gn, I'm in a kind in a pinch here

I suspect disk may be approaching eol and corrupted some files...

for example, /bin/mv

I'm trying to freebsd-update, but it relies in /bin/mv itself

try adding /rescue to the start of the PATH

(it contains some basic utilities)

Title: bin - src - FreeBSD source tree

yuripv good idea

well, /rescue/ is surely full

yuripv do have to check one by one or is there some faster way to know which of them needs to be restored?

well, /rescue contains a lot of utilities packed into one huge binary, so i don't think copying it over to /bin is a good idea :)

i just thought you could use what's there for your freebsd-update run

yes but I'll need /bin/mv back at some point and I'm not sure upgrade'll do it

I can try though

it seems to be working... yuripv thank you very much

rwp: I'm wondering whether freebsd-update is messing the flags up. but I can't easily check because there don't seem to be any updates for the image I installed

hi

hello

how do i find the version of the base system? "uname -U"?

uname -U returns the userland version. uname -K returns the kernel version. these should be the same unless you're in the middle of an update, or you failed to complete an update properly

dacha: freebsd-version -kru

seems like it is "-U", uname gets it from "snprintf(buf, sizeof(buf), "%d", __FreeBSD_version);" which comes from /usr/include/osreldate.h so it's a compile-time hardcoded setting

thank you

or you are using an i386 chroot from an earlier release

yes, or something similar

uname -U is literally the version that uname was compiled on, as you said

sometimes, one has to resort to using awk to grab __FreeBSD_version from sys/param.h

(I have tools that use that when setting up system images, since the image might be for an incompatible architecture so running the binaries isn't possible)

interesting

gah. I hate seeing things like this:

/* ... if no flags are set, return the empty string */ and then later, if (length == 0) return NULL;

dammit, am I going to have to report another libarchive bug

ugh, 360 open issues

RhodiumToad: libarchive does something pretty horrible too where it gives up creating an archive after the first unreadable file. previous tar versions keep going instead and exit with an error after having added all of the files it can to the archive.

eh, not sure that's a bad thing

what if you use tar to create backups of some directory and there just happens to be *one* zero permissions file in there. what if you have a cron job doing that unattended. it's OK that it exits with an error status at the end but I don't want it to just give up midway and not backup the other files...

hm

anyway, libarchive already has code to support "delayed error exits" but it's broken. I have a patch to fix it but it's in one of the 360 open issues lol.

I wish FreeBSD's pax command supported the pax file format.

I know FreeBSD's tar command supports it.

doesn't it?

ah

so that was added in issue 6, and probably nobody updated /bin/pax for it

I've done some POSIX-related patches for FreeBSD before but I am not smart enough to do archiver things. :B

I wonder if there's a way to attach the code or backend that tar(1) is using to pax(1)

the libarchive code

but yeah, pax format is cool, it doesn't have a tiny 4GB (4GiB? something) file size limit like ustar does

whenever i try to back up a file system with the ustar format i run into that issue pretty often

so I switched to just doing ZFS backups and rsync backups instead of .tar ones, when possible.

pax is a separate program and not a client of libarchive, converting the libarchive code to work with it is probably not easy

True.

that actually sounds like a useful project though.

for some reason I thought libarchive provided a pax(1) implementation, but on second glance at contrib/libarchive I think I was actually thinking about cpio

Yeah, I know both tar and cpio use libarchive on FreeBSD. (meaning cpio(1) also supports pax format!)

getting that libarchive error issue fixed would also be good.

(the bug I was looking at is trivial by comparison: it was just the fact that the entry_get_fflags_text returns NULL for "no flags", whereas entry_set_fflags_text looks like it would segfault if passed a NULL string)

Aha...

otis: I've not solved my problem with Hetzner VSwitch and VLAN, ping doesn't work yet: I've dropped FIB 1 and here there is output with arp -rn:

Have you more hint?

