00:00:38 the process isolation bit being this: https://ansible-runner.readthedocs.io/en/stable/execution_environments/ ?
00:00:40 Title: Using Runner with Execution Environments — ansible-runner documentation
00:01:05 "All aspects of running Ansible Runner in standalone mode (see: Using Runner as a standalone command line tool) are true here with the exception that the process isolation is inherently a container runtime (podman by default)."
00:01:06 ?
00:02:02 and this: https://ansible-runner.readthedocs.io/en/stable/standalone/#outputjson ?
00:02:03 Title: Using Runner as a standalone command line tool — ansible-runner documentation
00:02:17 "You can enable process isolation by providing the --process-isolation argument on the command line. Runner as of version 2.0 defaults to using podman as the process isolation executable, "
00:02:19 ?
00:02:26 koobs: https://ansible-runner.readthedocs.io/en/latest/container/
00:02:27 Title: Using Runner as a container interface to Ansible — ansible-runner documentation
00:02:45 pedahzur: what are your other constraints/tradeoffs for making a decision here?
00:02:54 Yes. We call ansible_runner.interface.run(**runner_kwargs) which spawns a container run using the playbook.
00:03:51 koobs: Well, at this point, the product we're dealing with uses ansible-runner. We could migrate to something else, or create some custom jail-fiddling code, but then we're recreating ansible runner...but for jails. If runj and/or podman is coming to FreeBSD, we may be able to wait and just use that.
00:04:11 and bubblewrap is https://github.com/containers/bubblewrap
00:04:13 Title: GitHub - containers/bubblewrap: Unprivileged sandboxing tool
00:04:14 not pypi: bwrap?
00:04:19 I'm assuming it is
00:06:49 pedahzur: my take/knowledge on dfr's podman work is a) they're taking an upstream first approach, and many if not all required support patches have already landed upstream b) they're already at the point where they're proposing and we're reviewing podman (& buildah) ports, so that means at least dfr believes it's ready, or at least has had it working
00:07:12 Nice.
00:08:54 pedahzur: if we're assuming ansible-runner, and removing that (not replacing it with custom code) is not an option, and ansible uses podman, and runner will work with any support that podman inherits/gets (a la freebsd jails), then that looks like the path of least resistance, and is a good opportunity to check dfr's work, (a real consumer), and provide feedback which will benefit everyone
00:09:17 the only other option I'd seriously consider, is using runj/containerd, and look to where/how to hook into it using what you have
00:09:26 that wouldn't be replicating podman/bwrap side stuff
00:10:00 the downside considerations for runj/containerd is, the OCI spec is not complete, but it does work (with networking and linux jail support)
00:10:13 Gotcha. Yeah, if podman is in a testable state, that would be a neat path to try.
00:10:15 and samuel (runj/containerd) would love more feedback on that side too
00:10:31 certainly, runj/containerd is the purer path
00:10:34 as it's not frontend specific
00:10:57 docker will eventually get runj support (as it's a freebsd port/execution backend for jails as runc is for cgroups for linux)
00:11:09 as will anything that supports the kind of thing runj is
00:11:12 or uses containerd
00:11:23 question that comes to mind is
00:11:29 can ansible runner use containerd?
00:11:31 if not why not ?
00:12:28 Ansible Runner can invoke docker, podman, or bwrap. So, if docker uses containerd, then probably so.
00:12:46 https://github.com/geerlingguy/ansible-role-containerd
00:12:47 Title: GitHub - geerlingguy/ansible-role-containerd: Ansible Role - containerd.io
00:12:53 or is that just packaging
00:12:55 mmmm
00:13:01 yah it is
00:14:10 seems ansible uses containerd to do its kubernetes stuff
00:14:18 weird gap it can't/won't do it for anything else?
00:15:12 https://github.com/ansible/ansible-runner/blob/devel/test/fixtures/projects/containerized/project/test-container.yml#L12
00:15:13 Title: ansible-runner/test-container.yml at devel · ansible/ansible-runner · GitHub
00:15:20 note containerd ref'd there (with docker/podman)
00:16:19 could just be test env checks and things though
00:17:10 yeh looks like it
00:17:34 https://github.com/ansible/ansible-runner/blob/devel/test/conftest.py#L13-L16
00:17:35 Title: ansible-runner/conftest.py at devel · ansible/ansible-runner · GitHub
00:17:56 pedahzur: weird, I'd have expected plain containerd support given its generic nature
00:18:13 perhaps it uses docker/podman features only available in higher level frontends, and not underlying runtimes
00:18:19 be nice to understand what, if so
00:18:27 opportunity for runner to support containerd perhaps
00:18:45 koobs: Thanks for all the information and all the digging. It's greatly appreciated!
