00:10:25 Anyone know how to make a block device hard drive in virtualbox? I'm trying to do some zfs stuff but can't
00:24:54 trench: You can request an account on the wiki and fix the page. #freebsd-wiki is a good place to start.
00:46:53 okey..
03:15:39 _xor, belatedly, I would. (And probably count separate processor families separately.) Assembly languages often have as much syntax as C and arguably more semantics, if you don't count the standard library. (And if you do, you should probably count the system calls or equivalents for your OS, e.g. SVCs and macros for IBM mainframes, in assembly complexity.)
03:21:16 <_xor> More semantics? I mean, assemblers encode instructions into opcodes with various operands/flags. Language compilers have to actually determine semantics within context after ST is generated from the front-end.
03:25:21 <_xor> Another way to look at it would be a compiler taking some simple lexical scope and generating instructions that implement the behavior. For example, a lot of instructions affect state (e.g. processor flags) for the subsequent instruction to read.
11:44:08 each instruction has semantics and you want them properly documented; how would you know what happens if you use them without that?
15:49:55 I have application jails for web, smtp, etc. The jails are on private IPs behind my single public IP. Is it reasonable to set up a different NAT instance for each jail, and set the firewall rule to use that instance as part of the jail startup? Or am I just making work for myself?
15:50:47 ghoti: I don't understand what a NAT instance is
15:55:58 meka: you can `man ipfw` and search for "NAT, REDIRECT AND LSNAT". It is identified by the number in `ipfw [-q] nat number config config-options`.
15:56:25 Oh, PF user here, no wonder I don't understand
15:56:30 Ah.
16:02:00 ghoti: do you really need to separate them that much?
16:05:19 montar: meh, "need"... I'm experimenting with making self-contained jails that include a bit of required infrastructure as part of their configuration for a stand-by server.
16:07:14 So far I'm storing an ipfw "set" to identify particular ports and count relevant traffic, but I'm thinking I should add a NAT instance to the set.
16:07:27 But since it's a separate table, it has to be stored separately.
16:14:12 it sounds like more work and further complication, but hey, if it works for you go nuts
17:32:17 ghoti: you only need one nat instance on the host, and you can use redirect_port, etc. as needed
17:32:30 if that host is the one that has the public address
17:40:44 I guess if you needed specific nat instance options to be different for each jail, it may make sense to have separate nat instances (on the host, not in vnet), but probably not needed
18:07:52 jmnbtslsQE: Yes, but there's a different set of NAT rules for SMTP than for HTTP. My thought is to bundle the service-specific rules together, to be applied within a particular NAT instance.
18:08:03 That way, if for example my HTTP jail needs to move to a different host, I have the current rules on the new host, and I don't leave garbage on the old one.
18:11:01 I'll keep thinking about this.
18:12:11 seems like not a bad idea. You can delete your jail-specific nat instance when you move the jail, without having to re-configure the existing nat instances to remove the extraneous rules
18:36:38 Is there a security advisory about the 13.1 p3 patch?
18:42:22 If I want to replace procmail with procmail-bgrb, should I simply delete the first and install the second, or is it better to set a new origin then upgrade?
18:47:53 devnull, no, only errata notices as far as I can tell. See https://www.freebsd.org/security/notices/ (starting with EN22:21) and https://www.freebsd.org/security/advisories/.
18:47:54 Title: FreeBSD Errata Notices | The FreeBSD Project
18:51:59 Thanks V_PauAmma_V
20:34:22 Hi. How do I get sendmail to use procmail for local delivery? I have added MAILER(procmail) and FEATURE(local_procmail) to my mc file; I am not sure what I'm missing.
20:51:08 I assume you've looked at: https://docs.freebsd.org/en/books/handbook/mail/#mail-procmail
20:51:09 Title: Chapter 30. Electronic Mail | FreeBSD Documentation Portal
22:10:38 morn
22:23:43 Anybody here use Ansible? Specifically ansible-runner. We're looking to port some operations from Linux to FreeBSD, and right now Ansible-runner is our sticking point, because it uses either podman or bubblewrap (https://github.com/containers/bubblewrap/) for process isolation. We could write a shim which would accept the bwrap arguments and use jails, but we haven't gotten to the point of dedicating resources to that.
22:34:48 pedahzur: podman port is WIP right now and might be usable/testable, but in the event that it's not, what's the question?