Title: magnet_web paste from Someone at 217.168.150.38...

it might be interesting to tcpdump to find out what those incoming packets on the vlan are?

RhodiumToad: thank you, I'll do and report

I would use tcpdump on em0 with 'vlan 4000' as the expression, including the -e flag

RhodiumToad: thank you

there's another host on this vlan somewhere? if so, you could try pinging from that, and seeing whether you get arps or icmp or both

Even though I limited my sshd port on my server only to my home IP, by PF on FreeBSD, (and I checked with different IPs to see if the port is open/available to connect - it was not), I still have logs like: sshd[40074]: error: PAM: Authentication error for root from static.152.126.12.49. Any idea?

I assume that's not your IP?

anyone know how to get tar to display file flags?

RhodiumToad: No, it's not. That's why I'm wondering how come it can reach to my sshd..

I'd guess an error in your pf configuration then

RhodiumToad: The line is: pass in on $ext_if proto tcp from my.ip.ad.dr to any port 22 flags S/SA keep state and it seems it does the job, the port is not open to anything else than my IP

*double wondering

there's no line anywhere else that could pass the traffic?

RhodiumToad: Well.. Don't think so? Here's my pf.conf file: bsd.to/Mb7U/raw

Title: Mb7U

is anything in the whitelist?

Checked for that IP, it isn't there.

The IP from the "sshd[40074]: error: PAM: Authentication error".. line.

is anything there?

Yes

IPs of Cloudflare and my dedicated server provider's DNS.

any of them with prefix ranges?

what freebsd version?

hm. it shouldn't be possible for sshd to report "static.152.126.12.49." as the remote host, unless there's more to the message than that

howdy, I have an issue with a pfSense instance spun on a VPS termbin.com/feaf

in ifconfig output, after that `/sbin/ifconfig ovpns1 192.168.30.1 192.168.30.2 mtu 1500 netmask 255.255.255.0 up` I see ovpns1 is there but not configured

the previous messages suggest that tun1 is already in use

I guessed that, not sure what "In use" means here though

from man.freebsd.org/cgi/man.cgi?ifconfig I see that syntax is the `create` one with address and dest_address

Title: ifconfig

if I try to run the command again now that I see an unconfigured ovpns1 in ifconfig output, I get `ifconfig: ioctl (SIOCAIFADDR): File exists` that seems appropriate

does fstat /dev/tun* /dev/tap* return anything?

nope, just the headers

I'm not sure then.

maybe unconfigure the interface and try again

eh, I wish I was able to

?

but I am looking for the actual issue now that you pointed it out, got a couple promising results

I mean I am not familiar with freebsd, more importantly with pfSense, I have little idea what is it doing

ah right

unconfigure the interface you meant removing ovpns1 ?

no

RhodiumToad: FreeBSD 13.2 + there're CIDR ranges as well, yes. But the reported IP is not in there.

tercaL: was "static.152.126.12.49." the actual end of the message or was there more?

RhodiumToad: Randomly getting only a single line (but the same IP/Host) in auth.log file: May 11 08:11:00 sshd[58811]: error: PAM: Authentication error for root from static.152.126.12.49.clients.your-server.de

Nothing else related to it.

tercaL: what IP were you assuming that referred to?

ah ok, I see the few results I found had a mismatch between daemon reported status in interface due to wrong PID stored in file

tercaL: (because the actual IP there is 49.12.126.152)

tercaL: hello, fellow Hertzner

RhodiumToad: Aahh, my bad.. So it's reverse, forgot about it..

anddam: Hello.

RhodiumToad: the only unconfigure reference I found is `ifconfig -tunnel`

with UseDNS on in the config, which I think is the default, sshd will log a verified hostname rather than an IP

RhodiumToad: Thanks a lot! *blushes

I assume the actual IP is indeed in some whitelist, explaining the result?

exactly.

That's it.

