00:21:11 ok, convince me, why should i bother to put a partition table on a disk i'm going to access as FDE with geli and zfs
00:21:26 my only concern was gpart says corrupt, meh
03:24:28 good evening everyone im running freebsd 13.1 and sometimes my network connection just drops on both my laptop desktop on my laptop even when using an ethernet dongle i lose connectivity has anyone else run into this issue and if so how did you go about fixing it
03:24:58 this is the error message that im seeing in the messages file
03:25:12 dhclient[342]: send_packet: Network is down
06:54:30 Hi. How to check if my ZFS system auto trimming the NVMe disk, or not?
07:06:30 bsdbandit: what's the drivers?
07:09:45 Demosthenex: Full disk encryption wants partitions to look plausible. geom wants partitions because that's what its smallest work unit is. you want partitions because all the tools rely on it
07:10:57 Regarding the trim, when I run: zpool status -t zroot - it shows: nvd0p3 ONLINE 0 0 0 (100% trimmed, completed at Tue Dec 13 01:55:27 2022) (I guess that date I manually trimmed), so does this mean actually auto trim never works?
07:15:48 tercaL: zpool trim would need to be called by cron or periodic https://man.freebsd.org/cgi/man.cgi?query=zpool-trim&apropos=0&sektion=0&manpath=FreeBSD+14.0-CURRENT&arch=default&format=html#end
07:15:49 Title: zpool-trim
07:16:26 helpfully, this man page tells you how to do it with systemd times
07:16:36 timers
07:17:20 meena: If I activate autotrim with: zpool set autotrim=on zroot
07:17:45 how often it does trim?
07:18:12 and is this the recommended way, (the server has nginx, php, mysql database, a busy wordpress site - a busy server)
07:18:22 or you'd suggest running it through cron?
07:18:46 that just sets a property, which a periodic process would act on, i think
07:20:08 but see https://man.freebsd.org/cgi/man.cgi?query=zpoolprops&apropos=0&sektion=0&manpath=FreeBSD+14.0-CURRENT&arch=default&format=html
07:20:09 Title: zpoolprops
09:35:33 meena: its not a boot drive, is only an encrypted zfs member. i just can't see any reason to throw a partition on
09:36:11 meena: if i had a freebsd box, and assigned it a 1TB LUN on a SAN, would i bother with partitioning if it's zfs only?
09:38:54 So, bear in mind I'm old and started using ZFS on solaris eons ago but it was always the recommendation (at least under solaris) to give zfs the entire drive sans partition table. Even for boot drives.
09:39:50 Every zfs server I've built since then I've done that, but again, always solaris/illumos based stuff so I don't know how well that applies to the current state of FreeBSD
09:43:45 the recommendation I know is always put some swap partition on the drive to control how large the zfs partition is, so that replacing drives isn't a problem when there is some small size mismatch
09:49:05 nimaje: not a boot disk, no other partitions needed.
09:54:41 still, drives don't have the size they are advertised with but are somewhat larger and that is different from model to model (maybe even drive to drive), you will have a problem if your replacement drive is smaller than your current drive, if you put a small swap partition on it you can have a fixed size for the zfs partition and give the rest to swap and you know exactly how large the part zfs
09:54:43 gets is
10:33:53 hi folks how much time make buildworld would takes on 3 cores 4GB Ram system ?
10:34:30 Its almost been 4 hrs since i started build
10:35:38 add 8gp swap min before build
10:35:53 u select num of cores by -j param
10:40:03 dang it now I will wait for it to finish
10:40:15 next time I will do this ^
11:30:15 nimaje: i can see the wisdom in having a placeholder, but i expect to only replace with the same model or larger... i'll have to go reread the zfs replacement docs
11:37:57 so, i'm thinking of using bastille with zfs to put each of my services in a jail, but how does one maintain the software in that jail?
11:39:58 same as on regular box
11:42:13 i had the impression that bastille was using zfs to share files across jails on the same release
11:42:30 but i suppose that means i can do fetch and update in the jail and it'll just apply the changes
11:43:25 but what a huge relief to compartmentalize all the stupid dependencies, i won't have to worry about one upgrade breaking another service
11:43:37 *looking at python, web crap, etc*
11:45:39 so, i'm trying to get this serial console fixed. i have idrac redirecting at boot, i can interact with the bsd loader and enter my geli passwords via SOL at boot, great. but once booted, i can't get a login to come up
11:48:34 i removed all serials from ttys, ensured there's no getty on /dev/ttyu*, and am connected to a serial port. i've tried echoing to the /dev/ttyu* ports and see no response.
