OpenBSD Journal

[c2k8]: Hackathon Summary Part 7

Contributed by mtu on from the that-other-G-company dept.

c2k8 General Hackathon (Part 7) - June 7-15, 2008, Edmonton, Alberta, Canada

Next to Google, this company employs more OpenBSD developers than any other. One of the interesting things about this company is that like Google, everyone that I spoke to loves working there! What's surprising about that you say? Well, how many of you can say: "I love going to work." Not all of the OpenBSD developers from this company work on OpenBSD at work. Moreover, they all speak so highly of their bosses. Now, how many of you can say that?

mpf and rainer

Read on to find out what is really special about this company and its employees:

markus

This Munich-based company is GeNUA, and they are a long-time supporter of the OpenBSD and OpenSSH Projects. At the n2k8 Network Hackathon, I had the pleasure of meeting Markus Friedl (markus@) and Marco Pfatschbacher (mpf@), both of whom work at GeNUA and are impressive and accomplished OpenSSH and OpenBSD developers. My first impression of GeNUA was that it must be special to have these two guys working there. Then I met more guys from GeNUA at the c2k8 hackathon.

bluhm

One evening on icb, a few guys were planning to eat Korean food. After several days of pizza, chicken wings and more steak than I've eaten in a whole year, my Japanese blood was crying out for anything Asian :-). I met up with Rainer Giedat (rainer@), Alexander Bluhm (bluhm@) and Alexander von Gernler (grunk@) but I didn't know who they were at the time. On the way to dinner we introduced ourselves and they informed me they were all from Germany, working for the same company, GeNUA. The evening was filled with interesting and enjoyable conversations, but more importantly, it was an opportunity to lay to rest many unfounded rumours.

mpf and sturm

I had heard about GeNUA in the past, but the rumours about this company conflict with what I personally experienced after meeting markus@, mpf@, rainer@, bluhm@, grunk@, Hans-Joerg Hoexer (hshoexer@) and Nikolay Sturm (sturm@). I had been told that GeNUA had its own agenda, that they were holding back diffs and that they ran something called "GeNUABSD", a fork of OpenBSD. Well, none of this is true. In fact, they are running OpenBSD but have to support much older systems, some as much as ten years old! They have to backport a lot of stuff as a result. They also have a lot of functionality written in Perl; for example, long before relayd(8) existed, they were doing this in Perl. In time they will start using relayd and other new functionality, but for the time being they have to support systems much longer than OpenBSD supports its stable releases.

From my perspective, GeNUA is a successful Open Source based company that knows how to take care of their employees. Here is what the GeNUA OpenBSD developers had to say about their time at the c2k8 hackathon:

== Alexander Bluhm (bluhm@) ==

I have changed ipsecctl and isakmpd in a way that acquire mode can be used with ipsec.conf. Unfortunately it has not been committed yet as I am waiting for an ok.

To use this feature, you need an 'ike passive' line and a 'flow' line with type 'acquire' or 'require' in the ipsec.conf. When an outgoing packet matches a flow but no SA exists, the kernel sends an acquire message to isakmpd. If the parameters of the 'ike' and 'flow' line in ipsec.conf are the same, the dynamic isakmpd config created after the acquire message will match the ike config. (This part is what I have implemented during c2k8). Finally the crypto parameters written down in ipsec.conf will be used.

== Alexander von Gernler (grunk@) ==

On c2k8, I worked mainly on the OpenSSH fingerprint visualization feature that got inspired by a talk given by Dan Kaminsky at 25C3. My big luck was that I was sitting at a table together with two legendary OpenSSH developers, Damien Miller (djm@) and Darren Tucker (dtucker@), who were not only certainly able, but also very friendly in answering the questions I had about the OpenSSH code. Also it was very good that Markus Friedl (markus@) read his mail very often during the hackathon and despite having lots of other work answered quickly with OKs and comments to my diffs.

I can frankly say that without their help and motivation, and the personal contact on c2k8, the feature would certainly have never gotten in this way, at least not so fast. Convincing people about a feature when you are waving your notebook with fancy pictures in front of their face is one thing, and trying to pass on the same ideas and spirit via mail is definitely another.

As for the location, I very much liked the university setting, and I found it to be better than the hotel in Calgary. Not only do I assume that it saved OpenBSD a lot of money, but also it was a much more natural setting for hackers like us. In the hotel, I guess most of us constantly felt somewhat out of place, whereas in Lister Centre, many of us were reminded of their own time as students. Speaking of this, I want to say a big "thank you" towards Bob, Jason Meltzer and all the other people working in the background providing infrastructure.

It was a very nice event -- I met many people that I only know from mail or ICB otherwise, and I consider it to be very important to communicate directly, even if it is just once a year.

== Hans-Joerg Hoexer (hshoexer@) ==

softraid(4) is a framework to implement RAID disciplines.

To provide encryption for block devices marco@, djm@ and myself have added a discipline ("C") for encryption of data blocks written to disk and for decryption of blocks when read from disk. This discipline does not provide redundancy, only confidentiality. However, it is possible to configure an encrypted softraid volume on top of another volume providing redundancy (e.g. RAID 1).

For encryption we use AES-XTS, a mode of AES designed for encryption of data on sector based storage. AES-XTS is a tweakable block cipher that uses an encryption key and a "tweak key" to generate the key material for the actual encryption/decryption operation on a single block. The tweak key is used to incorporate the logical position of the block into the encryption/decryption operation.
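To make the role of the tweak concrete, here is an added example (not softraid's code, and not from hshoexer@) that builds AES-XTS out of single AES-256-ECB block calls via Ruby's OpenSSL binding, then cross-checks the result against OpenSSL's own aes-256-xts. It encrypts whole sectors only (no ciphertext stealing for partial blocks), and it follows OpenSSL's XTS convention that the key is K1||K2 and the IV is the sector number as a 128-bit little-endian integer. The keys and the 512-byte sector are constructed demo values.

```ruby
require 'openssl'

# Added example, not softraid's code: AES-XTS (IEEE 1619) built from AES-256-ECB
# single-block calls, so the role of the tweak key and the sector number is visible.
# Keys and sector data below are constructed values, not real disk keys.
BLOCK = 16

def aes_block(key, data, encrypt)
  c = OpenSSL::Cipher.new('aes-256-ecb')
  encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.padding = 0               # one raw 16-byte block in, one raw block out
  c.update(data) + c.final
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Multiply the tweak by alpha (x) in GF(2^128), little-endian bit order,
# reducing by x^128 + x^7 + x^2 + x + 1 (the 0x87 feedback byte).
def next_tweak(t)
  bytes = t.bytes
  carry = 0
  bytes.each_with_index do |b, i|
    bytes[i] = ((b << 1) & 0xff) | carry
    carry = b >> 7
  end
  bytes[0] ^= 0x87 if carry == 1
  bytes.pack('C*')
end

# The initial tweak is the sector number, as a 128-bit little-endian integer,
# encrypted under the tweak key K2. This is what ties a block to its position.
def initial_tweak(k2, sector)
  aes_block(k2, [sector].pack('Q<') + ("\0" * 8), true)
end

# Encrypt or decrypt one whole sector (a multiple of 16 bytes; no ciphertext stealing).
# Each block is masked with the current tweak before and after the AES call with K1.
def xts_sector(k1, k2, sector, data, encrypt)
  raise ArgumentError, 'sector must be a multiple of 16 bytes' unless data.bytesize % BLOCK == 0
  t = initial_tweak(k2, sector)
  out = ''.b
  (0...data.bytesize).step(BLOCK) do |off|
    blk = data.byteslice(off, BLOCK)
    out << xor(aes_block(k1, xor(blk, t), encrypt), t)
    t = next_tweak(t)
  end
  out
end

def xts_encrypt(k1, k2, sector, plain)
  xts_sector(k1, k2, sector, plain, true)
end

def xts_decrypt(k1, k2, sector, cipher)
  xts_sector(k1, k2, sector, cipher, false)
end

# OpenSSL's own aes-256-xts takes K1||K2 as the key and the raw sector tweak as the IV.
def openssl_xts_encrypt(k1, k2, sector, plain)
  c = OpenSSL::Cipher.new('aes-256-xts')
  c.encrypt
  c.key = k1 + k2
  c.iv = [sector].pack('Q<') + ("\0" * 8)
  c.update(plain) + c.final
end

# Constructed demo keys (distinct, as XTS requires) and a sector of identical blocks.
K1 = (0..31).to_a.pack('C*')
K2 = (0..31).map { |i| 255 - i }.pack('C*')
SECTOR_DATA = ('A' * 512).b

def xts_demo
  ct = xts_encrypt(K1, K2, 7, SECTOR_DATA)
  {
    roundtrip: xts_decrypt(K1, K2, 7, ct) == SECTOR_DATA,
    # identical plaintext blocks in one sector encrypt differently (tweak steps per block)
    blocks_differ: ct.byteslice(0, 16) != ct.byteslice(16, 16),
    # the same sector content at another sector number encrypts differently
    sectors_differ: ct != xts_encrypt(K1, K2, 8, SECTOR_DATA),
    matches_openssl: ct == openssl_xts_encrypt(K1, K2, 7, SECTOR_DATA)
  }
end

puts xts_demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby xts_demo.rb`; every value in the returned hash should be true. The two "differ" checks are the practical point of the tweak: the same data written to two sectors, or repeated within one sector, does not produce repeating ciphertext, which is what plain ECB-style per-block encryption would leak.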

== Nikolay Sturm (sturm@) ==

I started the hackathon with the addition of NLMv4 (Network Lock Manager) to our rpc.lockd. This is the protocol that permits NFSv3 clients to lock files over NFS (OpenBSD does not support client locking, so it's only useful w/ other clients like Linux).

When doing that I noticed that our rpc.lockd was in fact only a stub implementation and did not provide any locking whatsoever. Therefore I ported the NetBSD locking code, to give OpenBSD server side NFS file locking. This is lightly tested to work with Linux NFSv2 and NFSv3 clients, even in mixed networks.

To complete this work, I then ported rpc.statd from NetBSD and integrated it with rpc.lockd. rpc.statd deals with client and server reboots, to give a little more robustness to this whole setup. If a client holds a lock and crashes, the lock would never be freed. But with rpc.statd, the client tells the server after reboot, that it just rebooted, so that the server can unlock all files of that client. If the NFS server itself reboots, it will tell its clients, so that they can regain their locks. This is lightly tested to work with NFSv3 mounts on a Linux client, Linux NFSv2 mounts showed some problems that lead me to believe there are bugs on the Linux side.

All this locking stuff is far from perfect, but mostly best effort. Our code works as designed and just needs some cleanup here and there. I hope to find some time to look at FreeBSD's implementations of these daemons as they rewrote both of them.
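The reboot handling sturm@ describes is easier to see as a small state machine, so here is an added example (not OpenBSD's rpc.lockd/rpc.statd code, and not from sturm@) that models it in memory: a lock server that tracks each client's NSM state number, a client that announces a reboot, and the server-reboot path in which clients reclaim their locks. The host names, the "+2 per reboot" state arithmetic and the grace-period rule (only reclaims are accepted right after a server reboot) are modelling assumptions for the demo, not details taken from the page.

```ruby
# Added example, not OpenBSD's rpc.lockd/rpc.statd code: a toy in-memory model of the
# NLM/NSM interplay described above. Host names and state numbers are constructed.

class LockServer
  attr_reader :locks, :state, :in_grace

  def initialize
    @state = 1          # this server's NSM state number; bumped on every reboot
    @locks = {}         # path => name of the client holding the lock
    @monitored = {}     # client name => NSM state number we recorded at lock time
    @in_grace = false   # right after a server reboot only reclaims are accepted
  end

  # NLM lock request: grant only if the file is free (or already ours). During the
  # grace period fresh requests are refused so that old holders can reclaim first.
  def lock(client, client_state, path, reclaim: false)
    return :grace if @in_grace && !reclaim
    holder = @locks[path]
    return :denied if holder && holder != client
    @locks[path] = client
    @monitored[client] = client_state       # "statd, please monitor this host"
    :granted
  end

  # SM_NOTIFY from a client: a changed state number means it rebooted, so every
  # lock it held is stale and is released. Without this, a crashed client's lock
  # would be held forever.
  def client_notify(client, client_state)
    if @monitored[client] && @monitored[client] != client_state
      @locks.delete_if { |_, holder| holder == client }
    end
    @monitored[client] = client_state
  end

  # Server reboot: all lock state is lost, the state number changes, and every
  # monitored client must be told so it can reclaim. Returns the names to notify.
  def reboot!
    @state += 2
    @locks.clear
    @in_grace = true
    @monitored.keys
  end

  def end_grace!
    @in_grace = false
  end
end

class LockClient
  attr_reader :name, :state, :held

  def initialize(name)
    @name = name
    @state = 1          # this client's NSM state number
    @held = []          # paths this client believes it has locked
  end

  def lock(server, path)
    r = server.lock(@name, @state, path)
    @held << path if r == :granted && !@held.include?(path)
    r
  end

  # Crash and come back: in-kernel lock state is gone, the state number changes,
  # and (if statd is running) the server is told about the reboot.
  def reboot!(server, notify: true)
    @state += 2
    @held.clear
    server.client_notify(@name, @state) if notify
  end

  # The server told us it rebooted: reclaim every lock we believe we hold.
  def server_rebooted(server)
    @held.select { |path| server.lock(@name, @state, path, reclaim: true) == :granted }
  end
end

def lock_demo
  srv = LockServer.new
  a = LockClient.new('alice')
  b = LockClient.new('bob')
  c = LockClient.new('carol')
  out = {}
  out[:a_first]         = a.lock(srv, '/data/f')   # :granted
  out[:b_blocked]       = b.lock(srv, '/data/f')   # :denied, alice holds it
  a.reboot!(srv, notify: false)                     # crash with no statd in the picture
  out[:b_stale]         = b.lock(srv, '/data/f')   # :denied, the stale lock lives on
  a.reboot!(srv)                                    # same crash, but SM_NOTIFY is sent
  out[:b_after_notify]  = b.lock(srv, '/data/f')   # :granted, server released it
  to_notify = srv.reboot!                           # server reboots, grace period starts
  out[:c_in_grace]      = c.lock(srv, '/data/f')   # :grace, try again later
  out[:b_reclaimed]     = to_notify.include?('bob') && b.server_rebooted(srv) == ['/data/f']
  srv.end_grace!
  out[:c_after_grace]   = c.lock(srv, '/data/f')   # :denied, bob holds it again
  out
end

puts lock_demo.inspect if $PROGRAM_NAME == __FILE__
```

The contrast between `:b_stale` and `:b_after_notify` is the defect the statd port closes: the lock held by a crashed client is only released because the client's next notification carries a different state number. The server-reboot half shows why the server has to remember whom to notify, and why new requests are held off until the old holders have had a chance to reclaim.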

I would like to thank the owners of GeNUA for their great support of the OpenBSD and OpenSSH Projects. I now know that great things have come to OpenBSD and OpenSSH as a result of GeNUA. For that, I'm deeply grateful. To the GeNUA OpenBSD and OpenSSH developers, present and past, we owe you a lot of gratitude for your efforts, sacrifice and amazing code and bug squashing abilities :-). Cheers!

(c2k8 hackathon summary to be continued)



Comments
  1. By jirib (85.207.203.106) on

    great article! what about nfsv4? there's no network filesystem which works over ipv6 in base :(

    Comments
    1. By Anonymous Coward (72.174.27.134) on

      > great article! what about nfsv4? there's no network filesystem which works over ipv6 in base :(

      Given the number of issues that the NFS codebase has (mostly that it's
      a fugly mess), you're going to have to wait for us to get it to the
      point where we don't throw up a little each time we hack on it for
      the new stuff to come along.

  2. By Anonymous Coward (87.230.108.21) on

    "However, it is possible to configure an encrypted softraid volume on top of another volume providing redundancy (eg. RAID 0)."

    ^^ typo? redundancy and RAID 0? shouldn't that be RAID 1?

    Comments
    1. By Mike Erdely (merdely) on http://erdelynet.com/

      > "However, it is possible to configure an encrypted softraid volume on top of another volume providing redundancy (eg. RAID 0)."
      >
      > ^^ typo? redundancy and RAID 0? shouldn't that be RAID 1?

      Yes. It's been fixed. Thanks.

  3. By Pablo Méndez Hernández (83.70.32.94) on

    Speaking of rainer@, I'd like to know if there's any advance in his port to "WRT54G like" machines.


    TIA

    Comments
    1. By Rainer Giedat (85.181.153.55) on

      I worked on it at c2k8 and had some help from drahn@, but did not manage
      to get to single user mode yet. There is at least a bug with the timer
      interrupts to be fixed.

      To be continued...

      Comments
      1. By Anonymous Coward (83.70.32.94) on

        > I worked on it at c2k8 and had some help from drahn@, but did not manage
        > to get to single user mode yet. There is at least a bug with the timer
        > interrupts to be fixed.
        >
        > To be continued...

        Thanks for the update :)
