Demosthenex: i bought mine from freebsdmall, but i wanted the old-school ones

I've been LOVING running a linux VM under bhyve but one thing I like about VMWare is the ability to cut and paste between host and guest vm, is there a way to do this in bhyve?

Do any of you folks happen to know if you can convince Python to run Linux wheels using the Linux compat layer?

probably could. sounds painful though, lol. would probably spend more time getting it running than you'd save by just using a source distribution no?

is there something which doesn't build well on freebsd?

well, the upstream does not provide wheels at all for FreeBSD, but they have some manywheels

and their modules don't pip install

rtyler: what's wrong with just installing the source?

also what's the package in question lol

vishwin: give stt a try ;)

this one? pypi.org/project/stt

Title: stt · PyPI

aye

yeah you're either better off creating a port for it or setting up a full linux python distribution

there is no FreeBSD bdist wheel dealer, we (ports) are :-)

debdrup: i guess they do have one sheet of stickers

is it possible to get laravel to work on freebsd?

Anything is possible.

llua: Hezestraat 110

3290 Diest

pfft

llua: dpaste.org/zBtYR

Title: dpaste/zBtYR (Python)

there :P

anyone running system with custom set of modules, for example with MODULES_OVERRIDE?

What does 'CLOSED' mean in 'netstat -a' output?

Hi, I have a conflist in port with at-spi2-core needed by adwaita-icon-theme needed by gtk3 and gtk4. Both are installed on my system. What is the proper way to deal with this conflict ?

CrtxReavr: it means that an existing connection was closed and an TCP RST was sent to the remote host, if memory serves.

You probably want to have a look at sockstat(1)

my conflict is related to this port bugs.freebsd.org/bugzilla/show_bug.cgi?id=269704 but I don't understand what al I supposed to do with that ?

Title: 269704 – (at-spi2-core-2.46.0) [exp-run] accessibility/at-spi2-core: update to 2.46.0

is there a way to remove it ?

debdrup, so like a FIN was sent, but not FINACK was received?

I tried pkg delete . it doesn't work

pkg works with package names, not directory names.

Do you answer le CrtxReavr ?

me*

I tried with package name, it didn't find it

For deleting it works with package version names.

I tried to remove /usr/local/include/at-spi2-atk (it was the emplacement of the conflict) but I still get the message despite of it doesn't exist

ok with the full name with the version thanks

The conflict is from the ports Makefile.

Midjak, don't manually mess with files in your ports/package managed prefix. . . which is /usr/local/ by default.

Midjak: I ran into that yesterday. it tells you which package is in conflict. Do pkg delete for that package. Actually there are two packages that you'll have to delete.

Learn to make use of the tools to manage them.

CrtxReavr, I am learning...

I get it. . . we've all been there.

No one knows everything - we're all still learning.

Schamschula, thanks Schamschula I have removed accessibility/atk and accessibility/at-spi2-atk

but as the pkg delete on the package name didn't work I have tried manually. I didn't know I have to specifiy the version. Now I know.

Midjak: normally you don't have to specify the version, just the exact package name

You can use -x to have regex matching on most pkg subcommands, including pkg-remove.

ah I get it

The format is explained in re_format(7)

I tried onaccessibility/at-spi2-core and not on accessibility/at-spi2-atk

Yeah that'll do it.

Eventually you'll learn to spot those things from the output of pkg, but it takes a little while to get used to it

now it works...

If you want to make things easier on yourself in case it happens again, make a note about it in a file. :)

in this case the names were very similar, and I tend to read too fast...

yes I hesitate to do it. But you still have to identify a problem that you have already had

(in order to find the note)

I am working on something I could use to maintains documentation I have taken . I have a bunch spread out several machine and applications. I tried a lot of thing. Zim is the best but I think develpping something which fits better with my expectations

a weird thing: firefox stopped working after the conflict, but its update had not yet taken place.

opening a new tab. reading what at-spi2 is, it. make sense

it makes sense

dumbbell: what is driving me mad is sporadic hangs with i915. i thas not been resolved/identified. on CURRENT it is little bit better, but they happen till out of nowhere. what i have been told i sthat my chip is old, so deal with it. this is massively pissing off. in reality, it is quite hard to debug, due to fact, no logs, dumps are saved. i believe such issue reported many times

