SlideShare una empresa de Scribd logo

Lavigne bsdmag-jan2012

Dru Lavigne
Dru Lavigne

FreeBSD 9.0 introduces many new security, compiler, filesystem, networking, and other features. Key additions include the Capsicum security framework, LLVM/Clang compilers, ZFSv28 with deduplication and triple parity RAIDZ, resource accounting and limits, IPv6 support improvements, and performance enhancements to SSH, USB 3.0, and NFS.

Tecnología
1 de 4
Descargar para leer sin conexión
What’s New in FreeBSD 9.0 This article provides an overview of some of the new features available in FreeBSD 9.0. F reeBSD 9.0-RELEASE introduces many new permissions and mandatory access control policies. features which benefit FreeBSD users, application However, they cannot protect the user when an developers, and companies that use or base their application, such as a web browser, processes many products on FreeBSD. This article provides an overview of potentially malicious inputs, such as HTML, scripting some of these features, including references to additional languages, and untrusted images. Capsicum provides information. It does not list all of the new features as the application developers fine-grained control over files and FreeBSD 9.0 Detailed Release Notes, available from network sockets to provide privilege separation within an freebsd.org, contains a summary of all the changes application, with minimal code changes. In other words, introduced in 9.0. it provides application compartmentalisation, allowing This article discusses features in the following the application itself to provide many different sandboxes categories: security, compilers and testing frame- to contain its various elements. As an example, each works, filesystems and storage, networking, and miscel- tab in the Chromium browser has its own sandbox; it is laneous. also possible to contain each image in its own sandbox. Creating sandboxes under Capsicum does not require Security privilege, a key problem with current UNIX sandbox Capsicum Framework approaches. Capsicum is a lightweight framework which extends a As an example, the insecure tcpdump application can POSIX UNIX kernel to support new security capabilities be sandboxed with Capsicum in about 10 lines of code and adds a userland sandbox API. It was originally and the Chromium web browser can be sandboxed developed as a collaboration between the University of in about 100 lines of code. capsicum(4) provides an Cambridge Computer Laboratory and Google, sponsored overview of the available system calls. More information, by a grant from Google, with FreeBSD as the prototype including links to technical publications, projects, and a platform and Chromium as the prototype application. mailing list, can be found at the Capsicum website: http:// FreeBSD 9.0 provides kernel support as an experimental www.cl.cam.ac.uk/research/security/capsicum/. feature for researchers and early adopters. Application support will follow in a later FreeBSD release and there Resource Limits are plans to provide some initial Capsicum-protected rctl(8) has been added to the system, allowing the user to applications in FreeBSD 9.1. display the current resource limits and to define what action Traditional access control frameworks are designed will occur when a process exceeds it limits. Resource rules to protect users from each other through the use of can be applied to processes, users, login classes, or jails. 6 01/2012
What’s New in FreeBSD 9.0 The racct API tracks per-process, per-jail, per-loginclass, providing a much better picture of what exactly is going on and per-user resource accounting information. More behind the scenes. information about resource limits and rctl can be found at http://wiki.freebsd.org/DTrace provides examples for http://wiki.freebsd.org/Hierarchical_Resource_Limits. using both kernel- and user-level DTrace on FreeBSD, as well as links to other DTrace resources. Compilers and Testing Frameworks LLVM Compiler Infrastructure Filesystems and Storage LLVM is a BSD-licensed Highly Avaliable Storage (HAST) compiler infrastructure with The Highly Available Storage framework allows for similar capabilities to the synchronous, block-level replication of any storage media GPL3-licensed GCC compiler across several physically separated machines connected collection. Clang is the C, C++, by a TCP/IP network. HAST can be understood as a Objective C, and Objective network-based mirror, similar to Linux DRBD. When C++ front-end to LLVM combined with FreeBSD’s carp(4), HAST makes it possible and provides an alternative to build a highly available storage cluster that is resistant to programming environment for hardware failures. developers and companies HAST is file system and application independent and who prefer to use a BSD- can be combined with any existing GEOM class. In case licensed toolchain. of a primary node failure, the cluster will automatically In addition to being BSD- switch to the secondary node, check and mount the UFS licensed, Clang improves developer file system or import the ZFS pool, and continue to work productivity with significantly improved without missing a single bit of data. error messages and a static code analyzer. The FreeBSD Handbook describes how to configure HAST: The compiler is easily extendable to support research on http://www.freebsd.org/doc/handbook/disks-hast.html. new language features or code instrumentation. Beginning with FreeBSD 9.0, the FreeBSD kernel SU+J and world can be compiled using Clang on most of the Journaled softupdates for UFS is now the