-
koobs
-
VimDiesel`
Title: Using Runner with Execution Environments — ansible-runner documentation
-
koobs
"All aspects of running Ansible Runner in standalone mode (see: Using Runner as a standalone command line tool) are true here with the exception that the process isolation is inherently a container runtime (podman by default)."
-
koobs
?
-
koobs
-
VimDiesel`
Title: Using Runner as a standalone command line tool — ansible-runner documentation
-
koobs
"You can enable process isolation by providing the --process-isolation argument on the command line. Runner as of version 2.0 defaults to using podman as the process isolation executable, "
-
koobs
?
-
pedahzur
-
VimDiesel`
Title: Using Runner as a container interface to Ansible — ansible-runner documentation
-
koobs
pedahzur: what are your other constraints/tradeoffs for making a decision here?
-
pedahzur
Yes. We call ansible_runner.interface.run(**runner_kwargs) which spawns a container run using the playbook.
-
pedahzur
koobs: Well, at this point, the product we're dealing with uses ansible-runner. We could migrate to something else, or create some custom jail-fiddling code, but then we're recreating ansible runner...but for jails. If runj and/or podman is coming to FreeBSD, we may be able to wait and just use that.
-
koobs
-
VimDiesel`
Title: GitHub - containers/bubblewrap: Unprivileged sandboxing tool
-
koobs
not pypi: bwrap?
-
koobs
im assuming it is
-
koobs
pedahzur: my take/knowledge on dfr's podman work is a) they're taking an upstream first approach, and many if not all required support patches have already landed upstream b) they're already at the point where they're proposing and we're reviewing podman (& buildah) ports, so that means at least dfr believes it's ready, or at least has had it working
-
pedahzur
Nice.
-
koobs
pedahzur: if we're assuming ansible-runner, and removing that (not replacing it with custom code) is not an option, and ansible uses podman, and runner will work with any support that podman inherits/gets (a la freebsd jails), then that looks like the path of least resistance, and is a good opportunity to check dfr's work (a real consumer), and provide feedback which will benefit everyone
-
koobs
the only other option I'd seriously consider is using runj/containerd, and look to where/how to hook into it using what you have
-
koobs
that wouldn't be replicating podman/bwrap side stuff
-
koobs
the downside consideration for runj/containerd is, the OCI spec is not complete, but it does work (with networking and linux jail support)
-
pedahzur
Gotcha. Yeah, if podman is in a testable state, that would be a neat path to try.
-
koobs
and samuel (runj/containerd) would love more feedback on that side too
-
koobs
certainly, runj/containerd is the purer path
-
koobs
as it's not frontend specific
-
koobs
docker will eventually get runj support (as its a freebsd port/execution backend for jails as runc is for cgroups for linux)
-
koobs
as will anything that supports the kind of thing runj is
-
koobs
or uses containerd
-
koobs
question that comes to mind is
-
koobs
can ansible runner use containerd?
-
koobs
if not why not ?
-
pedahzur
Ansible Runner can invoke docker, podman, or bwrap. So, if docker uses containerd, then probably so.
-
koobs
-
VimDiesel`
Title: GitHub - geerlingguy/ansible-role-containerd: Ansible Role - containerd.io
-
koobs
or is that just packaging
-
koobs
mmmm
-
koobs
yah it is
-
koobs
seems ansible uses containerd to do its kubernetes stuff
-
koobs
weird gap it can't/won't do it for anything else?
-
koobs
-
VimDiesel`
Title: ansible-runner/test-container.yml at devel · ansible/ansible-runner · GitHub
-
koobs
note containerd ref'd there (with docker/podman)
-
koobs
could just be test env checks and things though
-
koobs
yeh looks like it
-
koobs
-
VimDiesel`
Title: ansible-runner/conftest.py at devel · ansible/ansible-runner · GitHub
-
koobs
pedahzur: weird, I'd have expected plain containerd support given its generic nature
-
koobs
perhaps it uses docker/podman features only available in higher level frontends, and not underlying runtimes
-
koobs
be nice to understand what, if so
-
koobs
opportunity for runner to support containerd perhaps
-
pedahzur
koobs: Thanks for all the information and all the digging. It's greatly appreciated!
-
koobs
pedahzur: pleasure, you're welcome
-
koobs
pedahzur: see pm
-
ayan
can someone point me to documentation that describes the best way to re-install zfs/efi boot loaders?
-
crb
does the behavior of git bisect depend on the branch you're on?
-
ayan
i'm using freebsd-current.
-
pedahzur
crb: can you elaborate. It should go by commits on the branch you're on.
-
LXGHTNXNG
Does bsd.network Activitypub defederate Pleromata?
-
jmnbtslsQE
ayan: maybe under 'BOOTSTRAPPING' in the gpart manpage
-
crb
pedahzur: I'm trying to find a bad commit between the 13.0 and 13.1 releases. If I do a git clone, do I need to be on the 13.0 branch, vs if I just clone the repo and start bisecting?
