rtyler: he might be asleep (4am)

rtyler: Oh, interesting. Surprising it's not six.

There's tradition to be observed. Multiples of six are canoniacl.

canonical too

any checklist for hardened freebsd? I want harden my freebsd but still usable for daily. I'm student

al1r4d: wiki.freebsd.org/CategorySecurity

Title: CategorySecurity - FreeBSD Wiki

Thank you, mason

The handbook will have stuff too. Looking.

al1r4d: docs.freebsd.org/en/books/handbook/security

Title: Chapter 15. Security | FreeBSD Documentation Portal

The handbook is generally going to be useful: docs.freebsd.org/en/books/handbook

Title: FreeBSD Handbook | FreeBSD Documentation Portal

:)) thank you very much

Sure! Enjoy.

mason: did you hardened your freebsd?

al1r4d: Out of the box defaults, and I make sure to install devcpu-data.

I choose a couple security options during install usually, and I use full-disk encryption as well, I guess, so not all completely vanilla, but close.

al1r4d: also check out hardenedbsd.org - a downstream FreeBSD project paranoidally focused on security

Title: HardenedBSD

al1r4d: start with what you're hardening *against* and what you're trying to protect

it depends mostly on context...

a server in a colo.

laptop at home or traveling across the globe.

dont approach security like a checklist

start wiht threat modeling

and al1r4d aint here!

oh well

checklist approaches to security are a problem..

oh rip

forgot i turned off join/leave messages lol

gman999: absolutely

and turn into non-technical ppl promoting them as cure-alls

i mean what i do with a tor relay is very different from my laptop

but preaching to the choir prob..

and i just watched gnn@ at asiabsdon in 2019 who made some related points.

gma999: all true

gman999*

so i did a workshop years ago around privacy tech stuff.. "please stop teaching tools"

it was the ugly example of checklists and workshops

checklists are good to find out where defaults lack. FBSD notably has not the best defaults when it comes to security

ie, stop telling targeted communities what to use without knowing their thread model

well... again it depends

i mean random_ip_id...

yeah, some low-hanging fruit that is a no-brainer really to enable

maybe doesnt play nice wiht nfs but necessary in other contexts

there is usually a reason that knob wasn't turned

i mean, syslogd not listening is low-hanging IMHO

legacy/stuborness/laziness/dogma

hard to say.... specifics matter i think

all the good reasons not to update defaults - some shit app somewhere will break!! omg

so so true

trains will stop running. my fridge will attack the cat.

yes.

ngortheone: god forbid we have to check up on the stuff we skimped on in the beginning

Are there checklists? I figured pointing the fellow to the handbook would give him stuff to think about.

idk.. someone dumped some ^ including from handbook

right?

carets?

a bit opinionated article, but has some good points on defaults

Title: FreeBSD - a lesson in poor defaults

Oh, the hardenedbsd thing? I don't know what they offer up.

so again.. it depends.

i hear the various linux arguments on 'normal defaults' then mitigation..

and i sort of laugh..

totally diff approach on some level

"running out of X limits? make it unlimited!"

an author is openbsd funboi obviosly, so take it all with a grain of salt, but there are good points on some defaults.

X is really a one big snooping device. if you run a browser that runs javascript from random websites - X is not a good thing.

+1 ngortheone

intersting from that url ^.. blacklistd/blocklistd (now) isn't ported to openbsd.

wayland is much better in that respect - to gman999 's point - security for the modern desktop where 99% of the code we run on our desktops comes from internet written by js monkeys

i haven't tinkered with wayland at all yet

so how to harden in that case? a) run wayland b) if you can'd do a - run browser in a jail with a separate X server

sway runs great on my box since 2018

if you like i3 - it is a painless switch for the most part

well, give me jails over any of the standard virtualization options.. by far.

but the sandbox/jail/qubes approach is often done poorly and worse

IMHO

i ran jails in prod for a long time but dont now

and im a fan of how small and clean they can be.

but thrwoing more code at problems isn't a solution in itslef.. and often a danger

yes, the whole UNIX approach start falling apart when you try to jail GUI apps. Lots of ductape is required to make it work. This is where people who konw things remember that there was Plan9 with much better ideas...

