-
jb1277976
Anyone know how to make a block device hard drive in VirtualBox? I'm trying to do some ZFS stuff but can't
-
mason
trench: You can request an account on the wiki and fix the page. #freebsd-wiki is a good place to start.
-
trench
okey..
-
V_PauAmma_V
_xor, belatedly, I would. (And probably count separate processor families separately.) Assembly languages have often as much syntax as C and arguably more semantics, if you don't count the standard library. (And if you do, you should probably count the system calls or equivalents for your OS, eg SVCs and macros for IBM mainframes, in assembly complexity.)
-
_xor
More semantics? I mean, assemblers encode instructions into opcodes with various operands/flags. Language compilers have to actually determine semantics within context after the ST is generated from the front-end.
-
_xor
Another way to look at it would be a compiler taking some simple lexical scope and generating instructions that implement the behavior. For example, a lot of instructions affect state (e.g. processor flags) for the subsequent instruction to read.
-
nimaje
each instruction has semantics and you want them properly documented, how would you know what happens if you use them without that
-
ghoti
I have application jails for web, smtp, etc. The jails are on private IPs behind my single public IP. Is it reasonable to set up a different NAT instance for each jail, and set the firewall rule to use that instance as part of the jail startup? Or am I just making work for myself?
-
meka
ghoti: I don't understand what is NAT instance
-
ghoti
meka: you can `man ipfw` and search for "NAT, REDIRECT AND LSNAT". It is identified by the number in `ipfw [-q] nat number config config-options`.
-
meka
Oh, PF user here, no wonder I don't understand
-
ghoti
Ah.
-
montar
ghoti: do you really need to separate them that much?
-
ghoti
montar: meh, "need"... I'm experimenting with making self-contained jails that include a bit of required infrastructure as part of their configuration for a stand-by server.
-
ghoti
So far I'm storing an ipfw "set" to identify particular ports and count relevant traffic, but I'm thinking I should add a NAT instance to the set.
-
ghoti
But since it's a separate table, it has to be stored separately.
-
rtprio
it sounds like more work and further complication, but hey, if it works for you go nuts
-
jmnbtslsQE
ghoti: you only need one nat instance on the host, and you can use redirect_port, etc as needed
-
jmnbtslsQE
if that host is the one that has the public address
-
jmnbtslsQE
i guess if you needed specific nat instance options to be different for each jail, it may make sense to have separate nat instances (on the host, not in vnet), but probably not needed
-
ghoti
jmnbtslsQE: Yes, but there's a different set of NAT rules for SMTP than for HTTP. My thought is to bundle the service-specific rules together, to be applied within a particular NAT instance.
-
ghoti
That way, if for example my HTTP jail needs to move to a different host, I have the current rules on the new host, and I don't leave garbage on the old one.
-
ghoti
I'll keep thinking about this.
-
jmnbtslsQE
seems like not a bad idea. you can delete your jail-specific nat instance when you move the jail, without having to re-configure the existing nat instances to remove the extraneous rules
-
devnull
Is there a security advisory about 13.1 p3 patch?
-
ghoti
If I want to replace procmail with procmail-bgrb, should I simply delete the first and install the second, or is it better to set a new origin then upgrade?
-
V_PauAmma_V
devnull, no, only errata notices as far as I can tell. See
freebsd.org/security/notices (starting with EN22:21) and
freebsd.org/security/advisories.
-
VimDiesel`
Title: FreeBSD Errata Notices | The FreeBSD Project
-
devnull
Thanks V_PauAmma_V
-
gh00p
Hi. How do I get sendmail to use procmail for local delivery? I have added MAILER(procmail) and FEATURE(local_procmail) to my mc file, I am not sure what I'm missing.
-
CrtxReavr
-
VimDiesel`
Title: Chapter 30. Electronic Mail | FreeBSD Documentation Portal
-
koobs
morn
-
pedahzur
Anybody here use Ansible? Specifically ansible-runner. We're looking to port some operations from Linux to FreeBSD, and right now Ansible-runner is our sticking point, because it uses either podman or bubblewrap (github.com/containers/bubblewrap) for process isolation. We could write a shim which would accept the bwrap arguments and use jails, but we haven't gotten to the point of dedicating resources to that.
-
koobs
pedahzur: podman port is WIP right now and might be usable/testable, but in the event that it's not, what's the question?