00:20:09 pedahzur: pleasure, you're welcome
00:20:21 pedahzur: see pm
00:52:26 can someone point me to documentation that describes the best way to re-install zfs/efi boot loaders?
00:54:05 does the behavior of git bisect depend on the branch you're on?
00:58:18 i'm using freebsd-current.
01:01:31 crb: can you elaborate. It should go by commits on the branch you're on.
01:10:19 Does bsd.network Activitypub defederate Pleromata?
01:10:45 ayan: maybe under 'BOOTSTRAPPING' in the gpart manpage
01:21:57 pedahzur: I'm trying to find a bad commit between 13.0 and 13.1 releases.
If I do a git clone do I need to be on the 13.0 branch vs if I just clone the repo and start bisecting
01:29:21 crb: you need to have the repo; to do that you need to clone
01:30:13 rtprio, yes of course, but does it make a difference if I switch to what stable/13 before I bisect?
01:30:34 will it limit the bisect to commits only on that branch which is presumably faster?
01:30:38 and don't forget git pull --tags ... no i think you can just bisect as long as you know which two commits you're between
02:59:53 Does it make more sense to put my Maildirs in user home directories, or in a common directory outside of /home ?
03:00:57 I'm trying to figure out if there's any administration headaches I would take on or avoid with one directory layout or the other.
03:03:02 gh00p: Will it be better to have Maildirs possibly on a different zfs dataset? Do your mail users have shell accounts? How are we to know your setup or priorities?
03:06:09 gh00p: Without further information, I can't tell you. I have a mixed setup at my own site; some Maildirs are in user homes (/Users on workstations, /usr/home on servers) and some Maildirs are in /var/vmail because they're for accounts with no shell access. The only administration headaches are if you don't use Maildirs.
03:07:19 ghoti: A couple of mail users have shell accounts, but mostly not. Home directories are already on a separate dataset, so I guess "growing the Maildir filesystem" is already covered.
03:07:57 Maildirs at this point are effectively the gold standard in email storage. They work anywhere, as long as your system has vaguely UNIX filesystem semantics.
03:08:00 LXGHTNXNG, how do you put some in one directory and some in another? I'm planning to use procmail for delivery and dovecot for imap. What tools are you using?
03:08:35 On my FreeBSD server where I use dovecot imap, I am also using dovecot for delivery as my needs are relatively simple (although I do have a farm of .qmail files)
03:09:40 On my illumos server where I do not use any IMAP, I just use the LDA inherent in Nightmare Mail, my qmail fork, which supports Maildirs just fine (though it implements an older version).
03:09:46 LXGHTNXNG, ya, Maildirs are not in question. I didn't know that dovecot could deliver too! I will have to read about that. But I want procmail for other reasons..
03:10:08 You may have to have procmail somehow pass off onto dovecot-lda
03:10:19 Why?
03:10:38 since procmail also has its own LDA, but if you want quick notifications with dovecot that's not going to be an option
03:11:02 (My unfamiliarity with procmail is showing.)
03:11:19 What do you use procmail for, and what mailserver are you using? Postfix, I take, since that seems to be the standard on UNIX nowadays?
03:11:55 hang on, let me see if I can pull up a manpage on procmail
03:12:12 Hmm. I have only ever used procmail as an LDA. Mail server is sendmail (from ports). I looked in to postfix, but I couldn't confirm that it was capable of one of the features I need.
03:12:31 what would that feature be?
03:12:38 LXGHTNXNG, I have /usr/local/etc/procmailrc with the line `DEFAULT=$HOME/Maildir/` for delivery.
03:13:14 procmail's website just returns json.
03:13:59 I have a number of users who receive mail for tag⊙uec that sendmail's virtusertable rewrites to username+tag⊙ec and then processes as normal. The procmail documentation provided me no wisdom, and the people in their IRC channel were decidedly unfriendly.
03:14:16 gh00p: I've encountered that with postfix people too...
03:15:01 LXGHTNXNG, try https://github.com/BuGlessRB/procmail, /usr/ports/mail/procmail-bgrb
03:15:09 I found that thanks
03:16:17 ...
03:16:38 they have deliberately corrupted the manpages...
03:17:19 corrupted? how?
03:17:43 I can't read them with FreeBSD man(1).sh
03:18:21 sorry, I'm just slightly distraught I'm having to run gmake just to read some beautifully-typeset manpages rather than wading through man source
03:18:41 what's this about lock testing?!
03:18:46 oh, procmail...
03:18:52 Er, what is man(1).sh? I am just using the standard `man`...
03:19:05 man.sh is just the standard man
03:19:24 but because it's written in sh, and because I use it on a different OS, yeah
03:19:34 Ah.
03:19:41 Well, it works for me.
03:19:48 right
03:19:53 Any idea what is different for you?
03:20:20 Or are you saying, it doesn't work for you to read procmail man pages on a different OS?
