EuroBSDCon 2025

Please report to EBC Helpdesk FIRST to fetch your badge.

== Registration for FreeBSD Summit ONLY ==

Developer Summit - you MUST register on the FreeBSD-wiki to join this!

Pick up your badge here! Please bring your 6 byte order code in whatever format.

Who Should Take this Course

This course provides a broad overview of how the FreeBSD kernel implements its basic services. It will be most useful to those who need to learn how these services are provided. Individuals involved in technical and sales support can learn the capabilities and limitations of the system; applications developers can learn how to effectively and efficiently interface to the system; systems programmers without direct experience with the FreeBSD kernel can learn how to maintain, tune, and interface to such systems. This course is directed to users who have had at least a year of experience using a UNIX-like system. They should have an understanding of fundamental algorithms (searching, sorting, and hashing) and data structures (lists, queues, and arrays).

Description

This course will provide a firm background in the kernel services and I/O structure of the FreeBSD kernel. The course will cover basic kernel services, locking, process structure, scheduling, signal handling, jails, capsicum sandboxing, and virtual and physical memory management. The kernel I/O structure will be described showing how I/O is multiplexed, disks are managed, special devices are configured, and system virtualization is done. The presentations will emphasize code organization, data structure navigation, and algorithms. It will not cover the machine specific parts of the system such as the implementation of device drivers.

Morning - Kernel Overview

• Process structure
• Locking
• Communications
• Process Groups and Sessions
• Jails
• Scheduling
• Signals and timers
• Virtual memory management

Afternoon - Kernel I/O structure

• I/O data structures
• Disk Management
• Multiplexing I/O
• Autoconfiguration strategy
• Configuration of a device driver

Course Text

Prior to taking the course, students are recommended to obtain a copy of the course text: Marshall Kirk McKusick, George Neville-Neil, and Robert N. M. Watson, ``The Design and Implementation of the FreeBSD Operating System'', Second Edition, Pearson Education, Boston, MA September 2014, ISBN-13: 978-0-321-96897-5, ISBN-10: 0-321-96897-2.

This practical tutorial is designed for BSD administrators and programmers to learn about automating BSD settings using Ansible. The tutorial teaches participants how to implement infrastructure as code using Ansible on FreeBSD, OpenBSD, and NetBSD systems. We will begin with some basic concepts before moving on to more advanced automation strategies specifically designed for BSD systems. The attendees will learn how to configure Ansible, write playbooks that address BSD specific concerns, use role based organization, and find the best ways to maintain safety, expandability, and simplicity of management. By the end of this tutorial, participants should be able to execute continuous deployment tests, control system configurations across multiple environments, and automate common BSD administrative tasks. This course provides BSD administrators with relevant information that can be used immediately in production environments, thus filling the gap between general Ansible material and their specific needs

Please bring a laptop running BSD or Linux where you can install and use Ansible — we’ll be getting hands-on!

Developer Summit - you MUST register on the FreeBSD-wiki to join this!

Transport Layer Security is one of the least well-understood parts of system administration. This tutorial will take you into a deep dive into the management of TLS. We'll discuss:

-how TLS Works
-what TLS provides, and what it doesn't
-assessing TLS configurations
-the ACME protocol and Let's Encrypt
-OCSP and Certificate Revocation
-CAA, HSTS, and Certificate Transparency
-debugging TLS

You'll leave with the understanding of TLS that every sysadmin should have.

I'd also like to offer a tutorial/workshop about hacking NetBSD (on NetBSD,
Linux, macOS as a host). This would basically demonstrate how to set up a
dev environment using my tools and using it to develop some example driver
and testing it on a Raspberry PI or Beaglebone. I'm also happy to answer
people's questions about specific problems they are having -- though it
would be good if they turned those in beforehand, so that I can prepare.

By way ol preparation you should:
- git clone NetBSD-current
- have a development toolchain installed
- have qemu installed

Please check back for updated instruction before the conference.

The OpenBSD Packet Filter (PF) is at the core of the network management toolset available to professionals working with the OpenBSD and FreeBSD operating systems.

Understanding the PF subsystem and the set of networking tools that interact with it is essential to building and maintaining a functional environment.

The present session will both teach networking and security principles and provide opportunity for hands-on operation of the extensive network tools available on OpenBSD and FreeBSD in a lab environment.

Basic to intermediate understanding of TCP/IP networking is expected and required for this session.

Topics covered include

The basics of and network design and taking it a bit further

Building rulesets

Keeping your configurations readable and maintainable

Seeing what your traffic is really about with your friend tcpdump(8)

Filtering, diversion, redirection, Network Address Translation

Handling services that require proxying (ftp-proxy and others)

Address tables and daemons that interact with your setup through them

The whys and hows of network segmentation, DMZs and other separation techniques

Tackling noisy attacks and other pattern recognition and learning tricks

Annoying spammers with spamd

Basics of and not-so basic traffic shaping

Monitoring your traffic

Resilience, High Availability with CARP and pfsync

Troubleshooting: Discovering and correcting errors and faults (tcpdump is your friend)

Your network and its interactions with the Internet at large

Common mistakes in internetworking and peering

Keeping the old IPv4 world in touch with the new of IPv6

The tutorial is lab centered and fast paced. Time allowing and to the extent necessary, we will cover recent developments in the networking tools and variations between the implementations in the OpenBSD and FreeBSD operating systems.