-
rtprio
crb: you need to have the repo; to do that you need to clone
-
crb
rtprio, yes of course, but does it make a difference if I switch to, what, stable/13 before I bisect?
-
crb
will it limit the bisect to commits only on that branch which is presumably faster?
-
rtprio
and don't forget git pull --tags ... no i think you can just bisect as long as you know which two commits you're between
-
gh00p
Does it make more sense to put my Maildirs in user home directories, or in a common directory outside of /home ?
-
gh00p
I'm trying to figure out if there's any administration headaches I would take on or avoid with one directory layout or the other.
-
ghoti
gh00p: Will it be better to have Maildirs possibly on a different zfs dataset? Do your mail users have shell accounts? How are we to know your setup or priorities?
-
LXGHTNXNG
gh00p: Without further information, I can't tell you. I have a mixed setup at my own site; some Maildirs are in user homes (/Users on workstations, /usr/home on servers) and some Maildirs are in /var/vmail because they're for accounts with no shell access. The only administration headaches are if you don't use Maildirs.
-
gh00p
ghoti: A couple of mail users have shell accounts, but mostly not. Home directories are already on a separate dataset, so I guess "growing the Maildir filesystem" is already covered.
-
LXGHTNXNG
Maildirs at this point are effectively the gold standard in email storage. They work anywhere, as long as your system has vaguely UNIX filesystem semantics.
-
gh00p
LXGHTNXNG, how do you put some in one directory and some in another? I'm planning to use procmail for delivery and dovecot for imap. What tools are you using?
-
LXGHTNXNG
On my FreeBSD server where I use dovecot imap, I am also using dovecot for delivery as my needs are relatively simple (although I do have a farm of .qmail files)
-
LXGHTNXNG
On my illumos server where I do not use any IMAP, I just use the LDA inherent in Nightmare Mail, my qmail fork, which supports Maildirs just fine (though it implements an older version).
-
gh00p
LXGHTNXNG, ya, Maildirs are not in question. I didn't know that dovecot could deliver too! I will have to read about that. But I want procmail for other reasons..
-
LXGHTNXNG
You may have to have procmail somehow pass off onto dovecot-lda
-
gh00p
Why?
-
LXGHTNXNG
since procmail also has its own LDA, but if you want quick notifications with dovecot that's not going to be an option
-
LXGHTNXNG
(My unfamiliarity with procmail is showing.)
-
LXGHTNXNG
What do you use procmail for, and what mailserver are you using? Postfix, I take, since that seems to be the standard on UNIX nowadays?
-
LXGHTNXNG
hang on, let me see if I can pull up a manpage on procmail
-
gh00p
Hmm. I have only ever used procmail as an LDA. Mail server is sendmail (from ports). I looked in to postfix, but I couldn't confirm that it was capable of one of the features I need.
-
LXGHTNXNG
what would that feature be?
-
gh00p
LXGHTNXNG, I have /usr/local/etc/procmailrc with the line `DEFAULT=$HOME/Maildir/` for delivery.
-
LXGHTNXNG
procmail's website just returns json.
-
gh00p
I have a number of users who receive mail for tag⊙uec that sendmail's virtusertable rewrites to username+tag⊙ec and then processes as normal. The procmail documentation provided me no wisdom, and the people in their IRC channel were decidedly unfriendly.
-
ghoti
gh00p: I've encountered that with postfix people too...
-
gh00p
LXGHTNXNG, try
github.com/BuGlessRB/procmail, /usr/ports/mail/procmail-bgrb
-
LXGHTNXNG
I found that thanks
-
LXGHTNXNG
... œ
-
LXGHTNXNG
they have deliberately corrupted the manpages...
-
gh00p
corrupted? how?
-
LXGHTNXNG
I can't read them with FreeBSD man(1).sh
-
LXGHTNXNG
sorry, I'm just slightly distraught I'm having to run gmake just to read some beautifully-typeset manpages rather than wading through man source
-
LXGHTNXNG
what'st've is this about lock testing?!
-
LXGHTNXNG
oh, procmail...
-
gh00p
Er, what is man(1).sh? I am just using the standard `man`...
-
LXGHTNXNG
man.sh is just the standard man
-
LXGHTNXNG
but because it's written in sh, and because I use it on a different OS, yeah
-
gh00p
Ah.
-
gh00p
Well, it works for me.
-
LXGHTNXNG
right
-
gh00p
Any idea what is different for you?
-
gh00p
Or are you saying, it doesn't work for you to read procmail man pages on a different OS?
-
LXGHTNXNG
correct
-
LXGHTNXNG
sorry, this is all garbage, just ignore me
-
LXGHTNXNG
hang on, I'll just go to a freebsd system and install procmail there from packages, it's not that hard
-
gh00p
Heh. Anyway, I was just wondering about the best location for Maildirs. I think I might as well just leave them in home directories?
