-
Demosthenex
ok, convince me, why should i bother to put a partition table on a disk i'm going to access as FDE with geli and zfs
-
Demosthenex
my only concern was gpart says corrupt, meh
-
bsdbandit
good evening everyone im running freebsd 13.1 and sometimes my network connection just drops on both my laptop desktop on my laptop even when using an ethernet dongle i lose connectivity has anyone else run into this issue and if so how did you go about fixing it
-
bsdbandit
this is the error message that im seeing in the messages file
-
bsdbandit
dhclient[342]: send_packet: Network is down
-
tercaL
Hi. How to check if my ZFS system auto trimming the NVMe disk, or not?
-
meena
bsdbandit: what's the drivers?
-
meena
Demosthenex: Full disk encryption wants partitions to look plausible. geom wants partitions because that's what its smallest work unit is. you want partitions because all the tools rely on it
-
tercaL
Regarding the trim, when I run: zpool status -t zroot - it shows: nvd0p3 ONLINE 0 0 0 (100% trimmed, completed at Tue Dec 13 01:55:27 2022) (I guess that date I manually trimmed), so does this mean actually auto trim never works?
-
meena
-
VimDiesel
Title: zpool-trim
-
meena
helpfully, this man page tells you how to do it with systemd times
-
meena
timers
-
tercaL
meena: If I activate autotrim with: zpool set autotrim=on zroot
-
tercaL
how often it does trim?
-
tercaL
and is this the recommended way, (the server has nginx, php, mysql database, a busy wordpress site - a busy server)
-
tercaL
or you'd suggest running it through cron?
-
meena
that just sets a property, which a periodic process would act on, i think
-
meena
-
VimDiesel
Title: zpoolprops
-
Demosthenex
meena: it's not a boot drive, it's only an encrypted zfs member. i just can't see any reason to throw a partition on
-
Demosthenex
meena: if i had a freebsd box, and assigned it a 1TB LUN on a SAN, would i bother with partitioning if it's zfs only?
-
bhechinger
So, bear in mind I'm old and started using ZFS on solaris eons ago but it was always the recommendation (at least under solaris) to give zfs the entire drive sans partition table. Even for boot drives.
-
bhechinger
Every zfs server I've built since then I've done that, but again, always solaris/illumos based stuff so I don't know how well that applies to the current state of FreeBSD
-
nimaje
the recommendation I know is always put some swap partition on the drive to control how large the zfs partition is, so that replacing drives isn't a problem when there is some small size mismatch
-
Demosthenex
nimaje: not a boot disk, no other partitions needed.
-
nimaje
still, drives don't have the size they are advertised with but are somewhat larger and that is different from model to model (maybe even drive to drive), you will have a problem if your replacement drive is smaller than your current drive, if you put a small swap partition on it you can have a fixed size for the zfs partition and give the rest to swap and you know exactly how large the part zfs
-
nimaje
gets is
-
smk
hi folks how much time make buildworld would takes on 3 cores 4GB Ram system ?
-
smk
It's almost been 4 hrs since i started build
-
unimplemented
add 8gb swap min before build
-
unimplemented
u select num of cores by -j param
-
smk
dang it now I will wait for it to finish
-
smk
next time I will do this ^
-
Demosthenex
nimaje: i can see the wisdom in having a placeholder, but i expect to only replace with the same model or larger... i'll have to go reread the zfs replacement docs
-
Demosthenex
so, i'm thinking of using bastille with zfs to put each of my services in a jail, but how does one maintain the software in that jail?
-
angry_vincent
same as on regular box
-
Demosthenex
i had the impression that bastille was using zfs to share files across jails on the same release
-
Demosthenex
but i suppose that means i can do fetch and update in the jail and it'll just apply the changes
-
Demosthenex
but what a huge relief to compartmentalize all the stupid dependencies, i won't have to worry about one upgrade breaking another service
-
Demosthenex
*looking at python, web crap, etc*
-
Demosthenex
so, i'm trying to get this serial console fixed. i have idrac redirecting at boot, i can interact with the bsd loader and enter my geli passwords via SOL at boot, great. but once booted, i can't get a login to come up
-
Demosthenex
i removed all serials from ttys, ensured there's no getty on /dev/ttyu*, and am connected to a serial port. i've tried echoing to the /dev/ttyu* ports and see no response.
-
Demosthenex
right, got it. my trying to echo to the terminal was blocking getty starting. duh.
-
Demosthenex
awesome!
-
tercaL
It seems running the manual trim *needs* a lowest load time on server, but when it's a dedicated web server with very busy visitors, (the server has nginx, php, mysql database, a busy wordpress site - a busy server), is there any side effects of running trim manually? What to do in such case?
