FreeBSD 10.0-RELEASE Release Notes

The FreeBSD Project

FreeBSD is a registered trademark of the FreeBSD Foundation.

IBM, AIX, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.

IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.

Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

SPARC, SPARC64, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the or the ® symbol.

Last modified on 2014-01-14 by hrs.
Abstract

The release notes for FreeBSD 10.0-RELEASE contain a summary of the changes made to the FreeBSD base system on the 10.0-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.


Table of Contents
1. Introduction
2. What's New
3. Upgrading from previous releases of FreeBSD

1. Introduction

This document contains the release notes for FreeBSD 10.0-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

The latest, up-to-date version of the release notes are available online at http://www.FreeBSD.org/releases/10.0R/relnotes.html.

This distribution of FreeBSD 10.0-RELEASE is a release distribution. It can be found at http://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 10.0-RELEASE can be found on the FreeBSD Web site.

2. What's New

This section describes the most user-visible new or changed features in FreeBSD since 9.2-RELEASE.

Typical release note items document recent security advisories issued after 9.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

2.1. Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from FreeBSD Security Information.

AdvisoryDateTopic
SA-13:14.openssh19 November 2013

OpenSSH AES-GCM memory corruption vulnerability

SA-14:01.bsnmpd14 January 2014

bsnmpd remote denial of service vulnerability

SA-14:02.ntpd14 January 2014

ntpd distributed reflection Denial of Service vulnerability

SA-14:03.openssl14 January 2014

OpenSSL multiple vulnerabilities

SA-14:04.bind14 January 2014

BIND remote denial of service vulnerability

2.2. Kernel Changes

Capsicum has been enabled in the kernel by default, allowing sandboxing of several programs that work within the capabilities mode.

[amd64,i386] The drm2(4) Radeon GPU driver, which works for GPUs up-to Radeon HD 6000 and partially supports the Radeon HD 7000 family, has been added. This driver was ported from Linux 3.8. [r254885]

The use of unmapped VMIO buffers eliminates the need to perform TLB shootdown for mapping on buffer creation and reuse, greatly reducing the amount of IPIs for shootdown on big-SMP machines and eliminating up to 25-30% of the system time on i/o intensive workloads. [r248508]

[amd64] The maximum amount of memory the FreeBSD kernel can address has been increased from 1TB to 4TB. [r254466]

The ddb(4) kernel debugger now has an output capture facility. Input and output from ddb(4) can now be captured to a memory buffer for later inspection using sysctl(8) or a textdump. The new capture command controls this feature.

The ddb(4) debugger now supports a simple scripting facility, which supports a set of named scripts consisting of a set of ddb(4) commands. These commands can be managed from within ddb(4) or with the use of the new ddb(8) utility. More details can be found in the ddb(4) manual page.

[amd64,i386] Support was added for the new Intel on-CPU Bull Mountain random number generator, found on IvyBridge and supposedly later CPUs, accessible with the RDRAND instruction. [r240135]

2.2.1. Virtualization support

[amd64] The BSD Hypervisor, bhyve(8) is included with FreeBSD. bhyve(8) requires Intel CPUs with VT-x and Extended Page Table (EPT) support. These features are on all Nehalem models and beyond (e.g. Nehalem and newer), but not on the lower-end Atom CPUs. [r245652]

virtio(4) support has been added. virtio(4) is the name for the paravirtualization interface developed for the Linux KVM, but since adopted to other virtual machine hypervisors (with the notable exception of Xen). This work brings in a BSD-licensed clean-room implementation of the virtio kernel drivers for disk IO (virtio_blk(4) and virtio_scsi(4)), network IO (vtnet(4)), memory ballooning (virtio_balloon(4)), and PCI. Tested with on Qemu/KVM, VirtualBox, and bhyve(4). [r227652]

[amd64,i386] Paravirtualized drivers which support Microsoft Hyper-V have been imported and made part of the amd64 GENERIC kernel. For i386, these drivers are not part of GENERIC, so the following lines must be added to /boot/loader.conf to load these drivers: [r255524]

hv_ata_pci_disengage_load="YES"
hv_netsvc_load="YES"
hv_utils_load="YES"
hv_vmbus_load="YES"

Alternatively, the Hyper-V drivers can be added to the i386 kernel by adding device hyperv to the kernel config, and then recompiling the kernel. Please refer to FreeBSD and Microsoft Windows Server Hyper-V support for full instructions on how to set up Hyper-V support under FreeBSD.

