-
jb1277976_
Thanks koobs
-
koobs
jb1277976_: np
-
rennj
-
VimDiesel
Title: Ksplice - Wikipedia
-
rennj
(a technique broadly referred to as dynamic software updating).
-
rennj
course oracle paid $$$ for that tech
-
koobs
For FreeBSD, past efforts:
wiki.freebsd.org/Kload
-
VimDiesel
Title: Kload - FreeBSD Wiki
-
skered
Ok think I got NFSv4 done.. the whole rooted dir and relative paths was confusing... Is there a down side to V4: / ?
-
skered
Outside of an untrusted machine being allowed to mount something that isn't exported? They'll at best just be able to guess /'s hierarchy but get IO/permission issues.
-
rtprio
well, they're trusted insofar as they're in your ip range, right
-
skered
Possible but just trying to figure if that's the only down side.
-
skered
Using v4 from a fresh setup it seems that you would org. your fs to be a little more v4 friendly where as maybe V4: / is the easy/best option for existing setups.
-
jb1277976_
What happened to gnome3?
-
jb1277976_
pkg can't find it, fresh ports can't find it
-
jb1277976_
gnome42 ?
-
angry_vincent
there is meta-port for it
-
angry_vincent
x11/gnome
-
angry_vincent
-
VimDiesel
Title: Makefile « gnome « x11 - ports - FreeBSD ports tree
-
pvalenta
hello, how can i display routing table for ipsec?
-
crest
pvalenta: there is no such thing
-
crest
ipsec doesn't have its own routing table
-
crest
are you asking about the ipsec policy database?
-
crest
that can be displayed with setkey -DP (part of the base system)
-
crest
if you're using strongswan (from ports) you can also use `ipsec status`
-
crest
which produces a nicer output and even offers a proper API
-
pvalenta
crest, so the routing decision is made somehow in kernel? I have strongswan up and running and: ipsec status looks ok,...but packets don't go through tunnel
-
crest
did you configure ipsec in tunnel or in transport mode?
-
pvalenta
i am trying to tunnel ipv6 over ipv4 because provider is not ipv6 ready
-
crest
you still need a route directing the traffic
-
crest
but i would recommend avoiding old fashioned ipsec tunnel mode like the plague
-
crest
it's a disgusting layering violation that breaks dynamic routing by its flawed design
-
crest
as there is no tunnel interface to route through
-
crest
let me dig up my old strongswan config snippets
-
pvalenta
vpn-ipv6{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c46e4e60_i 0c29fe34_o
-
pvalenta
vpn-ipv6{2}: ::/0 === fd32:32:32::/64
-
crest
are you familiar with routing and ipsec on any other platform?
-
crest
can you share your strongswan config (just remove the private keys)
-
pvalenta
crest, yes ...on linux ..and i have strongswan working for ipv4 on many places
-
crest
in that case please censor the output from `sudo ipsec statusall`
-
crest
do you control both ends of the ipsec tunnel?
-
pvalenta
-
VimDiesel
Title: #/usr/local/etc/ipsec.confconn vpn-ikev2 auto=add keyexcha - Pastebin.com
-
pvalenta
yes, the other side is my mikrotik wifi router
-
crest
is the freebsd system intended to act as ipv6 tunnel server for the mikrotik router?
-
crest
fc00::/7 is the ULA range and standards compliant systems will prefer IPv4 over IPv6 ULA if both are available
-
crest
-> most (client) systems wouldn't even try to use a fd32:32:32::/64 source address unless it was the *only* option
-
pvalenta
crest, problem will be on mikrotik side,...i am not able to ping locally assigned address fd32:32:32::1/64
-
crest
i still need the ipsec statusall output
-
crest
ipsec status doesn't include enough details
-
crest
are you running routeros v7.x?