‎

 

Heuy guys, I got a small problem on an HP 10-bay server. The machine has two internal SATA drives which are setup as a ZFS mirror for the OS and 10x SAS drives in the bays. The server boots fine from the internal SSD mirror when I remove the drives. However, when I leave them in it is unable to import the zroot pool. So I took the drives out, rebooted, all wennt fine. Then I inserted the disks (hotplug) and then 'zpool import' shows the disks but it seems like they

have a left-over zroot on them from an earlier experiment.

I do know that previously I wanted to have the zroot on those 10x bay disks but I abanonend that idea. presumably there is some 'zroot' pool identifier leftover. How would I go about cleaning this up or resolving it in general?

dd some trash on the first few sectors or these drives?

gah, be careful :-)

what do the partition tables of those drives look like?

and is there supposed to be any data on them?

RhodiumToad, each of those 10 drives has only one partition of type 'freebsd-zfs' with index 1 and a corresponding glabel

RhodiumToad, nah, I can trash the drives and start over - but if I don't have to I'll gladly learn about that :p

what does zpool currently say?

RhodiumToad, bsd.to/Se1A

Title: dpaste/Se1A (Plain Text)

RhodiumToad, first one before I inserted the disks, 2nd one after inserting the disks :D

RhodiumToad, this one is better: bsd.to/Se1A/raw

Title: Se1A

ugh

exactly.

I think what's happened here is that when you did the "earlier experiment" you were adding daN to a pool directly rather than via a GPT partition (i.e. gpt/blah or daNpN)

exactly!

and the result is that there are two sets of metadata blocks on each disk, at different offsets

jup

if the "storage" pool is empty, then by far the easiest fix would be to wipe the lot and start over

indeed

how far in do I have to wipe the disks?

well, there's another option, let me check it first

it's possible that careful use of zpool labelclear might be your friend, let me just check its code

much appreciated :)

dammit, where does the zfs source code live these days

ah right

ugh. that won't work

to be precise, labelclear of the faulty labels stands a good chance of clobbering something relevant on the functioning pool

that is reasonable - I mean this is a pretty gnarly scenario

I'll just start building the pool from scratch.

how far in do I have to dd each disk?

to wipe everything, what I'd do is gpart delete / gpart destroy on each,

that is what I did AFTER my initial "experiment"

that is what got me here :p

then dd zeros over at least the first 10 megabytes,

aye

maybe more like 64 if you want to play safe

I do like to play safely

gpart destroy should suffice tho, right? no need to gpart delete first?

in particular, anything less than 4 megabytes is likely not safe, zfs seems to like to leave big chunks of padding at the start of the disk

I guess destroy -F would do it

(without -F it wants the partition table to be empty first)

GPT puts a partition table at the end as well as the start, so you have to do the destroy as well as wiping the start of the disk

gotcha - thanks!

on it now

hmm, I never noticed that

just wanted to say that that is maybe just the ESP but nope. there's clearly an EFI and a freebsd-boot on my systems too

time to figure out how to turn on the location LED on a HP server

sesutil is not doing it because apparently this enclosure doesn't have a SES device

(or I am lacking some freebsd support)

ses device is supposed to be built into the generic kernel

hmm, I have almost no HP server experience

the controller seems to use the ciss driver

ah.

is there a way to turn on the location LED for a particular disk with/via/through ciss on FreeBSD?

I don't know

RhodiumToad, the server now boots successfully with the storage pool. thanks for helping out!

you recreated the pool after re-partitioning the disks?

jup. and overwriting the first 200 MB on each disk

zpool create did complain about an already existing pool afterwards tho. but -f took care of that

... huh

yep

my assumption was that zfs keeps pool info in multiple places - not just the first few megabytes

jbo: you should use zpool labelclear to get rid of the labels (yes, there are multiple ones, you can see them using zdb -lll vdev)

that's not likely to be a good idea if there are overlapping zpools

i.e. the result of doing two creations at different offsets from the start of the device

as happens if you use daN the first time and daNp1 the second, etc.

btw is pfsense in topic here?