Participants should bring a laptop for the hands on labs part and for note taking. The format of the session will be compact lectures interspersed with hands-on lab excercises based directly on the theory covered in the lecture parts.

This session is an evolutionary successor to previous sessions. Slides for the most recent version of the PF tutorial session are up at https://nxdomain.no/~peter/pf_fullday.pdf, to be updated with the present version when the session opens.

Google and Microsoft dominate email, but it's still possible to run your own mail server provided you use modern protocols and maintain acceptable behaviors. This half-day tutorial will take you through configuring your own mail system, from a bare BSD operating system up through SPF, DKIM, and DMARC, and discuss the social rules needed to get your messages into Gmail and Outlook.

We'll discuss:

-Unix and email
-The Simple Mail Transfer Protocol
-Postfix and Dovecot setup
-Virtual domains
-MX and SPF records
-SMTP Protocol Tests
-DomainKeys Identified Email
-DMARC
-Webmail with Roundcube
-Rspamd
-Escaping and Surviving Block Lists

Attendees will leave with an understanding of how to configure a SMTP server and maintain it in an increasingly challenging environment.

Pick up your badge here! Please bring your 6 byte order code in whatever format.

Who Should Take this Course

This course provides a broad overview of how the FreeBSD kernel implements its basic services. It will be most useful to those who need to learn how these services are provided. Individuals involved in technical and sales support can learn the capabilities and limitations of the system; applications developers can learn how to effectively and efficiently interface to the system; systems programmers without direct experience with the FreeBSD kernel can learn how to maintain, tune, and interface to such systems. This course is directed to users who have had at least a year of experience using a UNIX-like system. They should have an understanding of fundamental algorithms (searching, sorting, and hashing) and data structures (lists, queues, and arrays).

Description

This course will provide a firm background in the filesystems and networking capabilities supported by the FreeBSD kernel. The course describes the VFS filesystem interface that supports multiple filesystem types. The course covers the implementation and capabilities of the UFS filesystem and the techniques for maintaining filesystem consistency. The filesystem section ends with a description of the ZFS filesystem capabilities, implementation, and integration into FreeBSD. The course also covers the socket-based network architecture, layering, and implementation. The socket communications primitives and internal layering will be discussed, with emphasis on the interfaces between the layers; the TCP/IP implementation will be used as an example. A discussion of routing issues and the netmap interface will be included. The presentations will emphasize code organization, data structure navigation, and algorithms. It will not cover the machine specific parts of the system such as the implementation of device drivers.

Morning - Filesystems Overview

• Filesystem organization
• Block I/O system (buffer cache)
• Support for multiple filesystems
• UFS Filesystem implementation
• ZFS Filesystem implementation

Afternoon - Networking Implementation

• System layers and interfaces
• Internet Protocols
• Mbufs and control blocks
• Routing issues
• TCP algorithms

Course Text

Prior to taking the course, students are recommended to obtain a copy of the course text: Marshall Kirk McKusick, George Neville-Neil, and Robert N. M. Watson, ``The Design and Implementation of the FreeBSD Operating System'', Second Edition, Pearson Education, Boston, MA September 2014, ISBN-13: 978-0-321-96897-5, ISBN-10: 0-321-96897-2.

Managing infrastructure efficiently is critical, but many automation tools feel disconnected. In this hands-on tutorial, attendees will learn how to combine Terraform, Ansible, and Salt to fully automate the provisioning, configuration, and long-term management of infrastructure—all from a FreeBSD workstation.

We will walk through:
- Terraform: Defining infrastructure as code to provision FreeBSD EC2 instances.
- Ansible: Initial configuration of servers, including network setup and package installation.
- Salt: Ongoing configuration management, patching, and long-term server maintenance.

By the end of this tutorial, attendees will have a working hybrid infrastructure using FreeBSD locally and in AWS. They will leave with practical skills to automate and maintain infrastructure efficiently using BSD-friendly tools.
Intended Audience

System administrators, DevOps engineers, and developers using FreeBSD.
Anyone interested in automating infrastructure with open-source tools.
Attendees should have basic FreeBSD and shell scripting knowledge, 
but no prior Terraform, Ansible, or Salt experience is required.

Expected Duration

3 hours (Hands-on, with live demonstrations).

Outline
1. Introduction (30 min)

Overview of Terraform, Ansible, and Salt
Why use all three together?

1. Setting Up FreeBSD Infrastructure with Terraform (55 min)

   Writing Terraform to deploy FreeBSD EC2 instances
   Managing networking and security groups

2. Configuring FreeBSD with Ansible (55 min)

   Installing software
   Setting up IPSec VPN for secure remote management
   Configuring a Lab Environment using FreeBSD Jails

3. Maintaining FreeBSD with Salt (55 min)

   Automating updates and configuration changes
   Enforcing security policies

4. Q&A and Wrap-Up (15 min)
   What Attendees Will Learn

   How to provision FreeBSD servers in AWS using Terraform.
   How to use Ansible for initial setup and configuration.
   How to use Ansible to setup a FreeBSD Jail lab environment.
   How to maintain and scale FreeBSD infrastructure with Salt.

Requirements

Laptop with SSH access
FreeBSD workstation recommended, but not required, Hypervisor works (VirtualBox, etc)
Some prior BSD experience (but no automation expertise needed)

bhyvecon is the only conference dedicated to BSD Hypervisors including FreeBSD/Illumos bhyve, FreeBSD/NetBSD Xen, OpenBSD vmm, and NetBSD Xen/nvmm/HAXM.

