"pkg-autoremove" is not very helpful in my case for I need Python packages as dependencies for other Python packages (see PyPI) installed in virtual environment(s), along with other build time dependencies needed when I build some ports

That does offer a list to non-auto remove a partial list

hello where I can find pxeboot for freebsd ? I dont see it on mirrors

it's part of the standard install?

this means I need to download an iso and it is inside ?

right it is inside, thanks

hello for booting via pxeboot, how to set console (I use qemu), does touching boot/loader.conf on the root-path is the right way ?

what do you want to set the console to?

baud=115200 console=ttyS0

I have set comconsole_speed="115200"

and boot_serial="YES"

I have logs on server that the NFS is mounted

console="comconsole"

but the console only show last Starting the BTX loader

with console="comconsole", no change

huh

let me check

what freebsd version?

latest 13.2

jump_message: .asciz "Starting the BTX loader\r\n" <-- that's the last message you see?

yes

hmm. looks like pxeboot can be compiled to always use a serial console

but that doesn't seem to be the default

if it's not managing to read loader.conf, then it wouldn't be able to switch to a serial console

I see someone having the same problem, probably i need to enable NFS over UDP

strange that the mount request is logged as succesfull

montjoie: Isn't mount always UDP? It's an RPC call.

yeah, mount is a completely separate option from actual file service, oddly

I tried with another nfs host which has not UDP disabled, no change

I removed the nographic from qemu, but no more success, the boot is stuck

other than compiling pxeboot with the serial console option, not sure what else to suggest

it's been a while since I tried pxe

the problem is not serial anymore, since with normal video output the result is the same

ah

can you tcpdump the nfs traffic to see what's happening if anything?

on qemu windows the last sentence is FreeBSD/x86 bootstrap laoder, Revision 1.1

and the cursor is blinking

hm

so it got most of the way through loader's initial setup, but I think that's about where it would stop if file access is failing

it seems the client try to access UDP port 0...

according to tcpdump

so something is wrong with nfs

it try to open boot, but ask it on port 0, so this is the issue

but why it uses port 0...

check whether it did a portmap call first

I see a call to sunrpc before

that should have returned the port number to use

wireshark help a bit more, the answer is PROGRAM_NOT_AVAILLABLE

does rpcinfo or equivalent on the nfs server show the nfs service as available?

it seem that nfs over udp is not enabled, but the kernel is built with support for it

is the nfs server on freebsd or something else?

nfs on linux

oh. I don't know about linux

on freebsd, -u and -t are separate flags to nfsd to control whether each protocol is enabled

if I don't set default versions of things like python in a make.conf – where does it come from? will one be defined at all?

default default versions are listed in Mk/bsd.default-versions.mk in the ports tree

phryk: from the framework

what RhodiumToad said

ah, neat. i assume those default defaults are what's used for the official pkg repo?

yes

okay it works now

so the problem was nfs-utils disabled udp by default since 2.1.1

thanks for your help

yw

great. thanks for the info. i think i know how my next poudriere setup will look, then. :)

so the UDP could be disabled both in kernel and userspace

phryk: painful without ZFS :P

meena: hell no. the automatically generated zfs datasets are where 80+% of the stupid mount breakages happen.

always have to mount some of the jails, ports trees etc manually after boot because that shit's so broken.

fun fact, I actually disabled zfs on poudriere, because I didn't know how the heck to backup that mess

yeah, no big surprise there.^^

with plain ufs it'll just be a poudriere dir. simple and easy to manage.

and if i want fancier stuff in there, i still have nullfs to mount around to my hearts content.

I still had it on zfs in the end, because without seventeen layers of datasets it's just one zfs send

I'm too poor for backups. I have everything mirrored because i'm still paranoid about failures tho. that strategy worked fine for over a decade now.^^

and if i had extra disks/machines to store backups, it'd probably just be rsync in a cronjob. :P

well, by Backup, i meant moving to a new server

that hasn't happened, so my repo was decommissioned with the old server

might be coming back soon

i'll be doing a new setup within the same machine. got myself 2new 4TB drives last month and am going to do a new setup for my homeserver on those manually so i can just reboot into it. will also give me some leeway if i forget stuff because the old system will still be around till i reformat the old 2TB drives. :)

for me, the fact that manually setting up a new system from a running one is so easy is one of the key strengths of freebsd. i don't even remember when i last used the actual installer… must've been around 5 years back when i got the current laptop.

