4:27 PM - Helping out
If you're interested in helping the project, here's a list of ideas http://wiki.midnightbsd.org/display/MD/Ways+to+Contribute… We need translators, website design, documentation, porting apps, etc.
We just discovered a bug with the ca_root_nss port and the mport package manager: the cert.pem symlink isn't generated correctly in /usr/local/openssl. The manual fix for now is
cd /usr/local/openssl && ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem
This fixes lynx. Until the symlink is in place, programs that expect cert.pem in that directory have no CA bundle and fail TLS certificate verification.
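As an added example (not part of the original post or the ca_root_nss port), the same fix written so it can be re-run safely: it checks that the bundle exists, replaces a stale symlink, refuses to clobber a real file, and, when no directory is given, takes OPENSSLDIR from openssl version -d rather than assuming /usr/local/openssl. The --apply argument and the BUNDLE override are conveniences of this script, not of the port.

```shell
#!/bin/sh
# Added example, not from the MidnightBSD post or the ca_root_nss port:
# create the cert.pem symlink in an idempotent, non-destructive way.
# BUNDLE is the path the post gives; the directory argument defaults to
# whatever OpenSSL reports as its OPENSSLDIR (the directory it searches).
set -eu

BUNDLE=${BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}

openssl_dir() {
    # `openssl version -d` prints a line such as: OPENSSLDIR: "/usr/local/openssl"
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

fix_cert_link() {
    dir=${1:-$(openssl_dir)}
    [ -n "$dir" ] || { echo "cannot determine OPENSSLDIR" >&2; return 2; }
    [ -f "$BUNDLE" ] || {
        echo "CA bundle $BUNDLE missing; install security/ca_root_nss first" >&2
        return 2
    }
    link="$dir/cert.pem"
    if [ -L "$link" ]; then
        # Symlink already points at the bundle: nothing to do.
        [ "$(readlink "$link")" = "$BUNDLE" ] && return 0
        rm -f "$link"          # stale or wrong symlink, the bug the post describes
    elif [ -e "$link" ]; then
        # A regular file here is somebody's deliberate trust store; do not replace it.
        echo "$link exists and is not a symlink; not touching it" >&2
        return 1
    fi
    mkdir -p "$dir"
    ln -s "$BUNDLE" "$link"
}

# Usage: sh fix-cert-link.sh --apply [OPENSSLDIR]
if [ "${1:-}" = --apply ]; then
    fix_cert_link "${2:-}"
fi
```

Run it with --apply as root; without arguments after --apply it uses OPENSSLDIR, which is the right place because that is where OpenSSL actually looks for cert.pem.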
Bug reporting change: we've migrated from Bugzilla to Atlassian Jira. The URL hasn't changed: https://bugreport.midnightbsd.org. Note that we decided not to migrate old bugs; most were closed or for very old releases.
Please report issues to us using the new Jira. File OS bugs in the MidnightBSD project (MNBSD), website bugs in the WWW project, and mports issues in the mports project.
MidnightBSD includes mDNSResponder in base. You can configure your local machine to find, and to advertise, resources on your local network. This is useful for ssh-ing into Apple Mac systems and the like; Apple calls it Bonjour. Keep in mind that mDNS is link-local multicast: whatever you advertise is visible to every host on the LAN, so only list the services you actually want found.
To resolve other hosts' .local names, edit /etc/nsswitch.conf and add mdns to the hosts line, before dns, so that it reads
hosts: files mdns dns
Then add mdnsd_enable="YES" to /etc/rc.conf and start the daemon with service mdnsd start.
To advertise this machine's own services, add mdnsresponder_enable="YES" to /etc/rc.conf, start it with service mdnsresponder start, and create the services file /etc/mdnsresponder.conf that mDNSResponderPosix reads.
File contents:
#
# Example services file parsed by mDNSResponderPosix.
#
# Lines beginning with '#' are comments/ignored.
# Blank lines indicate the end of a service record specification.
# The first character of the service name can be a '#' if you escape it with
# backslash to distinguish it from a comment line.
# ie, "\#serviceName" will be registered as "#serviceName".
# Note that any line beginning with white space is considered a blank line.
#
# The record format is:
#
# <service name>
# <type>.<protocol>.
# <port number>
# <zero or more strings for the TXT record, one per line>
# <blank line>
#
# Examples shown below.
#
#serviceName1
#_afpovertcp._tcp.
#548
#name=val1

SSH
_ssh._tcp.
22

#FTP
#_ftp._tcp.
#21

#HTTP
#_http._tcp.
#80

samba
_smb._tcp
445

adisk
_adisk._tcp
0
dk1=adVN=TimeMachine adVF=0x82

deviceinfo
_device-info._tcp
0
model=Xserve
Enabling two factor authentication for SSH on MidnightBSD.
Recently, we added a security/duo port in mports.
When setting up two factor authentication, we recommend the login_duo setup. It's much easier to get going, and we noticed some segfaults with the Duo PAM module.
Steps:
Set up a Duo account.
Install the security/duo port. If you only want to protect sshd, you can skip the SUID port option; for testing, however, it can be helpful.
Obtain the API host, skey and ikey from your Duo account and add them to /usr/local/etc/login_duo.conf.
Fix the permissions on login_duo.conf so that it is mode 600 and owned by the sshd user if you are only using it with sshd; if you chose the SUID option in the mport, it must be owned by root instead. The skey is a shared secret: anyone who can read the file can call the Duo API as your integration.
In /etc/ssh/sshd_config, add the line
ForceCommand /usr/local/sbin/login_duo
If you wish to protect all logins, leave the ForceCommand line global. You can also protect only certain users or groups. For instance, to require Duo for the wheel group (admins):
Match Group wheel
    ForceCommand /usr/local/sbin/login_duo
A Match block applies to everything below it until the next Match, so put it at the end of sshd_config after the global settings. Check the file with sshd -t before restarting sshd, and keep your current session open until you have confirmed you can still log in.
Duo also has instructions for FreeBSD, and they work on MidnightBSD as well.
Login Duo https://duo.com/docs/loginduo
PAM https://duo.com/docs/duounix
When logging in over ssh the first time, you'll get an activation link to open in a browser. It walks you through configuring your phone; you'll probably want the Duo app installed so you can use push notifications.
After that, each time you ssh into the box you'll see a menu asking whether you want a push.
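The wheel-group variant of the sshd_config step above, as an added example that is not part of the original post or of Duo's own tooling: it appends the Match block to the end of the file (where a Match block has to go), keeps a backup copy, does nothing on a second run, and leaves the sshd -t check as a separate step so you can run it before reloading sshd. The config path argument, the --apply switch and the backup file name are conventions of this script; the login_duo path is the one the post gives.

```shell
#!/bin/sh
# Added example, not from the MidnightBSD post or from Duo: append a
# "Match Group wheel" block with the login_duo ForceCommand to sshd_config.
# Assumes login_duo is at /usr/local/sbin/login_duo (as in the post) and that
# the config file is passed as $1 (default /etc/ssh/sshd_config).
set -eu

LOGIN_DUO=/usr/local/sbin/login_duo

duo_match_block() {
    # Four-space indent is cosmetic; sshd ignores leading whitespace.
    printf 'Match Group wheel\n    ForceCommand %s\n' "$LOGIN_DUO"
}

enable_duo_for_wheel() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -x "$LOGIN_DUO" ] || echo "warning: $LOGIN_DUO not found; install security/duo" >&2
    if grep -q "ForceCommand[[:space:]]*$LOGIN_DUO" "$cfg"; then
        return 0                     # already configured, nothing to do
    fi
    cp "$cfg" "$cfg.bak"             # something to roll back to from an open session
    # A Match block extends to the next Match or end of file, so it is always
    # appended after the global directives, never inserted among them.
    { echo; duo_match_block; } >> "$cfg"
}

check_sshd_config() {
    # Run this before `service sshd restart`; a bad config locks you out.
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# Usage: sh enable-duo-wheel.sh --apply [sshd_config]
if [ "${1:-}" = --apply ]; then
    enable_duo_for_wheel "${2:-}"
    check_sshd_config "${2:-}"
fi
```

After --apply reports a clean sshd -t, restart sshd from a session you keep open, then test a fresh login as a wheel member and as a non-member; only the former should get the Duo prompt.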
By default, /etc/resolv.conf is rewritten whenever DHCP is enabled for an interface. This is useful for WiFi or laptops that frequently change networks. However, it can be a problem when specific DNS servers are required, and it means whichever DHCP server answers on the network, legitimate or rogue, chooses your resolvers.
For static IP addresses, the file is not modified automatically.
Methods to try:
Use a static IP address. Simply edit your /etc/rc.conf and replace DHCP in your ifconfig line with a static IP configuration.
Make /etc/resolv.conf immutable:
chflags schg /etc/resolv.conf
To edit it later you must run chflags noschg first, and once kern.securelevel is 1 or higher the flag can only be cleared in single-user mode.
Override the dhclient configuration. Place the following in /etc/dhclient.conf, changing the interface name as appropriate. This example uses OpenDNS with an Intel gigabit NIC (em0).
interface "em0" {
supersede domain-name-servers 208.67.222.222,208.67.220.220;
}
You will need to restart dhclient for the change to take effect:
service dhclient restart em0
Turn off resolvconf. Create the file /etc/resolvconf.conf containing:
resolv_conf="/dev/null"
resolvconf="NO"
With resolvconf disabled nothing updates /etc/resolv.conf any more, so write the resolvers you want into it yourself.
We now have a new wiki for MidnightBSD at http://wiki.midnightbsd.org/
We finally fixed a number of issues with the package build and i386 packages were refreshed.
New development is progressing on 1.3-CURRENT. It's recommended that users avoid it and stick with stable branches for now.
If you're trying to run a recent Elasticsearch such as 6.x on MidnightBSD, you may find it doesn't start up.
Try adding the following to /usr/local/etc/elasticsearch/elasticsearch.yml:
xpack.ml.enabled: false
bootstrap.system_call_filter: false
The first line turns off machine learning, which ships native binaries only for the platforms Elastic supports. The second tells Elasticsearch not to insist on installing its system call filter, the sandbox that normally stops the JVM from forking other processes; it otherwise refuses to start when the filter can't be installed. Be aware that you are giving up that layer of protection.
MidnightBSD 1.2 release is now available. It's a security and bug fix release.
Most of the focus was on mports and base system third party libraries.
A lot of people have been curious what our plans are for this year. I've also had a lot of bug reports lately.
First, the plan is to release 1.1 in the next few weeks. This is mostly a security update with new versions of several popular software packages. It will be a small update from 1.0. As a result of this work, plans for package manager changes have been pushed to 1.2 along with the related installer work.
In terms of ports, we plan on looking into the flavors feature available in FreeBSD and other BSDs ports systems. Some of the plumbing has already been put into the package manager to support this. However, it will take a bit more work as there are modifications needed for our package cluster software to handle it.
The package cluster software is getting rewritten currently.
At the time of the 1.0 release, there were a lot of outdated packages. We've since fixed several and updated many gnome related ports. Qt5 updates are still on the todo list. It was also determined that there are problems with python ports as more things are transitioning to python 3.x. This requires the flavors work or a bunch of py3 ports to be created.
On the browser front, epiphany and midori were updated last month along with some of the webkit ports. The firefox port is partially done, but stalled on badly needed compiler updates and patches.
Work was started on porting LLVM properly, but complications arose upstream. We didn't get a hard no, but a soft no along with needs for a build cluster node for their project. If someone is willing to donate this or time to help with getting upstream patches, that would be quite helpful. Proper LLVM/CLANG ports are needed at a starting point to get Rust and other languages working more easily. This is a top blocker for really solving long term browser support issues.
We need help getting patches upstreamed with various projects.
MidnightBSD 1.1-CURRENT now has OpenSSL 1.0.2p rather than the 1.0.1 versions.
Ideally, we will need to get 1.1.1 in, but that will take a lot more work in userland.
Anything built against the system OpenSSL should be rebuilt. Many ports should not be affected.
In light of other changes in the last 24 hours, it's ideal to rebuild world completely if you're running current.
mksh R56C and OpenSSH 7.5p1 are now in current. The latter removes support for the legacy v1 protocol.
Several bug fixes were done related to MSI-X allocation and to Intel gigabit network cards (em/igb).
Take advantage of our third-party security advisory site: http://sec.midnightbsd.org/#!/ It has a searchable REST API and covers software on all platforms, even Windows :) It powers our security-advisory-client port.
Perl client code: https://t.co/0feWsHnf3v
Backend source: https://t.co/4JitOuMG5U
New feature in current mport package manager:
mport config get
mport config set
This allows you to configure the region that you want to download packages from.
Hadoop 1.x was just added to mports in devel/hadoop. This took some time to port.
devel/glib20 was recently updated.
The 1.0 release is finally available. Still building packages for i386 and plan to do an amd64 package build later in the week.
The single largest issue with the release process has been the web server performance. The CPU is overloaded and has been at solid 100% for several days. The server has a core i7 7700 in it. I'm trying to figure out what to buy as an upgrade so that we don't continue to have this issue going forward. As it's actually blocked in multiple processes, a 6 or 8 core chip might be an improvement for the workload.
The 1.0 ISOs are on the FTP server. The release notes are nearly written. Waiting on some updated packages and we'll be able to call this thing.
One of our servers was set up on MidnightBSD 0.7 and had an older ZFS configuration. Over time, the drives were replaced with 4k advanced format disks. Since ZFS won't let you change the ashift setting on an existing pool, the drives were not running at optimal performance. MidnightBSD 1.0 current warns about this situation.
How to fix it?
In this case, there were two drives in a mirror and a cache disk, as well as another pool used for backups. First, we performed a backup to the other pool just to be safe. After taking a recursive snapshot (zfs snapshot -r mypool@snapshot):
zfs send -R mypool@snapshot | zfs receive -F backup/mypool
Then we removed one of the disks from the pool:
zpool detach mypool ada4p1
We then blew away the partition table and created a new GPT partition aligned to 4k:
gpart add -t mnbsd-zfs -a 4k ada4
Next, we created a new pool called tank with the one drive. Create it with the sector size explicit, zpool create -o ashift=12 tank ada4p1, and confirm with zdb -C tank | grep ashift that it reports 12; ashift is fixed at pool creation, so this is the moment to get it right. We then ran zfs send and receive again to copy the data from mypool to tank.
Once the data was copied, we went into single-user mode (shutdown now), exported both pools and imported the new one:
zpool export tank; zpool export mypool; zpool import tank
This let the mount points on tank take over.
Next, we repeated the repartitioning on the second disk, ada3, and attached it to make tank a mirror again:
zpool attach tank ada4p1 ada3p1
Finally we re-added the SSD cache drive:
zpool add tank cache ada1
The mirror will resilver, which can take some time; watch zpool status tank until it reports ONLINE with no resilver in progress, and keep the backup pool copy until then.
This approach avoids data loss: the backup copy exists throughout, and the old pool keeps its remaining disk until the new pool has been imported and checked.
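The migration above as a script, added here as an example and not the post's own tooling: it prints the plan (DRY_RUN=1, the default) so the order of operations can be reviewed, creates the new pool with ashift=12 explicitly, receives without mounting so the copy cannot mount over the live filesystems, and splits the work into a phase run from multi-user mode and a phase run from single-user mode. Pool, disk and cache names default to the ones in the post; the snapshot name, the backup pool name "backup" and the phase1/phase2/plan arguments are assumptions of this script.

```shell
#!/bin/sh
# Added example, not the MidnightBSD post's own script: the ashift migration
# as a reviewable plan. Defaults follow the post (ada3/ada4 mirror, ada1 cache);
# the snapshot name and backup pool name are assumptions, override via env.
set -eu

OLD_POOL=${OLD_POOL:-mypool}
NEW_POOL=${NEW_POOL:-tank}
BACKUP_POOL=${BACKUP_POOL:-backup}
MOVE_DISK=${MOVE_DISK:-ada4}   # detached first, becomes the new pool's first disk
STAY_DISK=${STAY_DISK:-ada3}   # keeps the old pool alive until the copy is verified
CACHE_DISK=${CACHE_DISK:-ada1}
SNAP=${SNAP:-ashift-migrate}   # snapshot name, an assumption
DRY_RUN=${DRY_RUN:-1}          # 1 = print the commands, 0 = execute them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
        "$@"
    fi
}

repartition_4k() {
    # Wipe the disk and create one GPT partition aligned to 4k.
    run gpart destroy -F "$1"
    run gpart create -s gpt "$1"
    run gpart add -t mnbsd-zfs -a 4k "$1"
}

phase1_copy() {
    # Safety net first: recursive snapshot copied to the backup pool, so the
    # data lives on two pools before the mirror is split.
    run zfs snapshot -r "$OLD_POOL@$SNAP"
    run sh -c "zfs send -R $OLD_POOL@$SNAP | zfs receive -F $BACKUP_POOL/$OLD_POOL"
    # Split the mirror: the old pool keeps STAY_DISK, MOVE_DISK is freed.
    run zpool detach "$OLD_POOL" "${MOVE_DISK}p1"
    repartition_4k "$MOVE_DISK"
    # ashift cannot be changed after creation, so set it explicitly rather
    # than trusting sector-size autodetection.
    run zpool create -o ashift=12 "$NEW_POOL" "${MOVE_DISK}p1"
    # -u receives without mounting, so the copy does not mount over the live
    # filesystems; the mountpoints take effect on the later import.
    run sh -c "zfs send -R $OLD_POOL@$SNAP | zfs receive -u -F $NEW_POOL"
}

phase2_switch() {
    # Run from single-user mode (shutdown now) after phase 1 succeeded and
    # the data on NEW_POOL has been checked.
    run zpool export "$OLD_POOL"
    run zpool export "$NEW_POOL"
    run zpool import "$NEW_POOL"
    repartition_4k "$STAY_DISK"
    run zpool attach "$NEW_POOL" "${MOVE_DISK}p1" "${STAY_DISK}p1"
    run zpool add "$NEW_POOL" cache "$CACHE_DISK"
    # Keep the copy on BACKUP_POOL until `zpool status` shows the resilver
    # finished and the mirror ONLINE.
}

plan_migration() {
    phase1_copy
    echo "# reboot to single-user mode, then:"
    phase2_switch
}

# Usage: sh ashift-migrate.sh plan | phase1 | phase2   (DRY_RUN=0 to execute)
case "${1:-plan}" in
    plan)   DRY_RUN=1 plan_migration ;;
    phase1) phase1_copy ;;
    phase2) phase2_switch ;;
    *)      echo "usage: $0 plan|phase1|phase2" >&2; exit 64 ;;
esac
```

Review the printed plan first; the only irreversible steps are the two gpart destroy calls, and each happens only after the data on that disk exists elsewhere.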