-
LXGHTNXNG
Yeah, probably.
-
gh00p
LXGHTNXNG, if you want to use procmail for local delivery with sendmail, you'd of course need to change sendmail's .mc file and recompile the config. I don't know how you'd use it for local delivery in postfix, I never got that far.
-
LXGHTNXNG
-
VimDiesel`
Title: Postfix manual - pipe(8)
-
LXGHTNXNG
however, I don't think postfix allows you to automatically remap username⊙tec to tenant+username⊙ec
-
LXGHTNXNG
I believe that has to be arranged manually for each `tenant`
-
ccx
Postfix supports regex-based maps
-
gh00p
I was told it might be possible with a regex map, but also told that nobody would say where it would actually be configured unless I went to the trouble of migrating to postfix first. Which doesn't make sense.
-
LXGHTNXNG
let me see if I can get my iguana to tell me more about regex maps in postfix ....
postfix.org/regexp_table.5.html
-
VimDiesel`
Title: Postfix manual - regexp_table(5)
-
ghoti
but sendmail is still supported.
-
LXGHTNXNG
ghoti: yup. It's outlived all these upstart MTAs, like qmail, postfix, Courier, Maddy, Mailu, Mailcow, etc.
-
LXGHTNXNG
qmail has a definite expiry date as it is no longer maintained. The maintainer left three serious bugs unfixed. Postfix is still around but is newer than Sendmail. Courier is still around. The last three are new developments - and more than one friend has reported one of them causing their server to go into an open relay configuration, which I did not find reassuring.
-
ghoti
gh00p: you don't need regexes in sendmail for this, just virtusertable entries like: @foo.example.com foo+%1⊙ec
-
gh00p
yes, that is what I do.
-
ghoti
Well then. If it ain't broke...
-
gh00p
Next question, should I bother with signed certificates for imaps and starttls, or just go with self signed?
-
LXGHTNXNG
Depends on your userbase for IMAP; for ESMTPS absolutely get CA-signed certs
-
ghoti
I was going to say, I haven't had any problems with mail delivery with self signed certs, but LXGHTNXNG sounds like he knows more than me. :)
-
LXGHTNXNG
I really don't, ghoti. I know more about one specific, kinda dumpy MTA.
-
ghoti
But you SOUND like you do, which is usually good enough. ;) Do self-signed certs get refused by relays? I haven't noticed mail bouncing, perhaps they just back off to ESMTP without STARTTLS?
-
LXGHTNXNG
I don't know.
-
gh00p
That would be strange. What's the point of having encryption if you just don't encrypt when the cert can't be verified?
-
ghoti
gh00p: I think because "keep the system running" is a higher priority than "make the system safe".
-
LXGHTNXNG
I do know that I've been using fully signed certificates ever since I finally turned up an SMTPD that I could actually figure out how to do that on.
-
LXGHTNXNG
and I've been seeing things come in over ESMTPS ever since I added the ability to know that they were doing so.
-
LXGHTNXNG
I still only send over classic SMTP, amusingly. The joys of an MTA that was last maintained in 1999.
-
gh00p
I've been planning to learn to run lets encrypt certs for web stuff. Shouldn't be too much of a stretch to make certs for mail as well, right?
-
RhodiumToad
trivial in fact, I use LE certs for mail
-
LXGHTNXNG
same
-
LXGHTNXNG
hm, I wonder how plan 9 specific UPAS is...
-
RhodiumToad
what is UPAS?
-
LXGHTNXNG
it's the plan 9 mail server. the name is actually spelled in lowercase
-
ghoti
wow, I haven't played with plan9 for decades. (Well, two of them.) It still exists?
-
LXGHTNXNG
I mean...
-
LXGHTNXNG
but even without retrocomputing, yeah there is a project to maintain plan 9 and make it usable for its (primarily OS researcher) user base
-
LXGHTNXNG
using VM threads in the SMTP client...
-
LXGHTNXNG
plan 9 is a whole different country
-
LXGHTNXNG
-
VimDiesel`
Title: Plan 9 /sys/man/2/thread
-
LXGHTNXNG
this got way off topic. I'll shut up.
-
adossi
hi, can you please point me to a solid guide of how to install a GUI on freebsd? I have put a machine together and it works nice command line only, whenever I try to install a gui though, it never loads, x-org errors out and says connection refused. I have followed a couple of videos on youtube, but I think I am missing some steps
-
ccx
LXGHTNXNG: pretty sure upasfs is in p9p
-
ghoti
adossi: Have you used X before?
-
LXGHTNXNG
ccx: it seems only the spam management utilities built on my illumos system and on my HBSD workstation.