I've used the installer a couple of times over the past few years - in VMs, to try and help out people with installer problems :-)

haven't used it for actual systems in a long time

The one thing I don't know by heart is the security settings the installer lets you enable. But I can look those up on my laptop^^

Which reminds me, I still need to read up on securelevels and see about secure uefi boot. Tho I think that would require a board that lets me write a pubkey to authenticate the boot partition or somesuch thing…

phryk: i think ASLR defaults to ON now!

lol, wow. wasn't that a downstream contribution from hardenedbsd like… 8 years ago? :'D

also is "now" 13 or 14?

no

hardened BSD uses a different kind of ASLR, it's basically what lead to the split

mhh, i vaguely remember shawn talking about handing it in as contribution when hardenedbsd already was a thing. otoh that was a long time ago so my memory might just be plain wrong.^^

i thought of switching to hardenedbsd a couple times, but the bus factor seems a bit problematic.^^

No, ASLR was developed independently.

The one in FreeBSD, I mean.

debdrup: ye, but might be that shawn made a patch that was rejected or something.

I don't think he did, no.

meena: "split"?

debdrup: mhh, yeah, i at least can't find anything on bugs.freebsd.org

As I remember it, HardenedBSD happened because Oliver and Shawn figured that notions of grsecurity (a company responsible for a custom Linux kernel build that cost money, and a set of free out-of-tree patches) were the only right ones, and decided to do a clean-room implementation.

As you can imagine, other people had different ideas.

yeah, i don't think much would speak against these features as optional ones, tho. but for aslr specifically, i'm not sure the current kernel design would allow for that to be a module as it seems to be a quite low-level thing.

It's also just not worth anything nowadays.

Even when HardenedBSD implemented ASLR, it was trivial to defeat, and it's only gotten easier.

ah, okay. my knowledge of that low-level stuff is sadly very limited^^

It dates back to 2001, for context.

not sure what difference that makes. i mean aes dates back further and is still considered secure.

The point is that it was effective back then, and that like any other security feature, it isn't a panacea that works forever.

scholar.google.com/scholar?cluster=9172709712739767577 and scholar.google.com/scholar?cluster=15808895045898589987 are the first two bypasses (from 2014 and 2016, respectively), and by 2017 the AnC attack demonstrated that it could be done in JavaScript.

Title: Google Scholar

I'm pretty sure there were ASLR bypasses before then, but there's little acedemic mention of it, so it's much harder to find.

yeah, the question is always: are security researchers going to find it, or somebody else?

repo.zenk-security.com/Techniques%2…LR%20bypass%20without%20ROP-JIT.pdf here's one from 2013

bookmarked. i'm slowly getting more into low-level stuff (have an ongoing project of doing libdrm stuff with D), but haven't done any security stuff that low yet. breaking ASLR might be a good first thing when I get time. :)

and the answer is usually: if somebody else does, you won't know

the slides from 2013 imply that it was possible to ROP or JIT past ASLR even before then, too

I love how all these security people think of really cool stuff to secure things up and down the stack, and then developers of a language runtime go, we need to disable that for security reasons

uh wat? :D

Title: 16.11.1 cant build and execute on FreeBSD 13 · Issue #40467 · nodejs/node · GitHub

40467 – Maintainer update port: devel/kprof bugs.freebsd.org/bugzilla/show_bug.cgi?id=40467

s/securit/performance/

sorry

ouch.

but meena, it has to go fast in order for javascript developers to be able to add more code

we can't just have a few hundred megabytes of javascript, we need many hundred megabytes of javascript!

do we have a wasm target for the kernel and base yet?

imagine what we could achieve if you could require freebsd in your JavaScript? people could finally use shellscripts in their Browser!

I think compiling shells to js or wasm is already possible and if not, python is and there is some shell (oil?) written in python

are there any javascript engines ported to wasm...

or browsers, even

imagine the fun

hello how to update automaticly a password on freebsd ? (for doing it when installing)

I want to avoid a sed in passwd file

I'd use "pw usermod" with "-h 0" in a suitable language: sh scripting, perl, python, or whatever.

For more, see pw(8).

