gustik: the last entry is not %B (birth) but %c (status change—i.e. e.g. `chmod +x somefile`)

meena: these packages conflickt because the php binary is /usr/local/bin/php

hjf_: fun! in the python packages, that's a link (which you can install as python3)

hjf_: 8.1 is currently the default version, which means that pkgs depending on php will by default depend on php-8.1. The way out of this is to build your own pkgs where you set DEFAULT_VERSIONS= php=8.0

yes i was able to do this, i set php to 8.0 and built from source. it was taking forever, then i noticed it was actually building cmake. so i just installed cmake from pkg and everything went much faster

that said, how can I update the port? I'd like to make it use a newer upstream version.

i understand the port declares some upstream source file and then applies patches to it, right?

Hi, is it possible to create a port for a software that you have created? If so, how difficult is it and where is the best place to have a look

uskerine: docs.freebsd.org/en/books/porters-handbook

Title: FreeBSD Porter's Handbook | FreeBSD Documentation Portal

You can amend the VALID_CATEGORIES environment variable to add a custom category to put your own ports in.

Title: Maintaining port modifications in FreeBSD

uskerine: also, I've used ports-mgmt/portshaker to merge ports trees. Might be handy, depending on how you have poudriere set up.

Hey guys. I've just updates some jails from 13.0 to 13.1. So far everything went smoothly. However, in all of these jails, a simple 'curl google.com' fails due to certificate validation: SSL certificate problem: unable to get local issuer certificate

Title: Google

doing the same from the host itself works flawlessly

security/ca_root_nss 3.87 is installed in the jail (also on the host, but that shouldn't matter)

any ideas?

tct: time problems? nah, jails get their time from the host

meena, indeed. the host is running ntpd and the reported time seems correct.

so that does not appear to be the issue

maybe compare /usr/share/certs/trusted on both jail and host

specifically GTS_Root_R*

treefrob, both contain the same number of certs. However, the host seems to have files from November 14 while the jail reports May 12

all 444 root:wheel

rtprio, yep

the dates would depend on when the files were installed

where to go from here? :s

-rw-r--r-- 1 root wheel 729524 Dec 28 19:44 /usr/local/share/certs/ca-root-nss.crt

and that's ok?

rtprio: -rw-r--r-- 1 root wheel 729524 Jan 11 01:00 /usr/local/share/certs/ca-root-nss.crt

someone had ssl issues the other day, but for letsencrypt

so not really sure where to go from here

what version of curl?

7.87.0

sorry man, not sure; you can probably pass --cacert /usr/local/share/certs/ca-root-nss.crt to curl

yeah, that doesn't really solve the problem. The various jails run various services such as PHP based applications which use curl internally.

what does curl-config --ca show?

an empty line. both on the host (where stuff works) and in the jail (where it doesn't)

I've already performed the desperate full-reboot of the host

that shows /usr/local/share/certs/ca-root-nss.crt for me;

can you rebuild the port?

sure, I built it via poudriere with default options. both the host and the jail are running the same package tho.

as in the same binary pkg.

rtprio, passing --cacert /usr/local/share/certs/ca-root-nss.crt to curl makes things work as expected tho

so this doesn't seem to be a binary issue necessarily

rtprio, freshports.org/ftp/curl

Title: FreshPorts -- ftp/curl: Command line tool and library for transferring data with URLs

last commit in history states: - Disable CA_BUNDLE option by default

but surely this should work out anyway, eh?

plus again, all my other freebsd hosts (including the host running the jail itself) run the exact same packages from the same repository and there everything works.

that would explain why --ca isn't set on yours?

so how come that my hosts don't experience this problem running the exact same 13.1-RELEASE-p5 and same binary packages?

ok, compare /etc/ssl/certs on both hosts?

rtprio, the host has 129 files in there whereas the jail only has 11

these are all symlinks - do I need to rebuild a cert database or something?

it's looking like it

i'm not sure how those get made

I'm trying to figure that out right now (too)

I was hoping that a pkg install --force ca_root_nss would do this but apparently not.

rtprio, certctl rehash did it!

rtprio, thanks a lot for your help - much appreciated! :)

anyone here got a FreeBSD in podman? what does sysctl security.jail.jailed report?

