years Ken has
worked with David Gwynne and others on evolving the SCSI layer to solve
many long-standing problems. In the real world Ken was the Chief IT
Architect for the Centre for Addiction and Mental Health in Toronto,
Canada until 2010, where he deployed OpenBSD in some infrastructure and
patient internet access applications. He is now an independent
contractor.
[paper]
An update on IPv6 in FreeBSD
Björn Zeeb
Abstract
FreeBSD has shipped IPv6 support for more than a decade with the
KAME-based reference implementation. As IPv6 is becoming more crucial
every day, you will hear about the latest improvements on IPv6 in
FreeBSD and how you can make use of them to prepare better for your IPv6
future.
The talk will start with a quick review of FreeBSD and World IPv6 Day.
It will show you what we did beforehand and during that day, as well as
some results. Following that you will get a short introduction to the
IPv6-only validation work and what has happened since May. You will
learn why this is an interesting feature not just for IPv6 geeks but
for software developers as well as sysadmins, port maintainers and
website operators, why it is needed now, and how you can try or use it.
The last part will concentrate on new IPv6 configuration options and
features in FreeBSD 9.0 you should be aware of. It will give you ideas
on how to handle various situations for FreeBSD servers, home gateways
and desktops. The talk will conclude with a short outlook on the next
IPv6 changes we are working on.
About the author
Bjoern Zeeb is a consultant based in Germany and has been an active
FreeBSD committer since 2004 interested in networking, security and
virtualization. He is currently also a member of the FreeBSD Security
and Release Engineering teams.
[slides]