Say I have a range of IPs `127.0.0.1, 127.0.0.2, ....., 127.0.0.100`. How would you find an available IP address in that range?

ping in a loop? nmap -sP ?

what means 'available' here? what do you "know" beside that range and what can you do? are you writing a dhcp server?

antranigv: you're not supposed to use localhost that way

debdrup I mean... unless nonVNET jails :))

dedicating an entire /8 to localhost was the worst mistake in all address allocations

otis oh no, this is just a string

ipv6 fixed it by doing only a single loopback address

antranigv: make them vnet jails

debdrup should I default to VNET jails?

yes

there's no reason to use non-vnet jails

hmm, sounds promising. okaaaay

debdrup well, the ONLY reason I found is stupid cloud providers who have network limitations

antranigv: put ipfw or pf on the jail host and have it do NAT

with the right OIDs in sysctl(8) you can even make it so the NAT doesn't decrement TTLs

wait, those 127.* ips weren't just weirdly choosen examples?

nimaje nope, not at all :D

nimaje: there's a long-standing (and bad!) practice of using loopback addresses for interface aliased jail addressed.

debdrup well, I will default to VNET :)

Blah, I can't remember the OID to prevent TTL decremation :

:/

antranigv: I don't accept PMs from random people, so I can't see what you wrote.

debdrup no worries <3 I was gonna ask you to test my jail orchestrator, specifically to check the defaults. I used to default to VNET, I changed to none, but I think VNET would be better indeed

I can't promise I have the energy for it :/

debdrup also, I default to ZFS and we don't support UFS at all. I was gonna ask you if you see any reason to support UFS.

debdrup understandable <3

antranigv: supporting UFS would be desirable since UFS is still being actively developed on FreeBSD, but if you're making use of ZFS-exclusive features, it's harder.

Newest thing in UFS is reworking it so that soft-updates and journaled filesystems can use UFS snapshots.

That's.. a few months old?

debdrup yeah, we use snapshots a lot, for clones and send/recv

I would love to support UFS too, but that changes Jailer's whole... I wanna say architecture?

You'd need to abstract the snapshotting part so that it can work with either UFS or ZFS, and you'd need the newest change to UFS (that I mentioned above) for it to work.

And UFS snapshots aren't atomic or quick.

So I'd say that's a reasonable argument for not supporting UFS.

I can see it being added in a later version, if your tool gets a lot of use from people who want it on UFS too.

antranigv: ah, that's what you meant. so yes, then switch to VNET jails.

antranigv: Reason to support ZFS: It's probably fairly common to see FreeBSD jail hosts as VMs, in which case UFS makes a lot of sense there. They'll have the ZFS on the outside, not inside, in that case.

mason my philosophy is: DIE VMs DIE

antranigv: I'm wholly behind that stance.

And if I have to have a VM, it goes in a jail. :P

what if VM is not guilty? :)

ngortheone: invidious.snopyta.org/watch?v=cBc3kAWlfOQ

Title: TNG Kill all the Lawyers - Invidious

lol :)

guilty until proven otherwise is true about most software

Okay, but I still need a script to get an empty IP in a list :D maybe I should just write an AWK

an awk seems like an excellent solution to that problem, as long as it doesn't involve parrot-bothering

fingers crossed

so you have a set of valid identifiers and a set of used identifiers and have to choose one element from the diffrence?

seq 1 255 | grep -Ev '42' | awk '{getline nx} {if ($0+1 != nx) {print $0+1; exit}}'

I'm hoping for some pf advice on how to NAT into some jails on a network (bridge0-based vnet jails) and structure the host pf such that those hoses can route to the default route and the public internet, but nothing else on the host's LAN

rtyler I got lost :( where you wanna do what?

HostA does NAT into JailZ, I want to prevent JailZ from accessing anything on the LAN that HostA sits on

rtyler JailZ is on HostA?

correct

rtyler only the LAN of HostA, or the rest as well?