:)

so this is funny from that url ^

I don't know anything about IPFilter, nor do I know anyone that uses it, so we'll pretend it doesn't exist.

it's been *that* long?

FBSD has 3 firewalls IPFilter being the least popular option, but it is still aroun

yup.. i remember when that whole riot happened at a usenix?

darren reed was the ipf dev?

idr...

and pf was born in response

I run IPFW and I am happy with my life

not looking at other firewalls

there are advantages of running pf or ipfw in contexts..

i dont run ipfw anywhere any more

barely ever did

i went ipf to pf mostly

lots of people are happy with pf too

there must be something to it

idk anymore.. i used to care to compare, now dont have the time or drive to

yup, both options work for the majority of typical usecases. Just use whatever your fingers remember to type and save time for better things

kde plasma wayland session is being worked on by some desktop folks, so that is coming... all who use KDE will get wayland for free at some point

i.e. kde wayland works on linux already, but not yet on FreeBSD

kde! too heavy!

well, then try sway

oh, i'm happy with xfce or cwm

it is the leanest WM on wayland, maybe except labwc - an openbox inspired wm

Title: GitHub - labwc/labwc: A Wayland window-stacking compositor

then wayland is not coming your way soon :P

is there a distinct name to the FreeBSD init system? context: if I want to have folders for multiple init systems to hold example scripts, like "systemd", "openrc", what name should I choose for the FreeBSD init system?

Grabunhold: it's just rc as far as I am aware, perhaps just "bsd-rc" or something like that would be sufficient.

rtyler: okay, thanks!

of course, there are no systemd. and with some effort it maybe possible to use OpenRC

Grabunhold: multiple init systems sounds like a bad headache

just use the one with the system or use a different system

rtyler: angry_vincent: i've written a FreeBSD init script for a package (not owned by me) that already supports systemd, openrc (and solaris SMF for that matter). i just want to upstream my script.

and the way to do that is to create a folder to place the script under, because that's what the other systems have

and that folder needs a name :)

no need for any init system wars

ngortheone: "French words are hard to spell" — 28% of English vocabulary is French

imagine what poudriere would be pronounced today, if it had been imported 1000 years ago

"pudry"?

There was a discussion about this a few years ago, that IIRC ended with "poo dryer" and "powdery air" camps.

lol

i like the former

I would go with: highfalutin jailed port maker

or hfjpm, "hypm"

"f" is silent

do we have anybody using gitea on FreeBSD here? I have Questions

poodryer FTW

probably yak poo

If I'm right lattera is using it

cool

I need a hand to work out what the startup message for forgejo should be, and how to migrate across

dch we do

dch So is Forgejo basically the same as Gitea?

exactly the same only still FLOSS not FLOSS--

Title: Codeberg Forks Gitea to Forgejo | Adamsdesk

gitea surreptitiously registered a trademark, transferred the assets, and became a company

Isn't that a good thing? that means it's becoming... self-sustained?

ergochat/ergo #2056 bsd-rc it is :)

Title: Add bsd-rc init script to distrib by avollmerhaus · Pull Request #2056 · ergochat/ergo · GitHub

antranigv: the key bit was "surreptitious" if this had been discussed up front, maybe

its a FLOSS rug-pull

Grabunhold: ooh yeah hella port when will it land?

ooh its already there

dch: there already is a port, it's just missing the init script

Grabunhold: will you PR the rc.d file too? I'll install it ASAP :D

i'm not the port maintainer, but i was hoping they might pick up on the upstream init script. if not, i might try and add it to the port as well

you can just fwd the PR to yuri I am sure he will grab it willingly

Grabunhold: we just need gamja or kiwi web front ends in ports

i'm in the process of migrating my linux + ngircd based small private irc server to FreeBSD + Jail + Ergo. not all done but close, so far it's been a fun project and i'm very satisfied with the results so far :)

web front end might be in the books later on, i still need to port quassel and my bot and quote db over (and write ansible for all that config)

i'm also porting the virtual machines that run on said server from linux + libvirt/kvm to FreeBSD + bhyve

(eh, quassel as in quassel the irc client)

(and since we're talking server, i'm talking about just the quassel core. fortunately there already is a ready-made pkg just for the core without all the gui deps of the frontend!)