03:20:59 correct
03:21:11 sorry, this is all garbage, just ignore me
03:21:42 hang on, I'll just go to a freebsd system and install procmail there from packages, it's not that hard
03:21:44 Heh. Anyway, I was just wondering about the best location for Maildirs. I think I might as well just leave them in home directories?
03:21:51 Yeah, probably.
03:23:21 LXGHTNXNG, if you want to use procmail for local delivery with sendmail, you'd of course need to change sendmail's .mc file and recompile the config. I don't know how you'd use it for local delivery in postfix, I never got that far.
03:26:28 this: https://www.postfix.org/pipe.8.html
03:26:30 Title: Postfix manual - pipe(8)
03:27:03 however, I don't think postfix allows you to automatically remap username⊙tec to tenant+username⊙ec
03:27:27 I believe that has to be arranged manually for each `tenant`
03:28:27 Postfix supports regex-based maps
03:28:41 I was told it might be possible with a regex map, but also told that nobody would say where it would actually be configured unless I went to the trouble of migrating to postfix first. Which doesn't make sense.
03:30:11 let me see if I can get my iguana to tell me more about regex maps in postfix ....
https://www.postfix.org/regexp_table.5.html
03:30:12 Title: Postfix manual - regexp_table(5)
03:30:15 but sendmail is still supported.
03:31:14 ghoti: yup. It's outlived all these upstart MTAs, like qmail, postfix, Courier, Maddy, Mailu, Mailcow, etc.
03:32:15 qmail has a definite expiry date as it is no longer maintained. The maintainer left three serious bugs unfixed. Postfix is still around but is newer than Sendmail. Courier is still around. The last three are new developments - and more than one friend has reported one of them causing their server to go into an open relay configuration, which I did not find reassuring.
03:32:25 gh00p: you don't need regexes in sendmail for this, just virtusertable entries like: @foo.example.com foo+%1⊙ec
03:33:08 yes, that is what I do.
03:34:00 Well then. If it ain't broke...
03:43:09 Next question, should I bother with signed certificates for imaps and starttls, or just go with self signed?
03:44:09 Depends on your userbase for IMAP; for ESMTPS absolutely get CA-signed certs
03:46:16 I was going to say, I haven't had any problems with mail delivery with self signed certs, but LXGHTNXNG sounds like he knows more than me. :)
03:46:43 I really don't, ghoti. I know more about one specific, kinda dumpy MTA.
03:51:10 But you SOUND like you do, which is usually good enough. ;) Do self-signed certs get refused by relays? I haven't noticed mail bouncing, perhaps they just back off to ESMTP without STARTTLS?
03:51:54 I don't know.
03:52:05 That would be strange. What's the point of having encryption if you just don't encrypt when the cert can't be verified?
03:52:47 gh00p: I think because "keep the system running" is a higher priority than "make the system safe".
03:52:52 I do know that I've been using fully signed certificates ever since I finally turned up an SMTPD that I could actually figure out how to do that on.
03:53:24 and I've been seeing things come in over ESMTPS ever since I added the ability to know that they were doing so.
03:54:01 I still only send over classic SMTP, amusingly. The joys of an MTA that was last maintained in 1999.
03:54:16 I've been planning to learn to run Let's Encrypt certs for web stuff. Shouldn't be too much of a stretch to make certs for mail as well, right?
03:54:59 trivial in fact, I use LE certs for mail
03:55:06 same
03:55:41 hm, I wonder how plan 9 specific UPAS is...
03:55:54 what is UPAS?
03:56:27 it's the plan 9 mail server. the name is actually spelled in lowercase
03:58:53 wow, I haven't played with plan9 for decades. (Well, two of them.) It still exists?
03:59:49 I mean...
04:00:26 but even without retrocomputing, yeah there is a project to maintain plan 9 and make it usable for its (primarily OS researcher) user base
04:01:22 using VM threads in the SMTP client...
04:01:45 plan 9 is a whole different country
04:05:48 for reference: https://plan9.io/magic/man2html/2/thread
04:05:51 Title: Plan 9 /sys/man/2/thread
04:05:59 this got way off topic. I'll shut up.
04:07:09 hi, can you please point me to a solid guide of how to install a GUI on freebsd? I have put a machine together and it works nice command line only, whenever I try to install a gui though, it never loads, x-org errors out and says connection refused. I have followed a couple of videos on youtube, but I think I am missing some steps
04:08:58 LXGHTNXNG: pretty sure upasfs is in p9p
04:09:30 adossi: Have you used X before?
04:09:56 ccx: it seems only the spam management utilities built on my illumos system and on my HBSD workstation.
04:10:04 yes, I can build archlinux; opensuse; and fedora servers from scratch without any hiccups
04:10:45 adossi: If I'm not mistaken, `pkg install xorg-server xorg-drivers drm-kmod` should install an X11 server.
