A Love Letter to FreeBSD

> uptimes of over 3000+ days

Oof, that sounds scary. I’ve come to view high uptime as dangerous… it’s a sign you haven’t rebooted the thing enough to know what even happens on reboot (will everything come back up? Is the system currently relying on a process that only happens to be running because someone started it manually? Etc)

Servers need to be rebooted regularly in order to know that rebooting won’t break things, IMO.

I still remember AJG vividly to this day. He also once told me he was a FreeBSD contributor.

My journey with FreeBSD began with version 4.5 or 4.6, running in VMware on Windows and using XDMCP for the desktop. It was super fast and ran at almost native speed. I tried Red Hat 9, and it was slow as a snail by comparison. For me, the choice was obvious. Later on I was running FreeBSD on my ThinkPad, and I still remember the days of coding on it using my professor's linear/non-linear optimisation library, sorting out wlan driver and firmware to use the library wifi, and compiling Mozilla on my way home while the laptop was in my backpack. My personal record: I never messed up a single FreeBSD install, even when I was completely drunk.

Even later, I needed to monitor the CPU and memory usage of our performance/latency critical code. The POSIX API worked out of the box on FreeBSD and Solaris exactly as documented. Linux? Nope. I had to resort to parsing /proc myself, and what a mess it was. The structure was inconsistent, and even within the same kernel minor version the behaviour could change. Sometimes a process's CPU time included all its threads, and sometimes it didn't.

To this day, I still tell people that FreeBSD (and the other BSDs) feels like a proper operating system, and GNU/Linux feels like a toy.

I can sympathize. It makes sense.

But...

As a veteran admin I am tired of reading trough Docker files to guess how to do a native setup. You can never suss out the intent from those files - only do haphazardous guesses.

It smells too much like "the code is the documentation".

I am fine that the manual install steps are hidden deep in the dungeons away from the casual users.

But please do not replace Posix compliance with Docker compliance.

Look at Immich for an unfortunate example. Theys have some nice high level architecture documentation. But the "whys" of the Dockerfile is nowhere to be found. Makes it harder to contribute as it caters to the Docker crowd only and leaves a lot of guesswork for the Posix crowd.

[dead]

For my two cents, it discourages standardization.

If you run bare-metal, and instructions to build a project say "you need to install libfoo-dev, libbar-dev, libbaz-dev", you're still sourcing it from your known supply chain, with its known lifecycles and processes. If there's a CVE in libbaz, you'll likely get the patch and news from the same mailing lists you got your kernel and Apache updates from.

Conversely, if you pull in a ready-made Docker container, it might be running an entire Alpine or Ubuntu distribution atop your preferred Debian or FreeBSD. Any process you had to keep those packages up to date and monitor vulnerabilities now has to be extended to cover additional distributions.

Really great book. Among other things, I think it's the best explanation of ZFS I've seen in print.

I like the haphazardry but I think systemd veered too far into dadaism.

Yes and no. There was also some intellectual property shenanigans with FreeBSD 4.3 and then the really rough FreeBSD 5 series and their initial experiments with M:N threading with the kernel and troubles with SMP

Specifically I was talking about this not being ready for prime time: https://github.com/samuelkarp/runj

You can use Podman on FreeBSD, but the CNI providers need a bit more time cover all the amazing/crazy things the FreeBSD network stack can do.

It is a bit of a bummer if you spend quite a bit of time tracking down a very weird DNS bug and it turns out to be systemd-resolved.

And I don't want to go into all of the time spend getting systemd unit files correct. There is very active community suggesting things you can add, which then of course breaks your release for users in unexpected ways. An enormous waste of time.

The OpenSSH/XZ exploit from a year or so ago was actually a systemd exploit[1], fun fact.

Looking back on the time I spent in systemd land, I don't miss it at all. My system always felt really opaque, because the mountain of understanding systemd seemed insurmountable. I had to remember so much, all the different levers required to drive the million things systemd orchestrated... and for very little effect. I really prefer transparency in my system, I don't want abstraction layers that I have no purpose for. I don't take it as a coincidence at all that since I moved away from systemd distributions, my system has become quite a bit more reliable. When I got my Steamdeck, the first systemd setup I've used in years, one of the first things I noticed is that the jank I used to experience has showed its face once again. It might not be directly tied to poetteringware, but it's very possible that this is a simple 2nd or 3rd order effect from having a more complex system.