I felt asking since I was having issue with the tun interface, so seemed pertinent to the actual underlying system

RhodiumToad: what did you actually mean with "unconfigure the interface"?

I mean 1) which interface was that and 2) how do I unconfigure an interface?

either removing the ip address from it and marking it down, or destroying and recreating it

oh that's what I figured, but you said the iface was not ovpns1

that's the name it's been given?

are you guys using any utility to manage your bhyve VMs?

can anybody recommend vm-bhyve or similar?

I have heard positively connotated mentions of vm-bhyve, does that count?

seems like klarasystems would also "recommend" that

I've been using sysutils/cbsd for years - want to try some other options tho

is it possible with rsync to strip the first directory level/path from the destination ?

aka: rsync -avR host::export/files.12.5.2023/dir1 /bkp/

right now it also creates files.12.5.2023 under /bkp/

just the first?

last1: when using rsync the trailing slash matters!

sed/awk/cut ... run it into a variable and run rsync against that ?

it's not a trailing slash matter

yes, just the first

I've read through the options but I don't think rsync can do any kind of path conversions

thought I'd ask here anyways

rsync -avR host::export/files.12.5.2023/dir1/ /bkp/dir1/

that also brings over the files.12.5.2023 part

the only real solution I found so far was to change the export path in source host to serve directly from 12.5.2023 directory

and then I can simply do: rsync -avR host::export/dir1/ /bkp/dir1/

but that means I have to change daily that rsyncd config :|

dunno if this will help ya but rsnapshot.org

Title: rsnapshot | rsnapshot

I think that's just an rsync wrapper

last1: lose the -R

-R specifically tells it to use all path components of the source in the destination name

RhodiumToad: yes it was, I figure my issue is due to the custom virtual networking Hetzener is providing

where each host in the same network is actually routing through a hetzner additional host docs.hetzner.com/cloud/networks/faq/#how-do-i-setup-my-own-router

Title: FAQ - Hetzner Docs

in the diagram I have host A and B, C is not configurable but the route for 10.0.0.0 has to use 10.0.0.1 as gw

sounds like a hetzner support issue to me

RhodiumToad, losing the -R also loses all other path levels

so if I'm transferring host::export/dir1/dir2/dir3 , it will effectively create just dir3 on the destination

I was looking for a way to just lose the dir1 but keep everything else

CmdLnKid: yep, I am reading IRC only once in a while but I came to the same conclusion

filing a ticket right now

when I do a zfs send | zfs receive between two machine, zfs print a line like :10:40:32 188K rz2_pool/homes@2023_04_21

does that really mean it's transferring 188K per second? I mean these two machine are connected via 10G

it's only transferring like 80G and it's been running for days. I don't even know how to begin troubleshooting this

are there performance/security considerations for encrypting partitions and creating a gmirror on top of multiple .eli devices as opposed to creating the mirror on unencrypted devices and applying geli on the mirror device itself?

additional question: is there by now a mechanism to limit which boot-flagged geli devices a passphrase prompt is shown for? i'm extensively using gpt labels and associated my keys to the gpt labels as well, so all the prompts for /dev/ada* before that are extremely pointless and take a lot of time…

i just stumbled onto the man page of check-password.4th, but i'm not sure if that isn't what's doing the prompts i'm already shown.

someone in here used any good 3d printer slicers w/ freebsd?

phryk, unsure in your case if this would help but there has been some TPM work done that i seen recently ... papers.freebsd.org/2019/bsdcan/stan…ecurity_of_the_freebsd_boot_process

Title: Improving security of the FreeBSD boot process: TPM and Secure Boot in FreeBSD :: FreeBSD Presentations and Papers

phryk: you on EFI?

im sure there are more sources out there but essentially you could store your keys in the tpm and totally get rid of the password prompts