-
adossi
yes, I can build archlinux, opensuse, and fedora servers from scratch without any hiccups
-
LXGHTNXNG
adossi: If I'm not mistaken, `pkg install xorg-server xorg-drivers drm-kmod` should install an X11 server. You would then want to fire that up in your login shell as your regular user (`Xorg :0& DISPLAY=:0 xfce4-session` is how I go about this)
-
ghoti
-
VimDiesel`
Title: Chapter 5. The X Window System | FreeBSD Documentation Portal
-
adossi
i know the steps to install the x org server, and configure the rc file, but it beats me why when xorg tries to load i get the connection refused error
-
rtprio
LXGHTNXNG: not that i want to use qmail, but what are those bugs?
-
LXGHTNXNG
I put a sleep between the Xorg and the DISPLAY=:0 xfce4-session thing
-
adossi
thank you Vim, i will read that, and I will try LXGH your suggestion as well
-
ghoti
adossi: VimDiesel is a bot that gives us the titles of posted URLs.
-
LXGHTNXNG
-
adossi
oh ok sorry , lol
-
VimDiesel`
Title: Vulnerability in Qmail mail transport agent allows RCE - Help Net Security
-
adossi
ghoti, i don't think i tried the drm-kmod, is that a login manager like sddm or something?
-
LXGHTNXNG
no, it's for the 3d acceleration
-
RhodiumToad
adossi: what GPU do you have?
-
LXGHTNXNG
so you can play games (to wit: FlightGear. that's it.) on your shiny new FreeBSD box
-
adossi
ok, the box i have is an older one that has intel chips and cpu, but it has a basic amd card
-
LXGHTNXNG
This is how I pull up Xfce4 on my workstation. I use `dtach` to avoid hogging my login terminal. dtach -A ~/.desktopsession zsh -c 'export DISPLAY=:0.0; X $DISPLAY& (sleep 1; xfce4-session)'
-
LXGHTNXNG
I believe dtach is available in packages.
-
LXGHTNXNG
oh, weird, I got it from pkgsrc.
-
rtprio
LXGHTNXNG: you don't use .xinitrc or .xsession ?
-
rtprio
which starts those things for you
-
RhodiumToad
adossi: ok, the drm-kmod package is drivers for intel and amd GPUs (for nvidia, there's a separate driver)
-
LXGHTNXNG
rtprio: this is just the way that works for me. I've had nothing but problems with those methods.
-
adossi
ok that might be the issue, thank you for that, don't have any rigs with nvidia
-
RhodiumToad
you can run without drm-kmod but you only get framebuffer performance
-
LXGHTNXNG
I'm aware it's a race condition
-
adossi
i see, on a separate question is there something like dbeaver that runs on freebsd? I downloaded both dbeaver and navicat, but they were both non starters,
-
adossi
by the way, I installed a gui version, i think it was nightbsd on a spare laptop, hence my second question about dbeaver or navicat
-
rtprio
not aware of software like that; if it ran on freebsd you'd probably have heard of it as it'd work on linux too
-
adossi
so what do you guys use on freebsd to do database development? I am running postgresql and mariadb databases
-
rtprio
asmodai: psql and mysql
-
rtprio
er
-
adossi
command line then
-
rtprio
adossi: psql and mysql
-
rtprio
yep
-
adossi
so you use the command line to write queries? or use a text editor and cut and paste?
-
rtprio
yeah; you know, in psql you can edit queries in the command line
-
rtprio
or \e myfile.sql
-
adossi
yes, honestly i love postgre, mariadb i have to use due to work,
-
adossi
i think mysql/mariadb took a dive after oracle got involved as usual
-
LXGHTNXNG
I use both. PG has been kinda heartbreaking for me because I could never figure out replication
-
» RhodiumToad mutters at "postgre"
-
LXGHTNXNG
No match.
-
RhodiumToad
call it pg or pgsql or postgres or postgresql, but never "postgre"
-
rtprio
LXGHTNXNG: slony but i think there's also a half dozen others
-
RhodiumToad
replication is built in these days
-
rtprio
RhodiumToad: oh cool
-
rtprio
best one i ever heard was the "microsoft squirrel server"
-
RhodiumToad
I don't know if slony is still maintained :-)
-
adossi
yes as long as your role can do replication , it is not a big deal with pg
-
adossi
for the life of me i cannot write a decent trigger on mariadb lol, but I can do one in pg with my eyes closed
-
LXGHTNXNG
rtprio: beep boop?
-
LXGHTNXNG
I mean at some point I just want to write my own rdbms. And then turn off the workstation for the last time and go out into the sticks.
-
LXGHTNXNG
I wonder if a satisfactory RDBMS can be written using only a UNIX filesystem.
-
RhodiumToad
probably not
-
LXGHTNXNG
No, I'll do you one harder: using only a standard Plan 9 filesystem as the backing store, and with very thin shims to actually do the thing.