-
Demosthenex
you'd think at minimum it'd increase io latency
-
Demosthenex
worst case freeze io until trim is done
-
mage
Demosthenex: I suggest pure /etc/jail.conf and something like Saltstack rather than Bastille, iocage, etc
-
tercaL
Demosthenex: Can manual trim process, actually (when needed) freeze I/O on the system? So this means no response from webserver (temporarily), right?
-
Demosthenex
tercaL: o
-
Demosthenex
tercaL: i'm guessing... i have no evidence
-
Demosthenex
i said those are potential outcomes
-
Demosthenex
it'd be by drive manufacturer and firmware, i don't think bsd cares
-
Demosthenex
mage: i've had limited success with bastille, and the zfs idea is cool
-
Demosthenex
i was looking at salt, may be a good time to set it up
-
Demosthenex
mage: bastille has its templates, which is only a half-cfgmgmt solution. i was considering using the bastille template to get salt setup, and then dispatch orders into the jails via saltstack
-
mage
-
VimDiesel
Title: GitHub - silenius/jails-formula: SaltStack FreeBSD jails formula
-
mage
but I guess Bastille is ok too
-
Demosthenex
mage: one of the reasons i'm considering salt over puppet (what i use today), is i get to completely gut this annoying AF YAML infested ecosystem.
-
Demosthenex
why ever write salt in anything but py or pyobjects
-
Demosthenex
yaml should die
-
mage
what's wrong with yaml?
-
mage
regarding Salt the issue with yaml is more with jinja
-
Demosthenex
what isn't wrong with yaml? it's like someone asked a windoze admin to come up with an alternate to ini files
-
Demosthenex
and they thought "hey, spaces are cool"
-
mage
yeah
-
mage
Yaml is often a PITA
-
Demosthenex
yaml is completely informal with a ton of edge cases, and it's just not suitable for modeling data
-
Demosthenex
that's why it's riddled with jinja in salt
-
Demosthenex
yaml is trash, i won't use it.
-
Demosthenex
hell, if i had to, i'd write my data in s-expressions (LISP) and dump to yaml
-
Demosthenex
google "yaml norway problem"
-
Demosthenex
like most things "just so simple"
-
Demosthenex
it's not well considered and has tons of issues
-
Demosthenex
like json :P
-
Demosthenex
i like that salt has the python and pyobjects to bypass the whole yaml/jinja mess.
-
Demosthenex
not that i really enjoyed puppet's ruby-esque syntax, but it had few edge cases.
-
Demosthenex
fyi, that's a cool jails formula once you get past the jinja ;]
-
mage
but in Salt you usually do everything in a map.jinja file and keep the yaml "clean"
-
Demosthenex
mage: have you looked at pyobjects?
-
mage
not yet
-
Demosthenex
-
VimDiesel
Title: salt.renderers.pyobjects
-
mage
our infrastructure is ~ 30000+ yaml lines.. so it'll not be replaced tomorrow :p
-
Demosthenex
collapse that file object from 10 lines to 1 :P
-
Demosthenex
i was reading in some of the salt docs, they were saying that yaml and jinja didn't scale, which is why they had alternate "renderers"
-
mage
I think I would prefer a pure Python renderer over pyobjects
-
Demosthenex
there is pure python too ;]
-
Demosthenex
the pyobjects is just a DSL over common salt objects, it's still python
-
Demosthenex
it's an OO DSL over salt code
-
Demosthenex
mage: are you using "onedir" or the single executable salt on freebsd?
-
Demosthenex
also,
skylightcyber.com/2023/02/09/a-salt-attacking-saltstack was interesting reading using a salt minion to attack whole infrastructure
-
VimDiesel
Title: Skylight Cyber | A-Salt: attacking SaltStack
-
Demosthenex
tldr; don't autoregister minions, and don't share pillar files in the main salt file distribution directory
-
mage
Demosthenex: onedir ..?
-
mage
we have a dedicated poudriere repository
-
Demosthenex
mage: so in salt 3005 and up, they were supposed to start using something called onedir, to package the salt minion as a single binary
-
Demosthenex
-
VimDiesel
Title: Salt 3005 release notes - Codename Phosphorus
-
mage
ah ok.. what's the idea?
-
Demosthenex
it's a compiled executable.
-
Demosthenex
instead of relying on the installed python interpreter and tons of libs
-
Demosthenex
they list onedir versions for many platforms, except freebsd
-
mage
what problem are they trying to solve?