-
crest
because if you do, switching both sides to wireguard is probably less painful than debugging ipsec
-
crest
but their ancient linux 3.6.x kernel in routeros 6.x lacks wireguard
-
pvalenta
crest, here is ipsec statusall ...
pastebin.com/9iQQsqJ4
-
VimDiesel
Title: ipsec statusallStatus of IKE charon daemon (strongSwan 5.9.8, FreeBSD 13.1-REL - Pastebin.com
-
pvalenta
crest, yes, there is routeros7 on it.....i am using wireguard on freebsd and linux, but never tried it on routeros .....but you are right, i will try it
-
crest
i use it on a mikrotik hex and it's fast enough to max out my upstream without saturating the cpu
-
crest
i just had to throw in netwatch to re-resolve dynamic dns entries if the tunnel goes down because both my endpoints have dynamic ipv6 addresses
-
pvalenta
crest, thank you for your time
-
crest
it looks like you already have ipsec up and running on the freebsd side
-
crest
it's the mikrotik that's probably lacking an ipv6 default route pointing to your freebsd system's public ip address
-
crest
but i'm not familiar with ipsec on linux (only freebsd and openbsd)
-
crest
you may want to dump the policy in the old setkey -DP format as well
-
crest
or raise the logging verbosity of pfkey in strongswan at least by two
-
crest
to find out the exact policies installed
-
crest
what happens if you try to ping6 fd32:32:32::1 from freebsd?
-
crest
did you already create an enc0 pseudo interface and bring it up to sniff the ipsec processed traffic with tcpdump?
-
crest
damn it. ipsec has too many knobs to mess up
-
pvalenta
ping6 fd32:32:32::1 does not work but tcpdump on enc0 shows traffic goes to tunnel ...so problem is on mikrotik side
-
crest
how would you even configure an ipv6 default route to an ipv4 nexthop? give up and use an interface route instead?
-
debdrup
Very carefully, I imagine.
-
pvalenta
crest, it's working with wireguard, thank you once again
-
adilix
hi all
-
luna__
hey
-
CrtxReavr
Is fd32:32:32::1 in your neighbor cache?
-
michelem
Hi folks. I'm using "pkg -r $jaildir install X" to install package X into a "micro jail". A "micro jail" is a jail which exclusively contains the data necessary to run a process – as opposed to the whole FreeBSD base.
-
michelem
That works fine for remote packages. Some packages I need to customize, so I build them from ports. I thought I could run "make package" and then do "pkg -r $jaildir add X.pkg" on the result, but that does not work.
-
michelem
I can use "pkg add -f --relocate $jaildir X.pkg", but that will mess up the system a bit, in that data is installed in the jail, but all install scripts (e.g. addition of new users) are run on the host system.
-
michelem
The best approximation I found so far is to "cheat" with "tar -xf X.pkg -C $jaildir". That does not run the install scripts altogether, so I need to manually reproduce the behavior missing from them. Highly suboptimal. Any idea how I can do that better?
-
michelem
PS: "DESTDIR=$jaildir make install" does not work because $jaildir is a microjail, not a full system – so make fails to find its makefiles after chroot-ing.
-
sopparus
anyone using unifi in jail? I get 400 bad request and nothing weird from what I can see in logs
-
mason
sopparus: yes, but quite an old version
-
scoobybejesus
my host is on digitalocean (13.1-RELEASE). i have a couple jails with laravel web services that are super snappy until the memory gets dumped into SWAP. then performance completely tanks. any idea how to prevent the jails' memory from being swapped?
-
sopparus
mason: ok im trying with the current version
-
CrtxReavr
scoobybejesus, have more memory?
-
jschmidt3786
michelem: host your own repo for the customized packages? poudriere+nginx, perhaps?
-
scoobybejesus
i'm not running out of memory, depending on how you define that. it's a 2G system. if everything stayed in memory, I'd be using 1.2G or so
-
V_PauAmma_V
UFS or ZFS?
-
mason
scoobybejesus: Digging into swap means you're using more memory than you've got. How to not do that depends on lots of different things. Tune the software, cap ARC usage, etc.
-
scoobybejesus
ZFS
-
mason
scoobybejesus: Realize that capping ARC can have some unpleasant consequences for performance.