default filesystem supported architectures. Work is ongoing to migrate type. It adds a light version of journaling to soft updates as the ports infrastructure so that any port can also be described in this technical paper: http://www.mckusick.com/ compiled with Clang. Details about architecture support, BSDCan/bsdcan2010.pdf. This significantly reduces boot link time optimizations, automatic test generation, time after an improper shutdown as a background fsck only and links to additional resources can be found at needs to be run if there is a corruption of the journal log. http://wiki.freebsd.org/BuildingFreeBSDWithClang. More information about Clang can be found at http:// ZFSv28 clang.llvm.org/ and more information about LLVM is FreeBSD 9.0 ships with ZFSv28. This version of ZFS available from http://www.llvm.org/. adds the following features: A video of Brooks Davis describing how the FreeBSD Project has been actively working to incorporate tools from • deduplication: the process of eliminating duplicate the LLVM project into the base system is available at http:// copies of data. When enabled on datasets with www.youtube.com/watch?v=yVaNAm8jR_U. You can follow duplicate data (for example, virtual images or jails), the status of the ports infrastructure with regards to Clang at deduplication saves space and increases performance http://wiki.freebsd.org/PortsAndClang. because less data is written and stored. • triple parity RAIDZ: RAIDZ3 offers three parity Userland Ttrace drives and can operate in degraded mode if up to DTrace is a general purpose, lightweight tracing three drives fail with no restrictions on which drives framework that allows administrators, developers, can fail. and users to investigate causes of system failure or • zfs diff: command which describes which file performance bottlenecks. FreeBSD introduced kernel- system level changes have occurred between two level DTrace support in FreeBSD 8.0. The addition of snapshots. user-level DTrace suppport in 9.0 allows inspection of • zpool split: allows an administrator to extract one disk userland software and its correlation with the kernel, thus from each mirrored top-level vdev and use them to www.bsdmag.org 7
create a new pool with an exact copy of the data. The would otherwise be spent handling timer interrupts which new pool can then be imported on any machine. have no work assigned to them. Tickless mode can be turned • snapshot holds: permit users or applications to place off by setting the sysctl value of kern.eventtimer.periodic to holds on snapshots to prevent them from being 1. Technical details about dynamic tick mode can be found deleted. at http://permalink.gmane.org/gmane.os.freebsd.architecht • zpool import -F: allows the administrator to rewind a ure/13276. corrupted pool to an earlier transaction group. • the ability to import zpool as read-only. Networking Five New TCP Congestion Control Algorithms Generic GEOM I/O Scheduler Framework The Centre for Advanced Internet Architectures at This framework supports scheduling disk I/O requests in Swinburne University of Technology, with the support of the a device independent manner in order to support multiple Cisco University Research Program Fund at Community disk I/O schedulers to be used on different I/O providers. Foundation Silicon Valley and the FreeBSD Foundation, The framework provides a couple of sample scheduling delivered enhancements to FreeBSD’s TCP stack in order algorithms that use the framework and implements two to support newer congestion control algorithms. These forms of anticipatory scheduling. enhancements included a modular framework for adding The ability to create different I/O schedulers allows future algorithms as well as new modular implementations users to select the I/O scheduler best suited to the task. of the H-TCP, CUBIC, Vegas, HD, and CHD algorithms. This can increase responsiveness in certain kinds of I/O Each congestion control algorithm is implemented as a workloads, such as a mix of sequential and random I/O. loadable kernel module. Algorithms can be selected to suit Examples of how to use the provided schedulers can be the application/network characteristics and requirements found at http://svnweb.freebsd.org/base/head/sys/geom/ of the host’s installation. The modular framework makes it sched/README?view=markup&pathrev=206497. much easier for developers to implement new algorithms, allowing FreeBSD’s TCP stack to be at the forefront of Changes to CAM and AHCI SATA advancements in this area, while still maintaining the The new ATA/SATA driver supports AHCI-compliant stability of its network stack. hardware, port multipliers, and NCQ (tagged queueing) Links to technical papers regarding the framework for increased performance on modern SATA drives. and algorithms can be found at http://caia.swin.edu.au/ Performance has been greatly increased, larger data freebsd/5cc/. transfers are supported, and hot-plugging support is much improved. ATA/SATA drives can now can be “IPv6-Only” enumerated and manipulated via camcontrol(8), just like FreeBSD has been on the leading edge of IPv6 SCSI drives. development ever since FreeBSD 4.0 was released in The cam(4) subsystem is now modularized and the 2000 with the KAME reference implementation of IPv4/ addition of the ATA/SATA modules allows the CAM IPv6 networking support. In addition, the FreeBSD Project subsystem to grow into a framework for arbitrary has been serving releases from IPv6-enabled servers for transports and protocols. It also allows drivers to be more than 8 years and