22:37:05 podman PR: https://github.com/dfr/freebsd-ports/pull/1
22:37:09 Title: Containers by dfr · Pull Request #1 · dfr/freebsd-ports · GitHub
22:37:36 Author is on #virtualization on FreeBSD Discord btw
22:43:18 koobs: Thanks. Pardon my absolute lack of knowledge on this, but isn't Podman designed to work with docker (OCI) images? How will that work on FreeBSD? (Doc links are great...don't feel like you have to spell it all out here.) :)
22:49:52 pedahzur: there's a couple of separate issues implicit in the question (and in that ecosystem)
22:50:35 pedahzur: So on one hand, samuel karp is working on an OCI spec for FreeBSD containers, with an experimental (but working) 'runj' execution backend. You can see that here: https://github.com/samuelkarp/run
22:50:54 Right now, containerd officially supports runj, and runj supports basic networking, running linux jails, etc.
22:51:10 That's the OCI and 'runc' execution backend side of things
22:51:46 pedahzur: podman and whatever other container frontend tools (ala docker) use whatever their underlying container runtimes support
22:53:29 This basically means docker/runc/containerd but there's nothing fundamental precluding other OS support
22:53:38 which just needs to integrate into those ecosystems
22:53:51 which leads us back to runj (a runc port; runc is what docker uses) and OCI specs
22:54:00 see also: https://wiki.freebsd.org/Containers
22:54:01 Title: Containers - FreeBSD Wiki
22:54:17 pedahzur: so back to your ansible question, what's the question/issue to solve/answer?
22:54:37 See also: https://wiki.freebsd.org/Docker
22:54:39 Title: Docker - FreeBSD Wiki
23:35:22 hello
23:35:30 I'm here now right?
23:35:56 there is online?
23:44:51 koobs: per the original question, we're looking to port some stuff to FreeBSD, and one of those things uses Ansible Runner to enable process separation/sandboxing. Ansible Runner uses podman or bwrap for process isolation. I suppose if podman is ported, and there is an "ansible container" (that we or somebody else produces) along the lines of https://github.com/ansible/ansible-runner/blob/devel/Dockerfile we could port our stuff to
23:44:53 Title: ansible-runner/Dockerfile at devel · ansible/ansible-runner · GitHub
23:44:53 FreeBSD. :)
23:53:24 pedahzur: https://docs.ansible.com/ansible/latest/collections/community/general/jail_connection.html
23:53:27 is that useful?
23:53:27 Title: community.general.jail connection – Run tasks in jails — Ansible Documentation
23:53:55 there's also https://docs.ansible.com/ansible/2.9_ja/plugins/connection/iocage.html
23:53:56 Title: iocage – Run tasks in iocage jails — Ansible Documentation
23:54:04 iocage is a jail frontend (see Containers third party list earlier)
23:54:31 See also: https://docs.ansible.com/ansible/2.9_ja/plugins/connection/buildah.html - which is the podman/buildah dfr is working on (but buildah is separate)
23:54:32 Title: buildah – Interact with an existing buildah container — Ansible Documentation
23:56:29 koobs: That's a little sparse on docs. From my reading, the plugin is for executing inside a jail on the target host. We're looking to run ansible itself in a container/jail/sandbox on the control host.
23:56:49 pedahzur: then you'll want any of our container/jail tools
23:56:58 OK, thanks.
23:57:05 I do appreciate the pointers.
23:57:08 pedahzur: presumably ansible will be fine configuration managing said host/jail software
23:57:14 ala any normal host
23:57:35 pedahzur: if your team is docker/containerd savvy, then you probably want to use runj/containerd to create them
23:57:44 Yes, it seems there are tools for managing jails...but not a straightforward way to run ansible inside one. :)
23:57:45 unless you want a specific feature in one of the other tools it doesn't have yet
23:57:59 it has the longest-term design
23:58:14 Well...I don't know how much docker expertise we have; we've relied on Ansible Runner to do all that behind the scenes for running our playbooks. :)
23:58:18 pedahzur: I'm wondering what's different about ansible in a jail/container than on the host?
23:58:28 link me to ansible runner?
23:58:39 might give me a better sense of how/where it hooks in
23:58:58 koobs: Process isolation. The code in the playbook can't access anything on the control host. https://github.com/ansible/ansible-runner
23:58:59 Title: GitHub - ansible/ansible-runner: A tool and python library that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. The goal is to provide a stable and consistent interface abstraction to Ansible.
23:59:08 and what's the thing in runner that then 'requires/uses' podman/bwrap?