Oh good lord.

"The utility to build the packages requires the GNU tar in PATH. The BSD tar isn’t compatible. We need to rename the existing executable: `mv /usr/bin/tar /usr/bin/bsdtar && ln -s /usr/local/bin/gtar /usr/bin/tar`"

That's their solution instead of using a proper ${MAKE} macro :/

I kind of wish BSD tar would have an environment variable or something it can read as a hint for the expected behavior, and then invoke gmake instead where required. It would make porting easier.

...or tar/gtar, etc.

Hi, I'm new to freebsd, comming from openbsd. On reboot /etc/rc.conf get apanded by ifconfig_iwlwifi0="DHCP", since I configured lagg0, I dont see a reason why this should be there.

Voyager_MP: did you configure WPA?

yes

Voyager_MP: i reckon it might be responsible for that then

although it feels like a bit of overreach

Then I have a sound issue on a x1gen9, any help on this one ?

I have ng net

with ng_bridge connected to ng_ether and one ng_eiface connected to this bridge

after creating jail with vnet.interface = ngeth0 and starting ipfw on the host

i automatically get default rule in jail "65535 deny ip from any to any"

is this normal behavior?

Greetings!

I've tried to use make world to install FreeBSD into a jail

but then, the etc directory in the jail ends up not being populated

i.e. no /etc/rc, and an empty /etc/rc.d

what am I doing wrong?

I'm on a recent 14-CURRENT and ran

"make -j8 world DESTDIR=/myjail"

maybe,run make distribution instead?

that target is not listed in build(7)

Not sure where the world target is these days, but I always do buildkernel buildworld installkernel installworld.

distribution is a valid target.

oof

why is this shit not documented anywhere

It is, at least for 13.x, unless they're changing it for 14.x.

where is it documented?

build(7) doesn't even list the target

build(7), search for "distribute"

It's distribute*, not distribution.

oh,sorry, it is distribute, indeed

Also, for distribute it's DISTDIR, not DESTDIR. That bit me when I was originally trying to figure it out.

the distribute target is not listed either

and nowhere does it say that it needs to be run to properly install a system

Maybe you're missing man pages too heh.

no they are all there

You shouldn't need to run distribute*.

Title: build(7)

(also make distribution did indeed work)

It's on that page.

there is no target named "distribute" on that page

Heh, which browser are you using?

distributeworld it is

_xor: recent Chromium

Search for "Distribute everything compiled"

that is a differently named target

Scroll up, I mentioned that.

and it is not documented that this target needs to be run to get a full system installation

Also, I've had issues searching on some FreeBSD pages using browser find. It was odd.

Scroll up, I mentioned that too.

I can assure you that I am able to search for strings in man pages just fine

mentioned what?

I haven't used world target, but I remember it being used with mergemaster, which has been migrated to etcupdate now.

I am trying to create a new jail, not update an existing one

That you shouldn't need to run distribute.

so using mergemaster seems pointless

You don't need to use mergemaster, or etcupdate.

then what do I need?

just "make world" or "make buildworld installworld" did not install etc files

I'm saying that because you ran the `world` target, which I haven't seen recommended in a long time. It might be stale, might not be managing /etc the same way, etc.

Point is, I'd try to run buildworld installworld and see what happens. Also, would give a quick review of /etc/src.conf and /etc/src-env.conf as well.

I already did

it does the exact same thing

these two config files are empty

(make distribution did the trick but is entirely undocumented)

I use those to create tarballs to use later for this exact purpose.

have you tried this with 14-CURRENT?

Though AFAIK installworld should populate /etc, though I could be wrong about that I guess. distribute creates archive media from which to install.

No.

maybe it changed

So to summarise: you have not actually tried to create a jail from source and had it work?

instead, you always build tarballs (which is a different sequence of steps)?

From 14-CURRENT? No. From 13-*, 12-*, ...? Yes, many times.

Now I do, but that's just because I create a lot of jails and it's easier to just fetch + extract tarballs.

I still have to go through the build process to create the tarballs to begin with.

Also, I keep the tarballs for multiple reasons, but my primary method now is actually to use pkgbase.

I would usually do something like this

but right now I'm setting up a jail for development on freebsd itself

so I need to be able to constantly work with the source

I just use a variation of `pkg install --rootdir /path/to/my/jail FreeBSD-runtime FreeBSD-utilities ...` to install a jail. Super easy and fast.

and not applicable to my use case

as I will be modifying the source code and frequently rebuild/reinstall the jail

Probably not, depends on what you're developing. I can build 14-CURRENT packages if I want and then create/destroy jails within a minute after that if I want.