-
ghoti
For some variation of "satisfactory" perhaps
-
RhodiumToad
depends how you want to do transactions, I guess
-
LXGHTNXNG
I mean I want it to be that I don't report success until everything is safely on the platters
-
LXGHTNXNG
but that's just a normal thing in anything that touches data
-
adossi
sorry asking too many questions, so ZFS, when i use zpool on the linux side, i can add a drive on a stripe zpool without any issues, but on the freebsd side the machines become non bootable, do i really have to 'move' the system, expand the zpool, and move the system back just to add a physical drive (a.k.a. pvcreate xxxx in the lvm world)
-
LXGHTNXNG
I really should be hacking on suitcase (my project of Yet Another C Unstandard Library)
-
RhodiumToad
becomes non bootable in what way?
-
ghoti
At my first ISP job, I was tasked with maintaining the customer billing system, which was built in shell, awk, sed and ghostscript. "satisfactory" is relative.
-
LXGHTNXNG
ghoti: *clears throat* What?
-
LXGHTNXNG
sh, awk, sed, and ghostscript? You didn't use the AGPL components, at least?
-
ghoti
LXGHTNXNG: this was 1992.
-
LXGHTNXNG
right. There must not have been an agpl in '92
-
LXGHTNXNG
I think I, for some value of I, wrote a shim around Heirloom mailx in shell once.
-
LXGHTNXNG
not exactly sure what was up with that.
-
LXGHTNXNG
hm
-
ghoti
ghostscript was a mess back then, with gpl, Aladdin, then agpl, and no documentation to tell us if there were practical differences between them.
-
parv
.oO( Hmm. Nod )
-
ghoti
Well, I never found any significant difference between them besides licenses. Ancient history now of course.
-
gh00p
So, is there a guide on how to use letsencrypt to make certs for sendmail? I see a bunch of moving parts I don't quite understand.
-
gh00p
the https guides are plentiful, but not so much starttls.
-
RhodiumToad
personally I use acme.sh
-
RhodiumToad
the main thing with doing certs for email only is that if you don't also have https on the same hostname, you'd want to use some other method to verify the domain, such as DNS
-
ccx
Is there any handy replacement for Linux-style `watch`?
-
gh00p
I like that acme.sh is in shell, but who the heck runs commands like `curl -o- somewhere | sh` ?
-
RhodiumToad
...?
-
ghoti
ccx: `while sleep 1; do $@; done` ?
-
ccx
That's viable, though fairly ugly. (add date and clear to be more faithful, but still pretty hard to spot changes)
-
ghoti
gh00p: many many many people. Convenience always seems to trump security.
-
RhodiumToad
last I looked (which was admittedly a long time ago), there was a port for acme.sh
-
RhodiumToad
hence no need to mess with dangerous installation practices
-
ccx
There's a port for quite a few LE/ACME clients. I think I'll deploy uacme soon.
-
gh00p
RhodiumToad that would be better, I was looking at the "How to install" section from the README.
-
LXGHTNXNG
ccx: gwatch should be in ports, though I am unsure of its name (maybe cmdwatch).
-
ccx
LXGHTNXNG: thanks
-
ccx
Somehow I've missed it in my search
-
LXGHTNXNG
I don't have it installed at my site.
-
kevans
yeah, cmdwatch
-
kevans
watch(8) confused me for a solid minute when I switched to freebsd
-
LXGHTNXNG
I have threads on the brain
-
kevans
that sounds painful
-
» parv snorts
-
LXGHTNXNG
kevans: it is
-
LXGHTNXNG
not the way you think
-
rtprio
LXGHTNXNG: do you mean gnu-watch, in ports?
-
LXGHTNXNG
rtprio: why, yes
-
rtprio
yes, i've seen "watch: snp module not available: Operation not permitted" more times than i can count
-
rtprio
maybe i should set an alias
-
Remilia
wow, that sure is a delay between freebsd-security@ mail exchangers
-
Remilia
Received: from mlmmj.nyi.freebsd.org by mx1.freebsd.org Tue, 8 Nov 2022 08:37:04 +0000 (UTC) // Received: from mlmmj.nyi.freebsd.org by mlmmj.nyi.freebsd.org Tue, 9 Aug 2022 22:35:39 +0000 (UTC)
-
LXGHTNXNG
possibly just a queue run problem
-
LXGHTNXNG
these things do get stuck sometimes
-
Remilia
(this is "FreeBSD Security Advisory FreeBSD-SA-22:11.vm")
-
Remilia
yeah I just got several of these
-
Remilia
for p1 and p3
-
Remilia
the emails keep on coming haha
-
tao
that's quite a regular thing unfortunately. i've reported it to postmaster@ a few times, queue gets fixed and then a few months later it'll break again
-
tao
mails might be getting held up in a spam quarantine or something until someone presses a button? no idea
-
danel1
Hi there :) anyone else receiving mails from the freebsd-security mailinglist, which are weeks old (e. g. FreeBSD Security Advisory FreeBSD-SA-22:11.vm)?
-
weust
Not yet?
-
dk
danel1: as i'm reading on some other channel, you're not alone. apparently, there was some issue with the mail systems.