The line "Many Linux® distributions use the SysV init system" on docs.freebsd.org/en/articles/linux-users is no longer accurate. Just sayin'. ;)

Title: FreeBSD Quickstart Guide for Linux® Users | FreeBSD Documentation Portal

Just had that pointed out to me by a systemd fanatic. :D

unixman_home: gosh, how many are left, actually?

Ha! :D

There's Debian, Devuan, and Slackware for big/established ones. Not sure who else - there are others that don't default to systemd but they tend to be running other things. OpenRC, runit, s6

yes, this article should be updated

Oh, I guess MX uses sysvinit. They seem to still be at the top of DistroWatch, although I don't understand the metric there. (Page loads?)

Alpine uses OpenRC, and probably can use s6

Very recent article talks about this: systranbox.com/why-mx-linux-uses-sysvinit-instead-of-systemd

Title: Why MX Linux Uses SysVinit Instead Of Systemd – Systran Box

For my part, I haven't tried MX. I don't see much point running a Linux that's not Debian, and Debian supports sysvinit, so no more digging needed. :P

voidlinux uses runit

mason: seems like bad editing there: Mx Linux uses the systemd init system as its default init system.

mason: i agree

meena: Ah, didn't know. Hrm.

meena: did you happen to look at that jail.conf and pf.conf I linked yesterday?

rtyler: gosh, no. if you didn't highlight me, i probably missed it

meena: should you have any ideas, I certainly would appreciate it gist.github.com/rtyler/359579ad03ccebcc76203d9bd9c480a3

Title: jail.conf · GitHub

(rtyler did highlight me, but not with the config)

meena: mx _includes_ systemd by default, but it is not enabled. SysVinit is the default.

dutch: then that article is wrong

see mxlinux.org/about-us under "Our Positions"

Title: About Us – MX Linux

rtyler: what do you use $id for?

that's just to make some of the naming around epairs in the pre/post start easier

rtyler: aye. this looks very similar to my config: alpha.pkgbase.live/howto/jails.html

Title: Howto: Setting up Jails

indeed, you may be surprised to learn where the inspiration came from ^_^

just you wait, until the sun comes up again in March or so, I'll have fresh inspiration energy again

rtyler: so what's the exact symptoms?

gitea -> postgresql shows "host down" when pinging, and the gitea jail cannot make a connection

and other direction? both, IPv4 and IPv6?

meena: both directions yes, gitea can reach out to the public internet of course

rtyler: right, IPv6 would basically go via the Internet (almost, but probably not quite)

the default route for both is their respective bridge interface

oh, right, you're using more than one bridge. can you show me your rc.conf, and your routing table?

meena: from the host?

rtyler: yes

rtyler: and postgres is definatly listening on the tcp port?

rtprio: it definitely is :)

what's the Right Thing to use for specifying my system using a minimum of source files (ideally just one) that i can use to spin up a fresh ec2 instance with everything install and configured on it just like i want? with stock packages, menuconfig'd packages, stuff i'd otherwise install by hand (like with configure/make), all my user dotfiles, dynamically config'd stuff (like for zerotier),

sqlite/pg/maria databases set up and seeded, passwords/keys/auth stuff Done Correctly and just everything else Working Properly

something that i can expect to be around and usable for the next 20 years. i don't expect it's gonna be ansible/chef/puppet/saltstack

A big /etc/rc.local

hjf_: I did a poudriere testport run of zoneminder, and it builds with and depends on php-8.1 for me

hjf_: That said, it should also be updated from 1.36.12 to 1.36.32. There's almost a year between those two versions.

doug: do you expect ec2 to be around in 20 years?

doug: I use cloud-init for the basic bootstrap, and then config management, tho these days I'm looking into getting my jails under control from podman

meena: i recently used your cloud-init-devel for my 13.1 image for openstack. works just fine.

otis: yay!!!!

otis: I'm really happy my code works.

keep up the good work.

otis: okay. thanks 💜

20 years, eh