The vmx(4) driver has been added. vmx(4) is a VMware VMXNET3 ethernet driver ported from OpenBSD. [r254738]

[amd64,i386] Xen PVHVM virtualization is now part of the GENERIC kernel. [r255744]

2.2.2. ARM support

Raspberry PI support has been added. Refer to these setup instructions and this quick start guide. [r239922]

The default ABI on ARM is now the ARM EABI. This brings a number of improvements and allows future support for VFP and Thumb-2. [r253396]

ARM support has been greatly improved, including support for ARMv6 and ARMv7, SMP and thread-local storage (TLS). Additionally support for some newer SoC like the MV78x60 and OMAP4 was added. See the announcement for further details. [r239268]

Superpages support on ARM has been added. Superpages support provides improved performance and scalability by allowing TLB translations to dynamically cover large physical memory regions. All ARMv6 and ARMv7-based platforms can take advantage of this feature. See the ARM Superpages status page for further details. [r254918]

2.2.3. Hardware Support

2.2.3.1. Multimedia Support

Support for version 2.0 of the USB Audio reference design has been added. New devices should support higher bandwidth, increased sampling frequency and wider dynamic range. [r240609]

2.2.3.2. Network Interface Support

The firmware for the mxge(4) driver has been to 1.4.55. [r236212]

The re(4) driver has been overhauled to fix a number of issues. This driver now has Wake On LAN (WOL) support.

The vr(4) driver has been overhauled to fix a number of outstanding issues. It also now works on all architectures.

[amd64,i386] The wpi(4) driver has been updated to include a number of stability fixes.

The cxgbe(4) driver has been updated to support 40G/10G Ethernet NICs based on Chelsio's Terminator 5 (T5) ASIC. [r248925]

The iw_cxgbe driver has been added. This is an experimental iWARP/RDMA driver (kernel verbs only) for Chelsio's T4 and T5 based cards. [r256694]

The Open Fabrics Enterprise Distribution (OFED) and OFED Infiniband core has been updated to the same version as supplied by Linux version 3.7 [r255932]

The Mellanox Infiniband driver has been updated to firmware version 2.30.3200 for ConnectX3 NICs. Support has been added for ConnectX3 VPI NICs, where each port can be used as Infiniband 56 GB/s or Ethernet 40 GB/s. Support has been added for dynamically loading kernel modules for Infiniband core (ibcore) and IP over Infiniband (ipoib). [r255932]

netmap(4) has been added. netmap(4) is a framework for high-performance direct-to-hardware packet IO, offering low latency and high PPS rates to userland applications while bypassing any kernel-side packet processing. With netmap(4) it is trivially possible to fully saturate a 10 Gbps network interface with minimal packet sizes. For more information, see: Netmap Project. [r227614]

2.2.4. Network Protocols

carp(4) has been rewritten to make addresses more sane from the viewpoint of routing daemons such as quagga/zebra. It also brings support for a single redundant address on the subnet (carpdev), switching state with ifconfig(8), better locking and using modern kernel interfaces to allocate multicast memberships. Configuration of the CARP protocol via ifconfig(8) has changed, as well as the format of CARP events submitted to devd(8). See carp(4) for more information. The arpbalance feature of carp(4) is currently not supported anymore. [r228571]

The pf(4) firewall now supports fine-grain locking and better utilization on multi-CPU machines, resulting in significant improvements in performance. [r240233]

Support for up to 65536 routing tables has been introduced. [r250700]

Support for setting/matching differentiated services codepoints (DSCP) in IP header has been added to ipfw(8). [r248552]

2.2.5. Disks and Storage

The aac(4) driver now supports volumes larger than 2TB in size.

The ata(4) driver now supports a spindown command for disks; after a configurable amount of time, if no requests have been received for a disk, the disk will be spun down until the next request. The atacontrol(8) utility now supports a spindown command to configure this feature.

The hptrr(4) driver has been updated to version 1.2 from Highpoint.

nvme(4) has been added and provides NVM Express support. NVM Express is an optimized register interface, command set and feature set of PCI Express (PCIe)-based Solid-State Drives (SSDs). For more information, see nvmexpress.org. [r240616]

2.2.6. File Systems

A new kernel-based iSCSI target and initiator has been added. [r255570]

UFS filesystems can now be enlarged with growfs(8) while mounted read-write. This is especially useful for virtual machines, allowing the addition of more harddrive space without interruption of service. [r243246]

A state of the art FUSE implementation is now part of the base system. It allows the use of nearly all fusefs file systems. [r241519]