Please visit https://bhyvecon.org/ for details.

Agenda:

10:30 – 11:00 Welcome!
11:00 – 11:30 CPUID/live migration Update
11:30 – 12:00 FreeBSD|illumos bhyve OS dependent independent code cleanup
12:00 – 12:15 Break
12:15 – 13:30 GPU Pass-Through Update and EDK2 Update
13:30 – 14:30 Lunch
14:30 – 15:15 Sylve Introduction, some will break for the Tesla Museum
15:15 – 16:00 Karios.ai Introduction
16:00 – 16:15 Break
16:15 – 16:30 bhyve in production
16:30 – 17:00 bhyve in Jails, New and Upcoming Jail Features
17:00 – 17:30 TrueNAS CORE Update / zVault.io Update
17:30 – Close: Clustering Goals and Brainstorming

Even in today's day and age of various free email options and commoditization of email services, there's still many good reasons for running your own mail server - privacy and security just being two of them.

In this tutorial, we'll use bhyve and jails to set up a FreeBSD lab with
- postfix smtp server with support for virtual users and multiple domains
- spam assassin spam filter
- amavis virus scanner
- cyrus imap server
- nextcloud webmail with 2-factor auth
- setting up dkim and dmarc
- improved security with pf, fail2ban, sshguard and vnet jails
- caveats and pitfalls
and we'll take a look at the usual management activities for the mail system.

Some key learnings you'll take away:
- Using bhyve inside jails
- Setting up your own mail server
- The prerequisites required to successfully run your own mail server
- how to automate the whole process - have your own mailserver up in a few minutes!

This is a closed session for members of The NetBSD Foundation - non-members may join per invite, in this case please reach out to TNF or a member. Further details on the NetBSD wiki.

Configuration management and automation tools, like ansible, can make the life of a system administrator easier both by being able to scale operations as well as help in reproducible create new deployments.

An additional advantage is that the automation will, if done consistently will also document all steps done to create the systems.

This Tutorial will focus on more advanced features of ansible to administrate FreeBSD machines and how to control the enviroment as to get functional identical results:
* installing freebsd-updates
* installing and updating packages
* configuring rc.conf
* modifying/managing config files
* using the included templating engine to generate (even complex) files.
* using dynamic inventory to get the information for the new system out of existing systems already describing the desired state of your systems, for which we will use netbox as an example in the lab environment.

Attendees will need a laptop with an SSH client to access the virtual lab environment and should ideally have basic knowledge on how to run ansible and building a basic playbook.

The awk processing language has been around for almost 50 years in the Unix space. All major BSDs include awk in the base system. It allows powerful and flexible processing of text inputs. However, users find it difficult to understand and awk-ward to use, even shying away from using it in the first place.

Pick up your badge here! Please bring your 6 byte order code in whatever format.

With warm welcome...

Lessons learned Open Sourcing the UK's Covid Tracing App

Open Source is participatory and BSD Unix is no exception, with its own unique development workflows and events. bug reporting, code proposing, and event participation are fundamental elements of the BSD Unix community and despite appearances, are open to anyone to participate.

This talk will take a pragmatic tour of effective engagement on these topics with real-world examples and tips for:

• Bug reports that are actionable and inspire attention
• Code change proposals and reviews that are more likely to review and acceptance
• Conference proposals that stand out, accurately set expectations, and are more likely to be accepted

The secret is that all of that all of these are fundamentally indistinguishable: You are tasked with persuading others of the valueof your idea, must show your work, justify your points, demonstrate sincerity, and ultimately convince others of your initiative, regardless of its size.

Current jail managers will take over a minute to deploy thick provisioned jails and can't preserve modifications to thin provisioned jails. ZFS's copy-on-write semantics are an almost perfect match for fast FreeBSD jail provisioning, but the inability to rebase ZFS clones constrains the design of efficient automations. This talk explains how ZFS channel programs can be used by a jail manager (or plain old jail.conf(5)) to make idempotent jail provisioning near instantaneous and non-destructive.

You'll learn:
- What tools can be written with the technology we already have in FreeBSD to improve jail management.
- How to write and debug your own ZFS channel programs.
- Why you should keep the base system, applications, configurations, and persistent data separate.
- Where existing FreeBSD jail managers fell behind Linux containers.
- How to provision jails in under a second.

Target audience: intermediate ZFS skills and at least a beginner's understanding of FreeBSD jails or any other container technology.

On July 19, 2024 Crowstrike issued an update for its IDS system for the Windows operating system. This fateful update happened to cause crashes of IT systems that relied on the Windows/Crowdstrike around the world with dire consequences of closing entire airports hampering health care and ending up costing potentially billions of USDs.

A common theme among those whos operations ground to a stop during this outage was, admittedly with 20/20 hindsight, was a reliance on one particular combination of technologies. Windows and crowdstrike are, presumably, both fine technologies chosen by the largest organizations on the planet. However, they are not the only combination of OS and IDS capable of operating, even in high stakes environments.

This talk will discuss how the outcome of the July 19 event and similar events causing mass outages could be less disruptive by introducing a measure of diversity in the technical solutions. We will also discuss ways to create diverse solutions while minimizing the extra cost.

Parthenope is a modular, two-step installer for the FreeBSD operating system, written primarily in Lua. The installation process is divided into two phases:

• In the first step, configuration files and installation commands are generated using a variety of interactive interfaces.
• In the second step, the actual system installation is executed based on the previously created files.

