mirror of
https://git.FreeBSD.org/src.git
synced 2024-11-26 07:55:01 +00:00
350f9ac5b3
Remove /^\s*\$FreeBSD\$$\n/
Similar commit in main:
(cherry picked from commit 05248206f7
)
423 lines
16 KiB
Plaintext
423 lines
16 KiB
Plaintext
Release notes for FreeBSD 13.0.
|
|
|
|
This file describes new user-visible features, changes and updates relevant to
|
|
users of binary FreeBSD releases. Each entry should describe the change in no
|
|
more than several sentences and should reference manual pages where an
|
|
interested user can find more information. Entries should wrap after 80
|
|
columns. Each entry should begin with one or more commit IDs on one line,
|
|
specified as a comma separated list and/or range, followed by a colon and a
|
|
newline. Entries should be separated by a newline.
|
|
|
|
Changes to this file should not be MFCed.
|
|
|
|
0644746d5091:
|
|
Add a new "syskrb5" mount option for Kerberized NFSv4.1/4.2 mounts.
|
|
Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
|
|
a Kerberos credential for the client at mount time.
|
|
This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
|
|
allows the state maintenance operations to be performed by any
|
|
authentication mechanism, so that these operations may be done via
|
|
AUTH_SYS instead of RPCSEC_GSS (KerberosV). As such, no Kerberos
|
|
credential is required at mount time.
|
|
See mount_nfs(8).
|
|
|
|
b4805d577787 and many others:
|
|
Add support so that nfsd(8), nfsuserd(8), mountd(8), gssd(8)
|
|
and rpc.tlsservd(8) can be run in an appropriately configured
|
|
vnet prison. The vnet prison must be on its own file system,
|
|
have the "allow.nfsd" jail parameter set on it and enforce_statfs
|
|
cannot be set to "0". Use of UDP and pNFS server configurations
|
|
are not permitted. (ie. The nfsd command line options "-u", "-p"
|
|
and "-m" are not supported.)
|
|
See jail(8), nfsd(8) and mountd(8).
|
|
|
|
68e86d5265bc,e58dfd0de589,59f5a5cb724e,6e272a78de36,4c4a4fd4a649,ba2ae2cca63a:
|
|
sendmail has been updated to the latest upstream version (8.17.1).
|
|
|
|
225443828ec6..c44d097dcf92:
|
|
bhyve now supports more than 16 vCPUs in a guest. By default
|
|
bhyve permits each guest to create the same number of vCPUs as
|
|
the count of physical CPUs on the host. This limit can be
|
|
adjusted via the loader tunable hw.vmm.maxcpu.
|
|
|
|
1462dc95f796:
|
|
Kernel TLS offload now supports receive-side offload of TLS 1.3.
|
|
|
|
3ee882bf21af:
|
|
Change handling of the lowest address on an IPv4 (sub)net so that
|
|
packets are not sent as a broadcast unless this has been set as the
|
|
broadcast address. This makes the lowest address usable for a host.
|
|
The old behavior can be restored with the net.inet.ip.broadcast_lowest
|
|
sysctl. For more information, see
|
|
https://datatracker.ietf.org/doc/draft-schoen-intarea-lowest-address/.
|
|
|
|
33ff39796ffe,8719e8a951b7:
|
|
A new rc(8) service script zfskeys allows for automatic decryption
|
|
of ZFS datasets encrypted with ZFS native encryption during boot.
|
|
See the rc.conf(5) manual page for more information.
|
|
|
|
b7a2cf0d9102 - eae02d959363:
|
|
Upgrade bhyve's emulation to version 1.4 of the NVMe specification
|
|
|
|
0a6760a1de32, 3f3676a71266, 580c04df4db6:
|
|
Add WiFi 6 support.
|
|
|
|
various:
|
|
Add support for the HiFive Unmatched RISC-V board.
|
|
|
|
9fb6e613373c:
|
|
Add a sysctl called vfs.nfsd.srvmaxio that can be used to
|
|
increase the NFS server's maximum I/O size from 128Kbytes
|
|
to any power of 2 up to 1Mbyte. It can only be set when
|
|
the nfsd threads are not running and will normally require
|
|
an increase in kern.ipc.maxsockbuf to at least the value
|
|
recommended by the console log message generated when
|
|
setting vfs.nfsd.srvmaxio is first attempted.
|
|
|
|
9ec7dbf46b0a:
|
|
Add a new NFSv4.1/4.2 mount option "nconnect" that can
|
|
be used to specify the number of TCP connections that
|
|
will be used for the mount, up to a maximum of 16.
|
|
The first (default) TCP connection will be used for
|
|
all RPCs that consist of small RPC messages.
|
|
The RPCs that can consist of large RPC messages
|
|
(Read/Readdir/ReaddirPlus/Write) will be sent on the
|
|
additional TCP connections in a round robin fashion.