V_PauAmma_V: thanks

meena: i think llvm ir lets you do javascript

debdrup: finally a sensible machine to run freebsd on.

a JavaScript virtual machine

or abstract machine?

whatever, it'll be good, i promise

meena == scary

and by good, i mean

but a python virtual machine would be much better, as python exposes much more of the internal interpreter state of the reference implementation

Hi, something is causing my system to freeze when running in X11. How can I detect/diagnose what is causing it?

It's that bad I usually have to just physically reset the laptop

it started happening a few months ago after updating some packages, so I have no idea which package/software is causing it

can you still ssh into it?

I don't run sshd

Im on the laptop now

after sometime x crashes and it becomes responsive again

anyone running nextcloud? does pkg handle updating it from version to version or is that still manual?

for example it just happened about 5 minutes ago was just sitting in x playing music and it became really slow and unresponsive and I tried to switch to a console tty, which eventually it did after a minute or 2, but then I tried to switch back to x and the session has crashed. I see the message "dwm: cannot open display". dwm is the window manager I use.

I've been struggling with this problem for about 2 months now and I'm *this* close to installing Alpine Linux.

if i want to encrypt a zfs dataset, do i need to create it encrypted or can i configure it post-creation?

which I think I will right now

great, i would advise windows 11 though

i see quite a number of people displeased with the system

i was going to ask if he had top open and how his memory was

is freebsd really that hard to use compared to linux? i dont have many problems with it, except my dumb gpu and drivers

some people are dumb. it makes things much harder (:

gzar: i find all software impossible to use. I get near a computer, and things start breaking

See also EUSER (814): User error, replace user.

i dont think its fair to call people dumb like this. especially when its a program crashing when it shouldnt

i get frequent kernel panics due to the nvidia-340 driver on my system. nothing i can do about it. setteled for buying a less old gpu in the near future as i dont expect this bug to be fixed

gzar: i moved to freebsd and it was no more difficult than swapping linux distros

but i'm old school unix

fact is, i think linux wants to be the next windoze.

their desktop push is driving all decision making

i want no part. i want a UNIX box.

freebsd is a better choice for an X11 workstation

and a server

i agree. I'm just saying

hw support isn't as good as linux, but linux for two decades has had limited support. i'm used to that

i'm just so grateful to have decent disk management, zfs, proper updates (bectl+zfs), and strong separation between os and user packages.

yeah same

the /usr/local separation is my favorite way of doing things

jails are also pretty cool

i'm trying to get my new homeserver setup with proper jails

bastille has been useful!

huh never heard of it, looks pretty cool

does anybody happen to know why my linux jails started segfaulting ? i used rsync -av to copy the jails from a different zfs dataset

gzar: logs?

dont know, its just prings a segfault when trying to run some linux binary inside the jail, i restored to re-bootstraping it

do other linux bins work?

and you might check syslog anyway

some work some dont, seems like only really /bin/sh works

find and other utils segfault

bizzare, /var/log/messages shows no extra info either

when i chroot into it i get the same problem

gzar: are you sure your linux compat is setup?

and also in teh jails?

that is what i am figuring out now

some mount chaos going on, i'll have to remount stuff

i recently re-built my kernel with gcc, could it be related ?

gzar, The detail of whether it worked before your kernel rebuild and failed after, or if it worked before the rsync and failed after, is critically important.

It could be related to either. But that a new bootstrap of the system works implies to me that the rsync was not complete.

oh, no not even a new debootstrap works

Then that would imply to me that it is the kernel. Perhaps compiled without a required feature.

You could boot back to the previous kernel and see if it is working. That would test this theory.

i rebuilt my kernel yesterday and booted into it today, yesterday i tested the devuan jail and it worked... so i cant really give the distinction

oh, yeah good idea

the old kernel is usually renamed to kernel.old right?

Also if it were me I would run "ldd -d -r /usr/bin/programthatfails" and see if all of the shared libraries resolve through the loader.

Because if the shared libraries are messed up then that would also explain the problem.

If in the other case that you had two chroots and one worked and the other did not then it would be possible to diff all of the files down both trees and see what is different.

First look for files that are missing or added. Ignore the content differences on the first pass. If all of that made sense then could look a file content differences.

Also if you are using Root on ZFS then you will have Boot Environments active too. Boot Environments ROCK! Run "bectl list" (or beadm list) and see.

Can then easily boot into a previous boot environment and do an A-B test that way, or a system recovery.

Title: BootEnvironments - FreeBSD Wiki

ldd also segfaults

almost everything segfaults in the linux jails

Oh!