You would then want to fire that up in your login shell as your regular user (`Xorg :0& DISPLAY=:0 xfce4-session` is how I go about this)
04:10:52 adossi: start with https://docs.freebsd.org/en/books/handbook/x11/ then.
04:10:53 Title: Chapter 5. The X Window System | FreeBSD Documentation Portal
04:10:55 i know the steps to install the x org server, and configure the rc file, but it beats me why when xorg tries to load i get the connection refused error
04:11:01 LXGHTNXNG: not that i want to use qmail, but what are those bugs?
04:11:02 I put a sleep between the Xorg and the DISPLAY=:0 xfce4-session thing
04:11:24 thank you Vim, i will read that, and I will try LXGH your suggestion as well
04:11:53 adossi: VimDiesel is a bot that gives us the titles of posted URLs.
04:12:01 rtprio: https://www.helpnetsecurity.com/2020/05/20/qmail-rce/
04:12:02 oh ok sorry , lol
04:12:02 Title: Vulnerability in Qmail mail transport agent allows RCE - Help Net Security
04:13:16 ghoti, i don't think i tried the drm-kmod, is that a login manager like sddm or something?
04:13:28 no, it's for the 3d acceleration
04:13:35 adossi: what GPU do you have?
04:13:48 so you can play games (to wit: FlightGear. that's it.) on your shiny new FreeBSD box
04:14:02 ok, the box i have is an older one that has intel chips and cpu, but it has a basic amd card
04:14:17 This is how I pull up Xfce4 on my workstation. I use `dtach` to avoid hogging my login terminal. dtach -A ~/.desktopsession zsh -c 'export DISPLAY=:0.0; X $DISPLAY& (sleep 1; xfce4-session)'
04:14:27 I believe dtach is available in packages.
04:14:34 oh, weird, I got it from pkgsrc.
04:14:39 LXGHTNXNG: you don't use .xinitrc or .xsession ?
04:14:48 which starts those things for you
04:14:50 adossi: ok, the drm-kmod package is drivers for intel and amd GPUs (for nvidia, there's a separate driver)
04:15:12 rtprio: this is just the way that works for me. I've had nothing but problems with those methods.
04:15:13 ok that might be the issue, thank you for that, don't have any rigs with nvidia
04:15:26 you can run without drm-kmod but you only get framebuffer performance
04:15:26 I'm aware it's a race condition
04:16:28 i see, on a separate question is there something like dbeaver that runs on freebsd? I downloaded both dbeaver and navicat, but they were both non starters,
04:17:05 by the way, I installed a gui version, i think it was nightbsd on a spare laptop, hence my second question about dbeaver or navicat
04:17:51 not aware of software like that; if it ran on freebsd you'd probably have heard of it as it'd work on linux too
04:18:43 so what do you guys use on freebsd to do database development? I am running postgresql and mariadb databases
04:18:59 asmodai: psql and mysql
04:19:08 er
04:19:10 command line then
04:19:15 adossi: psql and mysql
04:19:16 yep
04:20:07 so you use command line to write queries? or use a text editor and you cut and paste?
04:20:27 yeah; you know psql you can edit queries in the command line
04:20:33 or \e myfile.sql
04:21:03 yes, honestly i love postgre, mariadb i have to use due to work,
04:21:22 i think mysql/mariadb took a dive after oracle got involved as usual
04:21:22 I use both. PG has been kinda heartbreaking for me because I could never figure out replication
04:21:25 * RhodiumToad mutters at "postgre"
04:21:35 No match.
04:21:46 call it pg or pgsql or postgres or postgresql, but never "postgre"
04:21:54 LXGHTNXNG: slony but i think there's also a half dozen others
04:22:05 replication is built in these days
04:22:14 RhodiumToad: oh cool
04:22:32 best one i ever heard was the "microsoft squirrel server"
04:22:34 I don't know if slony is still maintained :-)
04:22:47 yes as long as your role can do replication , it is not a big deal with pg
04:23:43 for the life of me i cannot write a decent trigger on mariadb lol, but I can do one in pg with my eyes closed
04:23:57 rtprio: beep boop?
04:24:27 I mean at some point I just want to write my own rdbms. And then turn off the workstation for the last time and go out into the sticks.
04:25:22 I wonder if a satisfactory RDBMS can be written using only a UNIX filesystem.
04:25:35 probably not
04:25:53 No, I'll do you one harder: using only a standard Plan 9 filesystem as the backing store, and with very thin shims to actually do the thing.
