FreeBSD 8.0 Review: Enterprise Ready Server Operating System
by Vivek Gite
The FreeBSD Project is one of the oldest and successful project. FreeBSD is well known for its reliability, robustness, and performance.
FreeBSD 8 has been released.Find release announcement on that link.
Jails v2
FreeBSD jails (operating system-level virtualization) are perfect for virtual hosting environments. It offers security and ability to partition a FreeBSD-based system into independent system. Jail v2 features the extensible jail parameters and hierchical jails. By setting a jail's children.max parameter, processes within a jail may be able to create jails of their own. You can also use multiple IPv4 and IPv6 addresses (
added in 7.2) per jails. You can also restrict jails to certain CPUs and jail admin can create and manage their own ZFS file systems within the jails.
Listing Active FreeBSD Jails with jls and jexec commands
Improved ZFS & DTrace
FreeBSD 8 includes improved ZFS support which bringing ZFS out of the "experimental" status to "stable". Zpool format upgrade to 13 from 6 and many bugs are fixed. DTrace is a comprehensive dynamic tracing framework for the Solaris. It provides a powerful infrastructure that permits administrators, developers, and service personnel to concisely answer arbitrary questions about the behavior of the operating system and user programs. Also kmem_max, limit has been increased to 512 GB from 2GB.
ULE scheduler
The default scheduler is ULE:
$ sysctl kern.sched.name
Sample outputs:
kern.sched.name: ULE
The ULE scheduler provides a number of advanced scheduler features not present in bsd scheduler [sched_4bsd(4)], the traditional system scheduler. These features address SMP and interactivity and include:
- Thread CPU affinity.
- CPU topology awareness, including for hyper-threading.
- Assigning individual CPUs to jails.
- Performance improvements etc.
New USB Stack
After a long period of review and testing FreeBSD 8 will ship with Hans Peter's new
usb stack:
- A new and mutex enabled USB API.
- Linux USB kernel compatibility layer.
- New UGEN backend and libusb library, finally solves the "driver unloading" problem.
- New "usbconfig" utility, for easy configuration of USB.
- Full support for Split transactions, which means you can use your full speed USB audio device on a high speed USB HUB.
- Full support for USB on embedded platforms, mostly cache flushing and buffer invalidating stuff.
- Autodetect of annoying USB install disks.
- Support for USB transfers like I/O vectors, means more throughput and less interrupts.
Get Detailed Process Information
The new procstat(8) utility displays detailed information about the running processes. This is useful for for debugging server problems. You can display the following information with procstat:
- Binary information for the process.
- Command line arguments for the process.
- File descriptor information for the process.
- The stacks of kernel threads in the process, excluding stacks of threads currently running on a CPU and threads with stacks swapped to disk.
- Security credential information for the process.
- Thread information for the process.
- Virtual memory mappings for the process.
Fig.02: procstat(8) Output
Superpages
Superpages provides good application support for quad-core and newer AMD / Intel CPUs. The FreeBSD virtual memory subsystem now supports fully transparent use of superpages (included since 7.2) for application memory. This can be enabled by setting a loader tunable vm.pmap.pg_ps_enabled to 1 and vm.pmap.pg_ps_enabled=1. By default it was turned on under FreeBSD 8.
Xen DomU Support
New experimental
Xen support has been added into FreeBSD 8. It means you can use a 32-bit guest operating system on recent versions of Xen dom0. You will not able use XEN as host i.e. you can use CentOS or other Linux as host and install FreeBSD as guest. Xen HVM support can be added using the following two options and buildworld inside VM (see config(5) man page or /usr/src/sys/`uname -p`/conf/XENHVM config file):
options XENHVM
device xenpci
Work is also in progress to make FreeBSD 8 ready to used on Amazon EC2.
Network Stack Virtualization (VIMAGE)
The network stack
virtualization project aims at extending the FreeBSD kernel to maintain multiple independent instances of networking state. This will allow for complete networking independence between jails on a system, including giving each jail its own firewall, virtual network interfaces, rate limiting, routing tables, and IPSEC configuration. The vimage is a jail with a virtualized instance of the FreeBSD network stack. It is an experimental feature. To enable VIMAGE, edit your kernel config file and add the following line:
options VIMAGE
Make sure you remove the SCTP option. Save and close the file. Rebuild the kernel:
make buildkernel KERNCONF=NIXCRAFT
make installkernel KERNCONF=NIXCRAFT
reboot
You can easily create the vimage enabled jail using jail, run:
jail -c vjail1 name=vjail1 host.hostname=vjail1.nixcraft.in path=/ persist
You can easily communicate between jails using epair driver interface which is a pair of virtual back-to-back connected Ethernet interfaces:
ifconfig epair0 create
ifconfig epair0a config-options
See jail(8), and epair(4) man page for more details.
