Valuable FreeBSD 14.0-RELEASE Updates

While we all wait for the official FreeBSD 14.0-RELEASE announcement – the FreeBSD 14.0-RELEASE Release Notes are mostly ready.

In this short article I would like to summarize the most valuable additions that FreeBSD 14.0 will bring. You can treat this article as a source of reasons if you are looking for an answer to a question like “why update while 13.2 works well for me”.

… and do not get me wrong here – all updates and improvements in the FreeBSD 14.0-RELEASE are valuable – these just stand out a little more IMHO.

General

  • FreeBSD base system is built with PIE (Position Independent Executable) support enabled by default.
  • You may now add default routes for FIBs other than primary with defaultrouter_fibN in rc.conf(5) config.
  • ASLR (Address Space Layout Randomization) enabled by default for 64bit executables.
  • It is now possible to take snapshots on UFS with Soft Updates Journaling enabled.
  • Background checks using snapshot on UFS with Soft Updates Journaling enabled now possible.
  • The msdosfs(5) now records available directory entries in root dir of FAT12/FAT16 filesystems and reports them as inodes.
  • The msdosfs(5) now correctly calculates available and used blocks of FAT12/FAT16 and no longer rejects mounting filesystems created using valid but uncommon parameters.
  • Synthetic devfs(5) or procfs(5) filesystems now report 0 blocks used so they are not reported as 100% full.
  • The tarfs(5) filesystem backed by POSIX tar(1) archives added – optionally compressed with zstd(1).
  • Kernel WireGuard wg(4) driver reintegrated – provides VPN using WireGuard protocol.
  • KTLS (kernel TLS implementation) added with offload support for TLS 1.3 version.
  • Default shell for root user is now POSIX sh(1) shell.
  • Default mail transport agent (MTA) is now Dragonfly Mail Agent dma(8) – replaced sendmail(8) here.
  • The pw(8) and bsdinstall(8) tools now create home dirs in /home by default rather than /usr/home place.
  • HPN option handling removed from OpenSSH.
  • The systat(1) tool has new iolat command which reports I/O latencies computed by CAM I/O scheduler.
  • The sockstat(1) utility is now run in sandbox with capsicum(4) framework.
  • The portsnap(8) utility has been removed.
  • Telnet daemon telnetd(8) removed – it's available as net/freebsd-telnetd port.
  • The mergemaster(8) has been removed – use etcupdate(8) instead.
  • The COMPAT_LIB32 build option implemented for arm64 and enabled by default.
  • SMP now supports up to 1024 cores on amd64/arm64 and many kernel CPU sets are now dynamically allocated to avoid consuming excessive memory.
  • When using default vt(4) console audible bell is now disabled by default.
  • The iwlwifi(4) driver for Intel WiFi updated to latest version.
  • The rtw88(4) driver for Realtek WiFi updated.
  • NVMe disks are now nda(4) devices by default – symbolic links for previous nvd(4) devices are created in /dev for compatibility.
  • Previous qat(4) driver has been replaced with Intel QAT driver.
  • The GEOM gconcat(8) allows appending devices to concatenated device.
  • New GEOM gunion(8) tool allows tracking changes to read only disk on additional writable disk – useful for repairs.
  • The carp(4) supports configuration of address to which CARP messages are sent allowing use of unicast addresses.
  • The pf(4) Packet Filter now supports scrubbing with OpenBSD syntax and behavior.
  • The rtsol(8) and rtsold(8) programs now have -i option to disable random delay of up to second that is used by default.
  • Many tweaks and cleanups to improve accuracy of hier(7) man page.

NFS

  • NFS server in VNET Jail possible including nfsd(8)/nfsuserd(8)/mountd(8)/gssd(8)/rpc.tlsservd(8) daemons.
  • NFS client now uses highest minor version supported for NFSv4 mounts.
  • NFS client can now be set to use 1 MB I/O size via vfs.maxbcachebuf tunable.
  • New rpc.tlsclntd(8) and rpc.tlsservd(8) daemons are now built by default on amd64/arm64 – they provide support for NFS over TLS.

ZFS

  • OpenZFS has been upgraded to 2.2 version and brings these new features:
    • Block Cloning – allows shallow copies of blocks in file copies – disabled by default – enable with vfs.zfs.bclone_enabled=1 using sysctl(8) tool.
    • Scrub error log (use zpool scrub -e command).
    • BLAKE3 checksums which are fast and are now recommended solution.
    • Corrective ZFS receive can heal corrupted data.
    • ZFS vdev and zpool user properties similar to dataset user properties.
    • Fully adaptive ZFS ARC – unified ARC that minimizes need for manual tuning.
    • The zstd(1) early abort improving efficiency with uncompressible data.
    • I/O prefetch improvements and general optimization.
  • The makefs(8) now has experimental ZFS support.
  • New zfskeys service script for rc(8) which allows automatic decryption of ZFS datasets at boot.
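
A way to check an upgraded host against the defaults named on this page, as an added example (not code from the article or the FreeBSD project): the function reads sysctl(8) output and flags knobs that differ from the 14.0 defaults. The sysctl name kern.elf64.aslr.enable for the ASLR switch is supplied here, the net.link.bridge.pfil_* defaults come from the release-note sentence quoted in the comments on this page, and the sample input is constructed.

```sh
#!/bin/sh
# Expected FreeBSD 14.0 defaults for knobs mentioned on this page.
# kern.elf64.aslr.enable is the sysctl behind the ASLR bullet (name added here).
EXPECTED='kern.elf64.aslr.enable=1
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0
vfs.zfs.bclone_enabled=0'

# audit_defaults: read "name: value" lines (sysctl output) on stdin and print
# one line per knob: OK, DIFF (differs from the 14.0 default) or MISSING
# (knob not reported, e.g. if_bridge not loaded or OpenZFS older than 2.2).
audit_defaults() {
  input=$(cat)
  for pair in $EXPECTED; do
    name=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$input" |
      awk -F': ' -v n="$name" '$1 == n { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING $name"
    elif [ "$got" = "$want" ]; then
      echo "OK $name=$got"
    else
      echo "DIFF $name=$got (14.0 default: $want)"
    fi
  done
}

# Constructed sample: a host still carrying older overrides.
sample_sysctl() {
  cat <<'EOF'
kern.elf64.aslr.enable: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
EOF
}

# Demo on the constructed sample. On a real host, pipe in instead:
#   sysctl kern.elf64.aslr.enable net.link.bridge.pfil_member \
#          net.link.bridge.pfil_bridge vfs.zfs.bclone_enabled 2>/dev/null
sample_sysctl | audit_defaults
```

A DIFF line usually means an old /etc/sysctl.conf or loader.conf override survived the upgrade and should be reviewed rather than blindly reset.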

Bhyve

  • The bhyve(8) utility gained virtio-input device emulation support – can be used to inject keyboard/mouse input events into guest.
  • The bhyve(8) now supports more than 16 CPUs in guest – by default guest VM is limited to physical CPUs on host. Modify loader tunable hw.vmm.maxcpu for larger amount.
  • The bhyve(8) now supports TPM (Trusted Platform Module) passthrough support.
  • GPU passthrough has been improved in bhyve(8) for AMD and Intel GPUs.

Sponsors

Let's not forget that many of these additions were sponsored by either the FreeBSD Foundation or various companies that use and support FreeBSD.

Here is a dirty pipe-one-liner that summarizes that information.

FreeBSD % \
w3m 'https://freebsd.org/releases/14.0R/relnotes/'      \
  | grep -A 1 -o 'Sponsored.*'                          \
  | tr '\n' ' '                                         \
  | sed -e "s.--.'\n'.g"        -e 's.("..g'            \
        -e 's.")..g'            -e 's./ ./.g'           \
        -e 's.  . .g'           -e 's.via GSoC 2022..g' \
        -e 's/Inc.//g'          -e 's/ GmbH//g'         \
        -e 's/ & Co. KG//g'     -e 's/ Networks//g'     \
  | tr -d ",'" | tr ')' '\n'                            \
  | tr -d '('  | tr '\n' ' '                            \
  | sed -e 's/Sponsored/\nSponsored/g'                  \
  | sed 1d                                              \
  | while read I
    do
      echo ${I}
    done                                                \
  | sort -n                                             \
  | uniq -c                                             \
  | sort -n                                             \
  | sed 1d                                              \
  | grep -v 'Sponsored by The$'                         \
  | lolcat -b -r

Here is what the result looks like.

sponsored

Yes – the vast majority of these improvements was sponsored by the FreeBSD Foundation – including the much-wanted WiFi updates 🙂

I of course encourage you to read the full Release Notes for the soon to be announced FreeBSD 14.0-RELEASE version.

UPDATE 1 – Better Pipe Train for Sponsors Summary

After a good night of sleep (just joking – it was not that good anyway) I figured out a better pipe train for the ‘Sponsors’ summary.

FreeBSD % \
w3m 'https://freebsd.org/releases/14.0R/relnotes/'       \
  | grep -A 1 -o 'Sponsored.*'                           \
  | tr '\n' ' '                                          \
  | sed -e "s.--.'\n'.g"       -e 's.("..g'              \
        -e 's.")..g'           -e 's./ ./.g'             \
        -e 's. . .g'           -e 's.via GSoC 2022..g'   \
        -e 's/Inc.//g'         -e 's/ GmbH//g'           \
        -e 's/ & Co. KG//g'    -e 's/ Networks//g'       \
  | tr -d ",'" | tr ')' '\n'                             \
  | tr -d '('  | tr '\n' ' '                             \
  | sed -e 's. and .\nSponsored by .g'                   \
        -e 's/Sponsored/\nSponsored/g'                   \
  | while read I
    do
      echo ${I}
    done                                                 \
  | grep -v '^$'                                         \
  | sort -n                                              \
  | sed 1d                                               \
  | uniq -c                                              \
  | sort -n                                              \
  | grep -v 'Sponsored by The$'                          \
  | lolcat -b -r

… and below is how it looks.

sponsored.BETTER

EOF

23 thoughts on “Valuable FreeBSD 14.0-RELEASE Updates”

  2. Athan Dimou

    “…including so much wanted WiFi updates”

    The iwlwifi although based on Linux iwlwifi repository still doesn’t support 802.11ac and 802.11ax, it actually performs no faster than 802.11g when it works.

    Great WiFi updates… 🙂

    Thanks for the summary, though!

  3. tamascsabi

    “L3 filtering on if_bridge will do surprising things which aren’t fail-safe, so net.link.bridge.pfil_member and net.link.bridge.pfil_bridge now default to zero.”

    How much does this affect VNET based Jails?

    1. vermaden Post author

      Inside VNET Jail You will do filtering on the epair(4) or real physical interface passed into the Jail – not on the if_bridge directly.

      IMHO it does not affect VNET Jails – but I would like to hear other comments here.

      1. vermaden Post author

        The sendmail(8) will remain (with its config) in the FreeBSD Base System – but disabled.

        The local mail delivery will be now handled by dma(8) instead.

        Hope that helps.