12:12:37 right, got it. my trying to echo to the terminal was blocking getty starting. duh.
12:12:40 awesome!
12:49:15 It seems running the manual trim *needs* a lowest load time on server, but when it's a dedicated web server with very busy visitors, (the server has nginx, php, mysql database, a busy wordpress site - a busy server), is there any side effects of running trim manually? What to do in such case?
12:57:41 you'd think at minimum it'd increase io latency
12:57:49 worst case freeze io until trim is done
12:58:30 Demosthenex: I suggest pure /etc/jail.conf and something like Saltstack rather than Bastille, iocage, etc
12:59:57 Demosthenex: Can manual trim process, actually (when needed) freeze I/O on the system? So this means no response from webserver (temporarily), right?
13:00:53 tercaL: o
13:01:08 tercaL: i'm guessing... i have no evidence
13:01:14 i said those are potential outcomes
13:02:01 it'd be by drive manufacturer and firmware, i don't think bsd cares
13:02:17 mage: i've had limited success with bastille, and the zfs idea is cool
13:02:35 i was looking at salt, may be a good time to set it up
13:05:01 mage: bastille has its templates, which is only a half-cfgmgmt solution. i was considering using the bastille template to get salt setup, and then dispatch orders into the jails via saltstack
13:06:45 Demosthenex: I use https://github.com/silenius/jails-formula
13:06:46 Title: GitHub - silenius/jails-formula: SaltStack FreeBSD jails formula
13:06:53 but I guess Bastille is ok too
13:08:16 mage: one of the reasons i'm considering salt over puppet (what i use today), is i get completely gut this annoying AF YAML infested ecosystem.
13:08:27 why ever write salt in anything but py or pyobjects
13:08:28 yaml should die
13:09:05 what's wrong with yaml?
13:09:29 regarding Salt the issue with yaml is more with jinja
13:09:32 what isn't wrong with yaml? it's like someone asked a windoze admin to come up with an alternate to ini files
13:09:43 and they thought "hey, spaces are cool"
13:09:52 yeah
13:09:58 Yaml is often a PITA
13:10:01 yaml is completely informal with a ton of edge cases, and it's just not suitable for modeling data
13:10:06 that's why it's riddled with jinja in salt
13:10:15 yaml is trash, i won't use it.
13:10:31 hell, if i had to, i'd write my data in s-expressions (LISP) and dump to yaml
13:10:44 google "yaml norway problem"
13:10:50 like most things "just so simple"
13:10:56 it's not well considered and has tons of issues
13:10:59 like json :P
13:12:38 i like that salt has the python and pyobjects to bypass the whole yaml/jinja mess.
13:13:03 not that i really enjoyed puppet's ruby-esque syntax, but it had few edge cases.
13:14:10 fyi, that's a cool jails formula once you get past the jinja ;]
13:17:19 but in Salt you usually do everything in a map.jinja file and keep the yaml "clean"
13:17:37 mage: have you looked at pyobjects?
13:18:02 not yet
13:18:35 https://docs.saltproject.io/en/latest/ref/renderers/all/salt.renderers.pyobjects.html
13:18:36 Title: salt.renderers.pyobjects
13:18:50 our infrastructure is ~ 30000+ yaml lines.. so it'll not be replaced tomorrow :p
13:18:54 collapse that file object from 10 lines to 1 :P
13:19:24 i was reading in some of the salt docs, they were saying that yaml and jinja didn't scale, which is why they had alternate "renderers"
13:19:47 I think I would prefer a pure Python renderer over pyobjects
13:20:36 there is pure python too ;]
13:20:47 the pyobjects is just a DSL over common salt objects, it's still python
13:21:05 it's an OO DSL over salt code
13:28:23 mage: are you using "onedir" or the single executable salt on freebsd?
13:30:45 also, https://skylightcyber.com/2023/02/09/a-salt-attacking-saltstack/ was interesting reading using a salt minion to attack whole infrastructure
13:30:46 Title: Skylight Cyber | A-Salt: attacking SaltStack
13:31:14 tldr; don't autoregister minions, and don't share pillar files in the main salt file distribution directory
14:01:19 Demosthenex: onedir ..?
14:01:31 we have a dedicated poudriere repository
14:08:06 mage: so in salt 3005 and up, they were supposed to start using something called onedir, to package the salt minion as a single binary
14:09:21 https://docs.saltproject.io/en/master/topics/releases/3005.html
14:09:22 Title: Salt 3005 release notes - Codename Phosphorus
14:09:33 ah ok.. what's the idea?