-
scoobybejesus
i'd like to think i could put these jails' processes or memory off limits, so the system can then decide what to swap based on everything else
-
mason
Hm, do sticky bits still say "don't swap this process?"
-
mason
Seems like "no" which is a shame.
-
CrtxReavr
Sticky bits as in file perms?
-
CrtxReavr
No.
-
mason
Oh, hrm, it looks like I misunderstood the use anyway:
en.wikipedia.org/wiki/Sticky_bit#History
-
VimDiesel
Title: Sticky bit - Wikipedia
-
scoobybejesus
seems like potentially a big rabbit hole to go down. a bit (a lot) above my paygrade. but the system seems to be doing things in a way that is suboptimal for me. the system should run perfectly fine without doing any swapping for those jails
-
CrtxReavr
scoobybejesus, You need to learn that your system has a virtual memory map and a physical memory map.
-
mason
scoobybejesus: Something you might be able to consider is just not having swap. Of course, then when things get tight they just pop. ARC should vacate quickly enough on demand, but setting a low ARC cap might help.
-
CrtxReavr
Like when you run top...
-
mason
scoobybejesus: That you're seeing a performance hit from swap suggests that your actual working set on the system is bigger than your physical memory.
-
CrtxReavr
Compare the SIZE & RES columns.
-
mason
RESident
-
scoobybejesus
i greatly appreciate this input
-
scoobybejesus
there's a mysql reflecting 2013M in SIZE with 37M in RES, for example
-
mason
scoobybejesus: You can order by RESident if you want to see the big hitters.
-
mason
scoobybejesus: top, 'o', 'res'
-
scoobybejesus
i'm used to htop :) i'm trying to get it to sort differently. i toggled to show swap usage, but none of the top processes are using any
-
scoobybejesus
ah thanks!
-
mason
scoobybejesus: swap usage isn't something that's shown
-
mason
but you can infer stuff from how much virtual space is allocated
-
mason
(SIZE)
-
scoobybejesus
supposedly `w` will toggle the usage of swap
-
mason
Oh, fascinating. TIL.
-
scoobybejesus
RES adds up to less than a GB right now
-
mason
scoobybejesus: Could be ARC then.
-
scoobybejesus
thanks very much. i will research a while and hopefully come up with settings that improve things (or at least don't bork anything)
-
CrtxReavr
Actually, top(1) does show if processes are swapped.
-
CrtxReavr
In the COMMAND column - swapped process names will be wrapped in <>s.
-
CrtxReavr
43840 j0ker 1 20 0 14M 0B wait 0 0:00 0.00% <bash>
-
CrtxReavr
One of my users has a bash process that's swapped.
-
jb1277976_
How goes it
-
Remilia
what do if there is no response to a proposed port patch for half a year or more (250787 in particular)
-
Remilia
I am considering filing a bug w/a patch for postgresql-rum which has not been updated for a good long while and I wonder if the same thing will happen
-
yuripv
-
VimDiesel
Title: Chapter 5. Configuring the Makefile | FreeBSD Documentation Portal
-
yuripv
see the rules in there
-
yuripv
(you should have waited much less before asking :D)
-
Remilia
that part do not really help me, I read it before :\
-
Remilia
does*
-
Remilia
also I am quite patient so have just been locally patching phpfpm-exporter for the past 2 years lol
-
yuripv
how so? just ask a committer to integrate your patch, it does not require maintainer approval any longer
-
Remilia
well, I do not know whom to ask, for starters, and I am unsure if my patch is correct (it working for me means nothing)
-
yuripv
try the ports@ mailing lists, i usually see others asking there
-
Remilia
thanks, will try later
-
Remilia
next step in server maintenance and suffering is upgrading Python 3.10 to 3.11, with the accursed virtual environments
-
jschmidt3786
I've got a host w/ 3 interfaces, one with internet access, the other two may use DHCP. Is this sufficient to keep the host from getting multiple default routes?
bsd.to/rbXn
-
VimDiesel
Title: dpaste/rbXn (Plain Text)
-
jmnbtslsQE
jschmidt3786: i don't think it's possible to get multiple default routes with dhclient, but depending on the order that responses are received on those interfaces, maybe you will receive a default route on the wrong interface. not sure
-
jschmidt3786
good to know. that's been my experience so far w/ a test host in bhyve (just one def route). CentOS isn't quite so bright. :^)
-
jschmidt3786
I just need to make sure that my two other NICs don't try to hijack my route out.