dch: thanks, i'll drop yuri⊙Fo an email :)

hello folks. Thenhandbook is inbelivable… I just read the security page. Whaou… May be read a handbook page every day could make the kenel panic away :-)

sadly, fixing panics is a bit more involved that that :(

than too

yuripv: sure, I was just joking :-)

can DNS just, like, work?

for whatever reason OVH is refusing to add a nameserver saying it's not configured for the domain, `dig domain @nameserver` responds as expected

DigitalOcean lets me add a zone to their nameserver thingy no matter if it's actually the NS server for that zone or not

well, yeah, for a start I'd like OVH not to do any validations

it takes 5+ minutes and then 5 more to roll back if it fails

it's very annoying.

on a positive note, massive shoutout to nsd(8) that is just absolutely fantastic to work with

domlaut: OVH IS annoying.

I don't have a better EU-based alternative :(

i stopped using OVH when i needed their recovery remote KVM thing and had to try and recover a bootloader problem with my physical keyboard in german, the ovh KVM thing set to french layout and the bootloader and BIOS of the remote system using a US layout. that, plus a very hefty delay. in the end, i gave up.

yeah, server-wise I'm with Hetzner

next to useless, and they have the nerve to charge hefty prices for that thing

have been since 2018, rock frickin' solid.

servermania is ok, although they charge you for two months if you cancel within the first month

Lovis_IX: but one can hope, right

i've been lucky with the KVM incident though, a few month after i moved because of that they had their big datacenter fire

but then for domains I figured maybe have that somewhere else, just so it's not all with one provider. and OVH generally has cheaper domains (and does tax correctly for businesses)

maybe using OVH's API can skip NS validation... hm. I'll write an email to support either way to check if it can be disabled, cause otherwise I'm happy with them for domain hosting

and getting audit emails re: changes - I really like that

something Cloudflare and Google Domains don't do, AFAIK

domlaut: there is scaleway (based on France), or hetxner (based on Germany, which I use). For DNS only there is Gandi, BookMyName and sure there is may other.

Lovis_IX: I use Hetzner as well - just not for domains. I thought Scaleway was OVH too, just a subbrand

Gandi looks like a cool service, but they're *always* the most expensive one

difficult to justify for non-profit work which is currently where I'm at

I do know they fund a bunch of OSS so I do use Gandi when I'm working with corp funding :-)

domlaut: no scaleway is not a subbrand of OVH, but a subbrand of online which have Free dans free mobile as other subbrand.

ah, right, online

ok that's something to investigate then

thanks!

domlaut: you're welcome.

anyone here has knowledge about testing? I'm trying to write a tests, but no idea if my methodology is correct :D

antranigv, the best I found is youtube.com/watch?v=RYtwx7Jj8aE

Title: Automated firewall testing - YouTube

any relation to the hamburgler

antranigv, I think it depends on what you're testing.

I've worked for NAS development & testing engineers and saw a lot of their methodologies.

I've also had a job where I wrote automated tests for a suite of RESTful APIs.

Testing those was essentially CRUD routines.

pretty sure this is a quick question ... TIA but /etc/etcupdate.conf are these values boolean ? e.g. FREEBSD_ID=1 or FREEBSD_ID=TRUE, FREEBSD_ID=YES, FREEBSD_ID=ON ?

there seems to be no example conf that i have seen in a search or something with a good description of what each var should be set to

not that ive seen anyway unless someone could point me to it

so I had to add two lines to /etc/rc.conf re: ipv6, then executed /etc/rc.d/netif restart vtnet0 to apply. this causes dhclient to exit with "My address (<ipaddress>) was deleted, dhclient exiting" and lose ipv4 connectivity. what's the proper way to do this?

domlaut[m], when restarting netif, I generally do it like this: service netif restart && service routing restart &

Well. .. if I'm shelled in and not local.

Host will lose its routes, so generally routing needs to be re-run as well.

The && will normally make sure both commands are run, even if your connection in drops.

command before && executes normally return(0) then second command will execute

; ensures every command runs

as long as they are typed correctly ;)

antranigv: freebsdfoundation.org/wp-content/up…The-Automated-Testing-Framework.pdf

good article by kp about ATF and kyua, explains in lay terms how to get started with testing

why isnt firefox just working after installing it?

meka: sorry, didn't get the context about french words, sorry. What was it about?