-
Remilia
tao: yes it is annoying because these are security advisories :\
-
Remilia
danel1: I am getting those from August
-
tao
yes. it made me add "freebsd-update cron" into my crontab, as that way if there are any patches i get informed via email rather than depending on the mailing list
-
tao
this has happened more than once. and it's always the patch announcement emails that get stuck
-
danel1
Remilia same here..
-
danel1
We are also not just relying on the mailing list, but it's still very uncool that this happens for the security-related mails... that should be really looked at imho
-
xmj
hahaha
-
xmj
I was complaining about these security advisories elsewhere.
-
xmj
LXGHTNXNG, of course, is right - the mails were stuck in the queue and now released, said someone
-
xmj
tao: pressing buttons is important <3
-
tao
it's my guess. because the announcement emails don't look like normal user written messages, so I wonder if a spam checker has held them back in quarantine until someone notices and presses a release button
-
xmj
"Some mail was queued up on mx1 [...] I've released the messages from the queue."
-
nimaje
you could also use the atom feed
freebsd.org/security/feed.xml
-
VimDiesel`
Title: FreeBSD Security Advisories and Errata noticesFreeBSD Security Advisories and Errata noticesFreeBSD-EN-22:27.loaderFreeBSD-EN-22:26.camFreeBSD-EN-22:25.tcpFreeBSD-EN-22:24.zfsFreeBSD-EN-22:23.vmFreeBSD-EN-22:22.tzdataFreeBSD-EN-22:21.zfsFreeBSD-EN-22:20.tzdataFreeBSD-EN-22:19.pam_execFreeBSD-EN-22:18.wifiFreeBSD-SA-22:13.zlibFreeBSD-SA-22:12.lib9pFreeBSD-SA-22:11.vmFreeBSD-SA-22:10.aioFreeBSD-SA-22:09.elfFreeBSD- (1 more message)
-
nimaje
hm, VimDiesel` should probably only use rss > channel > title for that and not all titles
-
gh00p
so, I have a mail server in one jail and haproxy in another jail, and I want letsencrypt certs applied to both. Can I use a single multiple-name cert for everything, or should I have a separate cert per service? (i.e. one for smtp, one for imap, one for http)
-
gh00p
If it's safe/reasonable/possible to use just one cert for all of them, I can run acme.sh on the jail host, then deploy directly into each of the guests, I think.
-
gh00p
Hm, or maybe I just make it a wildcard certificate? Will that work for sendmail and dovecot?
-
tao
i use a wildcard *.example.com certificate for everything. it works fine. the only thing to consider is if you ever lose the key or have to revoke it for any reason it means it affects all services and not just one
-
tao
if all of the services were owned by me i prefer it that way, single cert. if all of the services were owned by different people, I would do one cert per service
-
gh00p
good to know it works, thanks. All my stuff is me, I'm very small. :)
-
gh00p
Now I just have to figure out how to do this...
-
gh00p
tao, do you use acme.sh? If so, did you issue with `acme.sh --issue -d example.com -d \*.example.com` ?
-
rtprio
gh00p: i don't think acme.sh will do the wildcard certs
-
rtprio
because verification is more complicated
-
tao
acme.sh --issue --server letsencrypt -k ec-256 --syslog 6 --dns dns_gandi_livedns --dnssleep 300 --always-force-new-domain-key -d example.com -d *.example.com
-
rtprio
ok, it might work if gandi is your dns provider
-
tao
then i install that into a directory like /var/certs , and point nginx, dovecot, postfix etc. at it. and use --reloadcmd to restart all three at once
-
gh00p
hmm. If I make a multiname (SAN?) cert, do I need to verify ownership of each hostname specified? They all resolve to the same IP...
-
gh00p
rtprio, what is special about gandi? I just run bind9.
-
rtprio
gh00p: to use a wildcard cert, you need to use a specified dns provider
-
gh00p
so I cant run my own dns?!
-
rtprio
sure you can, you'd just have one cert per name
-
gh00p
so .. you're saying that if I want to use a wildcard cert, I have to purchase DNS service from a third party rather than running my own?
-
gh00p
That doesn't sound right.
-
tao
you can use your own DNS server to do it, it just means you have to do some scripting
-
rtprio
-
VimDiesel`
Title: User Guide — Certbot 1.31.0 documentation
-
rtprio
if you only have two names, just do two certs; it's not like you've got 1000 hostnames
-
tao
you basically need to make a plugin that would script adding and removing a DNS entry, and you would use it like --dns dns_my_plugin , there may already be an example one. i haven't checked
-
tao
or use multiple SAN rather than wildcard, then you can use HTTP validation
-
ghoti
rpthms: acme.sh also provides a list of third parties, but includes nsupdate (which I think is rfc2136) and ssh, which is completely scriptable.
-
ghoti
rtprio I mean
-
rtprio
ssh what are you talking about man?