Building packages takes a lot of time

I do not want to take any detours

why build packages just to immediately install them and then throw them away?

this is entirely pointless

t went dead when you left

I upgraded from 13.1-RELEASE to 13.2-RELEASE by freebsd-update tool, everything seems fine, rebooted multiple times, the system is back now. However, "bectl list" shows;

13.1-RELEASE-p7_2023-05-30_130402 - - 20.4M 2023-05-30 13:04

13.2-RELEASE_2023-05-30_130545 - - 3.75M 2023-05-30 13:05

default NR / 809G 2022-03-22 09:40

My question is, why the "default" is active? (Created in 2022?)

freebsd-version, uname -r, cat /etc/os-release all report the OS version is 13.2.

(Trying to delete older snapshots listed in "bectl list")

is it normal to have the "default" one created in 2022 but is up-to-date?

Then I have a sound issue on a x1gen9, any help on this one ?

hi all

I have an Android phone with photos I like to copy via USB cable to my FreeBSD system. I know it uses MTP. What's the least invasive way to do this?

I say as I start looking around the net and trying things...

there's an mtp client, let me look

gmtp.

that looks like a GUI client

libmtp is the underlying implementation, I believe

I'll try gmtp. Thanks! I also just now found this forum posting: forums.freebsd.org/threads/mount-android-phone-using-mtpfs.75653

Title: Solved - mount Android phone using mtpfs | The FreeBSD Forums

RhodiumToad, it is. I guess "least invasive" is in the eyestalk of the beholder.

I never had much luck with mtpfs, though my use-case wasn't typical

FUZxxl: As you found by yourself, the target to use is "distribution".

FUZxxl: So, to install on an empty FS, you have to do "make installworld installkernel distribution".

OlCe: do you know why this is not documented?

I believe it is documented

where?

hm... FreeBSD handbook § 16.3.1.3 mentions it offhand

"distributeworld" is used to build a release, where you have to specify DISTDIR. Several "packages" will be created under this DISTDIR (such as "base", and at some point debug stuff, not sure if still the case today).

Don't know, no.

OlCe: distributeworld and distribution are distinct targets that do different things

When I say "least invasive" I pretty much mean not something which requires /etc/rc.conf setup for example. :-) Just run and go is best.

tercaL, 13.1-RELEASE-p7_2023-05-30_130402 created during 1st run of freebsd-update install - before install kernel from 13.2

FUZxxl: Yes, this is what I'm saying.

In your case, you want "distribution".

13.2-RELEASE_2023-05-30_130545 created during 2nd run of freebsd-update install - after 1st boot with kernel from 13.2 and before install world from 13.2

you can zfs destroy both if 13.2 work fine for you

rwp, that definition WFM in this case. I needed nothing more than was already needed to run Xfce.

I installed and ran gmtp and it runs but when I plug my phone into USB I don't see any device created.

I presume I need to figure out how to enable it in my phone since I assume it is not due to security reasons.

access control is in fact usually an issue

when you plugged the phone in, did you see a message in /var/log/messages reporting it being detected as a usb device?

I see "May 30 11:20:02 madness kernel: ugen1.3: <Google Pixel 6> at usbus1" logged to /var/log/messages.

I have in a /usr/local/etc/devd/blah.conf file a command that detects devices of the appropriate type and changes the ownership of the device node to my user

"gmtp" upon start says "No device attached". Selecting Connect says "Detect: No raw devices found."

but if it's just a one-off, you can find the device node manually

if you look at /dev/ugen*, you should see a recently created one

by default new usb devices are accessible only by root

I do find "crw------- 1 root operator 0x1c9 May 30 11:20 /dev/usb/1.3.0" having been created.

as root or sudo, do chown youruser /dev/usb/1.3.0

then see if gmtp can detect the device

Same as RhodiumToad here, plus I need to be logged in to my phone and authorize the connection request at the phone prompt.

right, that was going to be the next thing I was going to point out :-)

s/in to/in on/

I am in group wheel already. "chgrp wheel /dev/usb/1.3.0" "chmod g+rw /dev/usb/1.3.0" should give me access as me. gmtp now says "Detect: No available Storage found on device?"

Interestingly the phone display doesn't change in any noticeable way at all. I expected it would say something.

It's group operatoe, not wheel.

s/operatoe/operator/

they did do a chgrp

It gets created as group operator and not rw by that group. But I changed it to wheel since I am already in group wheel.

chown would have been simpler

anyway, the next step is to look at the phone settings

original: crw------- 1 root operator 0x1c9 May 30 11:20 /dev/usb/1.3.0 changed to: crw-rw---- 1 root wheel 0x1c9 May 30 11:20 /dev/usb/1.3.0

Agreed. Let me dig into phone settings. And I have a meeting coming up. Thanks!

the fact that gmtp is detecting _something_ means it can see the device and communicate

is there a way to optimize zfs to occupy less space for symlinks ?

