FreeBSD 15: Great strides thanks to industry support
FreeBSD 15 brings noticeable improvements thanks to strong industry support: New features include package management, cloud, and laptop usage.
- Michael Plura
FreeBSD 15 is here: The BSD, primarily suited for servers and appliances, has made great strides by its standards. This is likely due to significant support from industry, which clearly sees FreeBSD as an important part of diversifying open-source operating systems. With surprisingly large support from the Sovereign Tech Agency, funded by the federal government, and a long list of sponsors, FreeBSD's development has significantly accelerated: Netflix, Amazon, Google, Microsoft, Samsung, Nvidia, Intel, Arm, OVHcloud, Klara, and many other companies have strongly supported the developers, who are funded solely by donations. After two years of development, FreeBSD 15 has emerged, bringing noticeable improvements in key areas.
FreeBSD 15: Long list of changes and improvements
The list of all changes in the Release Notes is overwhelmingly long. Every minor detail improvement is important, but from the perspective of users and administrators, some new features are clearly noticeable and change how FreeBSD is handled.
In terms of architectures, the last 32-bit systems are slowly falling out of focus. Only armv7 is supported as the last 32-bit platform. Native 32-bit applications for i386, armv6, and powerpc now only run in the 32-bit compatibility mode of the respective 64-bit platforms. Its roots as a further development of 386BSD in the form of the original FreeBSD/i386 1.0 are thus severed.
During the development of FreeBSD 15, special attention was paid, partly at the specific direction of sponsors, to mobile devices such as laptops and notebooks. Older FreeBSD versions required some tinkering and had limitations even on ThinkPads. With FreeBSD 15 and the significant progress in power management (especially on AMD CPUs), graphics drivers, and WLAN drivers, the most widely used BSD is not only easy to install but also feels snappier and is more battery-friendly. Best example: The commonly used iwlwifi(4) driver for Intel IEEE 802.11a/b/g/n/ac/ax/be cards supports some WiFi5 and all WiFi6/7 chips.
As the implementation of new WLAN standards and the development of Intel, Realtek, and Mediatek WLAN chips continue to advance, the kernel API has not yet been classified as "stable." The "borrowing" of Linux drivers via LinuxKPI has also been improved; only a few adjustments are still missing for suspend-and-resume. The graphics card drivers ported from Linux are up to Linux 6.12. The Direct Rendering Manager drm-kmod for Intel and AMD GPUs runs significantly faster with some GPUs. But there's also cleanup: The bus driver for AGP graphics cards, agp(4), is to be removed with FreeBSD 16. fdisk(8) is also to be removed in the future in favor of gpart(8); likewise syscons(4), the classic console driver, because UEFI does not work with it. The inotify(2) interface, familiar from Linux for monitoring file system events, is now also natively available under FreeBSD 15, which should simplify porting system-level tools.
Ready for the Cloud and Better Networking
The integration of FreeBSD into clouds is being heavily driven by its operators through sponsorship. FreeBSD supports cloudinit and is compatible with OpenStack. Particularly important are the now OCI-compatible container images. This makes FreeBSD 15 ready for the clouds of Amazon, Microsoft, Google, Oracle, and other providers.
FreeBSD developer Colin Percival announced on X some time ago that thanks to a more modern sorting algorithm, the FreeBSD kernel starts significantly faster. The kernel previously sorted its SysInits into the correct order using Bubblesort; the Mergesort now used is said to be up to 100x faster. MicroVMs on Amazon Web Services (AWS FaaS Lambda with Firecracker hypervisor) are said to start in 25ms with the old FreeBSD 14, while a Linux kernel requires 75 to 80ms. The optimization affects the AMD64 architecture as well as ARM64, which Amazon frequently uses in the cloud.
The MIT Kerberos, preferred by many administrators, replaces the previously used Heimdal Kerberos in FreeBSD 15. There are also some improvements for NFS, for example, new support for NFSv4.2 cloning, where block cloning is used for a type of CoW (copy-on-write) of files on an NFS server. This currently only works for exported ZFS file systems for which block cloning is enabled.
Packet Filter pf(4) Further Approaches OpenBSD's pf(4)
The packet filter pf(4) in FreeBSD 15 now also supports the NAT syntax of its counterpart in OpenBSD. Since 2004, FreeBSD has used not only IPFW but also the packet filter pf(4) ported from OpenBSD, which among other things spurred the development of pfSense. Due to different goals – FreeBSD focuses on performance, OpenBSD on security and new features – the originally identical pf(4) implementations have increasingly diverged, especially since FreeBSD did not adopt major syntax changes like those from OpenBSD 4.7. Since around 2013, both variants are no longer compatible; differences are evident in memory allocation or the interpretation of IP values, for example. However, both projects recognize that closer cooperation could bring more security to FreeBSD and more performance to OpenBSD.
The industry has apparently recognized this too: Netgate and InnoGames jointly financed long-time FreeBSD developer Kristof Provost to adapt the outdated FreeBSD variant of pf(4) to the current state of OpenBSD. Naturally, Netgate wants to make the central function of pfSense, its in-house firewall distribution based on FreeBSD, more modern and secure.
Package Management Twice: pkgbase vs freebsd-update
FreeBSD 15 is reorganizing its package management. This – objectively speaking – brings some advantages, but – subjectively perceived – can lead to potentially catastrophic problems. To put it briefly: Until now, freebsd-update(8) has been responsible for the base system (kernel, kernel modules, /usr/bin, /usr/sbin, /lib, etc.). An update or upgrade to a new version is done via freebsd-update fetch followed by freebsd-update install.
Everything added after installation must be managed with the package manager pkg(8). This includes all additional tools like tmux(1) or emacs(1), but also compiler suites, Xorg(1), graphics drivers, entire desktop environments, or applications like browsers, office suites, or KiCAD (you can also compile all packages yourself from the sources (ports) with your own customizations and optimizations). In principle, this works like other package managers:
pkg {search|install|delete} tmux
pkg upgrade
pkg info
With upgrade, you update all packages; info displays a list of all packages installed via pkg(8).
One (perhaps only apparent) advantage is that you can easily delete the list output by pkg info completely via pkg delete -fay without affecting the base system. Tools, desktop environments, applications... – everything (!) is then gone in one go. The base system is "safe," and you can set up a new system as if after a fresh installation.
But: freebsd-update(8) is a script of several thousand lines with countless sha256 calls. It runs quite slowly and is not very user-friendly in terms of operation – pkg(8) is much more modern.
Optional in FreeBSD 15, mandatory in FreeBSD 16: pkgbase
For this reason, FreeBSD 15 is undergoing an optional transition to pkgbase. As the name suggests, the base system is also converted to the pkg format. In FreeBSD 15, you can choose during installation whether to keep the classic system with freebsd-update(8) ("Distribution Sets") or to try out the new pkgbase ("Packages (Tech Preview)"). By the way: Tech Preview was called experimental until recently. With FreeBSD 16, pkgbase is intended to completely replace the old system.
One of the major advantages of pkgbase is likely that you can now, for example, remove the Manual Pages as a package, and that the entire system can now be built from source code via ports/Poudriere. Caution is still advised; there will likely be some problems – for example, make installworld / installkernel should be replaced by make buildworld buildkernel update-packages. And above all, you should absolutely not use pkgbase and freebsd-update(8) in parallel on one system, as that will definitely end in disaster. As an old FreeBSD admin, you now have to get used to some changes, but after a short time, the new pkgbase is quite enjoyable and simplifies system administration. A detailed and worthwhile discussion of pkgbase with many comments can be found on Vermaden's FreeBSD blog.
From FreeBSD 15.0: Streamlined Release Cycle and Shorter Support
Over a year ago, Colin Percival, head of the FreeBSD Release Engineering Team, announced two changes to the release engineering process: First, the support duration of the stable branch will be reduced from five to four years after the respective .0 version, starting with FreeBSD 15. Second, there will be a fixed and strictly scheduled release plan, with a new minor version of the supported stable branches appearing every quarter. By shortening support to four years, Percival aims to relieve the security team, as it will only have to monitor two main FreeBSD versions instead of the current three.
Improved communication between the Release Engineering Team and the many FreeBSD developers should also lead to only about three beta versions and one release candidate -- whereas in the past, sometimes three to four betas and three to six release candidates were necessary. The frequent and predictable release times should also reduce some pressure on developers to absolutely implement a feature, as they are now only six months away from the next release, not a year.
Important: The changes apply from FreeBSD 15; versions 13 (currently 13.5) and 14 (currently 14.3) will still be supported on the 5-year cycle: FreeBSD 13 until approximately April 30, 2026, and FreeBSD 14 until November 30, 2028.
On Target: Everything is (was) going according to plan
The FreeBSD developers always meticulously document the path to a new release. Minor deviations from the given schedule are of course normal in software development, and this time too there were small delays here and there -- especially with the beta versions (FreeBSD 15.0-BETA*) in October. However, flexibility is important, as the fourth release candidate added at the last minute (FreeBSD 15.0-RC4) showed: As is typical for BSD, the focus is on correct documentation, and RC4 resolved some inconsistencies in the Manual Pages. The new pkgbase still needed a "backup" signature, and there were necessary bug fixes for cp(1) and inotify(2). Finally, a few packages had to be reordered for the DVD image so as not to exceed the 4.7 GB limit.
However, the build process for FreeBSD 15.0-RELEASE began on time, and a few days before the official release, the still unofficial installation images could be found on the project's download servers. Nevertheless, as has been the custom with FreeBSD for decades: Last-minute changes could still be incorporated; FreeBSD 15.0-RELEASE is only official when the GPG-signed RELEASE-Announcement has been published -- which has now happened on Tuesday at 01:08 AM our time.
Relief for Laptops: Installer with Firmware
Those who have been using FreeBSD for a long time will be delighted to notice the installer bsdinstall(8)'s ability to independently download necessary firmware during installation. This greatly simplifies installation on systems with various host adapters, special network cards, and especially on laptops via WLAN. What is needed is the selection of the country-specific WLAN regulatory standard; in Europe, this is ETSI (European Telecommunications Standards Institute). ETSI2 and ETSI3 are further restricted standards for special hardware; FCC applies to the USA. The WLAN card then scans for available WLAN networks and asks for the appropriate passphrase -- and FreeBSD 15 can be installed on the laptop without a network cable.
To recognize and download the firmware packages for the running system during installation, fwget(8), available since FreeBSD 14, is called. The tool supports PCI and USB devices. Under FreeBSD 14/15 started as a live system, you can get a list of required firmware packages with fwget -nv without installing them.
Cutting-Edge File System: OpenZFS 2.4rc4
Since FreeBSD 7.0 in 2008, the powerful ZFS file system has been a fully integrated part of the operating system. Until FreeBSD 12, it was based on the stable and secure codebase of Illumos. With FreeBSD 13, the switch was made to OpenZFS, which is developed much more aggressively -- including associated problems due to sometimes hastily implemented features. FreeBSD 15 now even implements Release Candidate 4 of the upcoming OpenZFS 2.4.0. There are again many new features such as default quotas, uncached I/O, and even better encryption. OpenZFS 2.4.0 is expected to be compatible with Linux 4.18 to 6.17 and FreeBSD 13.3 to 14.x (and hopefully FreeBSD 15.0).
Zero-Trust Builds and Reproducible Builds
Unfortunately, trust is a hollow concept today. You can believe -- but don't have to -- that downloaded open-source binaries were actually created from the provided source code. Because supply chain attacks have become so common, FreeBSD developers are also relying on a transparent build concept in the form of zero-trust builds. The approach builds on established reproducible builds, where binary files can be rebuilt bit-for-bit from the published source code.
While reproducible builds primarily ensure verifiability, the zero-trust model goes a step further and removes trust from the build process itself. You can verify for yourself what individual servers, maintainers, or compilers produce. Independent, deterministic build environments produce the same artifacts, whose agreement is cryptographically verified. This creates a consistently verifiable production process in which manipulations in toolchains, CI systems, or signature processes become immediately apparent. This is a consistent step towards a software world where security is not based on trust undermined by governments and intelligence agencies, but on verifiability.
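The agreement check described above can be sketched as follows. This is an added example, not FreeBSD's own build tooling: the builder names, artifact paths, the quorum of two, and the byte strings standing in for build outputs are all constructed assumptions.

```python
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builders(manifests, quorum=2):
    """Compare {builder: {artifact: sha256}} manifests from independent builds.

    Returns {artifact: (verdict, builders)}:
      reproduced   - at least `quorum` builders, all digests identical
      mismatch     - digests differ; lists builders outside a strict majority,
                     or every builder when no strict majority exists
      insufficient - fewer than `quorum` builders produced the artifact
    """
    verdicts = {}
    for art in sorted({a for m in manifests.values() for a in m}):
        seen = {b: m[art] for b, m in manifests.items() if art in m}
        if len(seen) < quorum:
            verdicts[art] = ("insufficient", sorted(seen))
            continue
        ranked = Counter(seen.values()).most_common()
        if len(ranked) == 1:
            verdicts[art] = ("reproduced", [])
            continue
        top_digest, top_count = ranked[0]
        if top_count * 2 > len(seen):
            odd = sorted(b for b, d in seen.items() if d != top_digest)
        else:
            odd = sorted(seen)  # tie: no builder can be singled out
        verdicts[art] = ("mismatch", odd)
    return verdicts


# Constructed sample: byte strings stand in for real build outputs.
LS = b"constructed stand-in for bin/ls"
LIBC = b"constructed stand-in for lib/libc.so.7"
SAMPLE = {
    "builder-a": {"bin/ls": sha256_hex(LS), "lib/libc.so.7": sha256_hex(LIBC)},
    "builder-b": {"bin/ls": sha256_hex(LS), "lib/libc.so.7": sha256_hex(LIBC),
                  "boot/kernel/kernel": sha256_hex(b"constructed kernel")},
    # builder-c embeds a build date, so its libc is not bit-for-bit identical
    "builder-c": {"bin/ls": sha256_hex(LS),
                  "lib/libc.so.7": sha256_hex(LIBC + b" built 2025-12-02")},
}

if __name__ == "__main__":
    for artifact, (verdict, builders) in compare_builders(SAMPLE).items():
        print(f"{artifact}: {verdict} {builders}")
```

A mismatch does not say which builder is wrong, only that the outputs need investigation. An embedded timestamp and a tampered toolchain look the same at this level.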
FreeBSD 15 now also knows "precious machines"
A somewhat amusing detail with a serious practical benefit at the end: In the configuration file /etc/rc.conf, the option precious_machine="YES" can be set to prevent accidental system shutdown. This creates the file /var/run/noshutdown. To shut down or restart the computer nonetheless, this file must be removed or the command shutdown(8) must be called with the parameter -f. The file /var/run/nologin, which has been known for a long time and prevents user logins when present, works similarly.
By FreeBSD standards, FreeBSD 15 is a huge step forward. Many detailed changes also occurred in previous releases, but the "experimental" transition of package management, the considerable improvements for use on laptops, and the courage -- or madness -- of a rather conservative project in moving towards "cutting-edge" components (OpenZFS 2.4.0-rc4) make FreeBSD appear in a new light. This is primarily driven by strong support from industry and organizations like the Sovereign Tech Agency, which speaks to the growing need for alternatives. With the still gigantic growth prospects in the IT sector, there should be enough room for more than one player and a diversified infrastructure.
The developers describe all new features in the Release Notes. FreeBSD 15.0, released under the free BSD license, is now available free of charge from the project page for the hardware platforms amd64, aarch64, armv7, powerpc64/le, and riscv64.
(mack)