The project is simple, extensible, and designed to be flexible. It currently supports multiple frontends, languages, installation modes ("Auto", "Easy", and "Expert"), interactive levels, and logging options.

Parthenope began as a personal project to answer a simple question: "What features would I want when installing FreeBSD on my laptop?" It has since evolved into an open source tool that anyone can use, adapt, or extend to meet their own requirements.

This talk will feature numerous screenshots and practical examples, covering:

• The motivation behind the two-step installation approach
• The internal design and architecture of Parthenope
• Real-world use cases for end users, system administrators, and developers
• The current state of the project
• Future development plans and ideas for improvement

Attendees will gain insight into how Parthenope aims to enhance the FreeBSD installation experience by combining simplicity, flexibility, and user control.

Confidential computing is a family of techniques to enhance security and confidentiality for data in use. One technical approach is strong isolation for virtual machines.

AMDs Secure Encrypted Virtualization (SEV) offers several feature sets for isolation of guest virtual machines from an non-trusted host hypervisor and operating system. These feature sets include memory encryption, encryption of guest state including CPU registers and an attestation framework.

With OpenBSD 7.6 released in October 2024 we are now able to use the memory encryption features of AMD SEV to run OpenBSD as both

• a confidential guest VM and
• as a hypervisor providing a confidential execution environment.

Now, thanks to memory encryption the hypervisor is not able to peek into a guests memory and is not able to retrieve sensitive information. However, the state of the CPU registers used by the guest is still visible to the hypervisor.

Therefore, we implemented support of AMDs "Secure Encrypted Virtualization with State Encryption" (SEV-ES) for OpenBSD guests and hypervisor. With SEV-ES all CPU guest state is encrypted and hidden from the hypervisor.

In this talk we will explain the fundamentals of SEV and SEV-ES. Then we explore the challenges imposed by SEV-ES for both guest and hypervisor. Finally we will take a closer look into selected implementation details.

Over the past several months I've been working on improving the support for FreeBSD in the OpenJDK project, as well as setting up infrastructure for building and testing the FreeBSD OpenJDK port. All sponsored by The FreeBSD Foundation.

The work has involved closely working with the upstream OpenJDK project, fiddling with arcane configure scripts, unfamiliar CPU architectures and learning a lot about the internals – both of OpenJDK and FreeBSD (and other BSD's as well.)

In this presentation I will give a quick overview and status on where the project stands at this time, what the road ahead looks like, and talk about the process, and what I've learned along the way.

Managing multiple FreeBSD machines can be time-consuming, but automation makes it effortless. In this talk, I will demonstrate how I use Ansible to set up my FreeBSD lab and Salt to maintain and scale it across multiple machines—including how I configured a second FreeBSD laptop with just SSH access.

Attendees will see how automation enables:
- Seamless FreeBSD system setup using Ansible.
- Automated configuration management with Salt.
- Effortless scaling to new machines, reducing manual setup to a few commands.

By the end of the talk, attendees will understand how to leverage Ansible and Salt to build a reproducible and maintainable FreeBSD infrastructure.
Intended Audience

FreeBSD users interested in automating system setup and maintenance.
System administrators managing multiple FreeBSD machines.
Anyone curious about Ansible and Salt for FreeBSD automation.

Attendees should have basic FreeBSD knowledge, but no prior experience with automation tools is required.
Outline
1. Introduction (5 min)

Why automate?
My FreeBSD lab & laptop setup overview.

1. Building My FreeBSD Lab with Ansible (15 min)

   Bootstrapping a new system.
   Automating system installation & package setup.
   Adding a second laptop with just SSH access.

2. Maintaining & Scaling with Salt (15 min)

   Managing configs, packages, and updates.
   Enforcing system state across multiple machines.
   How I maintain consistency between multiple devices.

3. Lessons Learned & Challenges (5 min)

   Why this method works well for FreeBSD.
   Troubleshooting automation quirks.

4. Q&A (5 min)
   What Attendees Will Learn

   How to use Ansible to set up FreeBSD machines quickly.
   How Salt makes long-term configuration management effortless.
   How to automate multiple FreeBSD machines with minimal manual work.

One long-standing issue in package buildings is the handling of parallel builds.
I've designed a simple network protocol (build-control) that allows real-time scaling of make/ninja processes job control.

Contrary to gmake's "jobserver" paradigm, build-control assumes that the end-user is in control and can tweak each build's job count in real time.

Make-like builds will react rather quickly, because usual compilations only last seconds.

This allows cluster schedulers a level of control that can't be achieved through automated means.

Moreover, it also extends to pervasive computing. I will present several use-cases besides dpb that can benefit from outside sources besides the coarse-grain heuristics of job-control servers, in any case where arbitrating between build sources with extra information will give you an obvious advantage

IMUNES is an open-source network emulation and simulation tool, using FreeBSD's features we all love - like jails, netgraph, VNET, and unionfs. Originally created by Dr. Sc. Marko Zec at the University of Zagreb's Faculty of Electrical Engineering and Computing (FER), IMUNES has evolved into a key resource for testing and simulating real-world network topologies and protocols. IMUNES has been used in collaborations with companies like Boeing and Ericsson Nikola Tesla, providing a practical environment for testing network devices, applications, and configurations in different scenarios.