At one point you had to manually enable hald and dbus to get firefox working

check.

firefox works nicely without dbus or anything else on my box, just install and run

run it from the console and see if it complains on something

getting some sort of could not determine network status bs...

well. I continue using chromium then

ngortheone: yea, it complains....

ngortheone, french words?

meka: oops, sorry, it was meena, not you. Need to wipe my glasses and get a cup of coffee

hehehe, no worries :o)

CrtxReavr: heh, that keeps dhclient alive, but it looses the route :-)

I'll have to comb through the docs for this one I reckon

although service routing restart did fix my ipv6 connectivity so that's great

script something to re-add the default v4 route?

CmdLnKid, you can always script it if you don't trust your typing.,

just a && /etc/rc.d/dhclient restart vtnet0 at the end will do

for the time being

Which shoudl be the same as typing 'service dhclient restart vtnet0'

that or more likely I just disable DHCP given it's a server

if my public IP changes I have bigger issues than having to KVM

I remember when they added that service script and I griped about. . . "What are we, a linux distro now?"

:-)

Though. . . it was written by Doug Barton, whom I knew and really trusted his work. . . eventually embraced it.

dougb@ actaully coached me a lot when I started getting heavy into shell scripting.

ngortheone: re vez.mrsk.me/freebsd-defaults.html that sentence is from that article

Title: FreeBSD - a lesson in poor defaults

meena: well, I personally find french words both hard read/write and say, so don't disagree in principle, but it is completely irrelevant to the article, so I think the author overstepped the boundary a bit

how do other BSDs, that auto-encrypt swap, deal with crashdumps?

not to mention that english spelling is so logical and coherent by comparison

there are some valid points in the piece IMHO

but some is not..

there are dev decisions made that are thought out that the author clearly isnt weighing or even aware of.

more importantly...

the bsds are a small island in a very big sea.

the last thing we should be doing is focus on negative nasty critiques of other bsd projects

basically, a lot of it is: a promise of stable supportedness needs to make some terrible tradeoffs and how dare they choose these ones

the very resistant to change is something i've been discouraged by, even as a committer

oh, i woudn't argue against that vishwin at all

and it applies to all of us

yeah, it's all a dance

"engineering" (quotes required because legal term) is literally tradeoff management

but the pissing game between projects means we all lose

ha.. +1 vishwin

and security is risk management

yes... mitigation only.

same with privacy technologies... etc.

I think the author means well: I used to know him.

maybe.

He actually got me into sending patches to all BSDs

but it came off very wrong.

crtxreavr, np im posix compliant advandced scripter... haws gained me much.

that's cool..... there are some ppl i dearly respect and know persoanlly in bsd land who do things that i'm not fond of

to put it lightly

hasnt

the very ironic part with each bsd...

if you have to port something, pkg, driver..

and you have nothing to start with.. .

where do you go?

if another bsd has it.. you start there

we need to focus on the common denominators not to be hippies

but because we dont have a f'g choice

what are you talking about?

there's nothign ironic about that

rtprio... article in backlog.

I wish the BSDs would join forces. . . would only benefit the users.

Net has too many people trying to keep archaic hardware alive that really has no practical use, and use and Open has too much. . . too much Theo.

well, i dont think it's about "join forces"

that horse left the barn a long time ago.

I use different BSDs for different purposes: it'd be a loss if there were fewer.

And my own experiences with Theo were very pleasant as he helped me prepare a patch.

I hear it's different for others, but that's my anecdote.

+1 xtile

man, reading -misc ensured i never wanted to deal with him

what changed my mind about Theo was attending one of his talks. His expertise, energy and passion really came out hearing him speak live (as opposed to what one may encounter on the mailing lists). I would encourage everyone to hear him give a talk, see how he interacts with the audience, responds to questions, etc before passing judgement. Just my two cents

I hear that. . .

. . . but. . . the BSD community, with the exception of one week a year, is a collection of online communities.

and of the BSDs, FreeBSD is small and all the rest put together are minuscule

That's the environment Theo needs to primarily operate in.

That's a fair comment

I mean. . . Linux Torvalds is on record, having said he never would have started hacking a kernel, if BSD wasn't under legal attack by Sun & Bell Labs.