|
|
If either the NFS client or NFS server have multiple
|
|
network interfaces aggregated together or a network
|
|
interface that uses multiple queues, this can increase
|
|
NFS performance for the mount.
|
|
|
|
various:
|
|
One True Awk has been updated to the latest from upstream
|
|
(20210215). All the FreeBSD patches, but one, have now been
|
|
either up streamed or discarded. Notable changes include:
|
|
o Locale is no longer used for ranges
|
|
o Various bugs fixed
|
|
o Better compatibility with gawk and mawk
|
|
|
|
The one FreeBSD change, likely to be removed in FreeBSD 14, is that
|
|
we still allow hex numbers, prefixed with 0x, to be parsed and
|
|
interpreted as hex numbers while all other awks (including one
|
|
true awk now) interpret them as 0 in line with awk's historic
|
|
behavior.
|
|
|
|
8a04edfdcbd2:
|
|
Change the default minor version used for an NFSv4 mount
|
|
to the highest minor version supported by the NFSv4 server.
|
|
This default can be overridden by using the "minorversion"
|
|
mount option.
|
|
|
|
2c76eebca71b, 59f6f5e23c1a:
|
|
Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide
|
|
support for NFS-over-TLS as described in the Internet Draft titled
|
|
"Towards Remote Procedure Call Encryption By Default".
|
|
These daemons are only built when WITH_OPENSSL_KTLS is specified
|
|
and are only tested on amd64 at this time.
|
|
They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus
|
|
optional verification of machine identity via X.509 certificates.
|
|
|
|
f76393a6305b6:
|
|
Add AES-GCM support to armv8crypto(4) providing accelerated
|
|
support for KTLS, IPsec, and other crypto API consumers.
|
|
|
|
074a91f746bd:
|
|
The aesni(4) and armv8crypto(4) devices are now included in
|
|
GENERIC on amd64, i386, and arm64.
|
|
|
|
2e1c94aa1fd5:
|
|
Add support for enforcing W^X mapping policy for user
|
|
processes. The policy is not enforced by default but can be
|
|
enabled by setting the kern.elf32.allow_wx and
|
|
kern.elf64.allow_wx sysctls to 0. Individual binaries can be
|
|
exempted from the policy by elfctl(1) via the wxneeded
|
|
feature.
|
|
|
|
4979620ece98:
|
|
Add AES-XTS support to armv8crypto(4) providing accelerated
|
|
software support for the default GELI cipher on arm64 systems.
|
|
|
|
022ca2fc7fe0:
|
|
Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2)
|
|
and aio_read(2).
|
|
|
|
92bbfe1f0d1f:
|
|
The fusefs(5) protocol has been updated to 7.28. Support for
|
|
FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added.
|
|
|
|
r368667:
|
|
GDB 6.1.1 was removed. Users of crashinfo(8) should install the
|
|
gdb package or devel/gdb port.
|
|
|
|
r368559:
|
|
The hme(4) driver was removed.
|
|
|
|
r367660:
|
|
Fixes the case where gssd will not startup because /usr is a separate
|
|
local file system that is not yet mounted. It does not fix the case
|
|
where /usr is a separately mounted remote file system (such as NFS).
|
|
This latter case can be fixed by adding mountcritremote to the
|
|
REQUIRED line. Unfortunately doing so implies that all Kerberized
|
|
NFS mounts in /etc/fstab will need the "late" mount option.
|
|
This was not done, since the requirement for "late" would introduce
|
|
a POLA violation.
|
|
|
|
r367423:
|
|
This commit added a new startup scripts variable called
|
|
nfsv4_server_only which uses the -R option on mountd added by r367026.
|
|
When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
|
|
only handles NFSv4 and does not register with rpcbind. As such, rpcbind
|
|
does not need to be running. Useful for sites which consider rpcbind a
|
|
security issue.
|
|
|
|
r366267:
|
|
Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem
|
|
was split out from amd64 DMAR support and is now generic, i.e., it can
|
|
be used by all architectures.
|
|
|
|
r364896:
|
|
A series of commits ending with r364896 added NFS over TLS
|
|
to the kernel. This is believed to be compatible with
|
|
the Internet Draft titled "Towards Remote Procedure Call Encryption
|
|
By Default" (expected to soon become an RFC).
|
|
The mount_nfs(8) and exports(5) man pages describe the mount and
|
|
export option(s) related to NFS over TLS.
|
|
For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
|
|
{ server } must be running on a kernel built with "options KERN_TLS"
|
|
on an architecture where PMAP_HAS_DMAP != 0.
|
|
|
|
r364725:
|
|
Changes to one obscure devd event generated on resume need to
|
|
be documented. The old form will still be generated in 13, but not
|
|
in 14.