FreeBSD’s website, mailing lists, written to support discrete hardware without jeopardizing and developer infrastructure have been IPv6-enabled the stability of non-related hardware. since 2007. Beginning with FreeBSD 9.0, no-IPv4 snapshots of Changes to Event Timer Infrastructure FreeBSD are available. By completely decoupling IPv6 The new event timers infrastructure provides unified from IPv4, early adopters and developers can determine APIs for writing event timer drivers and for choosing the if “IPv6-ready” applications really are ready for IPv6 or if best possible drivers by machine independent code. It bugs were hidden due to the ability to fallback on IPv4. provides support for both per-CPU and global timers in Providing an implementation of an IPv6-only kernel periodic and one-shot modes for the i386 and amd64 without IPv4 support provides the FreeBSD Project architectures. with the ability to test and fix such regressions while To improve performance in virtual machines and power encouraging other software developers to improve their usage in laptops, dynamic tick mode is enabled by default, code for true IPv6 readiness. More information about replacing the periodic hardware timer interrupt ticking with no-IPv4 versions of FreeBSD is available from http:// one-shot variable-time ticks. This saves CPU time which www.freebsd.org/ipv6/. 8 01/2012
What’s New in FreeBSD 9.0 To support IPv6-only, rtadvd(8) and rtsold(8) were • sysinstall has been replaced with bsdinstall. Its features completely overhauled to support RFC 6106. rtsold are described at http://wiki.freebsd.org/BSDInstall and can now update /etc/resolv.conf using the openresolv its usage is detailed in the FreeBSD Handbook: http:// DNS management framework (http://roy.marples.name/ www.freebsd.org/doc/en_US.ISO8859-1/books/hand projects/openresolv). An optional kernel module is book/bsdinstall.html. available to provide Secure Neighbor Discovery protocol • the kernel now supports a new textdump(4) format (SeND) support; SeND is described in RFC 3971. of kernel dumps. A textdump provides higher-level Continuing earlier efforts, more global options can now information via mechanically generated/extracted be controlled on a per-interface base, such as the ability debugging output, rather than a simple memory to accept router advertisements on one interface while still dump. This facility can be used to generate brief forwarding. This is needed to effectively run FreeBSD as kernel bug reports that are rich in debugging an IPv6 CPE device. The single /etc/rc.conf option ipv6_ information, but are not dependent on kernel symbol cpe_wanif will correctly set all sysctls and interface options tables or precisely synchronized source code. to make creating a CPE as easy as possible. • FreeBSD 9.0 can be installed on the Sony Playstation 3 using the instructions at http://people.freebsd.org/ High Performance SSH (HPN-SSH) ~nwhitehorn/ps3/README. OpenSSH is network performance limited by statically • call and return rule actions were added to ipfw(8): defined internal flow control buffers. These buffers often http://svnweb.freebsd.org/base?view=revision&revisi end up acting as a bottleneck for network throughput on=223666. of SCP, especially on long and high bandwith network links. HPN-SSH adds support for dynamically adjusted Conclusion buffers to allow the full use of the bandwidth of long fat With the release of FreeBSD 9.0, the FreeBSD Project pipes such as 100Mbps or greater, trans-oceanic, or continues to innovate in the areas of security, compilers, trans-continental links. Bandwidth-delay products up to filesystems, and networking. You can find out more 64MB are also supported. This implementation includes information about the FreeBSD Project and download a multithreaded cipher implementation which makes such FreeBSD 9.0 from freebsd.org. bandwidth sustainable on the CPU side. HPN is enabled by default in FreeBSD 9.0’s sshd and several HPN options have been added to /etc/ssh/sshd_ config. These options, as well as some performance tips, are described in http://svnweb.freebsd.org/base/head/ crypto/openssh/README.hpn?revision=224638&view= markup. Miscellaneous Several other features are also worth mentioning: • large-scale SMP support for systems with more than 32 CPUs. Previously, the kernel structures DRU LAVIGNE were unable to account for such a large number of Dru Lavigne is author of BSD Hacks, The Best of FreeBSD CPUs so this method implements extensible CPU Basics, and The De�nitive Guide to PC-BSD. As Director of accounting. Yahoo! provided systems for testing Community Development for the PC-BSD Project, she leads the these changes. documentation team, assists new users, helps to �nd and �x • improved USB 3.0 support. bugs, and reaches out to the community to discover their needs. • the default NFS client and nfsd(8) now support She is the former Managing Editor of the Open Source Business NFSv4. Backwards compatibility for older NFS clients Resource, a free monthly publication covering open source and is provided with the oldnfs mount type. the commercialization of open source assets. She is founder and • a new kernel-mode NFS lock manager has been current Chair of the BSD Certi�cation Group Inc., a non-pro�t added, improving performance and behavior of NFS organization with a mission to create the standard for certifying locking. A new clear_locks(8) command has been BSD system administrators, and serves on the Board of the added to clear locks held on behalf of an NFS client. FreeBSD Foundation. www.bsdmag.org 9