[1] - https://www.fortinet.com/resources/articles/xz-utils-vulnera...

I like BSD especially because it lacks systemd :)

> I'm not sure that that's the win that you think it is. Linux 10 to 20 years ago was pretty terrible, at least on desktops.

For all its usability issues, Linux 10 to 20 years ago had advantages that, for a certain kind of user, were worth the cost. Frankly Linux on the desktop today is the worst of all worlds - it doesn't have the ease-of-use or compatibility of Windows or OSX, but it doesn't have the control and consistency/reliability of BSD either.

First of all, FreeBSD has plenty of selling points compared to your typical Linux distro:

Small, well integrated base system, with excellent documentation. Jails, ZFS, pf, bhyve, Dtrace are very well integrated with eachother, which differs from linux where sure there's docker, btrfs, iptables, bpftrace and several different hypervisors to choose from, but they all come from different sources and so they don't play together as neatly.

The ports tree is very nice for when you need to build things with custom options.

The system is simple and easy to understand if you're a seasoned unix-like user. Linux distros keep changing, and I don't have the time to keep up. I have more than 2 decades of experience daily driving linux at this point, and about 3 years total daily driving FreeBSD. And yet, the last time I had a distro install shit itself(pop os), I had no idea how to fix it, due to the rube-goldberg machine of systemd, dbus, polkit, wayland AND X, etc etc that sits underneath the easy to use GUI(which was not working). On boot I was dropped into a root shell with some confusing systemd error message. The boot log was full of crazy messages from daemons I hadn't even heard of before. I was completely lost. On modern Linux distros, my significant experience is effectively useless. On FreeBSD, it remains useful.

Second, when it comes to OpenBSD, I don't actually agree that security is its main selling point. For me, the main selling point of OpenBSD is as a batteries included server/router OS, again extremely well documented in manpages, and it has all the basic network daemons installed, you just enable them. They have very simple configuration files where often all you need is a single digit number of lines, and the config files have their own manpages explaining everything. For use cases like "I just want an HTTP server to serve some static content", "I just want a router with dhcpd and a firewall", etc, OpenBSD is golden.

Out of the box ZFS is a big selling point for me. Jails are just lovely. The rc system is very easy to reason with. I've had systems that were only stable on freebsd that would crash using windows or various Linux.

It has a decent manual for a start.

I once upgraded a FreeBSD system from 8 to 12 with a single command. I don’t recall having to reboot — might have needed to.

Can you give that shot for me on Linux? Could you spin up a Ubuntu 14 VM and do a full system update to 24.04 without problems? Let me know how you go.

I once needed help with a userland utility and the handbook answered the question directly. More impressive was the conversation I had with a kernel developer, who also maintains the userland tools — not because they choose too but because the architecture dictates that the whole system is maintained as a whole.

Can you say the same for Linux? You literally cannot. Only Arch and RedHat (if you can get passed the paywall) have anything that comes close to the FreeBSD Handbook.

FreeBSD has a lot going for it. It just sits there and works forever. Linux can do the same, if you maintain it. You barely need to maintain a FreeBSD system outside of updating packages.

Most people who use containers a lot won’t find a home in FreeBSD, and that’s fine. I hope containers never come to the BSD family. Most public images are gross and massive security concerns.

But then, most people who use FreeBSD know you don’t need containers to run multiple software stacks on the same OS, regardless of needing multiple runtimes or library versions. This is a lost art because today you just go “docker compose up” and walk away because everything is taken care of for you… right? Guys? Everything is secure now, right?

Yes, so what you do is you run `freebsd-update fetch` then `freebsd-update install` or if you switch a minor version you do freebsd-update upgrade -r MAJOR.MINOR` and do the same. Minor release upgrades are not the breaking kind. ABI, etc. will stay intact. There aren't expected breakages it's just that stuff will have new features and you might have some really specific use case where that shell command version output is checked and breaks stuff when it changes.