-
Demosthenex
stop on the installed python interpreter and tons of libs
-
mage
that's the job of the $OS package manager/maintainer
-
Demosthenex
and $OS can break $SALT
-
Demosthenex
if it depends on the system installed python
-
Demosthenex
that's why a static exec is superior
-
mage
maybe
-
mage
Salt has a lot of bugs to be honest
-
Demosthenex
most things do :P
-
mage
for example service.running is broken for years with PostgreSQL
-
Demosthenex
how well does it handle rc.conf, sysctl.conf, loader.conf, etc
-
aportnoy
How do I make a -memstick.img image from an arbitrary commit?
-
aportnoy
My actual problem is I'm seeing hardware issues (iwlwifi) when installing 13.1 and I'd like to try main instead.
-
dch
seclists.org/oss-sec/2023/q1/92 didn't see this get a mention here yet
-
VimDiesel
Title: oss-sec: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
-
dch
malloc implementation exploitation |
openssh.com/releasenotes.html#9.2
-
VimDiesel
Title: OpenSSH: Release Notes
-
dch
for aportnoy, when they return: do buildworld, buildkernel as usual, then `cd /usr/src/release && time make -DNOPORTS -DNOSRC -DNOTEST -s memstick`
-
dch
but if they have zfs, beinstall.sh(8) is 99% certain more desirable
-
andrey_
dch, thank you.
-
parv
Re partition for ZFS, ~8 hour ago: Adding a single GPT partition allows me to use GPT label to create a pool instead of disk-number device which can/will change from one boot to the next.
-
mason
Plus, human-readable!
-
angry_vincent
still need motivation to try beinstall.sh :)
-
dch
parv: +1 to that, I guess zfs just figures things out for that situation anyway tho?
-
parv
dch, Yeah & I do not like when it uses disk-IDs or a long-ass integer. Problem comes at the time of replacement as it is tedious to locate the malfunctioned disk (reconcile the string used by ZFS in dmesg, "camcontrol devlist", "sesutil show", etc). With printed serial number on the disk tray & in the GPT label, I have much more confidence that I would be removing the intended disk
-
dch
aportnoy: do buildworld, buildkernel as usual, then `cd /usr/src/release && time make -DNOPORTS -DNOSRC -DNOTEST -s memstick`, but if you have zfs, beinstall.sh(8) is 99% certain more desirable
-
aportnoy
yup thank you my bad, I saw that I was logged in under a different nick
-
dch
np
-
Demosthenex
ok, so i have 4 x 4 TB drives to put in my data zpool. as i understand it, if i raidz them, the raidz is one vdev, so my zpool has only the one vdev. then i'm subject to needing matching size or larger size disks to replace any disk in the raidz
-
Demosthenex
i also can't (yet) expand the raidz by a single disk as the raidz vdev geometry is fixed.
-
Demosthenex
would it be better to make each disk a vdev, and just stripe/mirror instead so i can operate on single devices?
-
Demosthenex
i have a 5th disk i was considering for hot spare
-
dch
I plan my zpools around growing them roughly every 2-3 years based on new drive capacity
-
dch
so I use striped mirrors
-
dch
Demosthenex: in that case I would have 2 striped (2+2 mirrors)
-
dch
I can then add 2 new larger (say 6TB) drives to one of the mirrors
-
dch
now I have striped 2x2Tb + (2x2Tb + 2x6Tb)
-
dch
then after silvering is complete, remove the 2x2Tb from the "fat mirror"
-
dch
then extend the partitions on the 6Tb and grow them and then grow the zpool into the new space
-
dch
then following year, do the dance again
-
dch
I have a small slice of NVMe (around 20GiB) to act as a zil or slog or whatever I'm supposed to call it I always forget
-
dch
in rc.conf, can I add 2 arbitrary IPs as well as a a range?
-
dch
ifconfig_lo1="inet 100.64.0.0/15"
-
dch
ifconfig_lo1_aliases="inet 100.64.0.0-15/15"
-
dch
then I would manually do this `ifconfig lo1 inet 100.64.68.238/32 add` and `ifconfig lo1 inet 100.64.8.8/32 add`
-
dch
can I put that already in the aliases somehow?
-
otis
yes
-
otis
ifconfig_lo1_alias0="inet 100.64.68.238/32"
-
otis
ifconfig_lo1_alias1="inet 100.64.8.8/32"
-
dch
I think I can just append them to my current line, lets try that after reboot
-
dch
otis: that's also an option
-
CrtxReavr
otis, that /32 for IP alias thing is. . . very deprecated.
-
CrtxReavr
Though. . .. ifconfig(8) has yet to be updated to reflect that.