2.2.6.1. ZFS

bsdinstall(8) now supports installing ZFS on the root file system. It includes a single configuration menu that allows you to select all of the required details, including which drives to use, what ZFS RAID level to use (taking into consideration the selected number of drives), GPT or MBR, GELI encryption, forcing 4K sectors, pool name, etc. [r256361]

Support for L2ARC compression has been added to ZFS. [r252140]

The zio nop-write improvement from Illumos was imported into FreeBSD. To reduce I/O, nop-write skips overwriting data if the (cryptographically secure) checksum of new data matches the checksum of existing data. It also saves space if snapshots are in use. This improvement only works on datasets with enabled compression, disabled deduplication and sha256 checksums. ZFS will now compare the checksums of incoming writes to the checksum of the existing on-disk data and avoid issuing any write I/O for data that has not changed. This will reduce I/O as well as space usage because if the old block is referenced by a snapshot, both copies of the block are kept even though both contain the same data. [r243524]

2.3. Userland Changes

On platforms where clang(1) is the default system compiler (such as i386, amd64, arm), GCC and GNU libstdc++ are no longer built by default. clang(1) and libc++ from LLVM are used on these platforms by instead. GCC 4.2.1 and libstdc++ are still built and used by default on pc98 and all other platforms where clang(1) is not the default system compiler. [r255321]

clang(1) and llvm have been updated to version 3.3 release. Please refer to Clang 3.3 Release Notes. [r251662]

BIND has been removed from the base system. unbound(8), which is maintained by NLnet Labs, has been imported to support local DNS resolution functionality with DNSSEC. Note that it is not a replacement of BIND and the latest versions of BIND is still available in the Ports Collection. With this change, nslookup and dig are no longer a part of the base system. Users should instead use host(1) and drill(1) Alternatively, nslookup and dig can be obtained by installing dns/bind-tools port. [r255949]

sysinstall has been removed from the base system. Auxiliary libraries and tools used by sysinstall such as libdisk, libftpio, and sade have also been removed. sysinstall has been replaced by bsdinstall(8) and bsdconfig(8). [r225937]

freebsd-version(1) has been added. This tool makes a best effort to determine the version and patch level of the installed kernel and userland. [r256106]

GNU patch has been removed from the base system, and replaced by a BSD-licensed patch(1) program. [r255191]

GNU sort has been removed from the base system, and replaced by a BSD-licensed sort(1) program. [r241511]

Berkeley yacc (byacc) has been imported from invisible island. This brings bison compatibilities to yacc(1) while preserving full backwards compatibility with previous version of yacc(1). [r235723]

lex(1) has been replaced by flex 2.5.37. [r250881]

make(1) has been replaced with the Portable BSD make tool (bmake) from NetBSD. [r250699]

Support for usernames up to 32 characters. [r243023]

The adduser(8) utility now supports a -M option to set the mode of a new user's home directory.

BSD-licensed versions of ar(1) and ranlib(1), based on libarchive(3), have replaced the GNU Binutils versions of these utilities.

BSD-licensed versions of bc(1) and dc(1) have replaced their GNU counterparts.

chflags(1) now supports a -v flag for verbose output and a -f flag to ignore errors with the same semantics as (for example) chmod(1).

For compatibility with other implementations, cp(1) now supports a -a flag, which is equivalent to specifying the -RrP flags.

BSD-licensed version of cpio(1) based on libarchive(3), has replaced the GNU cpio. Note that the GNU cpio is still installed as gcpio.

The env(1) program now supports -u name which will completely unset the given variable name by removing it from the environment, instead of just setting it to a null value.

The fdopendir(3) library function has been added.

The fetch(3) library now supports HTTP 1.1 If-Modified-Since behavior. The fetch(1) program now supports -i filename which will only download the specified HTTP URL if the content is newer than filename.

find(1) has been enhanced by the addition of a number of primaries that were present in GNU find but not FreeBSD find(1).

kgdb(1) now supports a new add-kld command to make it easier to debug crash dumps with kernel modules.

The ls(1) program now supports a -D option to specify a date format string to be used with the long format (-l) output.

nc(1) now supports a -O switch to disable the use of TCP options.

nc(1)'s -o switch has been deprecated. It will be removed in a future release.

The ping6(8) utility now returns 2 when the packet transmission was successful but no responses were received (this is the same behavior as ping(8)). It returned a non-zero value before this change.

The realpath(1) utility now supports a -q flag to suppress warnings; it now also accepts multiple paths on its command line.

sh(1) has many bug fixes, some new features, and will now refuse to parse some invalid scripts. Additionally, it now has filename completion and defaults to the emacs editing mode.