|
|
|
|
r363679:
|
|
Applications using regex(3), e.g. sed/grep, will no longer accept
|
|
redundant escapes for most ordinary characters.
|
|
|
|
r363253:
|
|
SCTP support has been removed from GENERIC kernel configurations.
|
|
The SCTP stack is now built as sctp.ko and can be dynamically loaded.
|
|
|
|
r363233:
|
|
Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.
|
|
|
|
r363180:
|
|
The safexcel(4) crypto offload driver has been added.
|
|
|
|
r363084:
|
|
nc(1) now implements SCTP mode, enabled by specifying the --sctp option.
|
|
|
|
r362681:
|
|
A new implementation of bc and dc has been imported. It offers
|
|
better standards compliance, performance, localization and comes
|
|
with extensive test cases that are optionally installed.
|
|
Use WITHOUT_GH_BC=yes to build and install the world with the
|
|
previous version instead of the new one, if required.
|
|
|
|
r362158, r362163:
|
|
struct export_args has changed so that the "user" specified for
|
|
the -maproot and -mapall exports(5) options may be in more than
|
|
16 groups.
|
|
|
|
r361884:
|
|
sed(1) has learned about hex escapes (e.g. \x27) and will now do the
|
|
right thing with them, removing the need for printf magic or obnoxious
|
|
escaping in many scenarios.
|
|
|
|
r361238, r361798, r361799:
|
|
ZFS will now unconditionally reject read(2) of a directory with EISDIR.
|
|
Additionally, read(2) of a directory is now rejected with EISDIR by
|
|
default and may be re-enabled for non-ZFS filesystems that allow it with
|
|
the sysctl(8) MIB 'security.bsd.allow_read_dir'.
|
|
|
|
Aliases for grep to default to '-d skip' may be desired if commonly
|
|
non-recursively grepping a list that includes directories and the
|
|
possibility of EISDIR errors in stderr is not tolerable. Example
|
|
aliases, commented out, have been installed in /root/.cshrc and
|
|
/root/.shrc.
|
|
|
|
r361066:
|
|
Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
|
|
exec.prepare runs before mounts, so can be used to populate new jails.
|
|
exec.release runs after unmounts, so can be used to remove ephemeral
|
|
jails.
|
|
|
|
r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
|
|
Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
|
|
MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
|
|
the kernel open cryptographic framework (OCF).
|
|
|
|
r360562:
|
|
Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
|
|
MD5-HMAC, and Skipjack algorithms from /dev/crypto.
|
|
|
|
r360557:
|
|
Remove support for DES, Triple DES, Blowfish, Cast, and
|
|
Camellia ciphers from IPsec(4). Remove support for MD5-HMAC,
|
|
Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).
|
|
|
|
r359945:
|
|
Remove support for Triple DES, Blowfish, and MD5 HMAC from
|
|
geli(4).
|
|
|
|
r359786-r359787:
|
|
Remove support for DES, Triple DES, and RC4 from in-kernel GSS
|
|
authentication.
|
|
|
|
r357627:
|
|
remove elf2aout.
|
|
|
|
r357560-r357565:
|
|
init(8), service(8), and cron(8) will now adopt user/class environment
|
|
variables (excluding PATH, by default, which will be overwritten) by
|
|
default. Notably, environment variables for all cron jobs and rc
|
|
services can now be set via login.conf(5).
|
|
|
|
r357455:
|
|
sparc64 has been removed from FreeBSD.
|
|
|
|
r355677:
|
|
Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
|
|
(RFC-8276) to the NFS client and server.
|
|
NFSv4.2 is comprised of several optional features that can be supported
|
|
in addition to NFSv4.1. This patch adds the following optional features:
|
|
- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
|
|
- posix_fallocate()
|
|
- intra server file range copying via the copy_file_range(2) syscall
|
|
--> Avoiding data tranfer over the wire to/from the NFS client.
|
|
- lseek(SEEK_DATA/SEEK_HOLE)
|
|
- Extended attribute syscalls for "user" namespace attributes as defined
|
|
by RFC-8276.
|
|
|
|
For the client, NFSv4.2 is only used if the mount command line option
|
|
minorversion=2 is specified.
|
|
For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
|
|
and vfs.nfsd.server_max_minorversion4 have been added that allow
|
|
sysadmins to limit the minor versions of NFSv4 supported by the nfsd
|
|
server.
|
|
Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2
|
|
on the server.
|
|
|
|
r356263:
|
|
armv5 support has been removed from FreeBSD.
|
|
|
|
r354517:
|
|
iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.
|
|
|
|
r354269:
|
|
sqlite3 is updated to sqlite3-3.30.1.
|
|
|
|
r352668:
|
|
cron(8) now supports the -n (suppress mail on succesful run) and -q
|
|
(suppress logging of command execution) options in the crontab format.