-
CrtxReavr
Which is pretty terrible, as I think it was 2009 when I learned about that.
-
mason
I still think in terms of classful addressing.
-
otis
about the /32 being deprecated?
-
CrtxReavr
It's not required.
-
dch
what should I do instead? just the ip itself?
-
otis
terrible is that i learned about that back in late '90s
-
otis
dch: you wouldn't go wrong with /32 alias for now.
-
dch
otis our brains are full of garbage like that from the 90s
-
CrtxReavr
dch, you can use the same mask as the primary IP on the interface.
-
mason
I'm prepared to give up thinking in terms of classes when IPv6 takes over. And hopefully that's not too far out.
-
dch
*splutters*
-
jkc
Classful addressing is already well out the door in IPv4 land.
-
CrtxReavr
mason, I so want to see LegacyIP die. . .
-
CrtxReavr
but there's so much irrational resistance to it.
-
CrtxReavr
The kludges people use to avoid it. . .
-
CrtxReavr
OMGTEHHEX!!!!!!!11111
-
otis
i wonder how will things change once ifconfig is converted to netlink
-
isley
woah, the more you know.
-
jkc
And I don't think that /32 for an alias is right. Aliases still need routing information in order to respond to incoming traffic.
-
jkc
So the alias address should be configured with whatever prefix is appropriate for the subnet in which they're participating.
-
CrtxReavr
Um. . . please tell me we're not going the way of linux with that ip(8) nonsense.
-
jkc
ip is better than Linux net-tools. By a long shot.
-
isley
i think the gist was to use /32 when you already had an address on the same subnet, obviously you can't do it if it's the only ip on that subnet.
-
CrtxReavr
jkc, it used to be required for aliases to have a "non-conflicting" mask - and it would definitely break things.
-
jkc
CrtxReavr: "used to"
-
CrtxReavr
But that ceased to be an issue around '09.
-
jkc
Don't care what "used to be."
-
CrtxReavr
But you're talking about it like it's nonsense. .. it really was a thing. . . and if you look at ifconfig(8). . .
-
jkc
No, I'm not.
-
jkc
If ifconfig requires a /32 fake prefix length to have an on-net alias, that's... dumb. Not saying you're wrong.
-
CrtxReavr
sigh
-
CrtxReavr
I have an easy fix for you.
-
isley
it's not really fake. it may no longer be necessary or best practices but as was already stated it was in cases where you have multiple addresses on the same subnet. so you already have a route to that subnet via the interface with the real netmask.
-
CrtxReavr
'/ig jkc' was a lot less typing.
-
isley
word.
-
jkc
CrtxReavr: It's amazing that you've been in this channel for so long, but you still haven't learned to drop the childish antagonism.
-
jkc
`/ig CrtxReavr` is a lot less typing, though.
-
CrtxReavr
desnudopenguino, maybe EFnet had the right idea with restricting nicks to nine characters.
-
V_PauAmma_V
Or maybe it doesn't.
-
nacelle
9 char nicks is annoying.
-
nacelle
even when you don't use them often
-
nacelle
(9 char nick limit is annoying, that is, 9 char nicks are fine!)
-
wcarson
is there a way to list installed packages by which repo?
-
wcarson
oh, actually, pkg upgrade -f solves my problem
-
yuripv
efnet also has the right idea what freebsd channel should be
-
» yuripv hides
-
meena
would be nice if efnet had sasl and… stability
-
V_PauAmma_V
And no NSFW ASCII art.
-
Demosthenex
dch: i don't plan to expand much, my goal is long term stable.
-
Demosthenex
reading more, i do see that it's the vdev that's the issue, and the raidz is one piece.
-
Demosthenex
and if i want to upgrade capacity, i can do so one drive at a time later.
-
Kit_Leopold
Hello! Please tell me what are the problems in the FreeBSD operating system if you use the installation of programs from packages and ports?
-
Demosthenex
Kit_Leopold: none? packages go in /usr/local and don't impact the core os?
-
Kit_Leopold
I haven't installed the FreeBSD operating system on my computer yet, I'm currently reading the FreeBSD HandBook.
-
Demosthenex
i came from gentoo, and bsd is rock solid
-
Kit_Leopold
I am familiar with the Gentoo Linux operating system.
-
hernan
Kit_Leopold: there are no problems...
-
hernan
the packages use sane defaults.. and should be fine. However if you want something compiled with different flags you can always compile a port instead of installing a precompiled pkg
-
Demosthenex
hrm. ok, at boot the loader geli isn't unlocking my FDE disks, maybe i need a partition to make geli do that
-
Kit_Leopold
hernan: I read a warning in the FreeBSD HandBook in chapter 4 that the ports collection and the pkg must be in the same release branch.