I think that's a big misunderstanding coming from other systems. Minor system updates are the kind of updates that a lot of other systems would pull in silently, while FreeBSD's major releases are a lot more like OpenBSD's releases (where minor and major version numbers don't make a difference).

Minor in FreeBSD means that stuff isn't supposed to break. It's a lot more like "Patch Level". I always want to mention Windows here for comparison, but keep thinking about how much Windows Updates break things and did so for a long time (Service Packs, etc.).

Maybe going about it from the other side makes more sense: FreeBSD got a lot of shit for not changing various default configurations for compatibility reasons - even across major versions. These are default configurations, so things where the diff is a config file change. I think they are improving this, but they really do care about their compatibility, simply because the use case of FreeBSD is in that area.

This is in contrast to eg OpenBSD where not so few people run -current, simply because it's stable enough and they want to use the latest stuff. They only support the last release (so essentially release +6 months) but again even there things do not usually break beyond having to recompile something. They all have their ports/packages collections and want stuff to run and OpenBSD being used a lot more "eating your own dogfood" style, which you can see with there being an OpenBSD gaming community, while that OS doesn't "even" support wine.

> Aditionally, those releases do not only contain FreeBSD changes but also changes to all third party open source packages that are part of the distribution

No they don't. Only major releases so, which are once every 2 years or so. And the old ones stay supported until the release after that. There's always two major releases in support. So you have about 4 years.

> The point is that for any system that has a publicly facing (internet) part you will have to keep up to date with known vulnerabilities as published in CVEs. Not doing so makes you a prime target to security breaches.

Sure, you have to be aware of them, but for something like this [1], if you don't use SO_REUSEPORT_LB, you don't have to take any further action.

The defect is likely in other FreeBSD releases that are no longer supported, but still, if you don't use SO_REUSEPORT_LB, you don't have to update.

If you do use the feature, then for unsupported releases, you could backport the fix, or update to a supported version. And you might mitigate by disabling the feature temporarily, depending on how much of a hit not using it is for your use case. Like I said, you have to be prepared for that.

You can also do partial updates, like take a new kernel, without touching the userland; or take the kernel and userland without taking any package/ports updates.

Some security advisories cover base userland or ports/packages... we can go through an example one of those and see what decision criteria would be for those, too.

[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09...

> Still, that option exists

Yes and no. If you get yourself into a position where you have servers deployed on version x.y of whatever Linux distribution you went with and now can't or won't upgrade from that, the vast majority of the time you're going to be exactly as stuck as if you were on FreeBSD. If you wanted to benefit from paid RedHat backports you had to decide to deploy your application to LTS RedHat on day 1, and the vast majority of people don't.

> in all third party open source packages/ports by taking them to the head version.

No it doesn't!

You can totally stick with the old version of packages. You are NOT forced to switch third party version numbers. And as mentioned elsewhere I did switch eg. Postgres versions interdependently of the OS.

What is being updated is the userland in the OS not in ports per se. According to the Release Notes of the latest FreeBSD release 14.3[1], OpenSSL, XZ, the file command, googletest, OpenSSH, less, expat, tzdata, zfs and spleen have been updated when it comes to third party applications as well. ps has been updated and some sysctl flags to filter for jails have been introduced.

These are the kinds of updates you'll get from point releases, not the breaking kind. These go into major releases, which is exactly why the support strategy is "The latest do release + X months and at least that long".

[1] Scroll down a bit: https://www.freebsd.org/releases/14.3R/relnotes/

So why not use jails?

I'm using openbsd on a several laptops at the moment, a dell x55, a thinkpad x230, and a thinkpad x270. Everything works on all of them - sleep, hibernate, wifi, touchpad, colume and brightness buttons, cpu throttling, etc.

On one of them I use a creative bt-w2 bluetooth dongle for audio output, openbsd removed software bluetooth support due to security concerns. The latest wifi standards are not supported on these models, which doesn't bother me. It's not the size of your network, it's what you do with it! I don't mind not having the latest flashy hardware - been there, done that.

I have to pay attention when I purchase hardware, and am happy to do so, because openbsd aligns much better with my priorities. For me that includes simplicity, security, documentation and especially stability through time - I don't want to have to rearrange my working configs every two years cuz of haphazard changes to things like audio, systemd, wayland, binary blobs, etc.