Store in metadata if possible?

how long are the symlinks?

I have a backup job that basically symlinks a whole bunch of files arounds. For one backup job for example symlinks occupy 60Gb

it is stored in metadata, in my special device

Ok

Title: special - - - - - - Pastebin.com

symlinks take up that much space? aren't they just.... names?

the thing is I think I may run out of storage on the special device

didn't realize symlinks can occupy this much space

each symbolic link contains the path of the source (or, target; whatever)

is it like a symbolic link takes physical space on the disk itself and it's a minimum number like 4k?

if so maybe it can be optimized somehow to use less space per unit

aah, ok. yes, the symlinks would be pretty long

symlinks in zfs should be stored as a system attribute, but if they're long, that could overflow

I've also set the recordsize to 1M because it helps with my files

not sure if that has an influence on symlinks

That 1M recordsize is also set on the "specical device"?

last1: can you put numbers on that "pretty long"?

MAXPATH

heh

parv: ah, good catch. no, just on the data

rhodium: let me count the characters

last1, Whew😅

i guess it's actually PATH_MAX 4096?

no

the symlinked directory is 93 characters long

the original one is 62

that shouldn't be enough to overflow

unless there are a lot of other system attributes

it looks like by default, there's about 300 bytes available for attributes

not that I know, I'm basically doing: cp -alR $srcdir $dstdir

how much space per symlink do you see used?

how can I see that ?

you're saying that the symlinks are taking a lot of space, so you must have some idea of how much space is used and how many symlinks you have

ah yes, by comparing between backup jobs

let me get a total count of dirs which are symlinked

.oO( "readlink(1)" is what I was looking for, not "cat(1)", "less(1)" )

ah yes, turns out I'm an idiot

with cp -al I'm creating hardlinks

not symlinks

is that different in terms of used storage ?

hardlinks don't use any storage at all

except in the directory

so if I do : cp -al $srcdir $dstdir , $dstdir won't occupy any space ?

that's essentially what I'm doing

dstdir will take only the space needed for the directory itself

directories do get stored in "special", iirc, if possible

ok, let me see how many directories I have in total in this backup job

not 100% sure about directory storage

about 860 000 hardlinked directories

last1, Are you making hard link to directories, not files?

to directories yes

each backup job is about 860k directories and 125M files

cp -l only links to plain files, not to dirs

860k directories is a nontrivial amount of space in itself

for example, inodes used shows as : 549 149 229

directories cost an inode but hardlinks don't

"ln dir name-link" fails on 13/stable with "ln: dir: Is a directory"

I think I see where this is going, I need another special mirror :)

Another thing to note hardlink cannot be create across file systems, from first paragraph after option description in "ln(1)" manual page

s/create/&d/

last1: was it you a while back who asked for a way to detect/block IPs that weren't responding to syn+ack ?

might have been me, I was looking for something like fail2ban to act on them

one of my servers was getting probed with tons of SYN packets

netstat was just showing SYN_RECVD I believe

I ended up just blocking a few /16s

did you find anything? I needed something similar recently, but it stopped before I did anything much

I _suspect_ it was an attempt at some sort of reflection attack

I worked out a possible solution but didn't complete an implementation

What FS support hardlinks on dirs? AFAIK zfs and FFS/UFS/UFS2 doesn't.

the idea was to snag logs of outgoing syn+ack using an ipfw rule and tcpdump, look for high-frequency targets, and use the hostcache.list to exclude likely legitimate IPs

(hostcache is updated on connection _end_, but something shouldn't be sending a lot of SYNs without having made some previous connection)

VVD: ln(1) says "Directories may not be hardlinked" without mentioning that it's related to fs limitations, so probably none?

RhodiumToad: is a reflection attack sending packets to server A so that it sends a much larger number to server B?

link(2) also says "The name1 argument may not be a directory".

yes.

sort of like ordering a million pizzas for the person next door

yuripv: way way back in the day they could be. but when the directory structure is not actually a tree, file operations can deadlock.

This is to guarantee that file structure is a D... what RhodiumToad said.

yuripv, it's message to last1.

johnjaye: for example, if some host has a large DNS entry, the attacker can forge B's IP address in a DNS query to DNS server A, which then sends a response to B

so then what does cp -alR $srcdir $dstdir do exactly ?