-
hernan
Kit_Leopold: install pkgs and don't use ports initially
-
hernan
you will be fine
-
dch
Kit_Leopold: TLDR don't mix ports & packages. But do investigate poudriere to build your own packages once you find things where the default options aren't what you want. the poudriere-devel port is very stable, and allows caching ports that are identical to upstream's FreeBSD.
-
dch
invariably you end up with slightly different files or versions of stuff, and it's annoying to backtrack and clean up
-
dch
getting a local poudriere setup takes 0.5 - 1h
-
dch
but does require some h/w to build packages, not your laptop
-
Kit_Leopold
Thank you all for your replies. I'll see what poudriere-devel is right now.
-
dch
Kit_Leopold: it's a port as well,
github.com/freebsd/poudriere/wiki has more notes. it's what the FreeBSD build cluster uses to build the binary packages we all enjoy.
-
VimDiesel
Title: Home · freebsd/poudriere Wiki · GitHub
-
dch
Kit_Leopold: and some old notes of mine,
docs.skunkwerks.at/s/3SL9taN8s# mostly still useful/relevant
-
» haroldp always mixes ports and packages
-
VimDiesel
Title: pkg and poudriere - a lightning trip - HedgeDoc
-
michaeldexter
Can someone explain what lib/csu is and does? Plus ideally, what build options cover it during 'make memstick|cdrom'?
-
haroldp
mainly because I can't spell poudriere
-
dch
haroldp: :-) tab complete ?
-
hernan
Kit_Leopold: as a beginner i would just see what poudiere does and ignore it completely for now.. and install everything from pkg. Then, when you want something compiled differently, then look into pourdiere
-
hernan
haroldp: me too.. until some weeks ago i thought it was proudiere.. but i guess i still can't type it correctly =p
-
haroldp
that's about what I do, except I mix and match with wild abandon when i want custom compile time options
-
haroldp
I mean, I understand the issue.
-
Kit_Leopold
Okay, thank you again. I will follow your advice and leave this topic for the future.
-
haroldp
but as a rule, the port that I want to customize is some high level thing, and not a library that other packages depend on
-
haroldp
so I tend to get away with it
-
Kit_Leopold
I have a home computer, an AMD Ryzen 3 processor, an AMD RX 550 graphics card, and 16 gigabytes of RAM. This is far from new, but I think that the build from ports will be very long.
-
Kit_Leopold
AMD Ryzen 3 1200
-
hernan
Kit_Leopold: just install it, create an admin user and add that user to groups "wheel" and "operator" . then login with that user, install xorg, a window manager, browser and echo "exec i3 or gnome or whatever" > .xinitrc and then type startx
-
hernan
Kit_Leopold: i bet 100bucks with you.. install everything from pkg and everything will be useful for months, if not years and you will probably never need to manually compile anything
-
Kit_Leopold
Before installing the FreeBSD operating system, I want to study all the documentation.
-
dch
^ wot hernan said, over time I am down to just 2 locally compiled ports
-
hernan
Kit_Leopold: i started building everything from ports.. did that for years... then moved to pkg and haven't had a real need to compile anything
-
» dch mainly uses poudriere to locally build and test ports, and to control distribution of custom packages at work
-
Kit_Leopold
Thanks for your advice. I will use pkg like you said.
-
hernan
Kit_Leopold: do that and you will have a perfectly working environment in probably 30min, 1h
-
Kit_Leopold
hernan: Not today :) I need to finish reading the FreeBSD HandBook and write down all the important information in my notes.
-
hernan
Kit_Leopold: just keep it updated with "pkg update ; pkg upgrade" for the latest packages... and to update minor and major versions is also simple:
docs.freebsd.org/en/books/handbook/cutting-edge
-
VimDiesel
Title: Chapter 25. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal
-
hernan
Kit_Leopold: for minor and major upgrades take note on those 2 commands under section 25.2.2. Applying Security Patches in
docs.freebsd.org/en/books/handbook/cutting-edge
-
VimDiesel
Title: Chapter 25. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal
-
hernan
Kit_Leopold: why not today? today is a great day =p
-
hernan
kidding
-
hernan
good luck
-
Kit_Leopold
Thank you. And I wish you all good luck and have a nice day. You are very good people!
-
Demosthenex
hrm, so how does geli choose what disks to ask password for at boot? my FDE's are configured for boot password
-
crb
I have a system that boots fine in safe mode but not in normal mode, what exactly does safe mode booting do?
-
crb
is there a way to force safe mode from the loader.conf file?