All Jupiter Broadcasting Shows

Jupiter Broadcasting
May 15, 2019

BSD On The Road | BSD Now 298

36 year old UFS bug fixed, a BSD for the road, automatic upgrades with OpenBSD, DTrace ext2fs support in FreeBSD, Dedicated SSH tunnel user, upgrading VMM VMs to OpenBSD 6.5, and more.

Headlines

36+ year old bug in FFS/UFS discovered and patched

This update eliminates a kernel stack disclosure bug in UFS/FFS directory entries that is caused by uninitialized directory entry padding written to the disk. When the directory entry is written to disk, it is written as a full 32bit entry, and the unused bytes were not initialized, so could possibly contain sensitive data from the kernel stack. It can be viewed by any user with read access to that directory. Up to 3 bytes of kernel stack are disclosed per file entry, depending on the amount of padding the kernel needs to pad out the entry to a 32 bit boundary. The offset in the kernel stack that is disclosed is a function of the filename size. Furthermore, if the user can create files in a directory, this 3 byte window can be expanded 3 bytes at a time to a 254 byte window with 75% of the data in that window exposed. The additional exposure is done by removing the entry, creating a new entry with a 4-byte longer name, extracting 3 more bytes by reading the directory, and repeating until a 252 byte name is created.

This exploit works in part because the area of the kernel stack that is being disclosed is in an area that typically doesn't change that often (perhaps a few times a second on a lightly loaded system), and these file creates and unlinks themselves don't overwrite the area of kernel stack being disclosed.

It appears that this bug originated with the creation of the Fast File System in 4.1b-BSD (Circa 1982, more than 36 years ago!), and is likely present in every Unix or Unix-like system that uses UFS/FFS. Amazingly, nobody noticed until now.

This update also adds the -z flag to fsck_ffs to have it scrub the leaked information in the name padding of existing directories. It only needs to be run once on each UFS/FFS filesystem after a patched kernel is installed and running.

Submitted by: David G. Lawrence dg@dglawrence.com

So a patched kernel will no longer leak this data, and running the fsck_ffs -z command will erase any leaked data that may exist on your system.

OpenBSD commit with additional detail on mitigations

The impact on OpenBSD is very limited:

1 - such stack bytes can be found in raw-device reads, from group operator. If you can read the raw disks you can undertake other more powerful actions.

2 - read(2) upon directory fd was disabled July 1997 because I didn't like how grep * would display garbage and mess up the tty, and applying vis(3) for just directory reads seemed silly. read(2) was changed to return 0 (EOF). Sep 2016 this was further changed to EISDIR, so you still cannot see the bad bytes.

3 - In 2013 when guenther adapted the getdents(2) directory-reading system call to 64-bit ino_t, the userland data format changed to 8-byte-alignment, making it incompatible with the 4-byte-alignment UFS on-disk format. As a result of code refactoring the bad bytes were not copied to userland. Bad bytes will remain in old directories on old filesystems, but nothing makes those bytes user visible.

There will be no errata or syspatch issued. I urge other systems which do expose the information to userland to issue errata quickly, since this is a 254 byte infoleak of the stack which is great for ROP-chain building to attack some other bug. Especially if the kernel has no layout/link-order randomization ...

NomadBSD, a BSD for the Road

As regular It’s FOSS readers should know, I like diving into the world of BSDs. Recently, I came across an interesting BSD that is designed to live on a thumb drive. Let’s take a look at NomadBSD.

NomadBSD is different than most available BSDs. NomadBSD is a live system based on FreeBSD. It comes with automatic hardware detection and an initial config tool. NomadBSD is designed to “be used as a desktop system that works out of the box, but can also be used for data recovery, for educational purposes, or to test FreeBSD’s hardware compatibility.”

This German BSD comes with an OpenBox-based desktop with the Plank application dock. NomadBSD makes use of the DSB project. DSB stands for “Desktop Suite (for) (Free)BSD” and consists of a collection of programs designed to create a simple and working environment without needing a ton of dependencies to use one tool. DSB is created by Marcel Kaiser, one of the lead devs of NomadBSD.

Just like the original BSD projects, you can contact the NomadBSD developers via a mailing list.

Version 1.2 Released

NomadBSD recently released version 1.2 on April 21, 2019. This means that NomadBSD is now based on FreeBSD 12.0-p3. TRIM is now enabled by default. One of the biggest changes is that the initial command-line setup was replaced with a Qt graphical interface. They also added a Qt5 tool to install NomadBSD to your hard drive. A number of fixes were included to improve graphics support. They also added support for creating 32-bit images.

Thoughts on NomadBSD

I first discovered NomadBSD back in January when they released 1.2-RC1. At the time, I had been unable to install Project Trident on my laptop and was very frustrated with BSDs. I downloaded NomadBSD and tried it out. I initially ran into issues reaching the desktop, but RC2 fixed that issue. However, I was unable to get on the internet, even though I had an Ethernet cable plugged in. Luckily, I found the wifi manager in the menu and was able to connect to my wifi.

Overall, my experience with NomadBSD was pleasant. Once I figured out a few things, I was good to go. I hope that NomadBSD is the first of a new generation of BSDs that focus on mobility and ease of use. BSD has conquered the server world, it’s about time they figured out how to be more user-friendly.

News Roundup

[OpenBSD automatic upgrade](https://www.tumfatig.net/20190426/openbsd-automatic-upgrade/)

OpenBSD 6.5 advertises for an installer improvement: rdsetroot(8) (a build-time tool) is now available for general use. Used in combination with autoinstall(8), it is now really easy to do automatic upgrades of your OpenBSD instances.

I first manually upgraded my OpenBSD sandbox to 6.5. Once that was done, I could use the stock rdsetroot(8) tool. The plan is quite simple: write an unattended installation response file, insert it to a bsd.rd 6.5 installation image and reboot my other OpenBSD instances using that image.

Extra notes

There must be a way to run onetime commands (in the manner of fw_update) to automatically run sysmerge and packages upgrades. As for now, I’d rather do it manually.

This worked like a charm on two Synology KVM instances using a single sd0 disk, on my Thinkpad X260 using Encrypted root with Keydisk and on a Vultr instance using Encrypted root with passphrase. And BTW, the upgrade on the X260 used the (iwn0) wireless connection.

I just read that florian@ has released the sysupgrade(8) utility which should be released with OpenBSD 6.6. That will make upgrades even easier! Until then, happy upgrading.

FreeBSD Dtrace ext2fs Support

Which logs were replaced by dtrace-probes:

- Misc printf's under DEBUG macro in the blocks allocation path.
- Different on-disk structures validation errors, now the filesystem will silently return EIO's.
- Misc checksum errors, same as above.

The only debug macro which was left is EXT2FSPRINTEXTENTS. It is impossible to replace it by dtrace-probes, because the additional logic is required to walk thru file extents.

The user will still be able to see mount errors in the dmesg in case of:

- Filesystem features incompatibility.
- Superblock checksum error.

Create a dedicated user for ssh tunneling only

I use ssh tunneling A LOT, for everything. Yesterday, I removed the public access of my IMAP server, it’s now only available through ssh tunneling to access the daemon listening on localhost. I have plenty of daemons listening only on localhost that I can only reach through a ssh tunnel. If you don’t want to bother with ssh and redirect ports you need, you can also make a VPN (using ssh, openvpn, iked, tinc…) between your system and your server. I tend to avoid setting up VPN for the current use case as it requires more work and more maintenance than running ssh server and a ssh client.

The last change, for my IMAP server, added an issue. I want my phone to access the IMAP server but I don’t want to connect to my main account from my phone for security reasons. So, I need a dedicated user that will only be allowed to forward ports.

This is done very easily on OpenBSD. The steps are:

1. generate ssh keys for the new user
2. add a user with no password
3. allow public key for port forwarding

Obviously, you must allow users (or only this one) to make port forwarding in your sshd_config.

That was easy.

Some info on upgrading VMM VMs to 6.5

We're running dedicated vmm(4)/vmd(8) servers to host opinionated VMs. OpenBSD 6.5 is released! There are two ways you can upgrade your VM. Either do a manual upgrade or leverage autoinstall(8). You can take care of it via the console with vmctl(8).

Upgrade yourself

To get connected to the console you need to have access to the host your VM is running on. The same username and public SSH key, as provided for the VM, are used to create a local user on the host. When this is done you can use vmctl(8) to manage your VM. The options you have are:

```
$ vmctl start id [-c]
$ vmctl stop id [-fw]
```

```
-w Wait until the VM has been terminated.
-c Automatically connect to the VM console.
```

See the Article for the rest of the guide

Beastie Bits

- powerpc64 architecture support in FreeBSD ports
- GhostBSD 19.04 overview
- HardenedBSD will have two user selectable ASLR implementations
- NYCBUG 2016 Talk Shell-Fu Uploaded
- What is ZIL anyway?

Feedback/Questions

- Quentin - Organize an Ada/BSD interview
- DJ - Update
- Patrick - Bhyve frontends

A small programming note: After BSDNow episode 300, the podcast will switch to audio-only, using a new higher quality recording and production system. The live stream will likely still include video.

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
May 14, 2019

Peak Red Hat | LINUX Unplugged 301

We scale the Red Hat Summit and come back with a few stories to share. Plus some big community news, finding threats on the command line, and our reaction to Microsoft shipping the Linux kernel in Windows.

Special Guests: Alex Kretzschmar, Brent Gervais, Cassidy James Blaede, Ell Marquez, and Neal Gompa.

Links:

- Scientists Develop Software That Simulates Sound Of Stars — A team of astronomers from University of Wisconsin-Madison successfully developed a software called GYRE that can simulate the complex vibrations that stars produce.
- GitHub Package Registry: Your packages, at home with their code — Discover and publish public and private packages in one place. Then seamlessly use and reuse any package as a dependency in a project by downloading it straight from GitHub.
- About GitHub Package Registry — GitHub Package Registry is a software package hosting service, similar to npmjs.org, rubygems.org, or hub.docker.com, that allows you to host your packages and code in one place.
- Package hello-world-npm — This is a simple npm package that demonstrates the GitHub Package Registry.
- Lenovo adds AMD Ryzen Pro-powered laptops to its ThinkPad family — The biggest differences between these laptops and Intel-powered ThinkPads are performance and ports. According to Lenovo, the second-gen AMD Ryzen 7 Pro processors combined with integrated Vega graphics should provide an 18-percent improvement in performance over previous generations.
- Clear Linux Further Enhances Its Desktop Installer, Launches Help Forums — This week I was pleased to find they have further improved the graphical interface for making their desktop Linux installation on-par with other Linux installers. If you recall, it was only towards the end of last year that they rolled out a new desktop installer and now with their latest design improvements, their latest installer looks much better off than their previous version.
- It's Time To Pay Attention To Intel's Clear Linux OS Project — This is neither a review nor an endorsement of Clear Linux at this stage, but it is an open invitation to be curious about it. To explore it. Maybe to even actively contribute to it. Especially as we edge closer to Intel's assault on the dedicated GPU market.
- Install Clear Linux* OS from the live desktop — The live desktop allows you to boot Clear Linux* OS in a GNOME desktop without modifying the host system, offering the chance to explore developing on Clear Linux OS. Better yet, launch the Clear Linux OS installer to install on your target system.
- Clear Linux* OS - An Introduction and Beyond — We invite you to join us for the first in a series of Intel Clear Linux OS MeetUps. The aim of this initial MeetUp is to introduce you to the Clear Linux* project and help you learn how to better use the Clear Linux OS in your everyday job. Light refreshments and dinner provided.
- Ulauncher is migrating to Python 3. Changes to Extension API and more — It's been a while since the last significant update in Ulauncher. One of the reasons was the migration from Python 2 to 3. For a regular user it may not mean a lot, but Python 2 end of life is coming very soon so that had to be done.
- 2019 Is the Year of Linux on the Desktop — Traditional Linux distributions may not be taking over the world, but Linux is becoming even more pervasive than ever.
- The Friday Stream Episode 3: Fluffle of Fools — Back from Boston and we have a few stories to share, the best 39 seconds from Red Hat Summit, and the protest we found ourselves in the middle of.
- Texas Linux Fest 2019 — Texas Linux Fest is an annual Linux and open source software event for Texas and the surrounding region. We are excited to bring you two days of general sessions and vendor sessions this year along with two full days of expo floor! Texas Linux Fest is for the business and home Linux user, and for the experienced developer and newcomer alike.
- Can I get a RHEL yeah? Version 8 arrives at last as IBM given go-ahead to wolf down Red Hat • The Register — Distributed with the Linux 4.18 kernel, the OS supports AMD and Intel 64-bit architectures, as one would expect, as well as 64-bit Arm, IBM Power Systems and IBM Z.
- Introducing the Red Hat Universal Base Image — With the release of the Red Hat Universal Base Image (UBI), you can now take advantage of the greater reliability, security, and performance of official Red Hat container images where OCI-compliant Linux containers run - whether you’re a customer or not.
- Azure Red Hat OpenShift, a Kubernetes service jointly managed by Microsoft and Red Hat, is now available — The two companies announced Azure Red Hat OpenShift at last year’s Red Hat Summit. OpenShift is available on other public clouds, but Microsoft and Red Hat will jointly manage and support this service on Azure and customers will be able to pay for it through a single unified bill from Azure under a revenue-sharing agreement.
- Red Hat Summit 2019 — Are cloud and culture alive and well at Red Hat? If I've taken away anything from this year's Red Hat Summit (my first), it's the two simple words "cloud and culture." Two words echoed several times this past week which to me is obviously by design. Red Hat and IBM want us to know they are ready for the cloud, hybrid-cloud, other person's Linux box, and its culture is still alive and well despite grumbling in the community about the IBM acquisition.
- Red Hat Summit 2019 Recap
- Command Line Threat Hunting — That viruses and malware are Windows problems is a misnomer that is often propagated through the Linux community and it's an easy one to believe until you start noticing strange behaviour on your system. What do you do next? Join Ell Marquez (Jupiter Broadcasting/Linux Academy) and Tony Lambert (redcanary.com) in discussing a common sense approach to threat detection using only command line tools.
May 13, 2019

3 OSes 1 GPU | Coder Radio 357

Microsoft catches Mike’s eye with WSL 2, Google gets everyone's attention with their new push for Kotlin, and we get a full eGPU report.

Links:

- QA Feedback from Lewis — I thought I was going to be in a big rush to get out of the basement and up to a developer position, but after listening to the show I really feel like my contribution to this team is going to be important and necessary from the get go.
- Request: Subreddit recommendations — Anyone know any linux and/or programming subs aren't full of mindless circlejerking? Most seem to be afflicted with mindless circlejerking, free software extremism and other indiscretions.
- Feedback on Tools for Docs — One idea is a mind map tool (like Freeplane). This can provide a free-form way to show at a high level how all the parts link together, and attach as much details as needed.
- Kotlin is now Google’s preferred language for Android app development — “Android development will become increasingly Kotlin-first,” Google writes in today’s announcement. “Many new Jetpack APIs and features will be offered first in Kotlin. If you’re starting a new project, you should write it in Kotlin; code written in Kotlin often mean much less code for you–less code to type, test, and maintain.”
- Flutter and Chrome OS: Better Together — Flutter initially focused on providing a UI toolkit for building apps for mobile devices, which typically feature touch input and small screens. However, we’ve been building keyboard and mouse support into Flutter since before our 1.0 release last December. And today, we’re pleased to announce that Flutter for Chrome OS is now stronger with scroll wheel support, hover management, and better keyboard event support.
- How Windows and Chrome quietly made 2019 the year of Linux on the desktop — The cleverly named Windows Subsystem for Linux 2, announced at Microsoft’s Build event this week, shakes things up by shipping a full Linux kernel (version 4.19) within Windows itself as a lightweight virtual machine. Doing so should supercharge performance for developers who use the tool.
- Ubuntu 19.04 – Easy-to-use setup script for your EGPU — I have created a script which automatically detects your (E)GPUs and creates the needed X-Server configuration files. You won't have to mess around with finding the correct BUS-IDs and convert them from dec to hex or anything like that, the script takes care of it.
- Linux Action News 105 — RHEL 8 is released, we report from the ground of the big announcement, Microsoft announces WSL 2 with a real Linux kernel at the core, and details on their new open source terminal.
May 13, 2019

Fluffle of Fools | The Friday Stream 3

Back from Boston and we have a few stories to share, the best 39 seconds from Red Hat Summit, and the protest we found ourselves in the middle of. Plus we get to know the new guy a little better, the Pixel 3a is announced and we weigh the tradeoffs, and we replay Chris having a panic attack on air.

Links:

- Google Pixel 3A hands-on
- Google Pixel 3a and Pixel 3a XL kernel source code is now available
- Google Pixel 3A review: a $399 phone with a great camera - YouTube
- Android Auto 2019 Update at Google I/O - YouTube
- Google improved Android Auto by making it act more like your phone
- Google Assistant Driving mode, which is replacing Android Auto on phones
- Music: Bit by BIt - Pack -A- Clones
May 12, 2019

Linux Action News 105

RHEL 8 is released, we report from the ground of the big announcement, Microsoft announces WSL 2 with a real Linux kernel at the core, and details on their new open source terminal. Plus Alpine Linux Docker images shipped for 3 years with root accounts unlocked, and Google's new attempt to send updates directly to your phone.

Links:

- RHEL 8 released — Red Hat Enterprise Linux 8 is the operating system redesigned for the hybrid cloud era and built to support the workloads and operations that stretch from enterprise datacenters to multiple public clouds.
- Considerations in adopting RHEL 8
- IBM's Red Hat acquisition moves forward — The Department of Justice has approved IBM's acquisition of Red Hat.
- WSL 2 using LTS source from Kernel.org
- Canonical announces support for Ubuntu on Windows Subsystem for Linux 2
- WSL 2 deep dive - YouTube
- All new Chromebooks will run Linux apps — Google has announced that all new Chromebook devices will be Linux ready.
- Project Mainline is Google’s new attempt to send security updates directly to your phone — Google will start delivering some Android security updates through the Play Store
- Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked — This vulnerability appears to be the result of a regression introduced in December of 2015.
- Alpine Linux's response to CVE-2019-5021
- Gartner says 90% of blockchain supply chain initiatives will go nowhere — Research firm Gartner is unimpressed.
- The Friday Stream
May 10, 2019

Keeping Systems Simple | TechSNAP 403

We’re back from LinuxFest Northwest with an update on all things WireGuard, some VLAN myth busting, and the trade-offs of highly available systems.

Links:

- TechSNAP Episode 390: What’s Up with WireGuard
- WireGuard Sent Out Again For Review — WireGuard lead developer Jason Donenfeld has sent out the ninth version of the WireGuard secure network tunnel patches for review. If this review goes well and lands in net-next in the weeks ahead, this long-awaited VPN improvement could make it into the mainline Linux 5.2 kernel.
- CloudFlare announces Warp VPN — Using Cloudflare’s existing network of servers, Internet users all over the world will be able to connect to Warp VPN through the 1.1.1.1 app. In the same vein, Warp VPN will not significantly increase battery usage by using an efficient protocol called WireGuard.
- CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation - Phoronix — CloudFlare took to creating BoringTun as they wanted a user-space solution as not to have to deal with kernel modules or satisfying certain kernel versions. They also wanted cross platform support and for their chosen implementation to be very fast, these choices which led them to writing a Rust-based solution.
- cloudflare/boringtun — BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
- VPN protocol WireGuard now has an official macOS app — You can already download the WireGuard app on Android and iOS, but today’s release is all about macOS.
- WireGuard Windows Pre-Alpha — I've been mostly absent these last weeks, due to being completely absorbed in Windows programming. I think we're finally getting to the state where we might really benefit from testing of the "pre-alpha".
- Wintun – Layer 3 TUN Driver for Windows — Wintun is a very simple and minimal TUN driver for the Windows kernel, which provides userspace programs with a simple network adapter for reading and writing packets. It is akin to Linux's /dev/net/tun and BSD's /dev/tun.
- WireGuard for Kubernetes: Introducing Gravitational Wormhole — Wormhole is a Kubernetes network plugin that combines the simplicity of flannel with encrypted networking from WireGuard.
- gravitational/wormhole: Wireguard based overlay network CNI plugin for kubernetes
- NetworkManager 1.16 — NetworkManager 1.16 is a big feature release bringing support for WireGuard VPN tunnels.
- Portal Cloud - Subspace — Subspace is an open source WireGuard® VPN server that supports connecting all of your devices to help secure your internet access.
- subspacecloud/subspace — A simple WireGuard VPN server GUI
- jimsalterjrs/wg-admin — Simple CLI utilities to manage a WireGuard server
- 5 big misconceptions about virtual LANs — In the real world, VLANs are anything but simple.
- High Availability vs. Fault Tolerance vs. Disaster Recovery — You need IT infrastructure that you can count on even when you run into the rare network outage, equipment failure, or power issue. When your systems run into trouble, that’s where one or more of the three primary availability strategies will come into play: high availability, fault tolerance, and/or disaster recovery.
- High Availability: Concepts and Theory — Running server operations using clusters of either physical or virtual computers is all about improving both reliability and performance over and above what you could expect from a single, high-powered server.
- RPO and RTO: Understanding the Differences — Recovery time objective refers to how much time an application can be down without causing significant damage to the business. Recovery point objectives refer to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs.
- JupiterBroadcasting/Talks — Public repository of crew talks, slides, and additional resources.
- Command Line Threat Hunting — That viruses and malware are Windows problems is a misnomer that is often propagated through the Linux community and it's an easy one to believe until you start noticing strange behavior on your system. What do you do next? Join Ell Marquez and Tony Lambert in discussing a common sense approach to threat detection using only command line tools.
- Fear the Man in the Middle? This company wants to sell quantum key distribution — For now, Quantum XChange has only said about a dozen companies are part of the pilot. But with the appetite for quantum solutions in the US increasing—the National Quantum Initiative was just signed into law at the end of 2018 to advance the tech—this could be an opportune time to enter the market, so long as the service lives up to its billing.
May 10, 2019

Dungeons and Distros | User Error 65

What it takes to make a proper distro, how we send emails, and the constant quest for knowledge. Plus D&D, and April Fools annoyances.

- 00:01:00 Email etiquette
- 00:10:17 #AskError: Thoughts on Dungeons and Dragons?
- 00:14:00 What does it take to be a proper Linux distro?
- 00:26:33 #AskError: Do April Fool’s Day tech “jokes” annoy you?
- 00:32:16 Always learning new things
May 8, 2019

Dragonfly In The Wild | BSD Now 297

FreeBSD ZFS vs. ZoL performance, Dragonfly 5.4.2 has been release, containing web services with iocell, Solaris 11.4 SRU8, Problem with SSH Agent forwarding, OpenBSD 6.4 to 6.5 upgrade guide, and more. Headlines FreeBSD ZFS vs. ZoL Performance, Ubuntu ZFS On Linux Reference With iX Systems having released new images of FreeBSD reworked with their ZFS On Linux code that is in development to ultimately replace their existing FreeBSD ZFS support derived from the code originally found in the Illumos source tree, here are some fresh benchmarks looking at the FreeBSD 12 performance of ZFS vs. ZoL vs. UFS and compared to Ubuntu Linux on the same system with EXT4 and ZFS. Using an Intel Xeon E3-1275 v6 with ASUS P10S-M WS motherboard, 2 x 8GB DDR4-2400 ECC UDIMMs, and Samsung 970 EVO Plus 500GB NVMe solid-state drive was used for all of this round of testing. Just a single modern NVMe SSD was used for this round of ZFS testing while as the FreeBSD ZoL code matures I'll test on multiple systems using a more diverse range of storage devices. FreeBSD 12 ZoL was tested using the iX Systems image and then fresh installs done of FreeBSD 12.0-RELEASE when defaulting to the existing ZFS root file-system support and again when using the aging UFS file-system. Ubuntu 18.04.2 LTS with the Linux 4.18 kernel was used when testing its default EXT4 file-system and then again when using the Ubuntu-ZFS ZoL support. Via the Phoronix Test Suite various BSD/Linux I/O benchmarks were carried out. Overall, the FreeBSD ZFS On Linux port is looking good so far and we are looking forward to it hopefully maturing in time for FreeBSD 13.0. Nice job to iX Systems and all of those involved, especially the ZFS On Linux project. Those wanting to help in testing can try the FreeBSD ZoL spins. Stay tuned for more benchmarks and on more diverse hardware as time allows and the FreeBSD ZoL support further matures, but so far at least the performance numbers are in good shape. 
DragonFlyBSD 5.4.2 is out Upgrading guide ```The normal ISO and IMG files are available for download and install, plus an uncompressed ISO image for those installing remotely. I uploaded them to mirror-master.dragonflybsd.org last night so they should be at your local mirror or will be soon. This version includes Matt's fix for the HAMMER2 corruption bug he identified recently.``` If you have an existing 5.4 system and are running a generic kernel, the normal upgrade process will work.``` ```> cd /usr/src ``` git pull ``` ```And then rebuild: (in /usr/src ) ``` ``` ```> make buildkernel ``` make installkernel ``` ```> make upgrade ``` ``` ``` ``` (reboot) ``` ```> make initrd ``` ``` ``` ``` pkg update > pkg upgrade``` News Roundup Containing web services with iocell I'm a huge fan of the FreeBSD jails feature. It is a great system for splitting services into logical units with all the performance of the bare metal system. In fact, this very site runs in its own jail! If this is starting to sound like LXC or Docker, it might surprise you to learn that OS-level virtualization has existed for quite some time. Kudos to the Linux folks for finally getting around to it. 😛 If you're interested in the history behind Jails, there is an excellent talk from Papers We Love on the subject: https://www.youtube.com/watch?v=hgN8pCMLI2U Getting started There are plenty of options when it comes to setting up the jail system. Ezjail and Iocage seem popular, or you could do things manually. Iocage was recently rewritten in python, but was originally a set of shell scripts. That version has since been forked under the name Iocell, and I think it's pretty neat, so this tutorial will be using Iocell. 
To start, you'll need the following: A FreeBSD install (we'll be using 11.0) The iocell package (available as a package, also in the ports tree) A ZFS pool for hosting the jails Once you have installed iocell and configured your ZFS pool, you'll need to run a few commands before creating your first jail. First, tell iocell which ZFS pool to use by issuing iocell activate $POOLNAME. Iocell will create a few datasets. As you can imagine, your jails are contained within the /iocell/jails dataset. The /iocell/releases dataset is used for storing the next command we need to run, iocell fetch. Iocell will ask you which release you'd like to pull down. Since we're running 11.0 on the host, pick 11.0-RELEASE. Iocell will download the necessary txz files and unpack them in /iocell/releases. See Article for the rest of the walkthrough. Oracle Solaris 11.4 SRU8 Today we are releasing the SRU 8 for Oracle Solaris 11.4. It is available via 'pkg update' from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. This SRU introduces the following enhancements: Integration of 28060039 introduced an issue where any firmware update/query commands will log eereports and repeated execution of such commands led to faulty/degraded NIC. The issue has been addressed in this SRU. UCB (libucb, librpcsoc, libdbm, libtermcap, and libcurses) libraries have been reinstated for Oracle Solaris 11.4 Re-introduction of the service fc-fabric. 
ibus has been updated to 1.5.19 The following components have also been updated to address security issues: NTP has been updated to 4.2.8p12 Firefox has been updated to 60.6.0esr BIND has been updated to 9.11.6 OpenSSL has been updated to 1.0.2r MySQL has been updated to 5.6.43 & 5.7.25 libxml2 has been updated to 2.9.9 libxslt has been updated to 1.1.33 Wireshark has been updated to 2.6.7 ncurses has been updated to 6.1.0.20190105 Apache Web Server has been updated to 2.4.38 perl 5.22 pkg.depot The Problem with SSH Agent Forwarding After hacking the matrix.org website today, the attacker opened a series of GitHub issues mentioning the flaws he discovered. In one of those issues, he mentions that “complete compromise could have been avoided if developers were prohibited from using [SSH agent forwarding].” Here’s what man ssh_config has to say about ForwardAgent: "Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent."" Simply put: if your jump box is compromised and you use SSH agent forwarding to connect to another machine through it, then you risk also compromising the target machine! Instead, you should use either ProxyCommand or ProxyJump (added in OpenSSH 7.3). That way, ssh will forward the TCP connection to the target host via the jump box and the actual connection will be made on your workstation. If someone on the jump box tries to MITM your connection, then you will be warned by ssh. [OpenBSD Upgrade Guide: 6.4 to 6.5 Start by performing the pre-upgrade steps. 
Next, boot from the install kernel, bsd.rd: use bootable install media, or place the 6.5 version of bsd.rd in the root of your filesystem and instruct the boot loader to boot this kernel. Once this kernel is booted, choose the (U)pgrade option and follow the prompts. Apply the configuration changes and remove the old files. Finish up by upgrading the packages: pkg_add -u. Alternatively, you can use the manual upgrade process. You may wish to check the errata page or upgrade to the stable branch to get any post-release fixes.

Before rebooting into the install kernel
Configuration and syntax changes
Files to remove
Special packages
Upgrade without the install kernel

Beastie Bits

2019 FreeBSD Community Survey
Seagate runs Mach.2 demo on FreeBSD
FreeBSD: Resizing and Growing Disks
Loading 4.9 on an old Tandy 4025LX - 386, 16MB, 1GB HD. Good old external SCSI CD
OS108 MATE 20190422 released

Feedback/Questions

Casey - Oklahoma City & James Michael - Question on SAS backplane (camcontrol?)
Ales - OpenBSD, FreeNAS, OpenZFS questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
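For the SSH agent forwarding item in the show notes above, this added example (not from the show notes or the linked article) scans ssh_config text for blocks that turn on ForwardAgent. The sample config is constructed, with placeholder host names, and sets the weak setting beside the ProxyJump and ProxyCommand alternatives the item recommends.

```python
import re

# Constructed sample ~/.ssh/config; all host names are placeholders.
SAMPLE_CONFIG = """\
# Weak: the agent socket becomes reachable on the jump box
Host jump-with-agent
    HostName jump.example.org
    ForwardAgent yes

# Preferred: the jump box only relays TCP; SSH terminates on the workstation
Host target-via-jump
    HostName target.internal.example.org
    ProxyJump jump.example.org

Host legacy-target
    HostName legacy.internal.example.org
    ProxyCommand ssh -W %h:%p jump.example.org
    ForwardAgent=no
"""

# ssh_config accepts both "Keyword value" and "Keyword=value"
LINE_RE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")

def parse_blocks(text):
    """Split ssh_config text into (header, {keyword: value}) blocks."""
    blocks = [("(global)", {})]
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE_RE.fullmatch(line)
        if not line or line.startswith("#") or not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((f"{key} {value}", {}))
        else:
            # ssh uses the first value it obtains, so keep the first one seen
            blocks[-1][1].setdefault(key, value)
    return blocks

def audit(text):
    """Return the headers of blocks that turn agent forwarding on."""
    # Any value other than "no" makes an agent available to the remote host
    return [header for header, opts in parse_blocks(text)
            if opts.get("forwardagent", "no").lower() != "no"]

if __name__ == "__main__":
    for header in audit(SAMPLE_CONFIG):
        print(f"{header}: ForwardAgent is on; prefer ProxyJump or ProxyCommand")
```

This is a static, per-block check; `ssh -G <host>` prints the effective value for one host after Host and Match blocks are evaluated.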
May 8, 2019 • 0sec

Fear, Uncertainty, and .NET | Coder Radio 356

.NET 5 has been announced and brings a new unified future to the platform. We dig in to Microsoft's plans and speculate about what they might mean for F#. Plus the value of manual testing, Visual Studio Code Remote, and Conway's Game of Life in Rust.

Links:
Feedback: Testing as a Career
Feedback: Keeping up with Documentation
ruby/rdoc — RDoc produces HTML and command-line documentation for Ruby projects.
Javadoc — Javadoc is a documentation generator created by Sun Microsystems for the Java language for generating API documentation in HTML format from Java source code.
Literate programming — Literate programming is a programming paradigm introduced by Donald Knuth in which a program is given as an explanation of the program logic in a natural language, such as English, interspersed with snippets of macros and traditional source code, from which a compilable source code can be generated.
Literate Programming — Writing a literate program is a lot more work than writing a normal program. After all, who ever documents their programs in the first place!? Moreover, who documents them in a pedagogical style that is easy to understand? And finally, who ever provides commentary on the theory and design issues behind the code as they write the documentation?
A tutorial that implements Conway's Game of Life in Rust and WebAssembly. — This tutorial is for anyone who already has basic Rust and JavaScript experience, and wants to learn how to use Rust, WebAssembly, and JavaScript together.
JupiterBroadcasting/Talks — Public repository of crew talks, slides, and additional resources.
Visual Studio Code Remote Development — Visual Studio Code Remote Development allows you to use a container, remote machine, or the Windows Subsystem for Linux (WSL) as a full-featured development environment.
Remote Development - Visual Studio Marketplace
Introducing .NET 5 — There will be just one .NET going forward, and you will be able to use it to target Windows, Linux, macOS, iOS, Android, tvOS, watchOS and WebAssembly and more.
The Friday Stream — Our crew from all over the world share stories, make new friends, and give each other a hard time live.
May 7, 2019 • 0sec

Ultimate Fedora Test | LINUX Unplugged 300

Is Fedora 30 the peak release of this distribution? We put it through the ultimate test, live on the air, and put everything on the line. Plus Red Hat’s new logo, Dell’s new Linux workstations, and meet a new member of our crew.

Special Guests: Alex Kretzschmar, Brent Gervais, and Neal Gompa.

Links:
I made a smart watch from scratch — I decided sometime last year that I wanted to make a smart watch from scratch. I am an electrical engineer and product designer by day, so this was a fun side project that had been rolling around in my head for a while now.
smarchWatch_PUBLIC on GitHub
We’ve launched new corporate brand and logo system - Red Hat
New hat, same vision video — We are Red Hat. We believe that transparency, sharing, and collaboration are the best ways to create better technology..and logos. See the transformation of the Red Hat logo.
Canonical Releases "WLCS" Wayland Conformance Suite 1.0 — As part of their Wayland interests and namely as part of developing Mir now with Wayland support, for a while they have been working on the "Wayland Conformance Suite" for testing the Wayland protocols for conformance to the specifications. This is for ensuring Wayland compositors behave correctly against the intentions of the protocols.
Wayland Conformance Test Suite on GitHub — wlcs aspires to be a protocol-conformance-verifying test suite usable by Wayland compositor implementors.
L4T Ubuntu - A fully featured linux on your switch — L4T Ubuntu is a version of Linux based on nvidia's linux for tegra project. It uses a different kernel compared to previous releases which allows it to use features not yet in mainline. Such as audio, docking support and vulkan.
JoyCon Jig on Amazon
JupiterBroadcasting/Talks: Public repository of crew talks, slides, and additional resources. — We'll be updating this with slides and additional audio files as they become available.
Changes/FlickerFreeBoot - Fedora Project Wiki — Make Fedora Workstation boot graphically smooth, without the display briefly turning off and without any abrupt graphical transitions.
Releases/30/ChangeSet - Fedora Project Wiki — These changes have been accepted by the Fedora Engineering Steering Committee for the Fedora 30 Release as System Wide Changes.
Security Lab — The Fedora Security Lab provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.
Fedora LXQt Desktop — Fedora LXQt provides a lightweight, well-integrated LXQt desktop environment. In addition to LXQt itself it provides a small, well selected collection of applications like the QupZilla browser, which combines Chromium's rendering engine with a nice Qt experience.
Fedora Silverblue Documentation — Fedora Silverblue is an immutable desktop operating system. Aiming at good support for container-focused workflows, this variant of Fedora Workstation targets developer communities.
My 30 days with Fedora 29 Silverblue — Silverblue is a Fedora variant that uses OStree and Flatpak instead of dnf. So basically you've got an immutable (read-only) system image built with OStree.
Fedora Python Classroom — The Python Classroom lab is shipped as a live operating system. It's everything you need to try out Fedora's Python Classroom - you don't have to erase anything on your current system to try it out, and it won't put your files at risk.
Buku: Browser-independent bookmark manager — buku is a powerful bookmark manager written in Python3 and SQLite3.
Sysctl Explorer — Sysctl Explorer is an initiative to facilitate the access of Linux' sysctl reference documentation. This is a work in progress and you may consider this increment as a Minimum viable product (MVP) version.
termshark: A terminal UI for tshark, inspired by Wireshark — If you're debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!
Upgrading Fedora 29 to Fedora 30