04:25:57 For some variation of "satisfactory" perhaps
04:26:34 depends how you want to do transactions, I guess
04:27:00 I mean I want it to be that I don't report success until everything is safely on the platters
04:27:08 but that's just a normal thing in anything that touches data
04:27:40 sorry asking too many questions, so ZFS, when i use zpool on the linux side, i can add a drive on a stripe zpool without any issues, but on the freebsd side the machines become non bootable, do i really have to 'move' the system, expand the zpool, and move the system back just to add a physical drive (a.k.a. pvcreate xxxx in the lvm world)
04:28:17 I really should be hacking on suitcase (my project of Yet Another C Unstandard Library)
04:28:22 becomes non bootable in what way?
04:28:24 At my first ISP job, I was tasked with maintaining the customer billing system, which was built in shell, awk, sed and ghostscript. "satisfactory" is relative.
04:28:47 ghoti: *clears throat* What?
04:29:07 sh, awk, sed, and ghostscript? You didn't use the AGPL components, at least?
04:29:30 LXGHTNXNG: this was 1992.
04:29:39 right. There must not have been an agpl in '92
04:30:12 I think I, for some value of I, wrote a shim around Heirloom mailx in shell once.
04:30:29 not exactly sure what was up with that.
04:35:27 hm
04:36:56 ghostscript was a mess back then, with gpl, Aladdin, then agpl, and no documentation to tell us if there were practical differences between them.
04:40:01 .oO( Hmm. Nod )
04:42:49 Well, I never found any significant difference between them besides licenses.
Ancient history now of course.
04:44:59 So, is there a guide on how to use letsencrypt to make certs for sendmail? I see a bunch of moving parts I don't quite understand.
04:45:27 the https guides are plentiful, but not so much starttls.
04:45:45 personally I use acme.sh
04:47:04 the main thing with doing certs for email only is that if you don't also have https on the same hostname, you'd want to use some other method to verify the domain, such as DNS
04:47:23 Is there any handy replacement for Linux-style `watch`?
04:50:21 I like that acme.sh is in shell, but who the heck runs commands like `curl -o- somewhere | sh` ?
04:50:42 ...?
04:50:50 ccx: `while sleep 1; do $@; done` ?
04:52:37 That's viable, though fairly ugly. (add date and clear to be more faithful, but still pretty hard to spot changes)
04:52:56 gh00p: many many many people. Convenience always seems to trump security.
04:53:25 last I looked (which was admittedly a long time ago), there was a port for acme.sh
04:53:55 hence no need to mess with dangerous installation practices
04:53:58 There's a port for quite a few LE/ACME clients. I think I'll deploy uacme soon.
04:54:37 RhodiumToad that would be better, I was looking at the "How to install" section from the README.
05:02:17 ccx: gwatch should be in ports, though I am unsure of its name (maybe cmdwatch).
05:03:23 LXGHTNXNG: thanks
05:03:35 Somehow I've missed it in my search
05:04:49 I don't have it installed at my site.
05:23:04 yeah, cmdwatch
05:23:35 watch(8) confused me for a solid minute when I switched to freebsd
05:35:54 I have threads on the brain
05:51:55 that sounds painful
05:52:20 * parv snorts
06:22:04 kevans: it is
06:22:09 not the way you think
07:02:22 LXGHTNXNG: do you mean gnu-watch, in ports?
07:04:09 rtprio: why, yes
07:07:44 yes, i've seen "watch: snp module not available: Operation not permitted" more times than i can count
07:07:51 maybe i should set an alias
08:44:34 wow, that sure is a delay between freebsd-security@ mail exchangers
08:45:36 Received: from mlmmj.nyi.freebsd.org by mx1.freebsd.org Tue, 8 Nov 2022 08:37:04 +0000 (UTC) // Received: from mlmmj.nyi.freebsd.org by mlmmj.nyi.freebsd.org Tue, 9 Aug 2022 22:35:39 +0000 (UTC)
08:46:01 possibly just a queue run problem
08:46:05 these things do get stuck sometimes
08:46:06 (this is "FreeBSD Security Advisory FreeBSD-SA-22:11.vm")
08:46:24 yeah I just got several of these
08:46:32 for p1 and p3
08:59:50 the emails keep on coming haha
09:01:40 that's quite a regular thing unfortunately. i've reported it to postmaster@ a few times, queue gets fixed and then a few months later it'll break again
09:02:12 mails might be getting held up in a spam quarantine or something until someone presses a button? no idea
09:25:21 Hi there :) anyone else receiving mails from the freebsd-security mailinglist, which are weeks old (e. g. FreeBSD Security Advisory FreeBSD-SA-22:11.vm)?
09:34:00 Not yet?
09:35:26 danel1: as i'm reading on some other channel, you're not alone. apparently, there was some issue with the mail systems.
09:36:03 tao: yes it is annoying because these are security advisories :\
09:36:23 danel1: I am getting those from August
09:37:03 yes. it made me add "freebsd-update cron" into my crontab, as that way if there are any patches i get informed via email rather than depending on the mailing list
09:37:29 this has happened more than once. and it's always the patch announcement emails that get stuck
09:39:34 Remilia same here..
