FreeBSD 14.0 Released

Two and a half years after the 13.0 branch was published, FreeBSD 14.0 has been released. Installation images are provided for the amd64, i386, powerpc, powerpc64, powerpc64le, powerpcspe, armv7, aarch64 and riscv64 architectures. Images are also available for virtualization systems (QCOW2, VHD, VMDK, raw) and for the Amazon EC2, Google Compute Engine and Vagrant cloud environments. FreeBSD 14 will be the last branch to support 32-bit platforms: FreeBSD 15 will support only 64-bit systems, but will keep the ability to build 32-bit programs and to run 32-bit executables in a 64-bit environment through COMPAT_FREEBSD32.

Main changes:


  • The default shell for the root user is now /bin/sh (previously csh).
  • For NVMe devices, the nda driver is now the default on all platforms, so device nodes are named ndaN rather than nvdN. To return to the old nvd driver, set hw.nvme.use_nvd=1 in loader.conf.
  • A new utility, fwget, identifies hardware that requires firmware and installs the matching firmware packages. Currently only PCI devices are handled, and only firmware for Intel and AMD GPUs.
  • A base64 utility has been added for encoding and decoding data in base64.
  • The new tcpsso utility sets socket options on existing TCP connections (for example, to switch the congestion control module or the TCP stack).
  • dma (DragonFly Mail Agent) replaces sendmail as the default mail transfer agent. Sendmail remains in the base system and has been updated to version 8.17.1.
  • KTLS, the kernel TLS implementation, now supports hardware offload of TLS 1.3 on the receive side: part of the processing of encrypted records is moved to the network card.
  • The jail.conf configuration file gained a .include directive that pulls in additional files; the paths may contain glob patterns. The security.bsd.see_jail_proc sysctl has been extended: besides hiding the processes of other jails from unprivileged users, it can now also stop those users from killing, changing the priority of, or debugging such processes.
  • pw and bsdinstall now create user home directories under /home by default rather than /usr/home, and the /home symbolic link pointing to /usr/home is no longer created.
  • The PROFILE build option is disabled by default: profiled versions of the system libraries are no longer shipped, and hardware-based profiling (hwpmc) should be used instead.
  • Executables for 64-bit architectures are now built as PIE (Position Independent Executables) by default, so ASLR can randomize the load address of the main program and not only of its shared libraries.
  • The bhyve hypervisor can now pass a TPM (Trusted Platform Module) through to guests, and GPU passthrough for AMD and Intel devices has been improved.
  • The ZFS implementation has been updated to OpenZFS 2.2. makefs can now build ZFS images, producing a pool backed by a single vdev.
  • The maximum number of supported CPU cores (MAXCPU) on amd64 and arm64 has been raised from 256 to 1024.
  • Background checking of UFS file systems using snapshots is now possible when soft updates journaling is enabled. Check hashes have been added to superblocks, cylinder group maps and inodes to detect corruption.
  • A new read-only tarfs file system mounts tar archives, including zstd-compressed ones, as a file system.
  • The boottrace facility records events during the boot and shutdown phases of the system.
  • A FIRECRACKER kernel configuration has been added so that FreeBSD can run on Firecracker, the virtualization system designed for minimal-overhead virtual machines. Boot time of the FreeBSD 14 kernel under Firecracker has been brought down to about 25 milliseconds, which makes it practical to start FreeBSD environments on demand for serverless infrastructure.
  • The Lua-based boot loader can run Lua files listed in loader_conf_files; they execute in a sandboxed environment.
  • NFS support has been extended: a new syskrb5 mount option supports Kerberos with NFSv4.1/4.2, and the ExchangeID operation is supported. nfsd, nfsuserd, mountd, gssd and rpc.tlsservd can now run inside an isolated vnet jail.
  • The growfs script can now place a swap partition at the end of the area being expanded on the disk.
  • A new DTrace provider, kinst (dtrace_kinst), allows probes to be attached to arbitrary kernel instructions rather than only to function entry and return points.
  • The kernel crypto subsystem gained the XChaCha20-Poly1305 AEAD algorithm and an API for Curve25519 (used by WireGuard).
  • Reboot time has been reduced. The new sysctl kern.reboot_wait_time sets the delay between the final diagnostic messages on the console and the actual reboot; by default there is no delay.
  • A timerfd subsystem has been added to the kernel, which simplifies porting programs from Linux.
  • The sysctl machdep.mitigations.zenbleed.enable controls the mitigation for the Zenbleed vulnerability (CVE-2023-20593) on AMD Zen 2 processors.
  • Wi-Fi 6 support has been added to wpa_supplicant and hostapd. The iwlwifi driver supports the Intel AX411/AX211/AX210 Wi-Fi 6E chips.
  • On amd64, the kernel can be built with the LLVM AddressSanitizer (KASAN) and MemorySanitizer (KMSAN).
  • rc.d scripts can use the status method even when the script defines neither a process name (procname) nor a PID file.
  • The default serial console speed in the kernel, boot loader and userland has been raised from 9600 to 115200 bps. The default beep tone is 800 Hz, and devd integration allows the beep to be played through the sound card. On the vt console the bell is disabled by default; to enable it, run “sysctl kern.vt.enable_bell=1” and “kbdcontrol -b normal”.
  • Improved support for the NXP DPAA2 (Data Path Acceleration Architecture Gen2) network hardware.
  • The igc driver has been added for Intel I225 Ethernet controllers, which support 2.5 Gbps.
  • The net.inet.tcp.nolocaltimewait sysctl is enabled by default, so no TIME_WAIT entries are created for TCP connections whose both endpoints are on the local system.
  • Netlink (RFC 3549), the protocol Linux uses for communication between the kernel and user-space processes, has been extended and is now enabled by default. Some network utilities have been converted to use it.
  • The pf packet filter is now compatible with the syntax and behaviour of the packet normalization (scrub) operations of OpenBSD's pf. pfsync can use IPv6 as its transport, and the pfsync packet format has been extended to carry queue, normalization and route-to state.
  • IPv6 Rapid Deployment (RFC 5969) support has been added to the if_stf (IPv6 over IPv4) interface. The IPv6 node information mode (RFC 4620) is disabled by default.
  • CUBIC replaces NewReno as the default TCP congestion control algorithm, which allows better use of the available bandwidth.
  • IPv4 no longer treats packets sent to a subnet's all-zeros host address as broadcasts unless that address is explicitly configured as a broadcast address. This lets hosts use addresses ending in “.0”.
  • OpenSSH defaults have changed: scp uses the SFTP protocol by default instead of the legacy scp/rcp protocol (scp -O selects the old protocol for hosts without an SFTP server), RSA/SHA-1 (ssh-rsa) signatures are disabled, the VerifyHostKeyDNS and X11Forwarding options default to “no”, the VersionAddendum directive has been removed from the default sshd_config, and the HPN patches are gone.
  • The date utility gained a “-z” option for converting between time zones.
  • The diff utility gained a “--color” option to highlight changes in colour.
  • The sleep utility now accepts units other than seconds (for example, “sleep 1h 30m”).
  • The head and tail utilities gained “-q” and “-h” options and accept values with SI unit suffixes. head no longer limits the number of lines to 2^31.
  • systat gained an “iolat” command that shows I/O latencies computed by the CAM I/O scheduler.
  • libncursesw has been split into libtinfow and libncursesw, and ncurses can now use the terminfo database and not only termcap.
  • For aarch64 (arm64), the COMPAT_LIB32 build option has been implemented and enabled by default; it builds 32-bit libraries so that executables compiled for armv7 can run on ARM64 systems.
  • Cloud support has been improved. Experimental AWS EC2 builds with a ZFS root file system and cloud-init have been added. Azure images are provided for arm64 and amd64, with a choice of UFS or ZFS. A driver for the gve (Google Virtual NIC) network card has been added.
  • The ACPI subsystem now supports the _CR3 threshold, the temperature at which the system is put into S3 sleep.
  • Third-party components in the base system have been updated: OpenSSH 9.5p1, OpenSSL 3.0.12, awk 2021072, bc 6.6.0, libbsdxml 2.4.7, libfido2 1.13.0, tcpdump 4.99.4, libpcap 1.10.4, xz 5.4.3, zlib 1.3, zstd 1.5.2. The objdump utility has been replaced by llvm-objdump, and Clang has been updated to the 16 branch.
  • Obsolete components have been removed:
    • OPIE one-time password support has been removed from the base system (install the security/opie port to keep using it).
    • Drivers for ISA sound cards have been removed.
    • The fmtree and minigzip utilities have been removed.
    • The ATM components of netgraph (NgATM) have been removed.
    • The telnetd daemon has been removed (the net/freebsd-telnetd port is available).
    • The VINUM GEOM class has been removed.
    • The obsolete amr, iscsi_initiator, iir, mn, mly, nlmrsa and twa drivers have been removed.
    • The VESA option has been removed from the GENERIC and MINIMAL kernel configurations.
    • Support for asymmetric cryptographic operations has been removed from the kernel OCF (Open Cryptographic Framework).
    • The mergemaster utility has been deprecated and should be replaced by etcupdate.
    • The portsnap utility has been removed; fetch the ports tree with “git clone https://git.FreeBSD.org/ports.git /usr/ports” instead.
    • Release builds for the armv6 architecture are no longer produced.
    • Support for the MIPS architecture has been removed.
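
Putting the new jail.conf .include directive and the extended security.bsd.see_jail_proc sysctl together, here is an added example of how the two fit into a host configuration. It is not from the release notes or the FreeBSD tree; the paths under /jails, the jail name www, its hostname and its address are assumptions.

```conf
# /etc/jail.conf: global defaults only; per-jail definitions live in jail.conf.d
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown jail";
exec.clean;
mount.devfs;
path = "/jails/$name";          # $name expands to the jail's name

# New in 14.0: include every matching file; the path may contain a glob.
.include "/etc/jail.conf.d/*.conf";

# /etc/jail.conf.d/www.conf: one jail per file keeps changes reviewable
www {
    host.hostname = "www.example.internal";   # assumed name
    ip4.addr = 192.0.2.10;                    # assumed address
}

# /etc/sysctl.conf
# 0 hides the processes of other jails from unprivileged users and, since 14.0,
# also stops those users from signalling, renicing or debugging them.
security.bsd.see_jail_proc=0
```

After `jail -c www`, the restriction can be checked from inside the jail as an unprivileged user: `ps ax` should not list processes of other jails, and `kill` on one of their PIDs should fail.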

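The OpenSSH changes above alter what a host accepts and what it advertises, and a site that carried its own sshd_config or ssh_config across the upgrade may still have the old values. The script below is an added example, not part of the release notes or of OpenSSH: it parses the resolved configuration that `sshd -T` (server) or `ssh -G host` (client) prints, one lowercase keyword and value per line, and reports settings that differ from the 14.0 defaults. The sample dumps embedded at the bottom are constructed, trimmed to the relevant keywords.

```shell
#!/bin/sh
# Added example (not from the FreeBSD release notes or OpenSSH): audit the
# effective OpenSSH configuration of a FreeBSD 14 host against the changed
# defaults. Input is the text printed by `sshd -T` or `ssh -G <host>`.

# check_kw DUMP KEYWORD EXPECTED: succeed if KEYWORD has the value EXPECTED.
check_kw() {
    _val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    [ "$_val" = "$3" ]
}

# no_sha1_rsa DUMP: succeed if the SHA-1 "ssh-rsa" signature scheme is absent
# from every signature algorithm list in the dump (rsa-sha2-* use SHA-2 and
# are fine; it is the hash, not the RSA key, that was retired).
no_sha1_rsa() {
    printf '%s\n' "$1" | awk '
        $1 == "pubkeyacceptedalgorithms" || $1 == "hostkeyalgorithms" ||
        $1 == "hostbasedacceptedalgorithms" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "ssh-rsa") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# audit_dump DUMP ROLE: ROLE is "server" or "client". Prints the number of
# failed checks on stdout (0 = matches the 14.0 defaults) and one line per
# failure on stderr.
audit_dump() {
    _dump=$1; _fail=0
    if [ "$2" = server ]; then
        check_kw "$_dump" x11forwarding no ||
            { echo "FAIL: X11Forwarding is enabled" >&2; _fail=$((_fail + 1)); }
        # sshd -T prints "none" when no VersionAddendum is set; anything else is
        # appended to the protocol banner and tells scanners the OS build.
        check_kw "$_dump" versionaddendum none ||
            { echo "FAIL: VersionAddendum leaks a version string" >&2; _fail=$((_fail + 1)); }
    else
        check_kw "$_dump" verifyhostkeydns no ||
            { echo "FAIL: VerifyHostKeyDNS is not 'no'" >&2; _fail=$((_fail + 1)); }
    fi
    no_sha1_rsa "$_dump" ||
        { echo "FAIL: SHA-1 ssh-rsa signatures still accepted" >&2; _fail=$((_fail + 1)); }
    echo "$_fail"
    return 0
}

# Constructed sample dumps (not captured from a real host).
SERVER_OK='port 22
x11forwarding no
versionaddendum none
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

SERVER_OLD='port 22
x11forwarding yes
versionaddendum FreeBSD-20230101
pubkeyacceptedalgorithms ssh-ed25519,ssh-rsa,rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

CLIENT_OLD='verifyhostkeydns yes
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512'

# On a live host (sshd -T needs root to read the host keys):
#   audit_dump "$(sshd -T)" server
#   audit_dump "$(ssh -G localhost)" client
audit_dump "$SERVER_OLD" server
```

The checks deliberately read the resolved configuration rather than the files, so a value inherited from an Include or a Match block is judged the same way as one written in the main file.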