-
koobs
-
VimDiesel`
Title: Containers by dfr · Pull Request #1 · dfr/freebsd-ports · GitHub
-
koobs
Author is on #virtualization on FreeBSD Discord btw
-
pedahzur
koobs: Thanks. Pardon my absolute lack of knowledge on this, but isn't Podman designed to work with docker (OCI) images? How will that work on FreeBSD? (Doc links are great...don't feel like you have to spell it all out here.) :)
-
koobs
pedahzur: there's a couple of separate issues implicit in the question (and in that ecosystem)
-
koobs
pedahzur: So on one hand, samuel karp is working on an OCI spec for FreeBSD containers, with an experimental (but working) 'runj' execution backend. You can see that here: github.com/samuelkarp/run
-
koobs
Right now, containerd officially supports runj, and runj supports basic networking, running linux jails, etc
-
koobs
That's the OCI and 'runc' execution backend side of things
-
koobs
pedahzur: podman and whatever other container frontend tools (ala docker) use whatever their underlying container runtimes support
-
koobs
This basically means docker/runc/containerd but there's nothing fundamental precluding other os supports
-
koobs
which just need to integrate into those ecosystems
-
koobs
which leads us back to runj (a runc port, runc, which docker uses) and OCI specs
-
koobs
-
VimDiesel`
Title: Containers - FreeBSD Wiki
-
koobs
pedahzur: so back to your ansible question, what's the question/issue to solve/answer?
-
koobs
-
VimDiesel`
Title: Docker - FreeBSD Wiki
-
latwe
hello
-
latwe
I'm here now right?
-
latwe
there is online?
-
pedahzur
koobs: per the original question, we're looking to port some stuff to FreeBSD, and one of those things uses Ansible Runner to enable process separation/sandboxing. Ansible Runner uses podman or bwrap for process isolation. I suppose if podman is ported, and there is an "ansible container" (that we or somebody else produces) along the lines of github.com/ansible/ansible-runner/blob/devel/Dockerfile we could port our stuff to
-
VimDiesel`
Title: ansible-runner/Dockerfile at devel · ansible/ansible-runner · GitHub
-
pedahzur
FreeBSD. :)
-
koobs
-
koobs
is that useful?
-
VimDiesel`
Title: community.general.jail connection – Run tasks in jails — Ansible Documentation
-
koobs
-
VimDiesel`
Title: iocage – Run tasks in iocage jails — Ansible Documentation
-
koobs
iocage is a jail frontend (see Containers third party list earlier)
-
koobs
See also: docs.ansible.com/ansible/2.9_ja/plugins/connection/buildah.html - which is the podman/buildah dfr is working on (but buildah is separate)
-
VimDiesel`
Title: buildah – Interact with an existing buildah container — Ansible Documentation
-
pedahzur
koobs: That's a little sparse on docs. From my reading, the plugin is for executing inside a jail on the target host. We're looking to run ansible itself in a container/jail/sandbox on the control host.
-
koobs
pedahzur: then you'll want any of our container/jail tools
-
pedahzur
OK, thanks.
-
pedahzur
I do appreciate the pointers.
-
koobs
pedahzur: presumably ansible will be fine configuration managing said host/jail software
-
koobs
ala any normal host
-
koobs
pedahzur: if your team is docker/containerd savvy, then you probably want to use runj/containerd to create them
-
pedahzur
Yes, it seems there are tools for managing jails...but not a straight forward way to run ansible inside one. :)
-
koobs
unless you want a specific feature in one of the other tools it doesnt have yet
-
koobs
it has the longest-term design
-
pedahzur
Well...I don't know how much docker expertise we have; we've relied on Ansible Runner to do all that behind the scenes for running our playbooks. :)
-
koobs
pedahzur: I'm wondering what's different about ansible in jail/container than on host?
-
koobs
link me to ansible runner ?
-
koobs
might give me a better sense of how/where it hooks in
-
pedahzur
koobs: Process isolation. The code in the playbook can't access anything on the control host.
github.com/ansible/ansible-runner
-
VimDiesel`
Title: GitHub - ansible/ansible-runner: A tool and python library that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. The goal is to provide a stable and consistent interface abstraction to Ansible.
-
koobs
and what's the thing in runner that then 'requires/uses' podman/bwrap?