14:09:44 its a compiled executable.
14:09:51 instead of relying on the installed python interpreter and tons of libs
14:10:14 they list onedir versions for many platforms, except freebsd
14:10:29 what problem are they trying to solve?
14:10:36 stop on the installed python interpreter and tons of libs
14:10:54 that's the job of the $OS package manager/maintainer
14:11:02 and $OS can break $SALT
14:11:11 if it depends on the system installed python
14:11:19 that's why a static exec is superior
14:11:41 maybe
14:12:01 Salt has a lot of bugs to be honest
14:12:31 most things do :P
14:16:24 for example service.running is broken for years with PostgreSQL
14:21:12 how well does it handle rc.conf, sysctl.conf, loader.conf, etc
16:20:07 How do I make a -memstick.img image from an arbitrary commit?
16:21:14 My actual problem is I'm seeing hardware issues (iwlwifi) when installing 13.1 and I'd like to try main instead.
16:24:57 https://seclists.org/oss-sec/2023/q1/92 didn't see this get a mention here yet
16:24:58 Title: oss-sec: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
16:29:40 malloc implementation exploitation | https://www.openssh.com/releasenotes.html#9.2
16:29:41 Title: OpenSSH: Release Notes
16:34:52 for aportnoy, when they return: do buildworld, buildkernel as usual, then `cd /usr/src/release && time make -DNOPORTS -DNOSRC -DNOTEST -s memstick`
16:35:19 but if they have zfs, beinstall.sh(8) is 99% certain more desirable
16:39:22 dch, thank you.
17:26:32 Re partition for ZFS, ~8 hour ago: Adding a single GPT partition allows me to use GPT label to create a pool instead of disk-number device which can/will change from one boot to the next.
17:29:45 Plus, human-readable!
17:36:36 still need motivation to try beinstall.sh :)
18:02:33 parv: +1 to that, I guess zfs just figures things out for that situation anyway tho?
18:09:25 dch, Yeah & I do not like when it uses disk-IDs or a long-ass integer. Problem comes at the time of replacement as it is tedious to locate the malfunctioned disk (reconcile the string used by ZFS in dmesg, "camcontrol devlist", "sesutil show", etc). With printed serial number on the disk tray & in the GPT label, I have much more confidence that I would be removing the intended disk
18:43:55 aportnoy: do buildworld, buildkernel as usual, then `cd /usr/src/release && time make -DNOPORTS -DNOSRC -DNOTEST -s memstick`, but if you have zfs, beinstall.sh(8) is 99% certain more desirable
18:44:41 yup thank you my bad, I saw that I was logged in under a different nick
18:44:48 np
19:28:41 ok, so i have 4 x 4 TB drives to put in my data zpool. as i understand it, if i raidz them, the raidz is one vdev, so my zpool has only the one vdev. then i'm subject to needing matching size or larger size disks to replace any disk in the raidz
19:28:57 i also can't (yet) expand the raidz by a single disk as the raidz vdev geometry is fixed.
19:29:44 would it be better to make each disk a vdev, and just stripe/mirror instead so i can operate on single devices?
19:29:52 i have a 5th disk i was considering for hot spare
20:06:25 I plan my zpools around growing them roughly every 2-3 years based on new drive capacity
20:06:30 so I use striped mirrors
20:07:20 Demosthenex: in that case I would have 2 striped (2+2 mirrors)
20:07:40 I can then add 2 new larger (say 6TB) drives to one of the mirrors
20:08:12 now I have striped 2x2Tb + (2x2Tb + 2x6Tb)
20:08:33 then after silvering is complete, remove the 2x2Tb from the "fat mirror"
20:08:53 then extend the partitions on the 6Tb and grow them and then grow the zpool into the new space
20:09:05 then following year, do the dance again
20:09:31 I have a small slice of NVMe (around 20GiB) to act as a zil or slog or whatever I'm supposed to call it I always forget
20:10:11 in rc.conf, can I add 2 arbitrary IPs as well as a range?
20:10:29 ifconfig_lo1="inet 100.64.0.0/15"
20:10:29 ifconfig_lo1_aliases="inet 100.64.0.0-15/15"
20:11:09 then I would manually do this `ifconfig lo1 inet 100.64.68.238/32 add` and `ifconfig lo1 inet 100.64.8.8/32 add`
20:11:19 can I put that already in the aliases somehow?
20:12:07 yes
20:12:18 ifconfig_lo1_alias0="inet 100.64.68.238/32"
20:12:27 ifconfig_lo1_alias1="inet 100.64.8.8/32"
20:13:42 I think I can just append them to my current line, lets try that after reboot
20:14:00 otis: thats also an option
20:24:50 otis, that /32 for IP alias thing is. . . very deprecated.