The project leverages FreeBSD's capabilities to create lightweight virtual nodes within the kernel, supporting detailed emulation of network components, and enabling the testing of unmodified user-level applications such as routing daemons and [insert your favourite FreeBSD/Linux tools here]. While relatively unknown, IMUNES is used globally in both research and educational settings, with a growing community of users.

Currently maintained by Denis, IMUNES continues to evolve and support the research community. The project is open-source, BSD-licensed, and still in active use for teaching network concepts and conducting simulations. With its support for multiprotocol environments, IMUNES is an invaluable tool for anyone working in networked and distributed systems research.

The talk will consist of these parts:
- IMUNES history and its present state.
- How IMUNES runs on FreeBSD.
- Future plans and goals for the project.
- Live demonstration.
- Discussion about FreeBSD features we would love to see.

"Echtzeit - Digitale Kultur" (https://www.echtzeitkultur.org) is a small Swiss NGO created to aid the demoscene (https://demoscene-the-art-of-coding.net/the-demoscene). As many organizations, we wish to not further rely on the SaaS solutions by too-big-to-fail technology providers. With around 10 active and 100 passive members, our resources - time, money and capabilities - are severely limited. This talk presents how we built our own infrastructure based on FreeBSD, Jails, PF, ZFS and other OSS and goes into the challenges - some technical, but most organizational and financial - that we faced by this approach as well as the benefits. The talk further lays out how we wish to share our acquired know-how with other NGOs to enable them to gain digital autonomy themselves.

In my talk, I will demonstrate how to utilize pkgbase to perform FreeBSD OS updates.
By building pkgbase packages locally, it is easy to upgrade large numbers of hosts.

I will begin by explaining what pkgbase is and how to get started using it, using the FreeBSD Foundation's PKGBasify Script to convert existing hosts to be pkgbase-ready, and then using pkgbase to perform future upgrades.

The goal is to show the audience how to set up a build server to construct pkgbase packages and publish them to the network via NGINX, as well as use that server to consume pkgbase packages.

I will walk through how to configure a client to upgrade from FreeBSD 13.3 to 13.4, as well as how to perform major version upgrades, such as from 13.3 to 14.2. The same process can also be used to apply quick patch-level updates if the host is already set up with pkgbase.

Lastly, I will highlight some common pitfalls to watch out for during the upgrade process, as well as when using pkgbase for the first time.

I use this approach on a day-to-day basis in a production environment that is not directly connected to the Internet; therefore, freebsd-update is not an option. On this behalf, pkgbase is a valid option to perform OS upgrades.

The "wifi" (net80211) stack in NetBSD is aging (to put it polietly).
We have been working to adapt the FreeBSD stack (and keep that in sync) for multiple years now.

This is one of the longest running merge / update projects we ever had and it was also used to test some of our new repository infrastructure.

This talk will try to show the obstacles we ran into, the original problems we envisioned before starting and how many of them are still open. It will explain decisions where we opted to deviate from FreeBSD (e.g. in locking rules) and how we try to make the result future-proof and long-lasting by being able to feed back some of the changes and localize (i.e. hide from code shared with FreeBSD) others.

Parts of the FreeBSD stack are a "fast" moving target in order to deal with fast moving Linux upstream drivers. We are trying to track this as well, but it creates additional challenges as we are trying to avoid duplicating code that already exists in NetBSD to deal with DRM/KMS drivers also using a kind of "Linux compat shim".

Finaly the present state and a (hopefully) realistic plan how (and when) this branch finally will be merged into NetBSD-current will be presented.

While Linux containers benefit from a rich ecosystem of Container Network Interface (CNI) plugins such as Calico and Cilium, FreeBSD Jails have lacked native, standardized solutions for advanced networking. As a result, users have relied on manual, error-prone configurations, which limit scalability and integration with modern orchestration platforms.
This presentation introduces porting Calico, a widely adopted CNI plugin, to the FreeBSD operating system. Our approach replaced Linux-specific components with FreeBSD-native equivalents: iptables with ipfw, netlink sockets with routing sockets, and Linux network namespaces with FreeBSD’s vnet.
This work aims to bridge the gap between Linux and BSD container networking. By providing scalable, policy-driven capabilities that are compatible with existing Linux-centric infrastructure, FreeBSD will be empowered to participate more fully in the broader container networking ecosystem.

FreeBSD WiFi development has regained traction catching up with 15 years.

In this talk I will walk you through the journey of the last years:
* LinuxKPI and wireless drivers. Why I decided to go that route and how it is working out.
* What has taken so long or what came up my away to keep me away from just doing WiFi.
* Let's talk a bit how WiFi development looks like.
* FreeBSD standards support. What's supported now and what's on the way.
* What is missing and where I hope the journey will go.

The Fediverse is the reclaimed, social web. With federated social platforms like Mastodon and Peertube everyone is able to host their community on the Fediverse, communicating with others on different communities, without borders. In this talk Jeroen and Stefano go over their experiences hosting the Fediverse and other services on *BSD instances. What are the lessons learned and how is the experience administering an instance, a couple of years in?

Stefano is the admin for bsd.cafe, Jeroen is the admin for exquisite.social. Both run on BSD and are beacons for the BSD minded folks on the Fediverse.

Subtitled: Mistakes I may have Allegedly Made

25 years ago I designed my first resilient system, addressing failures with networks, infrastructure, applications, operator errors, and with a considerable dose of youthful hubris and ignorance. I'm still building them today.