And to everyone's surprise, David won that fight.

Who's David? I could do with learning some more of this history.

I deal primarily in linux, professionally, 'cause these days where I work, I don't have a choice.

I have heard very good things about peoples' interactions with Linus Torvalds

But you'll never convince me that FreeBSD is the more mature, more stable, better documented code base.

er - isn't the more mature. . .

Linux just has the FOSS momentum behind it.

And yet. . . three major BSD platfroms continue to exist.

I think they could take a bigger chunk together, than apart.

There are definitely some "community and interpersonal issues" but we all seem to manage. You can't tell me that Linux doesn't have those too ;)

systemd!!!

Oh, I know they do.

had to say it

Before I discovered FreeBSD, I spent my time "learning to appreciate it more."

CrtxReavr: not four? ;)

xtile, were you thinking Dragonfly?

Admittedly I've only use dfly once

but yeah

(If you say macOS, I'll cut you.)

dragonfly another personality rift based distro

Yeah, they're out there.. .. I've toyed with it a bit in the early days.

I'm in a bad situation where I have Nvidia video card, so I only can use FreeBSD functionally on my desktop

but FreeBSD's probably the best for desktop usage anyway, right now

But I also saw the other side of Dillon's temper trantrums that lead to it.

there are personalities everywhere.

that's part of life.

> that's the environment theo needs to primarily operate in

no.

openbsd has certain opinions and that's fine and ideal.

i wish that freebsd and openbsd pf's didn't diverge as much

well, I read the backlog article and I don't know wantt to think? Is it true? Is it just a troll? Can't make my own oppinion, I too new in FreBSD

Lovis_IX: Pay no heed. All the systems out there to choose from have really nice things about them and are worth using.

And it's only through trying them in depth that you'll develop opinions that might sway you one way or another in the end.

having used openbsd before ages ago, my recent experience moving to freebsd has been much more positive. i feel like it's better integrated, documented, and a better general purpose server

mason: thanks, I did not have much time to test all *BSD. So I will continue to ply=ay with my FreeBSD and lean how to use it.

Lovis_IX: You'll get the most out of any of them the more expert you become with any of them.

i'm moving all my stuff of linux to freebsd atm

loving it

mason: I don't want to be an expert. I'am old, I'm disabled, I did not work for real. All I want it to have fun.

Lovis_IX: It's fun being an expert.

mason: sure… As the president of Exodus Privacy I have a lot of fun and expertise. :-)

so just a cheap plug... but i have my laptop today running freebsd on an x230. i use stumpwm as a unix workstation with virtualbox for ubuntu/windoze.

I think FreeBSD's good for casual fun too

both in terms of games and in terms of programming

StumpWM! \o/

I appreciate that FreeBSD comes with cc by default, among other things.

i just bought a t480. i booted usb to do a fast install to my t480, then booted usb to remove all the zfs filesystems. i did a zfs send/recv from my old laptop to the new, and after updating the bootfs flag, i rebooted and MY WHOLE SYSTEM MOVED HARDWARE

the t480 has the same OS, same packages, my same data, even the same snapshots from zfs-autosnap

neat

later today i'm going to shutdown my old laptop to single user mode, take a last snapshot, and do an incremental send to the new laptop. only changes will be copied, and it'll be current

hell, even virtualbox worked... out of the box ;]

i should get a new thinkpad, this x1 isn't holding up quite as well as i had hoped

supervisord, daemontools, something else?

(I need automatic restarting when whatever rc.d started with name_enable dies)

domlaut[m]: daemon(8) can do it

and then <name>_user goes into the rc script instead of using daemon(8)'s -u, right?

then the question is what do I do about all the packaged stuff that I want to run and restart itself, but don't use daemon(8) in their rc scripts

mason: i'm stumpy!

I'm thinking if it'd be better to have something working alongside rc to deal with restarts, given that no other package that I have set up to start itself on boot with <name>_enable does auto-restarting

aight, didn't find anything over at langille's, but I did find sysutils/fsc which seems like something I'm looking for

domlaut[m]: daemon(8)

I've moved to that from daemontools.