20:26:09 Though. . .. ifconfig(8) has yet to be updated to reflect that.
20:31:55 Which is pretty terrible, as I think it was 2009 when I learned about that.
20:32:27 I still think in terms of classful addressing.
20:32:30 about the /32 being deprecated?
20:32:44 It's not required.
20:32:52 what should I do instead? just the ip itself?
20:32:55 terrible is that i learned about that back in late '90s
20:33:08 dch: you wouldn't go wrong with /32 alias for now.
20:33:15 otis our brains are full of garbage like that from the 90s
20:33:20 dch, you can use the same mask as the primary IP on the interface.
20:33:22 I'm prepared to give up thinking in terms of classes when IPv6 takes over. And hopefully that's not too far out.
20:33:34 *splutters*
20:33:46 Classful addressing is already well out the door in IPv4 land.
20:33:47 mason, I so want to see LegacyIP die. . .
20:33:54 but there's so much irrational resistance to it.
20:34:06 The kludges people use to avoid it. . .
20:34:27 OMGTEHHEX!!!!!!!11111
20:34:50 i wonder how will things change once ifconfig is converted to netlink
20:35:40 woah, the more you know.
20:36:33 And I don't think that /32 for an alias is right. Aliases still need routing information in order to respond to incoming traffic.
20:36:50 So the alias address should be configured with whatever prefix is appropriate for the subnet in which they're participating.
20:36:51 Um. . . please tell me we're not going the way of linux with that ip(8) nonsense.
20:37:13 ip is better than Linux net-tools. By a long shot.
20:37:50 i think the gist was to use /32 when you already had an address on the same subnet, obviously you can't do it if it's the only ip on that subnet.
20:37:50 jkc, it used to be required for aliases to have a "non-conflicting" mask - and it would definitely break things.
20:38:04 CrtxReavr: "used to"
20:38:04 But that ceased to be an issue around '09.
20:38:06 Don't care what "used to be."
20:38:53 But you're talking about it like it's nonsense. .. it really was a thing. . . and if you look at ifconfig(8). . .
20:39:35 No, I'm not.
20:40:13 If ifconfig requires a /32 fake prefix length to have an on-net alias, that's... dumb. Not saying you're wrong.
20:40:46 sigh
20:40:50 I have an easy fix for you.
20:45:00 it's not really fake. it may no longer be necessary or best practices but as was already stated it was in cases where you have multiple addresses on the same subnet. so you already have a route to that subnet via the interface with the real netmask.
20:45:47 '/ig jkc' was a lot less typing.
20:46:18 word.
20:47:47 CrtxReavr: It's amazing that you've been in this channel for so long, but you still haven't learned to drop the childish antagonism.
20:48:01 `/ig CrtxReavr` is a lot less typing, though.
21:03:08 desnudopenguino, maybe EFnet had the right idea with restricting nicks to nine characters.
21:05:36 Or maybe it doesn't.
21:14:27 9 char nicks is annoying.
21:14:35 even when you dont use them often
21:14:56 (9 char nick limit is annoying, that is, 9 char nicks are fine!)
21:19:32 is there a way to list installed packages by which repo?
21:20:09 oh, actually, pkg upgrade -f solves my problem
21:39:03 efnet also has the right idea what freebsd channel should be
21:39:07 * yuripv hides
21:58:06 would be nice if efnet had sasl and… stability
22:03:35 And no NSFW ASCII art.
22:35:17 dch: i don't plan to expand much, my goal is long term stable.
22:35:36 reading more, i do see that it's the vdev that's the issue, and the raidz is one piece.
22:36:28 and if i want to upgrade capacity, i can do so one drive at a time later.
22:38:03 Hello! Please tell me what are the problems in the FreeBSD operating system if you use the installation of programs from packages and ports?
22:39:02 Kit_Leopold: none? packages go in /usr/local and don't impact the core os?
22:40:32 I haven't installed the FreeBSD operating system on my computer yet, I'm currently reading the FreeBSD HandBook.
22:41:06 i came from gentoo, and bsd is rock solid
22:42:14 I am familiar with the Gentoo Linux operating system.
22:52:26 Kit_Leopold: there are no problems...
22:53:24 the packages use sane defaults.. and should be fine. However if you want something compiled with different flags you can always compile a port instead of installing a precompiled pkg
22:53:33 hrm. ok, at boot the loader geli isn't unlocking my FDE disks, maybe i need a partition to make geli do that
22:56:55 hernan: I read a warning in the FreeBSD HandBook in chapter 4 that the ports collection and the pkg must be in the same release branch.