On OpenBSD right now with a Dell Latitude 7490. Works fine.

The reason I like the BSD is that they are easily understood. Have you tried to troubleshoot ALSA? Or use libvirt? Linux has a lot of features, but most of them are not really useful to to general computer user. It felt like a B2B SaaS, lot of little stuff that you wonder why they are included in the design or why they're even here in the first place.

For some reason I had a much easier time getting OpenBSD working on one specific laptop (a Thinkpad E585 where I had replaced the stock Wifi with an Intel card). A lot of Linux distributions got into weird states where they forgot where the SSD was, and there was chicken-and-egg about Wifi firmware.

OpenBSD at least booted far enough that I could shim the Wifi firmware in as needed. I probably picked the wrong Linux distribution to work with, since I've had okay luck with Debian and then Devuan on that machine's replacement (a L13)

Lenovo T480s works great with FreeBSD.

No, I was talking mostly about perception of hardware support, package management, and a pre-systemd init system.

But which DE you run is entirely up to you. I'm writing this with FreeBSD running fvwm. On my laptops I run dwm.

Also:

> enlightenment

I haven't kept up with recent developments, but this is the most 1990s WM that ever 1990s'd.

Home computers seem more scarce to me today than they did ~25 years ago.

Sure: People have smart TVs and tablets and stuff, which variously count as computing devices. And we've broadly reached saturation on pocket supercomputers adoption.

But while it was once common to walk into a store and find a wide array of computer-oriented furniture for sale, or visit a home and see a PC-like device semi-permanently set up in the den, it seems to be something that almost never happens anymore.

So, sure: Still-usable computers are cheap today. You've got computers wherever you want them, and so do I. But most people? They just use their phone these days.

(The point? Man, I don't have a point sometimes. Sometimes, it's just lamentations.)

> Do you ever apply kernel patches?

For my personal machines, I just run GENERIC kernels and that includes a lot, so I need to do a lot of updates. I also reboot every time I update the OS (even when it's an update that doesn't touch the kernel) so that I'm sure reboots will be fine... but I did setup my firewalls with carp and pfsync so I can reboot my firewall machines one at a time with minimal disruption.

For work machines, I use a crafted kernel config that only includes stuff we use, although so far I've usually had one config for all boxes, because it's simpler. If there's a security update for part of the kernel that we don't use, we don't need to update. Security update in a driver we don't have, no update; security update in tcp, probably update. Some security updates include mitigation steps to consider instead of or until updating... Sometimes those are reasonable too. Sometimes you do need to upgrade the whole fleet.

When there's an update that's useful but also has an effective mitigation, I would mitigate on all machines, run the update and reboot test on one or a few machines, and then typically install on the rest of the machines and if they reboot at some point, great, they don't need the mitigation anymore. If they are retired with 1000 days of uptime and a pending kernel update, that's fine too.

I would not update a machine just because support for the minor release it was on timed out. Only if there was an actual need. Including a security issue found in a later release that probably affects the older one or at least can't be ruled out. Yes, there's a risk of unpublished security issues in unsupported releases; but a supported release also has a risk of unpublished security issues too.

Fair question! But why am I -1 on this?

Risk is relative and not just about THAT security. I worked at an AV vendor and the joke internally was our security threat lists were the scoreboard for bad actors. But if you asked our salespeople you are an irresponsible hack if you don't keep up to date. They never account for the person who really can do it himself -- that is not their customer.

Yes I used to build custom FreeBSD kernels a lot. I manually made security patches on a few occasions and I put in many work-arounds by reading the security mailing list etc. Yes I went well past EOLs a few times for sure.

Always behind a firewall, workloads always in a Jail.

IIRC the release cycles used to be longer and it was less of an issue ~10 years ago. Can anyone confirm?

Most of my downtimes started with a power issue in the datacenter or a need for a hardware upgrade.

Some of the largest orgs have large amounts of IT infrastructure for OT and ISS that is not connected to the Internet. This infra is air gapped or often times on a completely separate physical LAN which is not accessible without passing through multiple physical security controls.

One of my four colocated servers is at something 1200 days+ of uptime running on 12-BETA.