The split(1) utility now supports a -n flag to split a file into a certain number of chunks.

The tar(1) utility now supports a -Z flag to enable compress(1)-style compression/decompression.

The tar(1) utility now supports a --numeric-owner flag to ignore user/group names on create and extract.

The tar(1) utility now supports the -S flag to sparsify files on extraction.

The tar(1) utility now supports a -s flag to substitute filenames based on the specified regular expression.

The tcgetsid(3) library function has been added to return the process group ID for the session leader for the controlling terminal. It is defined in IEEE Std 1003.1-2001 (POSIX).

top(1) now supports a -P flag to provide per-CPU usage statistics.

zdump(8) is now working properly on 64-bit architectures.

traceroute(8) now has the ability to print the AS number for each hop with the new -a switch; a new -A option allows selecting a particular WHOIS server.

traceroute6(8) now supports a -U flag to send probe packets with no upper-layer protocol, rather than the usual UDP probe packets.

2.3.1. /etc/rc.d Scripts

rc.d/sendmail now generates and uses an SSL certificate by default when sendmail_enable="YES". This will allow remote MTA to use STARTTLS to encrypt incoming email. The certification is signed with a key that is thrown away and is not a substitute for generating your own properly if you need to use STARTTLS authentication. Options to control the certificate generation is documented in rc.d/sendmail. [r256773]

The followoing rc(8) scripts have been added:

rc(8) ScriptFunction
ctld

iSCSI target daemon startup script

iscsictl

iSCSI initiator management utility startup script

iscsid

iSCSI initiatior daemon startup script

kfd

Kerberos ticket forwarding daemon startup script

local_unbound

Unbound startup script for the local caching resolver

postrandom

Generates a new entropy file at system boot

swap

Replaces swap1; enable swap at system boot

swaplate

Enables swap with late set at system boot

utx

User accounting database startup and shutdown script

The following rc(8) scripts have been removed:

rc(8) Script

Reason

encswap

Replaced by swap and swaplate

named

Removed with BIND

swap1

Replaced by swap and swaplate

2.4. Contributed Software

jemalloc(3) has been updated to 3.4.0. See this link for more details. [r251300]

AMD has been updated from 6.0.10 to 6.1.5.

awk has been updated to the 20121220 release.

CVS has been removed from the base system, but is still available from Ports Collection. [r251794]

Subversion has been imported into the base system and is installed as svnlite. svnlite should only be used for checking out the FreeBSD source trees and committing, and does not replace the full Subversion port. [r251886]

file has been updated to 5.11. [r234449]

hostapd has been updated from 0.5.8 to 0.5.10. [r252726]

IPFilter has been updated to 5.1.2.

less has been updated to v458. [r250592]

ncurses has been updated to 5.7-20081102.

OpenSSH has been updated to 6.4.

OpenPAM has been updated to the Micrampelis release. [r236109]

sendmail has been updated from 8.14.1 to 8.14.7.

The timezone database has been updated from the tzdata2008h release to the tzdata2009m release.

The stdtime part of libc, zdump(8) and zic(8) have been updated from the tzcode2004a release to the tzcode2009h release. If you have upgraded from source or via the freebsd-update(8), then please run tzsetup(8) to install a new /etc/localtime.

WPA Supplicant has been updated to 2.0. [r252726]

xz has been updated from snapshot as of 12 April 2010 to 5.0.0.

nvi(1) has been updated to 2.1.2. [r258231]

nvi(1) supports wide-character locales. [r254225]

2.5. Ports/Packages Collection Infrastructure

The pkg_add, pkg_create, pkg_delete, pkg_info, pkg_updating, and pkg_version utilities have been removed. pkg(7) must now be used to install binary packages. pkg(7) is the next generation FreeBSD package manager, also referred to as pkgng. If upgrading from a previous FreeBSD release, be sure to run pkg2ng to convert the old package database to the new format. [r257444]

2.6. Release Engineering and Integration

The supported version of the GNOME desktop environment (x11/gnome2) has been updated from 2.20.1 to 2.22.

3. Upgrading from previous releases of FreeBSD

[amd64,i386] Beginning with FreeBSD 6.2-RELEASE, binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC or SMP kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.

Important:

Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.

This file, and other release-related documents, can be downloaded from http://www.FreeBSD.org/releases/.

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.

All users of FreeBSD release should subscribe to the <stable@FreeBSD.org> mailing list.

For questions about this documentation, e-mail <doc@FreeBSD.org>.