I'm hoping to restrict just access to tthe LAN HostA is on, but still allow routing out to the public internet

rtyler nat on $ext_if inet from $jailZ_addr to ! $ext_if:network -> ($ext_if)

that SHOULD do it

lemme test

that does look like it works, let me do some more testing

rtyler yup, all works fine

rtyler trying pinging hostA's gateway

antranigv: thanks for the help! that works quite well

from within JailZ I can ping the bridge network, which is what I Would expect

rtyler anytime :) and how do you manage jails? plain jail.conf or any specific tool?

rtyler yes, that has nothing to do with NAT, if you want to restrict that too, that's also very easy

vanilla vnet jails in jail.conf inspired by meena's doc: nat on $ext_if inet from $jailZ_addr to ! $ext_if:network -> ($ext_if)

antranigv: how would you restrict JailZ from hitting other specific hosts? I'm asking mostly so I can include that in the blog post I should write now that I'm making progress here :P

rtyler hey meena 's doc is a copy if mine! yey!

hah

rtyler it would be easer to do the opposite. block everything by default, except hostB..C

rtyler do you want JailZ to reach JailX that is also attached to bridge0?

rtyler would you be open in testing my Jail orchestrator? it's basically a jail.conf.d wrapper.

only in a few cases where I have an application that needs to reach the postgresql jail (for example), otherwise I am intending to have each vnet jail effectively isolated

rtyler oh I have code for that. one sec

antranigv: something that's not ezjail, pot, or other? :D

rtyler none of the above. yes.

heh, hit me with a link, I've got a secondary machine here where I might be able to test it, this NAS/primary machine I don't want to fiddle with too much

rtyler: my secret is that i let other people do the work, and just make small strings between many big dots

for example: someone wrote a patch for me: reviews.freebsd.org/D38898

Title: ⚙ D38898 virtio_random: pipeline fetching the data... This hides latencies that reach 500us, where otherwise we are busy looping...

rtyler yeah indeed, my software is still beta.

for a debugging job that took only 2 - 5 days :P

lemme get this firewall first

if a port needs kern.elf64.allow_wx=1 to function, would it be considered a "bug" with the port?

hey rtyler , you need these lines

f451: yes

f451: bugs.freebsd.org/bugzilla/show_bug.cgi?id=268363

Title: 268363 – www/node16+: needs wxneeded

meena: ty

i had half a day going mad getting it to work lol

rtyler I'll do line by line (except the nat thing). 1: block in all ; this will block everything; 2: pass in on bridge0 from any to bridge0:0 keep state ; this will allows the jails to reach bridge0 itself; 3: pass in on bridge0 from any to ! bridge0:network ; this will allow the jails to reach everything EXCEPT the bridge0 network ; 4: pass out on bridge0 from $j0 to $j1 keep state ; this will allow j0 to reaching j1

rtyler btw, j1 can't reach j0 by itself. j0 has to initiate the connection :) so your j1 is the DB in this story.

meena: this would also cause devel/electron22 build to fail, i guess

f451: same reason: blame electron

v8

i mean, v8

ok ty

nfs giving me grief

Title: exports.md · GitHub

can I do nfsv4 exports with different roots? i.e. both /usr/* and /var/www/freeside there?

dch: I think youu need to do "V4: /" on the first line

how does -sec=sys work btw?

but if they're zfs datasets, you can use the sharenfs property mentioned in zfsprops(7)

debdrup: its is zfs but I struggled with that in the past, so this was keeping things simple

fair

does having `V4: /` expose the other filesystems somehow?

i didn't have problems with it for what little that's worth

dch: no, it just tells nfsd which paths should be exposed as v4

err, not exposed

should be mountable as v4

try (d)truss'ing a manual mount of a share that works as opposed to one that doesn't

see where it fails

also, is it intentional that in the manual mount(8) command you're using the wintermule hostname, but in your fstab you're using straylight?

i should fix the gist

too much copy pasta

meena: i'm not sure something needing to do write AND execute as opposed to the default write XOR execute counts as a code

s/code$/bug/

I have both straylight and wintermute doing exports

debdrup: yeah, but it's called bugzilla, so,

but wintermute has the phat www dir

and straylight has the arm64 src & obj

dch: like i said, (d)truss

debdrup: oh there are 2 issues

1. the exports, I think your suggestion to change the V4 / will fix that

and 2

2. the manual mount works, but the same syntax in /etc/fstab fails