B's dns entry?

or is that not necessary

last1: it creates directories recursively and populates them with hardlinks to the original files

johnjaye: any DNS entry that server A will provide

johnjaye: NTP has been abused in similar ways

oh wow, so then my space usage is coming from the directories being actual directories

VVD: right, sorry, i read that as a question out of context :)

and the files themselves are just hardlinks that don't take up space (?)

i typed it into google and it said dns, ntp, and snmp are all possible vectors for that.

and you can't do anything because you don't control the dns

syn issue: I think someone was doing some sort of crude syn attack

that's what I saw too

as i understand it the design of tcp/ip itself is flawed. in that ddos attack is built into it

so the only way around it would be a redesign or else giant companies like Cloudflare

128.116.0.0/17 <-- blocked this one

it's not possible to prevent attacks while still allowing communication

and a few others

185.141.34.0/24 , this was another big source

what I saw was only from a small number of IPs, which is why i suspect it was a reflection attack

(because in that case the IPs seen are the targets, not the attackers)

johnjaye: the biggest factor in allowing attacks is networks not doing ingress filtering, which is nothing to do with tcp

it was a few IPs in my case as well but I checked these blocks on ARIN and they're colo / hosting providers

same here

and I don't need their traffic anyways which is why I blanket blocked large subnets

any of these look familiar: 20.2.248.166 38.238.153.234 38.238.213.146 45.15.145.92 102.60.8.14 103.116.15.134 172.247.80.213 172.247.80.61

what is "large" for that kind of scenario? 45.15.*.*?

last1: what was the targetted service? web?

(in my case it was dns)

yes, ports 80/443

ips: nope, I got hit with entirely different ones

45.237.112.0/24

I'm compiling a list of ips that send weird packets so I can block across multiple servers

so far I have 300 000 entries :)

the entire colohosting range can be blacklisted

99% of their traffic *is* malicious

well that rather depends on what service you're trying to provide :-)

all vpn providers mostly exit through colo ip ranges

so we'd be banning that as well

something I don't mind doing at all actually

RhodiumToad: stork.readthedocs.io/en/v1.10.0/install.html#installing-on-freebsd

Title: 2. Installation — Stork 1.10.0 documentation

RhodiumToad: Second code fence is what I was talking about earlier.

FUZxxl: Huh? All I was describing is how I built & installed jails, either from source or from pkgbase. You seemed to be arguing a strawman, as I wasn't advocating for doing that and against what you were trying to do. Chill out.

_xor: sorry, answers of the kind "I don't know an answer to your question but here is $COMPLICATED_THING you should totally sink hours into doing instead" are something that is mildly triggering me

I should get a grip on myself

especially as is often the case if the person recommending me to do $COMPLICATED_THING doesn't actually know if it'll solve my problem

Yes, you should. I didn't imply that you should do $COMPLICATED_THING, you inferred that. I was just giving you another potential option. I didn't know the details of why you were doing what you were trying to do.

I even said you it probably wouldn't in your case once you said that you were working on src.

Thank you. I will strive to improve my conduct.

Again, you read what I was telling you as me recommending you do it. I literally said "Here's what I do in my case..." AND I was just going off of you trying to build a jail. That's literally it. It's shit like that which turns people off from wanting to add anything that might be of value.

I tend to read these as "and don't come back until you have tried doing that"

Yes, I know. That's exactly why I say stuff like "Here's what I've done for that..." not "Here's what you need to do..." I don't like getting static when I'm trying to contribute something, whether it ends up having value or not, I leave that for you to decide. The alternative is that people just don't contribute, but it's easier to contribute and

let the person decide since they know their situation best (just not the available options).

For me, at least, it makes me slightly less apt to contribute in the future. Like if I see a question that I might have an answer for, I might think, "Eh, I'm in a hurry. Not worth it, especially if they're going to be ungrateful."

Anyway, no worries. Back to work.

I've really started to prefer answers that do not try to think out of the box and instead directly answer the question

I'm not a beginner. If the answer is "no" or "it won't work this way" I can think for myself about other ways to do it.

If I ask a question, I'm usually looking for an answer to the exact question I asked and no other.

FUZxxl: my rule of thumb is to give a short answer, then clarify that you're probably asking the wrong question and the thing you just said won't do what you want.

However, for some reason people tend to immediate go off and try to respond with anything but answers to the question

"Can I drive my car off a cliff?" Yes you can, but it's not going to fly the way you imagine.

E.g. I just asked a complex question about locking and atomics in ##c and had to spend the first 15 minutes fending off attempts of people to tell me how to use a different locking approach before I got to an answer to my question

this just sucks

Ok I'm going to go against my better judgement and continue this. 1) Outside of the box is qualitative. You might see it as outside of the box, I certainly don't. 2) Directly isn't always clear, maybe to the speaker, not to the listeners. 3) I know you're not a beginner. 4) I wouldn't give you definitive statements without knowing details behind

the question, I was literally just giving you another potential option.