-
ghoti
-
VimDiesel`
Title: acme.sh/ssh.sh at master · acmesh-official/acme.sh · GitHub
-
gh00p
rtprio, I have {mailhost,smtp,imap}.example.com in one jail and {www,git,test,etc}.example.com in another jail. And I spin up other subdomains on demand.
-
rtprio
ok
-
rtprio
gh00p: right i get that
-
gh00p
tao: ah, "then you can use HTTP validation". A vital piece of information, thanks - I wasn't aware that DNS validation was required for wildcard certs. I'll steer in that direction then.
-
tao
yes. DNS is required for wildcard. can't use HTTP
-
ngelover
anyone did the BSD specialist cert from LPI?
-
Remilia
gh00p: I terminate all TLS with haproxy and haproxy handles the ACME back-end (just sends everything to a lo0 certbot port), works quite well in my case with some deploy hooks that install certificates in other jails/restart affected services
-
Remilia
nimaje: using Atom is not as convenient as email via an IMAP4 server in my case :\
-
Remilia
plus the feed is just links to the website…
-
rtprio
what atom feed?
-
Remilia
freebsd.org/security/feed.xml
-
Remilia
with www in front
-
rtprio
there's a security mailing list, you should probably use that;
-
Remilia
-
Remilia
rtprio: uhhh
-
Remilia
I am not sure if you are making fun of me now but the entire discussion was about the fact that emails from that list got held up in the FreeBSD MX mail queue since August
-
rtprio
i wasn't; it's too early in the morning and i didn't follow the scrollback very far, sorry
-
Remilia
I am subscribed to the security mailing list haha it is just that this morning I started getting emails with SAs from August and from a week ago that I never received before
-
Remilia
so nimaje suggested RSS
-
» Remilia does not like RSS because every now and then she sees the feeds suddenly pop unread duplicates
-
tao
that's the fault of the feed creator rather than RSS itself. happens if the GUID changes when it should be permanent and never change
-
nimaje
yep, that the EN/SA feed doesn't contain the actual announcement is the reason that I get them via email too
-
yashi
Is the answer to "sshd[92188]: error: maximum authentication attempts exceeded for invalid" fail2ban?
-
iio7
I am trying to mount an ISO file in order to extract some content. I do "mdconfig -a -t vnode -f foo.iso", and the device is created as md0, but when I try to mount it with "mount -t cd9660 /dev/md0 /mnt", I get the error "mount_cd9660: /dev/md0: Invalid argument". What am I missing?
-
mtu
boy, that ".zfs/snapshot/-over-nfs" bugfix in 13.1-RELEASE-p3 had me doing a happy dance. i was sure it was some systemd-related bullshit on the Linux side that would never get resolved. i wasn't even aware it was being tracked as a FreeBSD bug!
-
nimaje
yashi: depends on the full question and there is blacklistd too, which is in the base system
-
rtprio
iio7: that's the right procedure; are you certain the iso is good?
-
yashi
nimaje: The question is "what to do in response to these lines appearing in my log"?
-
rtprio
fail2ban would reduce them, sure
-
nimaje
as you're probably not in control of who- or whatever exceeds maximum authentication attempts for ssh connections you could probably only reduce them via blacklistd or fail2ban or something similar
-
iio7
rtprio, yes, the ISO is fine, I can mount it on both Linux and Windows.
-
yashi
I see, thank you very much.
-
yashi
Or I should simply entirely disable password logins?
-
rtprio
that wouldn't hurt either
-
mtu
yashi: it wouldn't stop malicious connection attempts, but it would make them much, much less likely to succeed. i've done that regularly on all my servers for years, never regretted it
-
mtu
just keep your keys on the other side safe, so you don't lock yourself out ;)
-
yashi
right
-
yashi
thanks:)
-
yashi
Is there some kind of website that will scan my host for holes?
-
V_PauAmma_V
How do I find out what, of my laptop's BIOS, ACPI, a (13.1) driver or kernel module, or XFCE, dims the display when I unplug the AC connector but fails to restore its brightness when I plug it back in? I could rule out XFCE by testing without it running, but that won't tell me which of the other 3. (My goal is to make it brighten back - and subsidiarily make the dim and brighten buttons work, in case that's an XY thing.)
-
RhodiumToad
I'd bet on xfce first
-
RhodiumToad
then the bios
-
meka
I would try without X/Wayland running. If it also happens in tty, it's probably not the OS
-
nacelle
sounds acpi related to me
-
V_PauAmma_V
OK, let me try without X.
-
pvalenta
hello, is there a simple way of showing total memory usage of some concrete jail?
-
RhodiumToad
attribution of memory usage to processes is hard, attributing it to jails is even harder
-
RhodiumToad
memory is frequently shared
-
RhodiumToad
basically, any attempt to show memory usage of only parts of the system will return inflated results due to double-counting
-
Erhard
How do I enable a flag for ports when building with portmaster? I want to enable PORTS_READLINE for shells/bash
-
Erhard
(Well, I want to get shells/bash to compile and it seems to be related to that)
-
RhodiumToad
easiest way is probably to do make config in the individual port dir first
-
Erhard
Will that carry through when using portmaster?