-
absolut
hi
-
absolut
can anyone tell me what version of FreeBSD is the latest one of pfSense?
-
skered
I think it's 12.3 but #pfsense exists.
-
absolut
ah ok thanks im gonna ask there
-
Erhard
2.6.0-RELEASE (amd64) FreeBSD 12.3-STABLE
-
Erhard
From pfsense
-
absolut
okey thanks!!!
-
Erhard
np
-
skered
ah you beat me...
-
skered
Forgot the password on one... trying a second in a different city..
-
jmnbtslsQE
ipfw add 5 count udp from any to any
-
jmnbtslsQE
ipfw: unrecognised option [-1] udp
-
jmnbtslsQE
anyone know what causes this ?
-
flous
Sorry but nope
-
flous
Does it do that all the time?
-
jmnbtslsQE
flous: just inside jails on a stock 12.3 VM that i'm setting up for some tests
-
Reinhilde
I expect the ipfw option `gid` to work one way, which I suspect is not the way that it will work.
-
Reinhilde
I've created a group named _Epmd and inserted the firewall rules that executing these commands would insert:
umbrellix.net/~ellenor/ipfwgid.txt
-
jmnbtslsQE
i suspect it will work as you expect, but i have never used gid, but i use uid with success
-
Reinhilde
What I expect to happen is that users that are members of the group numbered 85, which is _Epmd, will be able to contact port 4369 locally - and nobody else. I do not expect remote access to be affected by these rules.
-
jmnbtslsQE
but the manual says it applies also to packets being received
-
jmnbtslsQE
so if you want to restrict that, you should be able to do that as usual (with in, out, etc)
-
Reinhilde
I expect I will have to treat remote traffic separately.
-
Reinhilde
I'm mostly trying to provide a degree of access control to the EPMD locally. It can't be made to listen on a filesystem-domain socket, so that's not an option.
-
» Reinhilde sends her system into chaos
-
jmnbtslsQE
i would just add a drop rule to be executed for packets that originate remotely before these rules
-
Reinhilde
The EPMD only listens on the loopback interface - which is why they've such low numbers.
-
Reinhilde
It would seem that the EPMD cannot respond...
-
Reinhilde
Strange.
-
Yukiteru
Hi! Anybody know the status for the nouveau project in FreeBSD? Any opportunity to have native NVENC support without Linuxulator?
-
Reinhilde
it's just hanging.
-
Reinhilde
If I uninsert the firewall rules, EPMD works fine.
-
yuripv
Yukiteru: i don't think anyone is working on it, at least guessing by
github.com/freebsd/drm-kmod contents
-
VimDiesel
Title: GitHub - freebsd/drm-kmod: drm driver for FreeBSD
-
yuripv
Yukiteru: can't you do the same with nvidia provided driver?
-
Yukiteru
yuripv: nvenc does not work natively, only using linuxulator
-
Yukiteru
yuripv: nouveau is merging code from open-kernel-nvidia to support GSP firmware; with this, nvenc and cuda are possible using nouveau, but it is experimental and only boots cards for the moment
-
Yukiteru
open-kernel-nvidia compiles over Solaris, but GSP firmware is problematic
-
Reinhilde
yuripv, do you have any ideas regarding the matter of the gid option to an ipfw rule?
-
Yukiteru
mmm drm-kmod is only for intel and amd :/
-
Reinhilde
it seems to permission gate correctly, but the users that are permitted still can't actually make the connection - instead the applications just hang forever
-
jb1277976_
Has anyone here actually messed with or used virtual_oss? i tried it but really didn't understand it. apparently it can re-route the audio / microphone to a different outlet or virtual device. anyone got some experience?