This talk covers the journey, the lessons, and current practice for building robust & resilient systems, that don't need to wake you up when they go bump in the night. It has a sprinkling of humour, of war stories, of operations, and some computer science theory.

This talk comprises 7 main themes, presented as a journey from your typical single server deployment, through to a modern distributed system spanning continents, multiple servers & applications.

The FreeBSD Ports Collection has long been one of the project’s most defining features — a gateway to thousands of third-party applications across use cases and architectures. But as the ecosystem has grown past 30,000 ports, core questions of sustainability, security, and stewardship have become increasingly urgent.

This talk presents a critical but constructive examination of the state of the Ports tree today: legacy components like Python 2.7 and GTK2 lingering far past end-of-life; security-sensitive libraries such as libxml2 frozen due to dependency sprawl; and a governance model struggling to adapt to modern software lifecycle realities. Examples will include cases where well-intentioned cleanup or modernization efforts have been blocked by inertia, policy gaps, or lack of strategic direction.

Rather than focus on blame, this session invites forward-looking dialogue. How should a curated operating system balance flexibility with trust? How can FreeBSD better align with evolving supply chain expectations — from reproducible builds to SBOMs? What tradeoffs must be made when quality, not quantity, becomes the primary metric of success?

While the views presented are personal, they reflect years of active involvement in the Ports infrastructure, including past membership on portmgr@. The session will aim to leave ample space for community discussion and propose specific paths toward a more sustainable, auditable, and maintainable future for the Ports Collection.

Social Event has Doors Open at 1900 at the Restaurant "Lobby Food+Mood" which
is located close to the venue and across the street from the known "Fakin" Craft Pub.

https://maps.app.goo.gl/SqppEz5GSKz1uzXs7
or
https://osm.org/go/0IsmjltNQ

Please bring your badge!!

Get your badges or pick up your bag/jacket

AI slop attacks on the curl project

This talk tells the history of the BSD Daemon. It starts with the first renditions in the 1970s of the daemons that help UNIX systems provide services to users. These early daemons were the inspiration for the well-known daemon created by John Lasseter in the early 1980s that became synonymous with BSD as they adorned the covers of the first three editions of `The Design and Implementation of the BSD Operating System' textbooks. The talk will also highlight many of the shirt designs that featured the BSD Daemon.

NetManager is an extensible general-purpose server product based on NetBSD with a particular focus on web-filtering and storage. Dating back to 1996 on NetBSD/acorn32, it progressed to NetBSD/cats and then to NetBSD/i386. Now it mainly targets NetBSD/amd64 on both virtual and physical hardware. This talk will discuss how the product evolved including how it is built, upgraded and maintained as well as typical use cases.

... but because they are a bloody nuisance and we want them to be
easy.

In this talk I will reminisce on more than a decade of being an
OpenBSD developer. With over 2,047 commits and more than 75,000 lines
of code deleted, there are stories to tell. Like that one time when
we... Or back in..., when I made this off-hand remark...

I will talk about how I got my OpenBSD account, how I chose what to
work on and how things like slowcgi(8), unwind(8), or sysupgrade(8)
came to be.

The focus will be on the day-to-day of being a volunteer developer,
how I run my own infrastructure (hint, it is all OpenBSD-current) and
how the six-month release cycle ties in to that.

In the last years we outsourced much of our hosting server and data centre infrastructure to external suppliers for reasons of cost, efficiency, but also fast availability of new systems and frequent updates of hardware to match the current state of the market.

Yet at the same time we still want to serve our customers with our tried and true full managed hosting environment "proServer" as well as additional services like external firewalls, VPN connections, high availability and load-balancing, etc.

This talk will present how we achieved all of that using only the standard dedicated server hosting product "Robot" provided by German company Hetzner Online GmbH.

Topics covered will include:

• Installing FreeBSD from a Linux live system
• Routing IPv4 and IPv6
• Conserving IPv4 addresses
• Managing bridged networking and connecting VNET jails
• Private links over physical media and virtual switches
• HA setups using CARP over virtual switches

I'd like to give a talk about a standardized development environment for
hacking on netbsd on linux and macOS by crosscompiling.

• how the enviroment is set up
• what supporting software is used
• best pracices like logging build output etc.
• how to do netbsd development on it
• cross compiling on the host
• debugging in the vm
• testing in the vm

Background:

For my 2025 GSoC student I wanted us both to work in a standardized
development environment. So that I could more easily troubleshoot the
problems he would be having and to make it easier for him to do things the
right way. Afterall, he was in southern India and I'm in Europe and I don't
have remote access to his workstation.

Also he was running Ubuntu while my main laptop runs macOS. I do have a
machine running Debian that I can accesss over the network, however.

To that end I formalized the historically grown scripts I use for netbsd
development into something that could be shared with my student.

That worked out rather well.

This year I started to convert the instructions and documentation from last
year into documents that are to be published on the netbsd wiki.
I also updated and enhanced my tools for this year's student.

I do have a large collection of notes that I'd like to use as basis for the
talk.

Last Christmas holidays I decided to switch my home network to IPv6 only using DNS64 and NAT64. Additionally I wanted to set up a wifi using dual stack and DHCP Option 108 (IPv6-mostly).

Since the OpenBSD documentation is known for its quality I decided to set myself the challenge of setting this up without using the internet, solely by reading manual pages and example configurations on a freshly installed OpenBSD, without installing any additional packages. In my talk I'll tell you about how this went touching on:

• a brief intro what DNS64, NAT64 and DHCP Option 108 are;
• what my home setup looks like (living in a part of Switzerland where you still have to rely on VDSL to get native IPv6);
• how far I got without using any OpenBSD packages;
• what services I used, what their config looks like and whether I was able to configure it without consulting internet resources.