I also prefer it over superivisord now.

dvl: ok, but the way I understand daemon(8) is that has to be the command in a rc file

command=/usr/sbin/daemon

domlaut[m]: Why might that be an issue?

and then command_args to run the thing you want, -r -P yadda yadda

that doesn't help me with haproxy, for example, that packages it's own /usr/local/etc/rc.d/haproxy

There seems to be a requirement I have not read yet

ah, sorry, I'm on Matrix so I don't see when you joined. it might also be dropping messages? :-)

That's what Matrix does.

anyway, it (maybe) wouldn't be a problem for just my own stuff, but I also want to restart anything else that might happen to fail for whatever reason. my understanding is rc files aren't supposed to take care of restarts, so nobody writes them in that way

I think you're trying to find a way to restart existing applications automatically if they stop

but then if no other rc script takes care of restarting itself, maybe I want my rc scripts to behave the same/follow the same convention, in which case I need a tool that knows how to pick up rc conf, monitor what's enabled, and restart what I want

which seems like fsc is

mason: stop gap until I set up ZNC or whatever superseded it, if anything. been a while since I was active on IRC!

I just log in when I'm awake and /quit when I'm not

IRC is transient

My laptop goes to sleep when I'm away so that's a bit too transient :-)

Otherwise I agree. Missing messages is half the fun :-)

And then Matrix compensates by dropping some of my own! :-)))

it's a kind of jeopardy. Give domlaut[m] an answer but you don't know the question :-)

domlaut[m]: re daemon vs rc: ngortheone and i are trying to work something out: freebsd/meetings #9

Title: supervision: new group by ngortheone · Pull Request #9 · freebsd/meetings · GitHub

heh

How do I determine what PCI device to share with a bhyve instance to make a physical USB device available to the VM?

ghoti: I don't think you can share individual devices. I think you need to share the controller.

That said, I could be confused.

ghoti: When last I'd looked at that, I'd decided to just get a separate USB controller for a guest.

But then I ended up not doing any of it.

mason: I'm basically asking "what do I share"

ghoti: You're talking about sharing a specific USB device, and I believe the answer is, at least with Bhyve, "you can't".

yes, I know that, but I have no other USB devices in this machine at the moment.

Oh! Then you should find your usb controller in pciconf -lv output

I'm trying to make a sonoff zigbee dongle (umodem0) available to HAOS.

ghoti: You're not using USB for a keyboard even?

Hmm, I guess I am, though "ideally" I won't have to. :) If a bhyve instance has access to the controller, does that make the controller inaccessible to the host?

yes

Dang.

I do seem to have multiple devices though.. ehci0 and ehci1 Perhapsone is available.

ghoti: So, I decided that getting a dedicated USB card would be reasonably cheap and effective. I never went through with it but it was my plan so I could get something boring going in a VM to do videoconferencing in a FreeBSD workstation.

okay, I have usbus0 and ehci0 and usbus1 on ehci1, now to track down where my devices connect..

domlaut[m]: lots of good improvements coming to daemon, we are setting up a working group, we'd love to hear about usecases/problems related to process supervision

whee, the sonoff device is the only thing connected to ehci1 it seems.

ghoti: usbconfig

I would have used deviceinfo -p or what it was

ngortheone: restarting functionality-wise I'd need a restart-always or restart-on-fail (going by child exit code), and for the daemon invocation/monitoring to happen outside of the service's rc script (use case: rc script provided by vendor). I'm not sure the latter is (maybe even should be?) in scope of daemon(8)

And, of course, for it to know about jails :-P

But my use case is basically docker-compose, but with jails. Maybe more of a job for a jail manager, but it's all rc scripts anyway

domlaut[m]: please either create bugzilla bug for deamon(8) or send a pull request to the meetings repository for the working group. All of your asks are in the scope of what I'm planning for deamon

just to capture the ask so it is not lost

ngortheone: got it. I'll try my best to do that by sunday if that's okay with you

Ooo, more stuff for daemon(8)?

debdrup: yes, I have big plans for it

domlaut[m]: totally

ngortheone: something you wanna share with the class? :P

so far I've been doing general code clean up, a batch of changes hopefully landing today-tomorrow freebsd/freebsd-src #684