09:41:24 We are also not just relying on the mailing list, but it's still very uncool that this happens for the security-related mails... that should be really looked at imho
09:52:21 hahaha
09:52:35 I was complaining about these security advisories elsewhere.
09:53:33 LXGHTNXNG, of course, is right - the mails were stuck in the queue and now released, said someone
09:53:57 tao: pressing buttons is important <3
09:54:58 it's my guess. because the announcement emails don't look like normal user written messages, so I wonder if a spam checker has held them back in quarantine until someone notices and presses a release button
09:56:02 "Some mail was queued up on mx1 [...] I've released the messages from the queue."
12:30:12 you could also use the atom feed https://www.freebsd.org/security/feed.xml
12:30:13 Title: FreeBSD Security Advisories and Errata noticesFreeBSD Security Advisories and Errata noticesFreeBSD-EN-22:27.loaderFreeBSD-EN-22:26.camFreeBSD-EN-22:25.tcpFreeBSD-EN-22:24.zfsFreeBSD-EN-22:23.vmFreeBSD-EN-22:22.tzdataFreeBSD-EN-22:21.zfsFreeBSD-EN-22:20.tzdataFreeBSD-EN-22:19.pam_execFreeBSD-EN-22:18.wifiFreeBSD-SA-22:13.zlibFreeBSD-SA-22:12.lib9pFreeBSD-SA-22:11.vmFreeBSD-SA-22:10.aioFreeBSD-SA-22:09.elfFreeBSD- (1 more message)
12:31:53 hm, VimDiesel` should probably only use rss > channel > title for that and not all titles
15:59:14 so, I have a mail server in one jail and haproxy in another jail, and I want letsencrypt certs applied to both. Can I use a single multiple-name cert for everything, or should I have a separate cert per service? (i.e. one for smtp, one for imap, one for http)
16:00:02 If it's safe/reasonable/possible to use just one cert for all of them, I can run acme.sh on the jail host, then deploy directly into each of the guests, I think.
16:01:36 Hm, or maybe I just make it a wildcard certificate? Will that work for sendmail and dovecot?
16:02:24 i use a wildcard *.example.com certificate for everything. it works fine. the only thing to consider is if you ever lose the key or have to revoke it for any reason it means it affects all services and not just one
16:04:11 if all of the services were owned by me i prefer it that way, single cert.
if all of the services were owned by different people, I would do one cert per service
16:04:36 good to know it works, thanks. All my stuff is me, I'm very small. :)
16:05:23 Now I just have to figure out how to do this...
16:06:40 tao, do you use acme.sh? If so, did you issue with `acme.sh --issue -d example.com -d \*.example.com` ?
16:07:28 gh00p: i don't think acme.sh will do the wildcard certs
16:07:40 because verification is more complicated
16:08:14 acme.sh --issue --server letsencrypt -k ec-256 --syslog 6 --dns dns_gandi_livedns --dnssleep 300 --always-force-new-domain-key -d example.com -d *.example.com
16:08:57 ok, it might work if gandi is your dns provider
16:08:58 then i install that into a directory like /var/certs , and point nginx, dovecot, postfix etc. at it. and use --reloadcmd to restart all three at once
16:09:26 hmm. If I make a multiname (SAN?) cert, do I need to verify ownership of each hostname specified? They all resolve to the same IP...
16:10:31 rtprio, what is special about gandi? I just run bind9.
16:10:59 gh00p: to use a wildcard cert, you need to use a specified dns provider
16:11:14 so I can't run my own dns?!
16:11:30 sure you can, you'd just have one cert per name
16:12:13 so .. you're saying that if I want to use a wildcard cert, I have to purchase DNS service from a third party rather than running my own?
16:12:32 That doesn't sound right.
16:12:51 you can use your own DNS server to do it, it just means you have to do some scripting
16:13:18 https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
16:13:19 Title: User Guide — Certbot 1.31.0 documentation
16:14:04 if you only have two names, just do two certs; it's not like you've got 1000 hostnames
16:14:05 you basically need to make a plugin that would script adding and removing a DNS entry, and you would use it like --dns dns_my_plugin , there may already be an example one.
i haven't checked
16:14:22 or use multiple SAN rather than wildcard, then you can use HTTP validation
16:16:32 rpthms: acme.sh also provides a list of third parties, but includes nsupdate (which I think is rfc2136) and ssh, which is completely scriptable.
16:17:19 rtprio I mean
16:19:04 ssh what are you talking about man?
16:19:48 rtprio: https://github.com/acmesh-official/acme.sh/blob/master/deploy/ssh.sh
16:19:50 Title: acme.sh/ssh.sh at master · acmesh-official/acme.sh · GitHub
16:20:50 rtprio, I have {mailhost,smtp,imap}.example.com in one jail and {www,git,test,etc}.example.com in another jail. And I spin up other subdomains on demand.