In the end you should know how to set up a IPv6 only network. On the way I hope to convince you why you should do this - not only at home but also at work.

Link to the slides

In this talk, we will present a project that aims at allowing controlled process credentials transitions without using setuid executables but instead leveraging FreeBSD's MAC framework, and which practical functionalities it brings to administrators and users.

Traditional credentials-changing programs, such as sudo(8), have a non-negligible attack surface as they often include a lot of infrequently used features and mechanisms that can be dangerous from a security standpoint (e.g., loadable modules). As these programs have to run as 'root', compromising them can have catastrophic consequences.

The mac_do(4) kernel module has been introduced to allow unprivileged processes to change credentials, provided the requested changes are explicitly allowed by rules set by an administrator. It has recently undergone major changes. First, thanks to a redesign of rules, it is now possible to specify full sets of user and group IDs that must be present or absent in the final credentials for a transition to be accepted. Second, each jail can be configured with a different set of rules, allowing different transitions to be allowed as needed, or to inherit from the parent jail.

Its companion program, mdo(1), serves to request credentials changes. Initially limited to changing the user, and possibly switching to his groups, it has been under ongoing development to include common credentials-changing program's functionalities (such as those of doas(1) or sudo(8)) thanks to a Google Summer of Code project.

We will describe how mac_do(4)'s credentials rules work, what the role of the mdo(1) companion program is and how it has evolved, and what you can do with them in practice.

We will also touch on some aspects of the implementation, notably why we needed to introduce the new setcred(2) system call, which allows to change all process credentials in a single call, and, time-permitting, those that are related to the use of some FreeBSD's kernel sub-systems (notably, sysctl, jails and OSD).

Computing has its warts, fun and rewards, but sometimes other creative urges come to light, such as DJing and music production. How do we leverage our favourite operating system family to act on said creative urges?

This programme will cover the tooling and setup needed for anyone to start DJing and producing music, using as much open source as possible. Those familiar with or interested in other aspects of signal processing may see some parallels in concepts like flowgraph design and implementation.

Following BSDCan 2024's overview of DJing and music production in FreeBSD, plus BSDCan 2025's audio stack overview, this programme dives further into how MIDI fits into the picture. Instead of turntables and specially-crafted timecode on records, MIDI controllers will feature for the demo.

This talk will cover PIE code generation mode and motivations for its
use (including copy relocations and canonical PLT entries). I will also
cover indirect functions ("ifuncs"). Depending on time, I may also
discuss Thread Lock Storage (TLS) and how it is implemented in ELF for
modern architectures.

Attendees of this talk will likely benefit from watching my BSDCan 2025 talk
beforehand which introduces several concepts from ELF linkage.

(Or: Fighting denial-of-service for fun and profit.)

For fun:

I want to run a BBS on an old 386 machine, but exposing it to the Internet via Telnet will turn any drive-by portscan into a potential DoS (not DOS).

I'm sure we've all been there. Right?

For profit:

Someone realises that throwing hundreds of thousands of TLS handshakes per second at us is worth it, and I don't have more CPU to throw at the problem.

That's what we get for placing ourselves in the line of fire, I guess?

Dirty tricks

So what can be done about this? Well it turns out that with Lua and Nginx, I can solve both problems. Join me for a brief excursion into the world of retro-BBSes, an introduction to some Internet Scumbags and their shenanigans, and some possible solutions to these problems.

I'm not an active Lua coder, and I don't know nginx nearly well enough despite having used it for 15 years. So here's fair warning: Anyone who actually knows these things may catch a bout of nausea.

This talk goes over the productionisation of a distributed filesystem for OpenBSD. The talk touches on FUSE and the raft consensus algorithm, although the focus of the talk is on steps taken to increase reliability, handle edge cases, and simplify operations.

While an introduction to FUSE and Raft will be provided, the main emphasis will be on the steps taken to make the system a viable option for others. This includes handling failure cases, hardening security, and providing administrative tooling.

We live in the age of the centralized internet. It is bigger than ever in terms of content, but looks and feels smaller and more uniform with every passing year. Most of online discourse is concentrated within a handful of giant platforms, which for many people comes with technical, ethical and sociopolitical concerns. But it also makes the internet a ...bland and boring place to be in.

"Great, but this is a BSD conference. What does BSD have to do with all this?"

The talk will be both philosophical, as well as technical. It will first go through why people need to host their own platforms, and will then showcase how BSDs are great at achieving that with minimal hassle, including a guide on how to get started.

This talk attempts to sum up the past, present, and possibly future state of the art when a highly available networked storage system is needed.

On FreeBSD with a lack of an up to date port of Ceph options are fewer than in penguin land, but they still exist. Also just maybe Ceph is not the best contender, anyway.

Apparently there's a new kid in town - Garage [1] by French hosting service provider Deuxfleurs. With a current and maintained FreeBSD port, it looks like the most promising option today.

I'll give a historical overview with implementation details for each alternative discussed, ending up with a working Garage cluster deployed with Ansible.

[1] https://garagehq.deuxfleurs.fr

The Game of Trees Hub is a transparently funded Git repository hosting
service based on OpenBSD and the Game of Trees version control system.