Recomendados

Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
Dru Lavigne
 
Fsoss2011
Fsoss2011Fsoss2011
Fsoss2011
Dru Lavigne
 
Flourish11
Flourish11Flourish11
Flourish11
Dru Lavigne
 
Oclug 2010
Oclug 2010Oclug 2010
Oclug 2010
Dru Lavigne
 
Scale 2010: BSD for Linux Users
Scale 2010: BSD for Linux UsersScale 2010: BSD for Linux Users
Scale 2010: BSD for Linux Users
Dru Lavigne
 
Lavigne bsdmag sept12
Lavigne bsdmag sept12Lavigne bsdmag sept12
Lavigne bsdmag sept12
Dru Lavigne
 
Posscon2013
Posscon2013Posscon2013
Posscon2013
Dru Lavigne
 
Olf2012
Olf2012Olf2012
Olf2012
Dru Lavigne
 

Recomendados

Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
Dru Lavigne
 
Fsoss2011
Fsoss2011Fsoss2011
Fsoss2011
Dru Lavigne
 
Flourish11
Flourish11Flourish11
Flourish11
Dru Lavigne
 
Oclug 2010
Oclug 2010Oclug 2010
Oclug 2010
Dru Lavigne
 
Scale 2010: BSD for Linux Users
Scale 2010: BSD for Linux UsersScale 2010: BSD for Linux Users
Scale 2010: BSD for Linux Users
Dru Lavigne
 
Lavigne bsdmag sept12
Lavigne bsdmag sept12Lavigne bsdmag sept12
Lavigne bsdmag sept12
Dru Lavigne
 
Posscon2013
Posscon2013Posscon2013
Posscon2013
Dru Lavigne
 
Olf2012
Olf2012Olf2012
Olf2012
Dru Lavigne
 
Sweden11
Sweden11Sweden11
Sweden11
Dru Lavigne
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
Dru Lavigne
 
Lavigne aug11 bsdmag
Lavigne aug11 bsdmagLavigne aug11 bsdmag
Lavigne aug11 bsdmag
Dru Lavigne
 
Lavigne bsdmag-jan13
Lavigne bsdmag-jan13Lavigne bsdmag-jan13
Lavigne bsdmag-jan13
Dru Lavigne
 
SELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux UsersSELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux Users
Dru Lavigne
 
Fsoss12
Fsoss12Fsoss12
Fsoss12
Dru Lavigne
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
Dru Lavigne
 
Tlf2013
Tlf2013Tlf2013
Tlf2013
Dru Lavigne
 
Asiabsdcon15
Asiabsdcon15Asiabsdcon15
Asiabsdcon15
Dru Lavigne
 
Bsd ss
Bsd ssBsd ss
Bsd ss
Dru Lavigne
 
Olf2013
Olf2013Olf2013
Olf2013
Dru Lavigne
 
Lavigne bsdmag apr13
Lavigne bsdmag apr13Lavigne bsdmag apr13
Lavigne bsdmag apr13
Dru Lavigne
 
Ilf2012
Ilf2012Ilf2012
Ilf2012
Dru Lavigne
 
Scale9x sun
Scale9x sunScale9x sun
Scale9x sun
Dru Lavigne
 
olf10
olf10olf10
olf10
Dru Lavigne
 
Nelf2013
Nelf2013Nelf2013
Nelf2013
Dru Lavigne
 
Article may11 bsdmag
Article may11 bsdmagArticle may11 bsdmag
Article may11 bsdmag
Dru Lavigne
 
Nycbsdcon14
Nycbsdcon14Nycbsdcon14
Nycbsdcon14
Dru Lavigne
 
Lavigne bsdmag march12
Lavigne bsdmag march12Lavigne bsdmag march12
Lavigne bsdmag march12
Dru Lavigne
 
Asiabsdcon14
Asiabsdcon14Asiabsdcon14
Asiabsdcon14
Dru Lavigne
 
Containers for Lawyers Richard Fontana
Containers for Lawyers Richard FontanaContainers for Lawyers Richard Fontana
Containers for Lawyers Richard Fontana
Black Duck by Synopsys
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
David Sweigert
 

Más contenido relacionado

La actualidad más candente

Lavigne bsdmag-jan13
Lavigne bsdmag-jan13Lavigne bsdmag-jan13
Lavigne bsdmag-jan13
Dru Lavigne
 

La actualidad más candente (20)

Sweden11
Sweden11Sweden11
Sweden11
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
 
Lavigne aug11 bsdmag
Lavigne aug11 bsdmagLavigne aug11 bsdmag
Lavigne aug11 bsdmag
 
Lavigne bsdmag-jan13
Lavigne bsdmag-jan13Lavigne bsdmag-jan13
Lavigne bsdmag-jan13
 
SELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux UsersSELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux Users
 
Fsoss12
Fsoss12Fsoss12
Fsoss12
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
 
Tlf2013
Tlf2013Tlf2013
Tlf2013
 
Asiabsdcon15
Asiabsdcon15Asiabsdcon15
Asiabsdcon15
 
Bsd ss
Bsd ssBsd ss
Bsd ss
 
Olf2013
Olf2013Olf2013
Olf2013
 
Lavigne bsdmag apr13
Lavigne bsdmag apr13Lavigne bsdmag apr13
Lavigne bsdmag apr13
 
Ilf2012
Ilf2012Ilf2012
Ilf2012
 
Scale9x sun
Scale9x sunScale9x sun
Scale9x sun
 
olf10
olf10olf10
olf10
 
Nelf2013
Nelf2013Nelf2013
Nelf2013
 
Article may11 bsdmag
Article may11 bsdmagArticle may11 bsdmag
Article may11 bsdmag
 
Nycbsdcon14
Nycbsdcon14Nycbsdcon14
Nycbsdcon14
 
Lavigne bsdmag march12
Lavigne bsdmag march12Lavigne bsdmag march12
Lavigne bsdmag march12
 
Asiabsdcon14
Asiabsdcon14Asiabsdcon14
Asiabsdcon14
 

Similar a Lavigne bsdmag-jan2012

18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]
18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]
18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]
Krisman Tarigan
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
jasembo
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
kanedafromparis
 
LINBIT_HA_Business_Apr2016
LINBIT_HA_Business_Apr2016LINBIT_HA_Business_Apr2016
LINBIT_HA_Business_Apr2016
Alexandre Huynh
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Walid Shaari
 
Open solaris customer presentation
Open solaris customer presentationOpen solaris customer presentation
Open solaris customer presentation
xKinAnx
 

Similar a Lavigne bsdmag-jan2012 (20)

Containers for Lawyers Richard Fontana
Containers for Lawyers Richard FontanaContainers for Lawyers Richard Fontana
Containers for Lawyers Richard Fontana
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]
18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]
18587936 squid-proxy-configuration-guide - [the-xp.blogspot.com]
 
Rhel7 vs rhel6
Rhel7 vs rhel6Rhel7 vs rhel6
Rhel7 vs rhel6
 
Tlf2012
Tlf2012Tlf2012
Tlf2012
 
Scaleable PHP Applications in Kubernetes
Scaleable PHP Applications in KubernetesScaleable PHP Applications in Kubernetes
Scaleable PHP Applications in Kubernetes
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Project on squid proxy in rhel 6
Project on squid proxy in rhel 6
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
 
Piattaforma Web Linux completa dai sorgenti
Piattaforma Web Linux completa dai sorgentiPiattaforma Web Linux completa dai sorgenti
Piattaforma Web Linux completa dai sorgenti
 
LINBIT_HA_Business_Apr2016
LINBIT_HA_Business_Apr2016LINBIT_HA_Business_Apr2016
LINBIT_HA_Business_Apr2016
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
Why containers
Why containersWhy containers
Why containers
 
Open solaris customer presentation
Open solaris customer presentationOpen solaris customer presentation
Open solaris customer presentation
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Nelf2012
Nelf2012Nelf2012
Nelf2012
 

Más de Dru Lavigne

Más de Dru Lavigne (20)

Olf2018
Olf2018Olf2018
Olf2018
 
Olf2017
Olf2017Olf2017
Olf2017
 
FreeBSD System Administration Using SysAdm
FreeBSD System Administration Using SysAdmFreeBSD System Administration Using SysAdm
FreeBSD System Administration Using SysAdm
 
Asiabsdcon2017
Asiabsdcon2017Asiabsdcon2017
Asiabsdcon2017
 
Olf2016
Olf2016Olf2016
Olf2016
 
Tlf2016
Tlf2016Tlf2016
Tlf2016
 
Knoxbug2016
Knoxbug2016Knoxbug2016
Knoxbug2016
 
Lfnw2016
Lfnw2016Lfnw2016
Lfnw2016
 
Flourish16
Flourish16Flourish16
Flourish16
 
Scale2016
Scale2016Scale2016
Scale2016
 
Fossetcon15
Fossetcon15Fossetcon15
Fossetcon15
 
Lfnw15
Lfnw15Lfnw15
Lfnw15
 
Scale2015
Scale2015Scale2015
Scale2015
 
Olf2014
Olf2014Olf2014
Olf2014
 
Ghc14
Ghc14Ghc14
Ghc14
 
Fossetcon14
Fossetcon14Fossetcon14
Fossetcon14
 
Tlf2014
Tlf2014Tlf2014
Tlf2014
 
Asiabsdcon14 lavigne
Asiabsdcon14 lavigneAsiabsdcon14 lavigne
Asiabsdcon14 lavigne
 