|
|
See the crontab(5) manpage for details.
|
|
|
|
r352304:
|
|
ntpd is no longer by default locked in memory. rlimit memlock 32
|
|
or rlimit memlock 0 can be used to restore this behaviour.
|
|
|
|
r351863:
|
|
rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously,
|
|
environment variables set by a user via ${name}_env were ignored
|
|
if the service defined a custom *_cmd variable to control the behavior
|
|
of the run_rc_command function, e.g., start_cmd, instead of relying on
|
|
the variables like command and command_args,
|
|
|
|
r351770,r352920,r352922,r352923:
|
|
dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
|
|
and iflag=fullblock flags, compatible with illumos and GNU.
|
|
|
|
r351522:
|
|
Add kernel-side support for in-kernel Transport Layer Security
|
|
(KTLS). KTLS permits using sendfile(2) over sockets using
|
|
TLS.
|
|
|
|
r351397:
|
|
WPA is updated from 2.8 to 2.9.
|
|
|
|
r351361:
|
|
Add probes for lockmgr(9) to the lockstat DTrace provider, add
|
|
corresponding lockstat(1) events, and document the new probes in
|
|
dtrace_lockstat.4.
|
|
|
|
r351356:
|
|
Intel RST is a new 'feature' that remaps NVMe devices from
|
|
their normal location to part of the AHCI bar space. This
|
|
will eliminate the need to set the BIOS SATA setting from RST
|
|
to AHCI causing the nvme drive to be erased before FreeBSD
|
|
will see the nvme drive. FreeBSD will now be able to see the
|
|
nvme drive now in the default config.
|
|
|
|
r351201, r351372:
|
|
Add a vop_stdioctl() call, so that file systems that do not support
|
|
holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
|
|
The algorithm appears to be compatible with the POSIX draft and
|
|
the implementation in Linux for the case of a file system that
|
|
does not support holes. Prior to this patch, lseek(2) would reply
|
|
-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
|
|
file systems that do not support holes.
|
|
r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
|
|
any other cases, such as a ENOTTY return from vn_bmap_seekhole().
|
|
|
|
r350665:
|
|
The fuse driver has been renamed to fusefs(5) and been substantially
|
|
rewritten. The new driver includes many bug fixes and performance
|
|
enhancements, as well as the following user-visible features:
|
|
* Optional kernel-side permissions checks (-o default_permissions)
|
|
* mknod(2), socket(2), and pipe(2) support
|
|
* server side locking with fcntl(2)
|
|
* FUSE operations are now interruptible when mounted with -o intr
|
|
* server side handling of UTIME_NOW during utimensat(2)
|
|
* mount options may be updated with "mount -u"
|
|
* fusefs file system may now be exported over NFS
|
|
* RLIMIT_FSIZE support
|
|
* support for fuse file systems using protocols as old as 7.4
|
|
|
|
FUSE file system developers should also take note of the following new
|
|
features:
|
|
* The protocol level has been raised from 7.8 to 7.23
|
|
* kqueue support on /dev/fuse
|
|
* server-initiated cache invalidation via FUSE_NOTIFY_REPLY
|
|
|
|
r350471:
|
|
gnop(8) can now configure a delay to be applied to read and write
|
|
request delays. See the -d, -q and -x parameters.
|
|
|
|
r350315, r350316:
|
|
Adds a Linux compatible copy_file_range(2) syscall.
|
|
|
|
r350307:
|
|
libcap_random(3) has been removed. Applications can use native
|
|
APIs to get random data in capability mode.
|
|
|
|
r349529,r349530:
|
|
Add support for using unmapped mbufs with sendfile(2).
|
|
|
|
r349352:
|
|
nand(4) and related components have been removed.
|
|
|
|
r349349:
|
|
The UEFI loader now supports HTTP boot.
|
|
|
|
r349335:
|
|
bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
|
|
guests to play to and record audio data from the host.
|
|
|
|
r349286:
|
|
swapon(8) can now erase a swap device immediately before enabling it,
|
|
similar to newfs(8)'s -E option. This behaviour can be specified by
|
|
adding -E to swapon(8)'s command-line parameters, or by adding the
|
|
"trimonce" option to a swap device's /etc/fstab entry.
|
|
|
|
r347908-r347923:
|
|
The following network drivers have been removed: bm(4), cs(4), de(4),
|
|
ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),
|
|
vx(4), wb(4), xe(4).
|
|
|
|
r347532:
|
|
Wired page accounting has been split into kernel wirings and user
|
|
wirings (e.g., by mlock(2)). Kernel wirings no long count towards
|
|
the global limit, which is renamed to vm.max_user_wired. bhyve -S
|
|
allocates user-wired memory and is now subject to that limit.
|