I guess I feel a little silly suggesting that now. Since in hindsight that was an obvious situation. Silly me.

sh and its builtins work, some other programs work like cat. some programs manage to print a help message, but most programs just segfault

But if you try that on a working system you will see what I mean about it tracing through the shared libraries and reporting on them all being present or not.

not even bash works, just sh

This _feels_ to me like a missing kernel feature.

ah, none of the libraries were found

but thats me running it outside the chroot

chroot /compat/linux also segfaults

the f did i do

im rebooting into the old kernel and debug some more, thanks for the help

I admit that I subtly included -d -r in the ldd options because those are specific to the Linux version. If it was run in FreeBSD those options would barf. Indicating that it wasn't the linux version. (sly smile)

gotta run, bbiab

As I run let me direct you back to looking at the kernel, since I think the ldd shared library direction is a red herring and the problem is in the kernel feature set.

old kernel work

s

so it was the kernel

again...

maybe i should do a make world instead of just make kernel

seems like some kernel modules were not re-compiled

gzar: nice find. that's the linux compat ;]

i thought make buildkernel automatically rebuilt all modules

is there a command i can make to force it

kind of glad i've yet to find a reason to try and build kernel

i want a kernel built with gcc

not clang

gzar: make buildkernel does rebuild everything using the default kernel config (GENERIC) or whatever kernel config you provide with $KERNCONF.

alright, in that case something doesnt go right when using gcc

gzar: the tree should build with gcc.

it does build, but the linux compat layer wasnt working properly

well, it builds with the -Wno-error option

without it it detects uninitialized variables and aborts

alright, can confirm the problem persists when compiled with amd64-gcc

will have to try a make world with gcc later to see if it solves the problem but i dont want to leave my computer unoperational today so will do it some other time

Does aesni_load=YES in loader.conf actually help improving KTLS, SSL performance of Nginx, under FreeBSD? (My CPU supports Aes-Ni)

aesni is part of the crypto(9) framework, and ktls uses that framework. So it should be used if the actual ssl cipher in use is AES. but that's theory, I've not personally tested it

tercaL: it's specifically used for sendfile_SSL, which if memory serves is part of OpenSSL 3.x

Hmm.. got it. Thank you both, great answers.

See also, ktls(4)

Depending on how you want to define it, it's technically not end-to-end encryption - because that can only happen if it's from application layer to application layer.

It's as close as is practical, though.

seems like tracking latest pkgs isn't any less stable than quarterly because quarterly pkgs sometimes have problems too, and when latest pkgs have problems they get fixed faster. am i wrong?

Hello. The lp (lineprinter) command by default prints 80 columns on a sheet of legal paper.

I have some plaintext unix documents that are designed with an 80 column terminal in mind

however, I need to add § symbols, line number, period, and a space before each 80 column of text

I have already written a program to do this

the problem i'm having is the lineprinter lp command still only prints 80 culoumns

Is there any way to configure it to add just a few more columns to it's printing and possible control the left margin? preferably by decreasing the left margin by 7 or 8 characters

that would allow me to add the § subsection symbols for citation.

I thought UNIX was supposed to be good with plaintext

I am using a Hewlett Packard Deskjet 350 over the parallel port.

Use lpr instead? I think it has a width option.

whenever I try to use lpr it queues the job with no stdout but it doesn't actually print. upon looking further into the issue it's unable to connect to the locally running CUPS daemon.

I don't know why that is

Then I'm out of suggestions. I don't have a printer (or CUPS).

But maybe someone who does will see this and answer.

sfox: are you using CUPS?

(generally, if you have /usr/local/bin/{lp,lpr,lpq} then those are for CUPS, while /usr/bin/{lp,lpr,lpq} are for the BSD lpd

RhodiumToad, That's a good point. Because I am sad that installing any of a few dozen things wants to install cups. I would prefer they did not.

most apps that want to be able to print from within the app will use CUPS to do it, so they'll pull in at least cups-libs

I did a test "pkg remove cups" and there are 45 packages installed which declare they depend upon cups. Sigh.

anything with gtk2/gtk3 will want cups by default

Gratuitous comment on lp versus lpr from the scrollback: As I remember things, lpr has traditionally been the BSD print system and lp has traditionally been the System V print system.

correct, but there's a /usr/bin/lp provided as a frontend to /usr/bin/lpr

Right. Things today are that both systems provide compatibility with the other.