-
koobs
morning
-
Reinhilde
hi koobs
-
koobs
-
VimDiesel
Title: FreshPorts -- audio/virtual_oss_ctl: Graphical control panel for the virtual OSS daemon
-
koobs
Reinhilde: hiya, how are you
-
koobs
-
jb1277976_
sup koobs
-
VimDiesel
Title: FreshPorts -- audio/virtual_oss: Virtual OSS multi device mixer application
-
koobs
jb1277976_: morning, coffee kicking in
-
Reinhilde
koobs, i just am
-
jb1277976_
koobs: Tried to use that guide for virtual_oss but really didn't understand it
-
koobs
which guide?
-
koobs
Reinhilde: roger that
-
jb1277976_
-
VimDiesel
Title: Sound - FreeBSD Wiki
-
koobs
jb1277976_: links i provided are tools for virtual_oss including GUI config, so may prove handy
-
koobs
gotta refresh that wiki page tho
-
koobs
huuuuuuuuge
-
Reinhilde
meep?
-
jb1277976_
oo a gui ?
-
jb1277976_
koobs: if it works then my mic should be fine and i can return that cheap microphone/usb dongle i got from amazon. cost me like $7.00 i don't have
-
koobs
jb1277976_: i think we established your digital mic is going to need special config to get working
-
koobs
though i certainly don't think it would be impossible to hack things to make it work (but it's going to require some pretty hardcore audio/register/pin debugging and deep diving)
-
koobs
jb1277976_: i think the most likely route forward is to collab/partner with a base dev with sound exp, to help you figure it out
-
koobs
difficult to make happen but not impossible with the right context/info
-
jb1277976_
Thanks again
-
koobs
np
-
jb1277976_
koobs: how did you figure that the virtual_oss had a gui ?
-
koobs
it was in my browser history, configuring sound easily and quickly by users gets brought up regularly
-
jb1277976_
Got it
-
jb1277976_
let me install it
-
jb1277976_
speaking of installing is there a way to compile a package with all the defaults instead of staring at the screen picking different options I know nothing about?
-
koobs
jb: pkg (pkg install <foo>) uses the remote/official package repositories, which are prebuilt ports with the default OPTIONS
-
koobs
jb1277976_: if the question is 'how do i build a port without being asked about options?' ...
-
debdrup
Per the ports(7) manual page, there's a BATCH environment variable that can be set if you wish to not have to do any interaction when building.
-
koobs
jb1277976_: you can use make BATCH=1 install in a port to skip interactive things
-
koobs
ah debdrup already mentioned
-
koobs
!man ports
-
VimDiesel
ports(7) - contributed applications
freebsd.org/cgi/man.cgi?query=ports
-
koobs
not a great title
-
jb1277976_
Thanks, yea I was compiling my printer drivers cause there was no port and I was asked like 20x about stuff I didn't know about. Thought I could put it in screen and detach
-
koobs
if it's a custom compile of a driver (not in ports), our answer doesn't apply
-
jb1277976_
Wow got so much to learn
-
debdrup
That'll probably be true until you draw your last breath. :)
-
rwp
"A good pilot is always learning."
-
jmnbtslsQE
is there a good way to trace what happens to a packet when it's evaluated at a specific ipfw rule? i have a packet that should be getting nat'ed, but instead seems to be dropped, at the nat rule (without incrementing that rule's counter)
-
thorongil
hi there. i woke up yesterday to find my 13.1 machine complaining about uncorrectable I/O failures on zroot. the machine is still happily serving NFS, but i can't log in via ssh or console (which makes sense because /etc/passwd is in the failed ZFS pool). my plan is to hard reboot, insert a bootable thumbdrive, see if i can learn anything about the pool from there. maybe clear the errors, depending
-
thorongil
on what they say. and maybe reinstall on the same drive and hope the errors were transient. but prepare for the eventuality that they will. thoughts?
-
jmnbtslsQE
thorongil: your plan sounds reasonable to me. if you intend to continue using that disk you should scrub the pool