FreeBSD 15.1-RELEASE: Upgrade Plan and Harness Revalidation
1. Overview
FreeBSD 15.1-RELEASE was announced 2026-06-16. This note tracks the upgrade from 15.0-RELEASE on nexus (the machine that publishes wal.sh) and the revalidation of all harnesses, containers, and build tooling.
| Field | Value |
|---|---|
| Current | FreeBSD 15.0-RELEASE amd64 (nexus) |
| Target | FreeBSD 15.1-RELEASE amd64 |
| Announced | 2026-06-16 |
| 15.0 EOL | 2026-09-30 |
| 15.1 EOL | 2027-03-31 |
| 15-series EOL | 2029-12-31 |
| Beads | www.wal.sh-mg0 |
Dedicated to Peter G. Neumann's memory for contributions to capability-based security research.
2. Changes relevant to this site
2.1. Jails and containers
- New allow.vmm_ppt jail knob for PCI passthrough in bhyve jails
- bhyve: UNIX domain socket support for remote framebuffer, enabling graphical console in jailed instances without networking
- Virtio GPU driver compatibility with Parallels Desktop
Impact: the bhyve framebuffer change is relevant for our X11 headless screenshot workflow (Xvfb + ffmpeg). If we move to bhyve jails for sandboxed builds, graphical output is now possible without network exposure.
2.2. Capsicum and security
- SA-26:28.capsicum: sigqueue(2) missing capability mode restriction
- SA-26:25.thr: missing permission check in thr_kill2(2)
- Multiple privilege escalation and RCE fixes
Impact: Capsicum is enabled on nexus (kern.features.security_capability_mode: 1).
The sigqueue fix is relevant for any sandboxed process that uses signals.
2.3. ZFS
- Minimum scrub/resilver times reduced to sub-second
- New zfs_arc_evict_batches_limit for parallel eviction
- OpenZFS updated to 2.4.2
- SONAME bump: libzfs7/libzpool7 (ABI-breaking)
Impact: the ABI break means any software linking libzfs directly needs rebuild. Our toolchain (emacs, graphviz, clojure) does not link libzfs, so no impact expected.
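The "no impact expected" claim can be checked by scanning the dynamic section of installed binaries. This is an added example, not part of the original note: the function names are hypothetical, the sample input in any test is constructed, and it assumes "libzfs7/libzpool7" means SONAME major 7.

```shell
#!/bin/sh
# Added example: find ELF objects that still depend on a pre-15.1 libzfs/libzpool.
# Assumption: "libzfs7/libzpool7" on the page means libzfs.so.7 and libzpool.so.7;
# override NEW_MAJOR if the installed libraries say otherwise.
NEW_MAJOR=${NEW_MAJOR:-7}

# stale_zfs_needed: read `readelf -d` output on stdin and print each
# libzfs/libzpool NEEDED entry whose major version differs from NEW_MAJOR.
# Matches "NEEDED" with or without parentheses, since readelf variants differ.
stale_zfs_needed() {
    awk -v want="$NEW_MAJOR" '
        /NEEDED/ && match($0, /lib(zfs|zpool)\.so\.[0-9]+/) {
            so = substr($0, RSTART, RLENGTH)
            major = so
            sub(/^.*\.so\./, "", major)
            if (major != want) print so
        }'
}

# scan_tree DIR: print "path: soname" for every regular file under DIR that has
# a stale dependency. Non-ELF files make readelf fail and are skipped silently.
scan_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | stale_zfs_needed |
        while IFS= read -r so; do
            printf '%s: %s\n' "$f" "$so"
        done
    done
}

# Run only when asked, so the functions can be sourced without side effects.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    scan_tree "${1:-/usr/local}"
fi
```

Empty output from `RUN_SCAN=1 sh scan.sh /usr/local` means nothing under that tree needs a rebuild for the SONAME bump.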
2.4. Networking and firewall
- IPv6 packet divert socket support
- ipfw(8) masked IP address lookups (non-contiguous prefixes)
- RFC 7217 stable IPv6 address generation
- net.inet.ipf.jail_allowed sysctl for jail ipfilter management
Impact: the jail ipfilter management sysctl is relevant for containerized builds with network isolation.
2.5. Base system
- Default shell changed from csh to sh for root
- pkg(7) now installed on VM/cloud images with packaged base
- Unicode 17.0.0 + CLDR 48 (4,803 new characters)
- C23 compliance progress
3. Pre-upgrade: current system state (15.0)
Snapshot taken 2026-06-21 before upgrade.
3.1. Installed harnesses
| Agent | Version | Install method | Status |
|---|---|---|---|
| Claude Code | 2.1.89 | npm | working |
| Gemini CLI | 0.47.0 | npm | working |
| Goose | 0.9.11 | pip | working |
| Aider | 0.86.1 | pkg | working |
3.2. Key runtimes
| Runtime | Version |
|---|---|
| Emacs | 30.2 (/usr/local/bin/emacs) |
| Graphviz | 14.1.4 |
| Node.js | 24.14.1 |
| Deno | 2.6.6 |
| Python | 3.11.15 |
| GHC | 9.10.3 |
| Clojure | 1.12.0.1488 |
| Babashka | 1.12.206 |
| Racket | 9.0 |
| Lean 4 | 4.27.0-pre |
| Z3 | 4.16.0 |
| Podman | 5.8.1 |
| Bastille | 1.4.3 |
3.3. Container publish baseline
```sh
# Verified working on 15.0 (2026-06-21)
sudo podman run --rm --os=freebsd freebsd/freebsd-runtime:15.0 uname -a
# Output: FreeBSD ... 15.0-RELEASE ... amd64
```
4. Upgrade procedure
```sh
# 1. Snapshot ZFS (rollback point)
sudo zfs snapshot zroot/ROOT/default@pre-15.1

# 2. Fetch the 15.1-RELEASE upgrade and install the new kernel
#    (a bare `freebsd-update fetch` only patches the running release)
sudo freebsd-update -r 15.1-RELEASE upgrade
sudo freebsd-update install

# 3. Reboot
sudo reboot

# 4. Post-reboot install (userland)
sudo freebsd-update install

# 5. Force-reinstall packages (ABI break in libzfs)
sudo pkg upgrade -f
```
5. Post-upgrade revalidation checklist
After upgrading to 15.1, verify each layer:
| # | Check | Command | Expected |
|---|---|---|---|
| 1 | Kernel version | uname -a | 15.1-RELEASE |
| 2 | Capsicum enabled | sysctl kern.features.security_capability_mode | 1 |
| 3 | ZFS pool healthy | zpool status | ONLINE |
| 4 | Emacs batch | emacs --batch --eval '(message "ok")' | ok |
| 5 | Graphviz | dot -V | 14.1.x |
| 6 | Diagram rebuild | gmake diagrams | 0 errors |
| 7 | Local publish | gmake publish-local | HTML in ~/public_html/ |
| 8 | Remote publish | gmake publish | TRAMP to DreamHost |
| 9 | Claude Code | claude --version | 2.1.x |
| 10 | Gemini CLI | gemini --version | 0.47.x |
| 11 | Goose | goose --version | 0.9.x |
| 12 | Aider | aider --version | 0.86.x |
| 13 | Podman | sudo podman run --rm --os=freebsd freebsd/freebsd-runtime:15.1 uname -a | 15.1-RELEASE |
| 14 | Container publish | sudo gmake container-publish | HTML in build/ |
| 15 | Site live | curl -s https://wal.sh/version.json | current SHA |
| 16 | Sitemap audit | clj REPL: sm/read-sitemap + curl | 660+ URLs, 0 404s |
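The non-privileged rows of the checklist can be driven from one script. This is an added example, not part of the site's tooling: `check` and `run_checklist` are hypothetical names, the globs are derived from the Expected column, and `zpool status -x` is substituted for row 3 because a bare ONLINE match would also pass a degraded pool that still has online vdevs.

```shell
#!/bin/sh
# Added example: run checklist rows and compare each command's output with a
# glob derived from the table's "Expected" column.
PASS=0
FAIL=0

# check NAME GLOB CMD [ARGS...]
# Runs CMD, captures stdout+stderr, and passes when the output matches GLOB.
# A missing binary produces no matching output and is counted as a failure.
check() {
    name=$1
    glob=$2
    shift 2
    out=$("$@" 2>&1) || true
    # Unquoted $glob is intentional: case treats it as a pattern.
    case $out in
        $glob) PASS=$((PASS + 1)); printf 'ok   %s\n' "$name" ;;
        *)     FAIL=$((FAIL + 1)); printf 'FAIL %s (got: %s)\n' "$name" "$out" ;;
    esac
}

# run_checklist: rows 1-5 and 9-12; returns non-zero if any row fails.
run_checklist() {
    PASS=0
    FAIL=0
    check "kernel version" '*15.1-RELEASE*' uname -a
    check "capsicum"       '*: 1'           sysctl kern.features.security_capability_mode
    # Stricter than matching ONLINE: -x reports only pools with problems.
    check "zfs pool"       'all pools are healthy' zpool status -x
    check "emacs batch"    'ok'             emacs --batch --eval '(message "ok")'
    check "graphviz"       '*14.1.*'        dot -V
    check "claude code"    '*2.1.*'         claude --version
    check "gemini cli"     '*0.47.*'        gemini --version
    check "goose"          '*0.9.*'         goose --version
    check "aider"          '*0.86.*'        aider --version
    printf '%d passed, %d failed\n' "$PASS" "$FAIL"
    [ "$FAIL" -eq 0 ]
}

# Run only when asked, so the functions can be sourced without side effects.
if [ "${RUN_CHECKLIST:-0}" = 1 ]; then
    run_checklist
fi
```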
6. Podman image update
Once the 15.1 container image is available:
```sh
# Pull 15.1 image
sudo podman pull freebsd/freebsd-runtime:15.1

# Update scripts/container-publish.sh
sed -i '' 's/freebsd-runtime:15.0/freebsd-runtime:15.1/g' scripts/container-publish.sh

# Test container publish on 15.1
sudo gmake container-publish
```
7. Related
- Emacs 32.0 on FreeBSD 15.0 – pre-upgrade Emacs build
- Diagram Generation on FreeBSD – graphviz backend audit
- CLI Coding Agents 2026 Q2 – harness comparison with FreeBSD column
- Agent Sandbox Practical Configs – jail/container credential isolation
- Org-Graphviz Publish Workflow – the pipeline this upgrade must not break