Title: daemon: state management refactoring by ngortheone · Pull Request #684 · freebsd/freebsd-src · GitHub

if kevans is going to be kind enough to me :)

after this change lands next batch of cleanup is going to be focused on switching daemon to kqueue as a source of all events, and removing signal handlers as a result

once that is done I will start fixing bugs/feature requests that were sitting in bugzilla for years

Title: meetings/2023-03-01.md at supervision · ngortheone/meetings · GitHub

there are at least 4 of them there

(there is a list of bugs in the meeting notes)

Oooo

this is where I add functionality that domlaut[m] is asking for too - this is quite reasonable to expect daemon to restart failed apps on conditions or at least capturing the failure event and log it

then, the next phase begins - convincing ports to switch from legacy daemon mode to supervised mode

use --long-options instead of short for readability

legacy mode in daemon == is when it does not fork a process to supervise, but instead execve's itself, so there is no supervision happening. Lots of ports use daemon in that mode unfortunately

long options are unpleasant

and then there are long-term plans: add config file support to daemon (motivation here is that there are a lot of features that can be added, we don't have enough flags for all of them, and at certain point it becomes easier t o use config file

xtile: it is a matter of taste, don't use them if you don't like them. From practical viewpoint long options reduce cognitive load when you are working with scripts.

i.e. it is easier to understand what "--close-fds" mean vs "-f"

long options actually behave differently from unix options: there's an important functionality difference. for example: gnuprog foo --bar baz sees --bar as an option rather than a regular argument

fewer tripts to the man page to understand what is going on

whereas, sanely: unixprog foo -b baz will see -b as a regular argument

longopts in freebsd have compatibility mode with short opts, where functionality does not change

interesting

long options were merged to deamon a while ago, you can try it yourself if you run current

but yes, there are always subtleties when it comes to mixing positional arguments and --flags

in the end of the day what matters is user's experience. if you encounter confusing behavior - please report it

xtile: man 3 getopt_long

A leading ‘+’ indicates that processing should be halted at the first

non-option argument, matching the default behavior of getopt(3). The

default behavior without ‘+’ is to permute non-option arguments to the

end of argv.

debdrup: is the class satisfied? :P

useful

ngortheone: yes, except that now I have to wait for all of that to land :P

me too

I do think that default behavior is dangerous though: means script writers have to use -- (end of options) when building robust scripts

but, useful to know

use it more often*

very ambitious and exciting. I just discovered that my apps, being written in Elixir and Erlang, ship with a binary that has a daemon mode (<app> daemon instead of <app> start) that can also handle restarting via heartbeats

...so I can wait for new functionality of daemon(8) for everything else and not deal with fsc et al :-)

but now I hit a snag where I can't use command, but start_cmd/stop_cmd/restart_cmd instead, so I lost rc.subr's chroot functionality (<name>_chroot)

(and _chdir, and some others that only work with command=)

guess I can chroot myself or define a workdir variable and use start_cmd="${workdir}/bin/<app> daemon" instead

elixir and erlang/otp in general has fenomenlly good internal mechanisms to supervise running proceeses

I wish more people in the industry used erlang

erlang/otp does most of what people use kubernetes today for, but 10x better and it was written in the 80s :D

you probably don't need daemon or other external supervisors if you use OTP the right way

unless your erlang VM crashes

Supervisor crashes the app by default after 5 unsuccessful restarts

sounds like you need to fix the app :P

That's true

but yes, in those cases daemon can help. Even today it can unconditionally restart the process if it exits

see -r or -R <seconds> flags

Yeah, I'd like it as a final failsafe and ideally a warn/log to syslog

the log to syslog on crash is not possible today, but this is somethings that I want to add

like if we get to the point that daemon has to restart it, instead of it being handled by OTP

and I think I saw the log to syslog (and kqueue) in fsc

but you've already mentioned you're working on implementing kqueue :-)

I'll jot down that wish as well

yeah, our deamon implementation is in quite a rudimentary state. Lot's of features missing if you compare it to the competition

if you need a solution *today* I recommend looking at s6-supervise (from

from s6 package

Title: s6: the s6-supervise program

it can be a bit of a pain to setup (requires reading docs attentively) but it works very well

here you can find examples on how to setup a service directory for s6

Title: s6/examples/syslogd at master · skarnet/s6 · GitHub

can I install a package without dependencies ?

man 8 pkg-add (--accept-missing)