-
Erhard
I am not clear how that works in relation to editing individual ports.
-
RhodiumToad
portmaster should use any options already set, iirc it'll then prompt you for ports where you haven't yet set the options
-
Erhard
I see. OK Thx. Trying
-
RhodiumToad
what error did you get when building?
-
Erhard
Scrolled off now, but it said try disabling that (I had it backwards; it was enabled in the conf)
-
Erhard
It said incompatible readline
-
RhodiumToad
ah right
-
Erhard
This is 14
-
Erhard
I think it is going now. We'll see what other issues I have.
-
Erhard
It's mainly a test machine, on current
-
Erhard
That seems to be working. Thanks.
-
RhodiumToad
these days poudriere is probably a better approach than portmaster
-
pvalenta
RhodiumToad, thank you
-
RhodiumToad
pvalenta: you might look into racct / rctl though
-
pvalenta
RhodiumToad, yes, I am reading man rctl right now :-)
-
_xor
Is sysctl going to be my best bet for getting the CPU frequency?
-
RhodiumToad
to get the current frequency? yes
-
_xor
Hmm, good point on current.
-
_xor
Halfway through implementing this lib that needs to get basic hardware info. It's part of an orchestration/scheduling system that already supports docker, and I'm implementing this to add support for jails.
-
_xor
The lib needs to report hardware info, among which is CPU frequency. Since you mentioned current, I realized that it's probably going to be better to report the max CPU frequency instead of the current clock.
-
_xor
How much more involved is it going to be to determine the max CPU frequency?
-
RhodiumToad
sysctl also shows the available frequency settings
-
meka
sysctl dev.cpu.0.freq_levels
-
_xor
Ah nice, that'll do.
-
_xor
Though is it safe to assume that string format?
-
Erhard
RhodiumToad: poudriere, yes. Probably need to focus on that. I had gotten portmaster off the handbook, but haven't spent much time with ports on FreeBSD.
-
V_PauAmma_V
OK, still dims with no XFCE (or X). So I'm guessing, per suggestions, either BIOS or ACPI. BIOS is probably unfixable in practice. ACPI... might be able to do something through devd.conf.
-
V_PauAmma_V
Thanks all.
-
RhodiumToad
try booting single-user (specifically, make sure that powerd is not in play)
-
V_PauAmma_V
ps auxww | grep power says it's not running. (And it's disabled by default and not overridden.)
-
RhodiumToad
look for bios settings then?
-
V_PauAmma_V
Yeah, that's probably the next step.
-
sers
hi guys
-
sers
How's FreeBSD life? :)
-
sers
Btw, I trashed my headless FreeBSD notebook some time ago and switched to Linux. ;--)
-
sers
Adjusting leap seconds manually on FreeBSD, good memories! ;)
-
sers
Or something like it, can't remember, ehe
-
Demosthenex
yay! dma replacing sendmail
-
sers
:)))
-
V_PauAmma_V
Nothing in BIOS setup jumps out to me, and xbrightness doesn't do anything. (So even if I could use devd.conf, I'd have no way to set the brightness that I can think of.) Guess I'm out of luck.
-
LXGHTNXNG
Demosthenex: woot?
-
yuripv
V_PauAmma_V: you could try dumping the ACPI tables, find the method that changes the brightness, and use sysutils/acpi_call to change it back? :)
-
Demosthenex
LXGHTNXNG: the commit made HN
-
LXGHTNXNG
I don't read HN
-
yuripv
hn?
-
parv
Hacker News
-
yuripv
ah
-
parv
Anyone know of the plans|roadmap (of FreeBSD) to be able to use "mixed CPU layout" like Intel 12th generation with P- & E-cores?
-
parv
... and what are they?
-
nimaje
is that something similar to that little-big stuff some arm chips do?
-
parv
Yes
-
parv
A CPU with smaller number of more powerful cores|chips|"subCPU(?)" along with larger number of less powerful ones
-
parv
In the near future it may be more probable to buy an AMD (homogeneous) CPU ThinkPad laptop than an Intel one I think
-
parv
... and then I would also need to worry about GPU support
-
nacelle
it would most likely be amdgpu
-
nacelle
so not much of a worry yeah?
-
parv
Sure hope so
-
parv
Hamilton BSD User Group online meeting starting in ~25 minutes:
twitter.com/hambug_ca/status/1590096226774831106
-
VimDiesel`
Title: HAMBug on Twitter: "Join the Hamilton BSD User Group online (
t.co/xEAKtuMPeV) tonight at 6:30 pm EST for open discussion on #FreeBSD #OpenZFS #OpenBSD #NetBSD and more!!
t.co/xz7tv3osFl" / Twitter
-
parv
... wow was not getting any sound :-|
-
yashi
parv: What is Hamilton?