Scale2014
Scale2014Scale2014
Scale2014
 
Dru lavigne oss-sysadmin
Dru lavigne oss-sysadminDru lavigne oss-sysadmin
Dru lavigne oss-sysadmin
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Lavigne bsdmag-jan2012

  • 1. What’s New in FreeBSD 9.0 This article provides an overview of some of the new features available in FreeBSD 9.0. F reeBSD 9.0-RELEASE introduces many new permissions and mandatory access control policies. features which benefit FreeBSD users, application However, they cannot protect the user when an developers, and companies that use or base their application, such as a web browser, processes many products on FreeBSD. This article provides an overview of potentially malicious inputs, such as HTML, scripting some of these features, including references to additional languages, and untrusted images. Capsicum provides information. It does not list all of the new features as the application developers fine-grained control over files and FreeBSD 9.0 Detailed Release Notes, available from network sockets to provide privilege separation within an freebsd.org, contains a summary of all the changes application, with minimal code changes. In other words, introduced in 9.0. it provides application compartmentalisation, allowing This article discusses features in the following the application itself to provide many different sandboxes categories: security, compilers and testing frame- to contain its various elements. As an example, each works, filesystems and storage, networking, and miscel- tab in the Chromium browser has its own sandbox; it is laneous. also possible to contain each image in its own sandbox. Creating sandboxes under Capsicum does not require Security privilege, a key problem with current UNIX sandbox Capsicum Framework approaches. Capsicum is a lightweight framework which extends a As an example, the insecure tcpdump application can POSIX UNIX kernel to support new security capabilities be sandboxed with Capsicum in about 10 lines of code and adds a userland sandbox API. It was originally and the Chromium web browser can be sandboxed developed as a collaboration between the University of in about 100 lines of code. capsicum(4) provides an Cambridge Computer Laboratory and Google, sponsored overview of the available system calls. More information, by a grant from Google, with FreeBSD as the prototype including links to technical publications, projects, and a platform and Chromium as the prototype application. mailing list, can be found at the Capsicum website: http:// FreeBSD 9.0 provides kernel support as an experimental www.cl.cam.ac.uk/research/security/capsicum/. feature for researchers and early adopters. Application support will follow in a later FreeBSD release and there Resource Limits are plans to provide some initial Capsicum-protected rctl(8) has been added to the system, allowing the user to applications in FreeBSD 9.1. display the current resource limits and to define what action Traditional access control frameworks are designed will occur when a process exceeds it limits. Resource rules to protect users from each other through the use of can be applied to processes, users, login classes, or jails. 6 01/2012
  • 2. What’s New in FreeBSD 9.0 The racct API tracks per-process, per-jail, per-loginclass, providing a much better picture of what exactly is going on and per-user resource accounting information. More behind the scenes. information about resource limits and rctl can be found at http://wiki.freebsd.org/DTrace provides examples for http://wiki.freebsd.org/Hierarchical_Resource_Limits. using both kernel- and user-level DTrace on FreeBSD, as well as links to other DTrace resources. Compilers and Testing Frameworks LLVM Compiler Infrastructure Filesystems and Storage LLVM is a BSD-licensed Highly Avaliable Storage (HAST) compiler infrastructure with The Highly Available Storage framework allows for similar capabilities to the synchronous, block-level replication of any storage media GPL3-licensed GCC compiler across several physically separated machines connected collection. Clang is the C, C++, by a TCP/IP network. HAST can be understood as a Objective C, and Objective network-based mirror, similar to Linux DRBD. When C++ front-end to LLVM combined with FreeBSD’s carp(4), HAST makes it possible and provides an alternative to build a highly available storage cluster that is resistant to programming environment for hardware failures. developers and companies HAST is file system and application independent and who prefer to use a BSD- can be combined with any existing GEOM class. In case licensed toolchain. of a primary node failure, the cluster will automatically In addition to being BSD- switch to the secondary node, check and mount the UFS licensed, Clang improves developer file system or import the ZFS pool, and continue to work productivity with significantly improved without missing a single bit of data. error messages and a static code analyzer. The FreeBSD Handbook describes how to configure HAST: The compiler is easily extendable to support research on http://www.freebsd.org/doc/handbook/disks-hast.html. new language features or code instrumentation. Beginning with FreeBSD 9.0, the FreeBSD kernel SU+J and world can be compiled using Clang on most of the Journaled softupdates for UFS is now the default filesystem supported architectures. Work is ongoing to migrate type. It adds a light version of journaling to soft updates as the ports infrastructure so that any