_xor: well on the internet there is no nuance or tone. if you ask you how to do x. and you reply well i did y. that sort of implies that i should try y. or at least think about it.

It just sounds like you were frustrated at the problem and taking it out on me because I couldn't immediately end that problem for you.

the thing that tends to happen is that once people give these "alternatives" and "out of the box answers" others assume the question has been answered

I found that the only way to get an answer is often to continuously press that I want an answer to my question and not an alternative solution

johnjaye: Yes, that's exactly why I VERY EXPLICITLY say, "Well, to do that, here's what I do..."

I understand that part

i couldn't see the scrollback. i'm just saying how both of you have valid points.

this is becoming tedious

All right, now I actually don't have time for this.

ok

have a good day!

I need to go workout.

fwiw I use make installworld distribution installkernel a lot

Is distribution needed to populate /etc? I thought installworld did that.

yes

installworld does not do that

Good to know. I was wrong then.

i didn't know that either.

noted, I have compiled several custom kernels and assumed that installworld did that.

Did world do that before? I think maybe that's where the confusion comes from.

the docs focus on installworld on the assumption that you're updating an existing system

make distribution is DANGEROUS because it will clobber /etc if DESTDIR is not set

Yes, I've been bitten by that :|

installworld has never installed /etc

I guess that makes sense, absent any conflict resolution (a la .pacnew)

I got DESTDIR and DISTDIR confused.

the one letter difference isn't encouraging

Yes, I copied and pasted a line and boom...bye bye.

Boot environments are nice.

RhodiumToad: Did you mistype that or did you mean DISTDIR above?

_xor: it's weird that the distribution target seems to be largely undocumented

the only documentation mach I found was in the handbook on creating jails

_xor: I should perhaps go and file a bug on that

It's on that page I linked earlier for build(7). Though it should be more thoroughly documented.

_xor: which page was that? build(7) does not document the distribution target (only distribute{kernel,world} which are for release making and do something different but related)

Oh, I misinterpreted. You literally mean distribute, not distribute*. Yes, I'm not sure where that's documented (if it is at all).

distribution

yes I literally mean what I write (usually)

I just ripgrep'ed /usr/src to look at distribution targets and see what they do.

Well, 'distribution|distribute.*'

note that the old distribution target in etc/Makefile, which checks DESTDIR, is apparently not used now

Yeah, I was wondering why distribution was ringing a bell and I used to use it a while back. I was looking at my notes/scripts and saw that I'm explciitly invoking distribute*.

there was a reorganization some time back which moved a lot of stuff out of src/etc and into the subdirs for the programs owning the files

which means that making /etc now requires recursing through the whole tree rather than just into src/etc

it looks like now, make distribution actually invokes make installconfig

see Makefile.inc1

L155 & L200:L217 illuminate a bit.

installconfig is I think not a user-visible target

I see build32, install32, & distribute32.

Was wondering why I wasn't able to generate the tarballs for lib32. Are those the targets of interest in that case?

Ah, apparently so.

installworld certainly installs lib32

last1, Did you find your backup directory size issue?

parv: I guess it's actual usage

how can I find out the actual size of a directory name in zfs

last1, Ok. What was the situation with the hard links?

not the contents of the dir, but rather how much the dir entry

the directory contents - the files are hardlinked, but the directories themselves are created anew each time

so if I have 850 000 directory names and I get 60Gb of usage = 70Kb/directory name

seems kind of excessive

I do not know how to get the size for a directory entry other than diving in the source. There may be some presentation/papers, possibly outdated, where the minute details from developers' perspective would be mentioned

how many files per directory?

there's no set number, average, etc. it can be any number from 0 to 80 000

Then use the worst case for the maximum size

is compression on?

I wonder, can I set compression for the special device

also there might be something off with what I'm doing in my backup job

for example if I do stat -f '%l' it prints 13 for a file

but there shouldn't be 13 copies of that file

stat -f '%b' on a directory on zfs reports _something_, which is nominally the size of the directory file in 512-byte blocks

whether it is accurate or not I don't know

(ls -ls also reports that size, but in blocks of size BLOCKSIZE as set in the environment)

eh, it's probably correct and I just deal with lots of data - I'll but two more ssd special devices and be done with it

On use of stronger passwords & PAM: lists.freebsd.org/archives/freebsd-current/2023-May/003784.html

Title: Re: Surprise null root password