22:58:09 Kit_Leopold: install pkgs and dont use ports initially
22:58:12 you will be fine
22:58:53 Kit_Leopold: TLDR don't mix ports & packages. But do investigate poudriere to build your own packages once you find things where the default options aren't what you want. the poudriere-devel port is very stable, and allows caching ports that are identical to upstream's FreeBSD.
22:59:37 invariably you end up with slightly different files or versions of stuff, and its annoying to backtrack and clean up
22:59:58 getting a local poudriere setup takes 0.5 - 1h
23:00:19 but does require some h/w to build packages, not your laptop
23:00:27 Thank you all for your replies. I'll see what poudriere-devel is right now.
23:01:09 Kit_Leopold: its a port as well, https://github.com/freebsd/poudriere/wiki has more notes. its what the FreeBSD build cluster uses to build the binary packages we all enjoy.
23:01:10 Title: Home · freebsd/poudriere Wiki · GitHub
23:01:48 Kit_Leopold: and some old notes of mine, https://docs.skunkwerks.at/s/3SL9taN8s# mostly still useful/relevant
23:01:50 * haroldp always mixes ports and packages
23:01:53 Title: pkg and poudriere - a lightning trip - HedgeDoc
23:02:07 Can someone explain what lib/csu is and does? Plus ideally, what build options cover it during 'make memstick|cdrom'?
23:02:48 mainly because I can't spell poudriere
23:03:05 haroldp: :-) tab complete ?
23:03:27 Kit_Leopold: as a beginner i would just see what poudiere does and ignore it completely for now.. and install everything from pkg. Then, when you want something compiled differently, then look into pourdiere
23:04:03 haroldp: me too.. until some weeks ago i thought it was proudiere.. but i guess i still cant type it correctly =p
23:05:05 that's about what I do, except I mix and match with wild abandon when i want custom compile time options
23:05:20 I mean, I understand the issue.
23:05:29 Okay, thank you again. I will follow your advice and leave this topic for the future.
23:05:58 but as a rule, the port that I want to customize is some high level thing, and not a library that other packages depend on
23:06:28 so I tend to get away with it
23:07:35 I have a home computer, an AMD Ryzen 3 processor, an AMD RX 550 graphics card, and 16 gigabytes of RAM. This is far from new, but I think that the build from ports will be very long.
23:07:49 AMD Ryzen 3 1200
23:08:12 Kit_Leopold: just install it, create an admin user and add that user to groups "wheel" and "operator" . then login with that user, install xorg, a window manager, browser and echo "exec i3 or gnome or whatever" > .xinitrc and then type startx
23:09:27 Kit_Leopold: i bet 100bucks with you.. install everything from pkg and everything will be useful for months, if not years and you will probably never need to manually compile anything
23:09:46 Before installing the FreeBSD operating system, I want to study all the documentation.
23:10:07 ^ wot hernan said, over time I am down to just 2 locally compiled ports
23:10:14 Kit_Leopold: i started building everything from ports.. did that for years... then moved to pkg and havent had a real need to compile anything
23:11:19 * dch mainly uses poudriere to locally build and test ports, and to control distribution of custom packages at work
23:12:01 Thanks for your advice. I will use pkg like you said.
23:12:31 Kit_Leopold: do that and you will have a perfectly working environment in probably 30min, 1h
23:13:54 hernan: Not today :) I need to finish reading the FreeBSD HandBook and write down all the important information in my notes.
23:14:16 Kit_Leopold: just keep it updated with "pkg update ; pkg upgrade" for the latest packages... and to update minor and major versions is also simple: https://docs.freebsd.org/en/books/handbook/cutting-edge/
23:14:17 Title: Chapter 25. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal
23:15:06 Kit_Leopold: for minor and major upgrades take note on those 2 commands under section 25.2.2. Applying Security Patches in https://docs.freebsd.org/en/books/handbook/cutting-edge/
23:15:07 Title: Chapter 25. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal
23:15:23 Kit_Leopold: why not today? today is a great day =p
23:15:30 kidding
23:15:33 good luck
23:17:02 Thank you. And I wish you all good luck and have a nice day. You are very good people!
23:31:01 hrm, so how does geli choose what disks to ask password for at boot? my FDE's are configured for boot password
23:38:35 I have a system that boot fine in safe mode but not in normal mode, what exactly does safe mode booting do?
23:49:15 is there a way to force safe mode from the loader.conf file?