port can also be described in this technical paper: http://www.mckusick.com/ compiled with Clang. Details about architecture support, BSDCan/bsdcan2010.pdf. This significantly reduces boot link time optimizations, automatic test generation, time after an improper shutdown as a background fsck only and links to additional resources can be found at needs to be run if there is a corruption of the journal log. http://wiki.freebsd.org/BuildingFreeBSDWithClang. More information about Clang can be found at http:// ZFSv28 clang.llvm.org/ and more information about LLVM is FreeBSD 9.0 ships with ZFSv28. This version of ZFS available from http://www.llvm.org/. adds the following features: A video of Brooks Davis describing how the FreeBSD Project has been actively working to incorporate tools from • deduplication: the process of eliminating duplicate the LLVM project into the base system is available at http:// copies of data. When enabled on datasets with www.youtube.com/watch?v=yVaNAm8jR_U. You can follow duplicate data (for example, virtual images or jails), the status of the ports infrastructure with regards to Clang at deduplication saves space and increases performance http://wiki.freebsd.org/PortsAndClang. because less data is written and stored. • triple parity RAIDZ: RAIDZ3 offers three parity Userland Ttrace drives and can operate in degraded mode if up to DTrace is a general purpose, lightweight tracing three drives fail with no restrictions on which drives framework that allows administrators, developers, can fail. and users to investigate causes of system failure or • zfs diff: command which describes which file performance bottlenecks. FreeBSD introduced kernel- system level changes have occurred between two level DTrace support in FreeBSD 8.0. The addition of snapshots. user-level DTrace suppport in 9.0 allows inspection of • zpool split: allows an administrator to extract one disk userland software and its correlation with the kernel, thus from each mirrored top-level vdev and use them to www.bsdmag.org 7
  • 3. create a new pool with an exact copy of the data. The would otherwise be spent handling timer interrupts which new pool can then be imported on any machine. have no work assigned to them. Tickless mode can be turned • snapshot holds: permit users or applications to place off by setting the sysctl value of kern.eventtimer.periodic to holds on snapshots to prevent them from being 1. Technical details about dynamic tick mode can be found deleted. at http://permalink.gmane.org/gmane.os.freebsd.architecht • zpool import -F: allows the administrator to rewind a ure/13276. corrupted pool to an earlier transaction group. • the ability to import zpool as read-only. Networking Five New TCP Congestion Control Algorithms Generic GEOM I/O Scheduler Framework The Centre for Advanced Internet Architectures at This framework supports scheduling disk I/O requests in Swinburne University of Technology, with the support of the a device independent manner in order to support multiple Cisco University Research Program Fund at Community disk I/O schedulers to be used on different I/O providers. Foundation Silicon Valley and the FreeBSD Foundation, The framework provides a couple of sample scheduling delivered enhancements to FreeBSD’s TCP stack in order algorithms that use the framework and implements two to support newer congestion control algorithms. These forms of anticipatory scheduling. enhancements included a modular framework for adding The ability to create different I/O schedulers allows future algorithms as well as new modular implementations users to select the I/O scheduler best suited to the task. of the H-TCP, CUBIC, Vegas, HD, and CHD algorithms. This can increase responsiveness in certain kinds of I/O Each congestion control algorithm is implemented as a workloads, such as a mix of sequential and random I/O. loadable kernel module. Algorithms can be selected to suit Examples of how to use the provided schedulers can be the application/network characteristics and requirements found at http://svnweb.freebsd.org/base/head/sys/geom/ of the host’s installation. The modular framework makes it sched/README?view=markup&pathrev=206497. much easier for developers to implement new algorithms, allowing FreeBSD’s TCP stack to be at the forefront of Changes to CAM and AHCI SATA advancements in this area, while still maintaining the The new ATA/SATA driver supports AHCI-compliant stability of its network stack. hardware, port multipliers, and NCQ (tagged queueing) Links to technical papers regarding the framework for increased performance on modern SATA drives. and algorithms can be found at http://caia.swin.edu.au/ Performance has been greatly increased, larger data freebsd/5cc/. transfers are supported, and hot-plugging support is much improved. ATA/SATA drives can now can be “IPv6-Only” enumerated and manipulated via camcontrol(8), just like FreeBSD has been on the leading edge of IPv6 SCSI drives. development ever since FreeBSD 4.0 was released in The cam(4) subsystem is now modularized and the 2000 with the KAME reference implementation of IPv4/ addition of the ATA/SATA modules allows the CAM IPv6 networking support. In addition, the FreeBSD Project subsystem to grow into a framework for arbitrary has been serving releases from IPv6-enabled servers for transports and protocols. It also allows drivers to be more than 8 years and FreeBSD’s website, mailing lists, written to support discrete hardware without