16:20:51 ok
16:21:02 gh00p: right i get that
16:22:49 tao: ah, "then you can use HTTP validation". A vital piece of information, thanks - I wasn't aware that DNS validation was required for wildcard certs. I'll steer in that direction then.
16:24:06 yes. DNS is required for wildcard. can't use HTTP
16:36:42 anyone did the BSD specialist cert from LPI?
16:41:47 gh00p: I terminate all TLS with haproxy and haproxy handles the ACME back-end (just sends everything to a lo0 certbot port), works quite well in my case with some deploy hooks that install certificates in other jails/restart affected services
16:49:39 nimaje: using Atom is not as convenient as email via an IMAP4 server in my case :\
16:52:05 plus the feed is just links to the website…
16:56:33 what atom feed?
16:56:54 freebsd.org/security/feed.xml
16:57:13 with www in front
16:57:39 there's a security mailing list, you should probably use that;
16:57:43 entries look like this: https://i.koumakan.jp/2022-11-08/1667926653.png
16:57:47 rtprio: uhhh
16:58:27 I am not sure if you are making fun of me now but the entire discussion was about the fact that emails from that list got held up in the FreeBSD MX mail queue since August
16:59:18 i wasn't; it's too early in the morning and i didn't follow the scrollback very far, sorry
17:00:55 I am subscribed to the security mailing list haha it is just that this morning I started getting emails with SAs from August and from a week ago that I never received before
17:01:22 so nimaje suggested RSS
17:01:57 * Remilia does not like RSS because every now and then she sees the feeds suddenly pop unread duplicates
17:05:50 that's the fault of the feed creator rather than RSS itself. happens if the GUID changes when it should be permanent and never change
17:10:17 yep, that the EN/SA feed doesn't contain the actual announcement is the reason that I get them via email too
17:42:13 Is the answer to "sshd[92188]: error: maximum authentication attempts exceeded for invalid" fail2ban?
17:53:57 I am trying to mount an ISO file in order to extract some content. I do "mdconfig -a -t vnode -f foo.iso", and the device is created as md0, but when I try to mount it with "mount -t cd9660 /dev/md0 /mnt", I get the error "mount_cd9660: /dev/md0: Invalid argument". What am I missing?
17:54:48 boy, that ".zfs/snapshot/-over-nfs" bugfix in 13.1-RELEASE-p3 had me doing a happy dance. i was sure it was some systemd-related bullshit on the Linux side that would never get resolved. i wasn't even aware it was being tracked as a FreeBSD bug!
17:56:08 yashi: depends on the full question and there is blacklistd too, which is in the base system
17:56:17 iio7: that's the right procedure; are you certain the iso is good?
17:57:59 nimaje: The question is "what to do in response to these lines appearing in my log"?
17:58:20 fail2ban would reduce them, sure
18:01:31 as you are probably not in control of who- or whatever exceeds maximum authentication attempts for ssh connections you could probably only reduce them via blacklistd or fail2ban or something similar
18:05:21 rtprio, yes, the ISO is fine, I can mount it on both Linux and Windows.
18:06:30 I see, thank you very much.
18:07:37 Or I should simply entirely disable password logins?
18:08:47 that wouldn't hurt either
18:08:51 yashi: it wouldn't stop malicious connection attempts, but it would make them much, much less likely to succeed. i've done that regularly on all my servers for years, never regretted it
18:09:06 just keep your keys on the other side safe, so you don't lock yourself out ;)
18:09:42 right
18:09:43 thanks:)
18:12:57 Is there some kind of website that will scan my host for holes?
18:48:07 How do I find out what, of my laptop's BIOS, ACPI, a (13.1) driver or kernel module, or XFCE, dims the display when I unplug the AC connector but fails to restore its brightness when I plug it back in? I could rule out XFCE by testing without it running, but that won't tell me which of the other 3. (My goal is to make it brighten back - and subsidiarily make the dim and brighten buttons work, in case
18:48:13 that's an XY thing.)
18:50:21 I'd bet on xfce first
18:50:35 then the bios
18:50:51 I would try without X/Wayland running. If it also happens in tty, it's probably not the OS
18:50:52 sounds acpi related to me
18:53:49 OK, let me try without X.
18:56:19 hello, is there a simple way of showing total memory usage of some concrete jail?
