xref: /freebsd-13-stable/RELNOTES (revision 4d93d6559697a5c3690dc5892f52a3f577337d05)
Release notes for FreeBSD 13.0.

This file describes new user-visible features, changes and updates relevant to
users of binary FreeBSD releases.  Each entry should describe the change in no
more than several sentences and should reference manual pages where an
interested user can find more information.  Entries should wrap after 80
columns.  Each entry should begin with one or more commit IDs on one line,
specified as a comma separated list and/or range, followed by a colon and a
newline.  Entries should be separated by a newline.

Changes to this file should not be MFCed.

cd597b4bb194, ee931cf4a49c, acdc59f0924a:
	The layout of NFS file handles for the cd9660 and ext2fs file systems
	has changed.  An NFS server that exports any of these file systems will
	need its clients to unmount and remount the exports.

35b193572545:
	grep(1) no longer follows symbolic links by default for
	recursive searches.  This matches the documented behavior in
	the manual page.

0644746d5091:
	Add a new "syskrb5" mount option for Kerberized NFSv4.1/4.2 mounts.
	Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
	a Kerberos credential for the client at mount time.
	This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
	allows the state maintenance operations to be performed by any
	authentication mechanism, so that these operations may be done via
	AUTH_SYS instead of RPCSEC_GSS (KerberosV).  As such, no Kerberos
	credential is required at mount time.
	See mount_nfs(8).

b4805d577787 and many others:
	Add support so that nfsd(8), nfsuserd(8), mountd(8), gssd(8)
	and rpc.tlsservd(8) can be run in an appropriately configured
	vnet prison.  The vnet prison must be on its own file system,
	have the "allow.nfsd" jail parameter set on it and enforce_statfs
	cannot be set to "0".  Use of UDP and pNFS server configurations
	is not permitted (i.e., the nfsd command line options "-u", "-p"
	and "-m" are not supported).
	See jail(8), nfsd(8) and mountd(8).

68e86d5265bc,e58dfd0de589,59f5a5cb724e,6e272a78de36,4c4a4fd4a649,ba2ae2cca63a:
	sendmail has been updated to the latest upstream version (8.17.1).

225443828ec6..c44d097dcf92:
	bhyve now supports more than 16 vCPUs in a guest.  By default
	bhyve permits each guest to create the same number of vCPUs as
	the count of physical CPUs on the host.  This limit can be
	adjusted via the loader tunable hw.vmm.maxcpu.

1462dc95f796:
	Kernel TLS offload now supports receive-side offload of TLS 1.3.

3ee882bf21af:
	Change handling of the lowest address on an IPv4 (sub)net so that
	packets are not sent as a broadcast unless this has been set as the
	broadcast address.  This makes the lowest address usable for a host.
	The old behavior can be restored with the net.inet.ip.broadcast_lowest
	sysctl.  For more information, see
	https://datatracker.ietf.org/doc/draft-schoen-intarea-lowest-address/.

33ff39796ffe,8719e8a951b7:
	A new rc(8) service script zfskeys allows for automatic decryption
	of ZFS datasets encrypted with ZFS native encryption during boot.
	See the rc.conf(5) manual page for more information.

b7a2cf0d9102 - eae02d959363:
	Upgrade bhyve's emulation to version 1.4 of the NVMe specification.

0a6760a1de32, 3f3676a71266, 580c04df4db6:
	Add WiFi 6 support.

various:
	Add support for the HiFive Unmatched RISC-V board.

9fb6e613373c:
	Add a sysctl called vfs.nfsd.srvmaxio that can be used to
	increase the NFS server's maximum I/O size from 128Kbytes
	to any power of 2 up to 1Mbyte.  It can only be set when
	the nfsd threads are not running and will normally require
	an increase in kern.ipc.maxsockbuf to at least the value
	recommended by the console log message generated when
	setting vfs.nfsd.srvmaxio is first attempted.

9ec7dbf46b0a:
	Add a new NFSv4.1/4.2 mount option "nconnect" that can
	be used to specify the number of TCP connections that
	will be used for the mount, up to a maximum of 16.
	The first (default) TCP connection will be used for
	all RPCs that consist of small RPC messages.
	The RPCs that can consist of large RPC messages
	(Read/Readdir/ReaddirPlus/Write) will be sent on the
	additional TCP connections in a round robin fashion.
	If either the NFS client or NFS server has multiple
	network interfaces aggregated together or a network
	interface that uses multiple queues, this can increase
	NFS performance for the mount.

various:
	One True Awk has been updated to the latest from upstream
	(20210215). All the FreeBSD patches, but one, have now been
	either upstreamed or discarded.  Notable changes include:
		o Locale is no longer used for ranges
		o Various bugs fixed
		o Better compatibility with gawk and mawk

	The one FreeBSD change, likely to be removed in FreeBSD 14, is that
	we still allow hex numbers, prefixed with 0x, to be parsed and
	interpreted as hex numbers while all other awks (including one
	true awk now) interpret them as 0 in line with awk's historic
	behavior.

8a04edfdcbd2:
	Change the default minor version used for an NFSv4 mount
	to the highest minor version supported by the NFSv4 server.
	This default can be overridden by using the "minorversion"
	mount option.

2c76eebca71b, 59f6f5e23c1a:
	Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide
	support for NFS-over-TLS as described in the Internet Draft titled
	"Towards Remote Procedure Call Encryption By Default".
	These daemons are only built when WITH_OPENSSL_KTLS is specified
	and are only tested on amd64 at this time.
	They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus
	optional verification of machine identity via X.509 certificates.

f76393a6305b6:
	Add AES-GCM support to armv8crypto(4) providing accelerated
	support for KTLS, IPsec, and other crypto API consumers.

074a91f746bd:
	The aesni(4) and armv8crypto(4) devices are now included in
	GENERIC on amd64, i386, and arm64.

2e1c94aa1fd5:
	Add support for enforcing W^X mapping policy for user
	processes.  The policy is not enforced by default but can be
	enabled by setting the kern.elf32.allow_wx and
	kern.elf64.allow_wx sysctls to 0.  Individual binaries can be
	exempted from the policy by elfctl(1) via the wxneeded
	feature.

4979620ece98:
	Add AES-XTS support to armv8crypto(4) providing accelerated
	software support for the default GELI cipher on arm64 systems.

022ca2fc7fe0:
	Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2)
	and aio_read(2).

92bbfe1f0d1f:
	The fusefs(5) protocol has been updated to 7.28.  Support for
	FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added.

r368667:
	GDB 6.1.1 was removed.  Users of crashinfo(8) should install the
	gdb package or devel/gdb port.

r368559:
	The hme(4) driver was removed.

r367660:
	Fixes the case where gssd will not start up because /usr is a separate
	local file system that is not yet mounted.  It does not fix the case
	where /usr is a separately mounted remote file system (such as NFS).
	This latter case can be fixed by adding mountcritremote to the
	REQUIRED line.  Unfortunately doing so implies that all Kerberized
	NFS mounts in /etc/fstab will need the "late" mount option.
	This was not done, since the requirement for "late" would introduce
	a POLA violation.

r367423:
	This commit added a new startup scripts variable called
	nfsv4_server_only which uses the -R option on mountd added by r367026.
	When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
	only handles NFSv4 and does not register with rpcbind.  As such, rpcbind
	does not need to be running.  Useful for sites which consider rpcbind a
	security issue.

r366267:
	Kernel option ACPI_DMAR was renamed to IOMMU.  amd64's IOMMU subsystem
	was split out from amd64 DMAR support and is now generic, i.e., it can
	be used by all architectures.

r364896:
	A series of commits ending with r364896 added NFS over TLS
	to the kernel.  This is believed to be compatible with
	the Internet Draft titled "Towards Remote Procedure Call Encryption
	By Default" (expected to soon become an RFC).
	The mount_nfs(8) and exports(5) man pages describe the mount and
	export option(s) related to NFS over TLS.
	For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
	{ server } must be running on a kernel built with "options KERN_TLS"
	on an architecture where PMAP_HAS_DMAP != 0.

r364725:
	Changes to one obscure devd event generated on resume need to
	be documented. The old form will still be generated in 13, but not
	in 14.

r363679:
	Applications using regex(3), e.g. sed/grep, will no longer accept
	redundant escapes for most ordinary characters.

r363253:
	SCTP support has been removed from GENERIC kernel configurations.
	The SCTP stack is now built as sctp.ko and can be dynamically loaded.

r363233:
	Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.

r363180:
	The safexcel(4) crypto offload driver has been added.

r363084:
	nc(1) now implements SCTP mode, enabled by specifying the --sctp option.

r362681:
	A new implementation of bc and dc has been imported. It offers
	better standards compliance, performance, localization and comes
	with extensive test cases that are optionally installed.
	Use WITHOUT_GH_BC=yes to build and install the world with the
	previous version instead of the new one, if required.

r362158, r362163:
	struct export_args has changed so that the "user" specified for
	the -maproot and -mapall exports(5) options may be in more than
	16 groups.

r361884:
	sed(1) has learned about hex escapes (e.g. \x27) and will now do the
	right thing with them, removing the need for printf magic or obnoxious
	escaping in many scenarios.

r361238, r361798, r361799:
	ZFS will now unconditionally reject read(2) of a directory with EISDIR.
	Additionally, read(2) of a directory is now rejected with EISDIR by
	default and may be re-enabled for non-ZFS filesystems that allow it with
	the sysctl(8) MIB 'security.bsd.allow_read_dir'.

	Aliases for grep to default to '-d skip' may be desired if commonly
	non-recursively grepping a list that includes directories and the
	possibility of EISDIR errors in stderr is not tolerable.  Example
	aliases, commented out, have been installed in /root/.cshrc and
	/root/.shrc.

r361066:
	Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
	exec.prepare runs before mounts, so can be used to populate new jails.
	exec.release runs after unmounts, so can be used to remove ephemeral
	jails.

r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
	Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
	MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
	the kernel open cryptographic framework (OCF).

r360562:
	Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
	MD5-HMAC, and Skipjack algorithms from /dev/crypto.

r360557:
	Remove support for DES, Triple DES, Blowfish, Cast, and
	Camellia ciphers from IPsec(4).  Remove support for MD5-HMAC,
	Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).

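A host with static IPsec keys can be checked against the r360557 removals before it is upgraded.  The script below is an added example, not part of the FreeBSD release notes or source tree; the keyword lists are the setkey(8) spellings assumed to correspond to the removed algorithms, and the sample configuration and its keys are constructed.

```shell
#!/bin/sh
# Added example (not FreeBSD project code): flag setkey(8) SA definitions that
# still name an algorithm the r360557 entry lists as removed from IPsec(4).

# Assumed setkey(8) keywords for the removed ciphers and authenticators.
REMOVED_EALGO='des-cbc 3des-cbc blowfish-cbc cast128-cbc camellia-cbc'
REMOVED_AALGO='hmac-md5 keyed-md5 keyed-sha1 hmac-ripemd160'

# scan_setkey [FILE]: read FILE (or stdin) and print "LINE: FLAG ALGO" for every
# removed algorithm that follows -E (encryption) or -A (authentication).
# Returns 1 if at least one was found, 0 otherwise.
scan_setkey() {
    awk -v e="$REMOVED_EALGO" -v a="$REMOVED_AALGO" '
        BEGIN {
            n = split(e, t, " "); for (i = 1; i <= n; i++) bad["-E", t[i]] = 1
            n = split(a, t, " "); for (i = 1; i <= n; i++) bad["-A", t[i]] = 1
        }
        { sub(/#.*/, "") }      # comments cannot configure anything
        {
            for (i = 1; i < NF; i++)
                if (($i == "-E" || $i == "-A") && (($i, $(i + 1)) in bad)) {
                    printf "%d: %s %s\n", NR, $i, $(i + 1)
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    ' ${1:+"$1"}
}

# Constructed sample input: addresses are documentation ranges, keys are fake.
sample_conf() {
    cat <<'EOF'
flush;
spdflush;
# legacy tunnel: cipher and authenticator are both on the removal list
add 192.0.2.1 192.0.2.2 esp 0x1001 -m tunnel -E 3des-cbc "constructed-24-byte-key!!" -A hmac-md5 "constructed-key16";
add 192.0.2.2 192.0.2.1 esp 0x1002 -m tunnel -E rijndael-cbc "constructed-key16" -A hmac-sha2-256 "constructed-32-byte-key-material!";
add 192.0.2.1 192.0.2.3 ah 0x1003 -A hmac-ripemd160 "constructed-20-byte-key";  # was -E blowfish-cbc
EOF
}

# Stand-alone run on the constructed sample.
sample_conf | scan_setkey || echo "removed IPsec algorithms still configured" >&2
```

Calling scan_setkey with a file name as its argument scans that file instead of standard input.
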
r359945:
	Remove support for Triple DES, Blowfish, and MD5 HMAC from
	geli(4).

r359786-r359787:
	Remove support for DES, Triple DES, and RC4 from in-kernel GSS
	authentication.

r357627:
	Remove elf2aout.

r357560-r357565:
	init(8), service(8), and cron(8) will now adopt user/class environment
	variables (excluding PATH, by default, which will be overwritten) by
	default.  Notably, environment variables for all cron jobs and rc
	services can now be set via login.conf(5).

r357455:
	sparc64 has been removed from FreeBSD.

r355677:
	Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
	(RFC-8276) to the NFS client and server.
	NFSv4.2 is comprised of several optional features that can be supported
	in addition to NFSv4.1. This patch adds the following optional features:
	- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
	- posix_fallocate()
	- intra server file range copying via the copy_file_range(2) syscall
	--> Avoiding data transfer over the wire to/from the NFS client.
	- lseek(SEEK_DATA/SEEK_HOLE)
	- Extended attribute syscalls for "user" namespace attributes as defined
	  by RFC-8276.

	For the client, NFSv4.2 is only used if the mount command line option
	minorversion=2 is specified.
	For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
	and vfs.nfsd.server_max_minorversion4 have been added that allow
	sysadmins to limit the minor versions of NFSv4 supported by the nfsd
	server.
	Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2
	on the server.

r356263:
	armv5 support has been removed from FreeBSD.

r354517:
	iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.

r354269:
	sqlite3 is updated to sqlite3-3.30.1.

r352668:
	cron(8) now supports the -n (suppress mail on successful run) and -q
	(suppress logging of command execution) options in the crontab format.
	See the crontab(5) manpage for details.

r352304:
	ntpd is no longer by default locked in memory. rlimit memlock 32
	or rlimit memlock 0 can be used to restore this behaviour.

r351863:
	rc.subr(8) now honors ${name}_env in all rc(8) scripts.  Previously,
	environment variables set by a user via ${name}_env were ignored
	if the service defined a custom *_cmd variable to control the behavior
	of the run_rc_command function, e.g., start_cmd, instead of relying on
	the variables like command and command_args.

r351770,r352920,r352922,r352923:
	dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
	and iflag=fullblock flags, compatible with illumos and GNU.

r351522:
	Add kernel-side support for in-kernel Transport Layer Security
	(KTLS).  KTLS permits using sendfile(2) over sockets using
	TLS.

r351397:
	WPA is updated from 2.8 to 2.9.

r351361:
	Add probes for lockmgr(9) to the lockstat DTrace provider, add
	corresponding lockstat(1) events, and document the new probes in
	dtrace_lockstat.4.

r351356:
	Intel RST is a new 'feature' that remaps NVMe devices from
	their normal location to part of the AHCI BAR space.  This
	eliminates the need to change the BIOS SATA setting from RST
	to AHCI, which causes the NVMe drive to be erased, before
	FreeBSD will see the drive.  FreeBSD can now see the NVMe
	drive in the default config.

r351201, r351372:
	Add a vop_stdioctl() call, so that file systems that do not support
	holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
	The algorithm appears to be compatible with the POSIX draft and
	the implementation in Linux for the case of a file system that
	does not support holes.  Prior to this patch, lseek(2) would reply
	-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
	file systems that do not support holes.
	r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
	any other cases, such as an ENOTTY return from vn_bmap_seekhole().

r350665:
	The fuse driver has been renamed to fusefs(5) and been substantially
	rewritten.  The new driver includes many bug fixes and performance
	enhancements, as well as the following user-visible features:
	* Optional kernel-side permissions checks (-o default_permissions)
	* mknod(2), socket(2), and pipe(2) support
	* server side locking with fcntl(2)
	* FUSE operations are now interruptible when mounted with -o intr
	* server side handling of UTIME_NOW during utimensat(2)
	* mount options may be updated with "mount -u"
	* fusefs file system may now be exported over NFS
	* RLIMIT_FSIZE support
	* support for fuse file systems using protocols as old as 7.4

	FUSE file system developers should also take note of the following new
	features:
	* The protocol level has been raised from 7.8 to 7.23
	* kqueue support on /dev/fuse
	* server-initiated cache invalidation via FUSE_NOTIFY_REPLY

r350471:
	gnop(8) can now configure a delay to be applied to read and write
	requests.  See the -d, -q and -x parameters.

r350315, r350316:
	Adds a Linux compatible copy_file_range(2) syscall.

r350307:
	libcap_random(3) has been removed.  Applications can use native
	APIs to get random data in capability mode.

r349529,r349530:
	Add support for using unmapped mbufs with sendfile(2).

r349352:
	nand(4) and related components have been removed.

r349349:
	The UEFI loader now supports HTTP boot.

r349335:
	bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
	guests to play to and record audio data from the host.

r349286:
	swapon(8) can now erase a swap device immediately before enabling it,
	similar to newfs(8)'s -E option.  This behaviour can be specified by
	adding -E to swapon(8)'s command-line parameters, or by adding the
	"trimonce" option to a swap device's /etc/fstab entry.

r347908-r347923:
	The following network drivers have been removed: bm(4), cs(4), de(4),
	ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),
	vx(4), wb(4), xe(4).

r347532:
	Wired page accounting has been split into kernel wirings and user
	wirings (e.g., by mlock(2)).  Kernel wirings no longer count towards
	the global limit, which is renamed to vm.max_user_wired.  bhyve -S
	allocates user-wired memory and is now subject to that limit.