jeopardizing and developer infrastructure have been IPv6-enabled the stability of non-related hardware. since 2007. Beginning with FreeBSD 9.0, no-IPv4 snapshots of Changes to Event Timer Infrastructure FreeBSD are available. By completely decoupling IPv6 The new event timers infrastructure provides unified from IPv4, early adopters and developers can determine APIs for writing event timer drivers and for choosing the if “IPv6-ready” applications really are ready for IPv6 or if best possible drivers by machine independent code. It bugs were hidden due to the ability to fallback on IPv4. provides support for both per-CPU and global timers in Providing an implementation of an IPv6-only kernel periodic and one-shot modes for the i386 and amd64 without IPv4 support provides the FreeBSD Project architectures. with the ability to test and fix such regressions while To improve performance in virtual machines and power encouraging other software developers to improve their usage in laptops, dynamic tick mode is enabled by default, code for true IPv6 readiness. More information about replacing the periodic hardware timer interrupt ticking with no-IPv4 versions of FreeBSD is available from http:// one-shot variable-time ticks. This saves CPU time which www.freebsd.org/ipv6/. 8 01/2012
  • 4. What’s New in FreeBSD 9.0 To support IPv6-only, rtadvd(8) and rtsold(8) were • sysinstall has been replaced with bsdinstall. Its features completely overhauled to support RFC 6106. rtsold are described at http://wiki.freebsd.org/BSDInstall and can now update /etc/resolv.conf using the openresolv its usage is detailed in the FreeBSD Handbook: http:// DNS management framework (http://roy.marples.name/ www.freebsd.org/doc/en_US.ISO8859-1/books/hand projects/openresolv). An optional kernel module is book/bsdinstall.html. available to provide Secure Neighbor Discovery protocol • the kernel now supports a new textdump(4) format (SeND) support; SeND is described in RFC 3971. of kernel dumps. A textdump provides higher-level Continuing earlier efforts, more global options can now information via mechanically generated/extracted be controlled on a per-interface base, such as the ability debugging output, rather than a simple memory to accept router advertisements on one interface while still dump. This facility can be used to generate brief forwarding. This is needed to effectively run FreeBSD as kernel bug reports that are rich in debugging an IPv6 CPE device. The single /etc/rc.conf option ipv6_ information, but are not dependent on kernel symbol cpe_wanif will correctly set all sysctls and interface options tables or precisely synchronized source code. to make creating a CPE as easy as possible. • FreeBSD 9.0 can be installed on the Sony Playstation 3 using the instructions at http://people.freebsd.org/ High Performance SSH (HPN-SSH) ~nwhitehorn/ps3/README. OpenSSH is network performance limited by statically • call and return rule actions were added to ipfw(8): defined internal flow control buffers. These buffers often http://svnweb.freebsd.org/base?view=revision&revisi end up acting as a bottleneck for network throughput on=223666. of SCP, especially on long and high bandwith network links. HPN-SSH adds support for dynamically adjusted Conclusion buffers to allow the full use of the bandwidth of long fat With the release of FreeBSD 9.0, the FreeBSD Project pipes such as 100Mbps or greater, trans-oceanic, or continues to innovate in the areas of security, compilers, trans-continental links. Bandwidth-delay products up to filesystems, and networking. You can find out more 64MB are also supported. This implementation includes information about the FreeBSD Project and download a multithreaded cipher implementation which makes such FreeBSD 9.0 from freebsd.org. bandwidth sustainable on the CPU side. HPN is enabled by default in FreeBSD 9.0’s sshd and several HPN options have been added to /etc/ssh/sshd_ config. These options, as well as some performance tips, are described in http://svnweb.freebsd.org/base/head/ crypto/openssh/README.hpn?revision=224638&view= markup. Miscellaneous Several other features are also worth mentioning: • large-scale SMP support for systems with more than 32 CPUs. Previously, the kernel structures DRU LAVIGNE were unable to account for such a large number of Dru Lavigne is author of BSD Hacks, The Best of FreeBSD CPUs so this method implements extensible CPU Basics, and The De�nitive Guide to PC-BSD. As Director of accounting. Yahoo! provided systems for testing Community Development for the PC-BSD Project, she leads the these changes. documentation team, assists new users, helps to �nd and �x • improved USB 3.0 support. bugs, and reaches out to the community to discover their needs. • the default NFS client and nfsd(8) now support She is the former Managing Editor of the Open Source Business NFSv4. Backwards compatibility for older NFS clients Resource, a free monthly publication covering open source and is provided with the oldnfs mount type. the commercialization of open source assets. She is founder and • a new kernel-mode NFS lock manager has been current Chair of the BSD Certi�cation Group Inc., a non-pro�t added, improving performance and behavior of NFS organization with a mission to create the standard for certifying locking. A new clear_locks(8) command has been BSD system administrators, and serves on the Board of the added to clear locks held on behalf of an NFS client. FreeBSD Foundation. www.bsdmag.org 9