CmdLnKid: was that a reply to my last question or my secure boot question from a couple days ago?^^

just general information on your last question

[if-it-helps]

CmdLnKid: oh no, i want the prompts to be there. but only ask once for the passphrase and not try to attach all the ada* devices which have no associated keyfile anyhow…

aaah ok

like, i have like a dozen geli devices that get attached, but it keeps asking for adaxpy for every single disk before it even tries going through the gpt labels that actually have the keyfile associated. it always takes like 5 minutes of just pressing enter, entering the passphrase once and doing the same for every single drive when booting. :F

it's a nightmare tbqh^^

meena: yes. well maybe not yet, but i just did the efi setup for the zfs->ufs migration i'm doing.

if i could tell geli to either only attach devices with an associated key or only attach devices in /dev/gpt/ that would both work for me.

linux crypto thing with all its limitations is a lot more flexible on that regard

mhh, apparently there a multiple loader(8)s? how do i find out and/or set which one is used?

mhh, i get to attach my geli devices, but then i get "mountroot: unable to remount devfs under /dev (error 2)" and "mountroot: unable to unlink /dev/dev (error 2)" – anybody got an idea what that actually means?

/dev didn't exist, so it couldn't mount. new setup is now booting. still have to do some adjustments with stuff that's mounted into jails, but i got the music jail all set up and that's the important thing. :P

Music in jail, what a luxury

that reminds me that Sumerians invented jail. or rather, they were the first ones to document the invention of jail, after inventing writing

ugh. activated that geom_eli_passphrase_prompt option in loader.conf and now it refuses to recognize my keyboard ¬_¬

ffs can't even get into the uefi menu anymore. what the fuck does that option *do*?!

thought it was maybe the terminal->usb adaptor or the usb switch i have, but plugging in another keyboard directly via usb gives me the same result… machine is basically bricked.

okay, i just broke the keyboard in half.

broke it in half like this? youtube.com/watch?v=XScUYxLFt-U

Title: why is this weird keyboard so good? - YouTube

okay, so that passphrase option apparently blocks the system from initializing usb hids. and when i got that unfucked of course it doesn't even work and just throws away the collected passphrase because the dumb pos tries attaching devices it doesn't have keyfiles for first. genius.

phryk: this sounds like a bug

or two bugs

meena: i don't think so, just the result of lackluster engineering. uefi was set to skip usb initialization, wasn't ever a problem because loader or whatever would happily do the initialization… if it wasn't blocked.

as for the passphrase being thrown away if it doesn't work once, that's normal geli behavior.

geli is just a bit shit from a user perspective… :|

i'd try and contribute something, but i just looked at the code and it's not only pretty opaque to me, but also looks ugly as sin to me as someone who never did a lot with C.

he he he

all C code is like that

you can put some lipstick on the pig, but the next version of the mirror will just smear it into a grimace

like, there's a function definition (code style looking wonky af i will admit is subjective) and afterwards there's a SYSINIT(…) call in the root scope of the code? like, i wasn't even aware that's possible (maybe it's a preprocessor macro or something?) but it for sure doesn't look like clean code.^^

link?

err, g_eli.c line 121, possible from 10 years ago?

i just looked into my /usr/src/sys

Title: g_eli.c « eli « geom « sys - src - FreeBSD source tree

was hoping i'd stumble onto some undocumented loader hint or something…

anyhow, i wanted to actually be done with this and start my actual work… 7.5 hours ago ¬_¬

I would open a bug. usability bugs are still bugs

not quite sure, but i think i already opened one about the geli+gpt stuff like a decade ago.

and the old setups zpool doesn't get imported even though the geli devices are all attached and i got zfs_enable="YES" in my rc.conf… i hate computers. T_T

Hi! anyone has a tutorial link to migrate a virtualbox (.vdi) and get it running on vm-bhyve ?