Virtualbox (Port)
VirtualBox is an actively developed, complete virtualization package, that is available for FreeBSD. You can run MS-Windows or UNIX / Linux like guests. VirtualBox is available as a FreeBSD port in
emulators/virtualbox.
Fig.03: Freebsd 8 Running Virtualbox Virtualization Software
Stack-smashing Protection (ProPolice)
The "
Stack-Smashing Protector" (ProPolice SSP) is an enhancement which prevent exploits that use stack-based buffer overflows. ProPolice moves canary code generation from the back-end to the front-end of the compiler. ProPolice also protects all registers saved in function's prologue (for example the frame pointer), and not only the Return Address. ProPolice, in addition to canary protection, also sorts array variables (where possible) to the highest part of the stack frame, to make it more difficult to overflow them and corrupt other variables. It also creates copies of arguments of the function, and relocates them together with local variables, effectively protecting the arguments.
Rewritten NFS client/server Introducing NFSv4
FreeBSD 8 supports NFSv4 with ACLs, strong authentication, stateful protocol, and performance improvements. FreeBSD 8 also includes a brand new
NFS Lock Manager which runs in kernel mode and uses the normal local locking infrastructure for its state.
Textdumps (debugging)
The
textdump(4) facility allows the capture of kernel debugging information to disk in a human-readable rather than the machine-readable form normally used with kernel memory dumps and minidumps. This representation, while less complete in that it does not capture full kernel state, can provide debugging information in a more compact, portable, and persistent form than a traditional dump. It is recommended that you use textdumps with ddb(4).
Wireless Mesh Support
FreeBSD 8 includes IEEE 802.11s wireless mesh standard. Wireless mesh networks are expected to become widespread as routers and network appliances deploy them, allowing wireless networks to be built and extended dynamically.
gvinum Improvements
gvinum is a Logical Volume Manager for FreeBSD. It supports the following features:
- JBOD, RAID 0 / 1 / 5
- Create a mirror on disk
- Volume management and much more
Other Improvements (quoting from the release notes)
- TTY layer rewrite.
- Multicast updates including IGMPv3.
- Back end support for equal-cost multi-path (ECMP) for both IPv4 and IPv6.
- FreeBSD 8 should no longer panic when you remove a USB drive without unmounting it first.
- Boot support for GPT partitions.
- bsdlabel now support 26 partitions.
- The aac(4) driver now supports volumes larger than 2TB in size.
- The top(1) command now supports a -P flag to provide per-CPU usage statistics.
- Increased the maximum number of groups a user may belong - GROUPS_MAX and NGROUPS have been increased from 16 to 1023 and 1024 respectively.
- FreeBSD 8 supports new Intel Nehalem / Core i7 platform.
- OpenSSH has been updated to 5.2p1. Finally you can specifies a path to chroot(2) to after authentication using ChrootDirectory directive.
- FreeBSD 8 bundles lots of software via ports including Firefox 3.5.5, Gnome gnome2-2.26,kde4-4.3.1, gimp 2.6.6, and much more. FreeBSD desktop is feature rich and perfect for software development and/or network / sys admin purpose.
- The awk(1) utility now supports 64 files. The upper limit was 20 in the prior releases.
- BIND has been updated to version 9.6.1rc1.
- OpenBSM 1.1 from Trusted BSD Project has been merged.
Conclusion
This release improves on the functionality of FreeBSD 7.2 and introduces often requested new features in jail, SMP-optimized scheduler, virtualization, virtual network stack, NFS4, and storage subsystem improvements. This the most impressive FreeBSD releases to date. Kudos to FreeBSD team for rolling out stable and feature rich enterprise ready FreeBSD 8 operating systems.
For more details about the release, refer to the official announcement on the FreeBSD mailing list (yet to announce). You can download the installation images from the
FreeBSD mirrors (main
FTP site) or via
BitTorrent.
In the meantime, I'm testing and deploying a few FreeBSD 8 boxes with virtual network stack and Jail v2 features, stay tuned for updates.