Game of Trees servers interoperate with any Git client. Users access Git
repositories securely via Git's SSH protocol, based on OpenSSH, and manage
their repository space by committing a configuration file to a special-purpose
Git repository. The configuration file controls user accounts, repositories,
access permissions, and more.

Each Game of Trees Hub project space runs in a dedicated virtual machine on top of the OpenBSD vmm hypervisor. Git repository services in virtual machines are
implemented by the Game of Trees gotd, gotwebd, and gotsysd servers.

Our service is funded by its users, and we want our users to know how the money they contribute is used by us. All financial transactions related to the service are published
on a public ledger on our Open Collective page.

This talk presents our motivation for starting a shared Git hosting project
based on Game of Trees, discuss our community structure, financial aspects,
and some technical internals.

USB Type-C is not just a different connector type but also a different internal structure in the system. For example, a USB Type-A port on your laptop is usually a USB host, not a USB device. In the case of USB Type-C, the host/device role cannot be determined since the cable has no pre-defined direction. This role selection is resolved by a controller on your laptop, and it is independent of the USB host controller interface, such as xHCI.

This talk covers the technical aspects of USB-C systems and hardware structure, and then the author's development experience of device drivers for USB-C port control on FreeBSD and other *BSD operating systems. Most operating systems support Intel USB Type-C Connector System Software Interface (UCSI), which enables the OS to communicate with the embedded controller. More specifically, USB-PD charging direction control, DisplayPort alt mode, and other useful functionality can be supported with the software implementation on the OS side.

The misuse of AI in education for cheating purposes has created challenges in assessing students' authentic contributions in the last couple of years. Another issue we identified is that University labs rarely teach problem-solving skills for a real-world scenario that students have to deal with in their post-academic working life (i.e. fixing production issues). Traditional assignments lacked real-world relevance (and were easily solved with the help of AI), leaving students unprepared for professional challenges in their later jobs. To address this, we developed as part of a master's thesis for University of Applied Sciences, Darmstadt, Germany a new teaching framework leveraging Chaos Engineering and Gamification elements to modernize Unix education on FreeBSD. With our new system, real-world problems can be simulated by instructors and allows students to use system administrator permissions to solve them. We also developed this system to make it difficult for participants to "cheat" using AI and evaluated the system towards that end with a group of students.

This talk will introduce our new "Chaos education system" tested in the "Unix for Software Developers" course at the University. The name stems from the chaos monkey systems that intentionally "wreak havoc" on production systems to improve their resiliency and train the sysadmins managing them to find and fix them. Our approach lets instructors inject intentional faults (error scenarios) into student-managed FreeBSD jails. The students must then identify, resolve, and prevent these issues from occurring again using standard system administration tools, including root permissions. To increase student motivation to solve these scenarios quickly (and to create artificial "production system is at stake" pressure), a global highscore list is used as a gamification element: each time an issue is solved, points are awarded to that team based on the elapsed time and an instructor-defined difficulty bonus. A post-mortem group discussion with the instructor lets students talk through various ways of solving the issue, giving the group deeper insights on possible solutions each group had used. Using the system, the students gain practical skills like troubleshooting, system recovery, and proactive system management with real-world scenarios, something that traditional "one size fits all" assignments lack.

We built the whole system using BSD-licensed open source components: FreeBSD, pf, VNET, bastille jails and templates. Shells scripts act as the glue to tie them together and implement the logic for the rest of the chaos monkey system. The prototype system has been tested with two student groups of 16 students each in January 2025. One group was allowed to use ChatGPT during the scenarios to see how AI-support helps them (if at all). Insights from this testing was used to enhance the system further.

This talk will introduce the chaos education system idea, implementation, demonstrate its functionality, and discuss future work in this area. FreeBSD proved to be an excellent building platform for this system, due to its great modularity, open source, low resource overhead, and available documentation. The system can be enhanced further and used outside of an academic environment, like employee training or workshop-style challenges at events. It is easy for instructors to construct a custom scenario for participants and inject it into the training jails. The system can scale to a number of parallel users due to the lightweight nature that FreeBSD jails provide.

Audience: Educators, trainers, and system administrators interested in modernizing Unix/Linux education through hands-on, interactive methods. Managers may find the system interesting for training their own employees by constructing scenarios mimicking their own environment.

With security vulnerabilities rapidly rising each year, program security is more important than ever. One solution to keeping your program from being the victim of the next big CVE is FreeBSD's Capsicum.

Originally developed at the University of Cambridge Computer Laboratory, Capsicum is a lightweight capability and sandbox framework built into the FreeBSD base system. It is designed around the principle of least privilege - where programs only have access to resources that are required for operation.

This talk will follow my blog post, which outlines the process of Capsicumization, or sandboxing your program using Capsicum. I will cover capability violation detection, restructuring existing programs for Capsicum, and filesystem/networking access inside of the capability sandbox.

Since my previous talk about this topic in 2022 major improvements
in the OpenBSD network stack have been achieved. The socket API
has been unlocked in the kernel. This means that multiple userland
threads can do system calls on distinct sockets in parallel on
different CPUs. Input and output processing of packets in the
protocol layer can also run in parallel. This talk will give insight
which locks are used to prevent chaos. TCP has much more state and
timeouts which require other locking strategies than UDP. Multiple
input and output queues in the network drivers allow to distribute
packets over CPUs. Measurements make this effect visible and help
to identify bottlenecks.

Farewwell, Auction and 2026 reveal