Tightly firewall'd to my VPN and SSH is restricted to certificates. There are no services on the host that would allow users to upload inject, the most you could achieve is a DDoS.

I run bHyve in a jail and any legacy services that could jump out of bHyve stack would straightly go to jail.

GPL does not mandate upstreaming your drivers.

Right you can add gpl code on top, but the base is still BSD

BSD was mired in the uncertainty of a lawsuit over some of their code at the time that Linux was getting started, and the FUD around that gave Linux a head start that BSD had up until that point, so you can't infer much about the reasons Linux's early success over BSD through that fog. If Linux had been dealing with the same problem that BSD had instead, BSD almost certainly would be in Linux's place right now.

To be fair, GCC's design was motivated by the same thing as the license. They intentionally didn't modularize GCC so that it couldn't be used by non-free code.

> Anything that makes it easier to use GCC back ends without GCC front ends--or simply brings GCC a big step closer to a form that would make such usage easy--would endanger our leverage for causing new front ends to be free.

https://gcc.gnu.org/legacy-ml/gcc/2000-01/msg00572.html

Correct, it’s not the license.

I need to tinker less because there's no distro maintainers that constantly change stuff.

It did take a while to set it up but then it runs fine. I don't view my OS as a hobby, but I do want to have full control over it and to be able to understand how it works. I don't want to have to trust a commercial party to act in my best interests, because they don't. The current mess that is windows, full of ads and useless ai crap, mandatory telemetry, forced updates, constantly trying to sell their cloud services etc is a good example. FreeBSD doesn't do any of those things.

Most Linuxes don't either but there's still a lot of corpo influence. I feel like it's becoming a playing ball of big tech. You only need to see how many corp suits are on the board of the Linux foundation, how many patches are pushed by corp employees as part of their job etc. I don't want them to have that much influence over my OS. I don't believe in a win-win concerning corporate involvement in open-source.

FreeBSD has a little bit of that (netgate's completely botched wireguard is and example) but lessons are learned.

That used to be the argument for Windows over Linux.

FreeBSD has always required far less tweaking or maintenance than Linux, though.

No, it’s just you having some strange prejudices about these words (probably driven by blind faith in some overhyped technologies), so go better overregulate your preferred echo chamber.

They now provide at least somehow working x86_64 images. It’s of course funny for a project started in the 90s to get x86_64 support only in the 2020s, but it’s still progress in relative terms.

Honest question - if it comes in binary form, how can you know it's the same core ZFS code BSD uses?

Debian only distributes it in DKMS form, not binary form.

Sure, but ZFS is much better integrated into FreeBSD. It supports ZFS on root with boot environments out of the box.

And when running a Samba server, it's helpful that FreeBSD supports NFSv4 ACLs when sitting between ZFS and SMB clients; on Linux, Samba has to hack around the lack of NFSv4 ACL support by stashing them in xattrs.

You can arguably get even better ZFS and SMB integration with an Illumos distribution, but for me FreeBSD hits the sweet spot between being nice to use and having the programs I need in its package library.

But on Linux you need to load external modules. Before upgrading or changing kernels you need to check if ZFS supports it. Specially bad in rolling distros.

IME the integration with FreeBSD and ZFS just works better than BTRFS and linux distors, and I've read far too many reports about data loss with BTRFS to trust it.

But I definitely believe that everything you can do on FreeBSD, you can also do on Linux. For me it's the complete package though that comes with FreeBSD, and everything being documented in the man pages and the handbook.

> everything

Firstly, FreeBSD already supports x86 Mac Minis. Servers? M-series Minis and Studios are very good servers. Lastly, FreeBSD has an Apple Silicon port which has stalled.

https://wiki.freebsd.org/AppleSilicon

I'll ignore your last point.

The original, unedited version of the grandparent was bemoaning the lack of vendor support behind FreeBSD so the parent's comment made a lot more sense in-context.

And, again, "pkg install <your_favorite_desktop>" done. Quit pulling blurbs out of thin air when you don't know how it works.

I do not like KDE, I'd rather user Gnome, but KDE is massively better at fractional scaling on 4k and hidpi monitors.

I think it is just trolls and fanboys who want to troll really.

There is fanboyism on every OS, pretty much like soccer fans or religious zealots.