18:57:20 attribution of memory usage to processes is hard, attributing it to jails is even harder 18:57:37 memory is frequently shared 18:59:32 basically, any attempt to show memory usage of only parts of the system will return inflated results due to double-counting 19:03:00 How do I enable a flag for ports when building with portmaster? I want to enable PORTS_READLINE for shells/bash 19:03:25 (Well, I want to get shells/bash to compile and it seems to be related to that 19:04:30 easiest way is probably to do make config in the individual port dir first 19:04:42 Will that carry through when using portmaster? 19:05:04 I am not clear how that works in relation to editing individual ports. 19:05:14 portmaster should use any options already set, iirc it'll then prompt you for ports where you haven't yet set the options 19:05:31 I see. OK Thx. Trying 19:05:52 what error did you get when building? 19:06:12 Scrolled off now, but it said try disabling that (I had it backwards; it was enabled in the conf) 19:06:26 It said incompatible readline 19:06:41 ah right 19:06:42 This is 14 19:07:00 I think it is going now. We'll see what other issues I have. 19:07:17 It's mainly a test machine, on current 19:07:52 That seems to be working. Thanks. 19:08:00 these days poudriere is probably a better approach than portmaster 19:09:05 RhodiumToad, thank you 19:09:48 pvalenta: you might look into racct / rctl though 19:10:35 RhodiumToad, yes, I am reading man rctl right now :-) 19:11:33 <_xor> Is sysctl going to be my best bet for getting the CPU frequency? 19:12:15 to get the current frequency? yes 19:12:43 <_xor> Hmm, good point on current. 19:14:09 <_xor> Halfway through implementing this lib that needs to get basic hardware info. It's part of an orchestration/scheduling system that already supports docker, and I'm implementing this to add support for jails. 19:14:51 <_xor> The lib needs to report hardware info, among which is CPU frequency.
Since you mentioned current, I realized that it's probably going to be better to report the max CPU frequency instead of the current clock. 19:16:10 <_xor> How much more involved is it going to be to determine the max CPU frequency? 19:20:32 sysctl also shows the available frequency settings 19:21:17 sysctl dev.cpu.0.freq_levels 19:22:34 <_xor> Ah nice, that'll do. 19:22:47 <_xor> Though is it safe to assume that string format? 19:22:53 RhodiumToad: poudriere, yes. Probably need to focus on that. I had gotten portmaster off the handbook, but haven't spent much time with ports on FreeBSD. 19:30:14 OK, still dims with no XFCE (or X). So I'm guessing, per suggestions, either BIOS or ACPI. BIOS is probably unfixable in practice. ACPI... might be able to do something through devd.conf. 19:30:33 Thanks all. 19:31:28 try booting single-user (specifically, make sure that powerd is not in play) 19:41:52 ps auxww | grep power says it's not running. (And it's disabled by default and not overridden.) 19:42:34 look for bios settings then? 19:43:38 Yeah, that's probably the next step. 20:56:26 hi guys 20:56:49 How's FreeBSD life? :) 20:57:19 Btw, I trashed my headless FreeBSD notebook some time ago and switched to Linux. ;--) 20:57:51 Adjusting leap seconds manually on FreeBSD, good memories! ;) 20:57:58 Or something like it, can't remember, ehe 20:59:26 yay! dma replacing sendmail 21:00:14 :))) 21:01:18 Nothing in BIOS setup jumps out to me, and xbrightness doesn't do anything. (So even if I could use devd.conf, I'd have no way to set the brightness that I can think of.) Guess I'm out of luck. 21:13:55 Demosthenex: woot? 21:47:06 - 21:48:34 V_PauAmma_V: you could try dumping the ACPI tables, find the method that changes the brightness, and use sysutils/acpi_call to change it back? :) 21:54:38 LXGHTNXNG: the commit made HN 21:54:56 I don't read HN 21:57:00 hn?
21:59:14 Hacker News 22:00:15 ah 22:12:08 Anyone know of the plans|roadmap (of FreeBSD) to be able to use "mixed CPU layout" like Intel 12th generation with P- & E-cores? 22:12:59 ... and what are they? 22:14:04 is that something similar to that little-big stuff some arm chips do? 22:14:10 Yes 22:15:23 A CPU with smaller number of more powerful cores|chips|"subCPU(?)" along with larger number of less powerful ones 22:16:50 In near future it may be more probable to buy an AMD (homogeneous) CPU ThinkPad laptop than Intel one I think 22:17:22 ... and then I would also need to worry about GPU support 22:23:50 it would most likely be amdgpu 22:23:54 so not much of a worry yeah? 22:36:32 Sure hope so 23:09:20 Hamilton BSD User Group online meeting starting in ~25 minutes: https://twitter.com/hambug_ca/status/1590096226774831106 23:09:21 Title: HAMBug on Twitter: "Join the Hamilton BSD User Group online (https://t.co/xEAKtuMPeV) tonight at 6:30 pm EST for open discussion on #FreeBSD #OpenZFS #OpenBSD #NetBSD and more!! https://t.co/xz7tv3osFl" / Twitter 23:43:59 ... wow was not getting any sound :-| 23:59:01 parv: What is Hamilton?