00:04:27 https://github.com/cowsql/cowsql#compatibility — cowsql runs on Linux and requires a kernel with support for native async I/O (not to be confused with POSIX AIO), which is used by the libuv backend of C-raft.
00:04:29 Title: GitHub - cowsql/cowsql: Embeddable, replicated and fault tolerant SQL engine.
00:04:30 hrm…
00:06:10 we've got a libuv port, so i reckon that checks out
00:08:38 it's Tier 2, tho
00:09:08 nope
00:11:55 (i.e. a libuv port is not enough, C-raft is explicitly Linux-only)
00:13:16 oh… hrm.
00:13:43 it does say "Patches are welcome to add support for more platforms."
00:15:30 looks like it's not used in the agent
00:23:52 How can a python module not support creation of a wheel? devel/py-maturin
00:23:56 Isn't it just a zip file?
00:24:23 port claims i386 wheels aren't possible.
00:24:45 maturin has rust code
00:28:39 rust works on i386?
00:28:48 But if there's i386 rust is that still an issue?
00:29:05 rust doesn't work well on i386
00:29:18 works at a baseline, sure
00:29:20 specify "well"
00:30:45 memory addressing issues, amongst others
00:31:03 more easily seen when building/linking with LTO
00:36:14 I can't seem to find it now but I think this makes samba not possible on 12.4
00:36:25 12.4 i386
00:36:27 rather
00:41:07 I don't see py-maturin as a dep of samba416
00:41:20 oh I was looking at the amd64 builder... yeah py39-maturin
00:41:50 It could be something else...
00:41:50 there was a recent fix of py-dnspython that dropped a lot of deps
00:42:00 but. http://beefy5.nyi.freebsd.org/build.html?mastername=124i386-default&build=f6493e8ca127
00:42:11 search for samba in skipped
00:43:48 that build started before the py-dnspython fix went in
00:44:10 it's trying to build py-dnspython 2.4.0, while the fixed one is 2.4.1
00:44:59 so the next run might work
00:45:18 Was the fix to pull in devel/py-maturin?
00:46:34 "Reduce dependencies" so maybe
00:46:37 py-dnspython was depending on py-poetry, which has a dependency list 3 miles long, instead of py-poetry-core, which does not
00:46:54 py-maturin is a dependency of py-poetry
00:47:16 (as are both rust and gcc12, and TONS of other stuff)
00:48:24 (honestly, when a build tool is pulling in fortran and various linear algebra packages, something is a bit wrong)
00:48:48 ok it seems a dry-run testport of samba413 on i386 appears to want to build, so that's good.
00:51:58 I guess as long as security fixes are backported to 4.13 I don't need to worry about my i386 samba that has been chugging along with a gmirror for the past 12 years.
00:52:30 and so it has come to this https://freshbsd.org/freebsd/src/commit/136fc495615f6d5cf7fb2284aff56c59a64a58b6
00:52:31 Title: FreeBSD / src / 136fc49 / release: update main to ALPHA1 - FreshBSD
00:54:25 \o/
01:07:55 also, a fix for py-maturin just went in to add 32-bit support back in
03:08:12 i still gotta get around to trying rust
03:08:18 seems more than a fad
03:36:17 is the localhost of a jail its public ip? what if jails aren't given an ip and only the host has an ip?
03:58:57 anyone know why extattr_get_fd(2) is prohibited for processes that have entered capabilities mode?
04:11:05 lattera[defcon]: it's enabled for capmode
04:11:21 I note there's a rights(4) fd capability for that
04:16:45 (more importantly it's properly annotated CAPENABLED: https://cgit.freebsd.org/src/tree/sys/kern/syscalls.master#n1972)
04:16:46 Title: syscalls.master « kern « sys - src - FreeBSD source tree
06:51:58 is there anything you gotta do in a bhyve vm that you can't do in a jail?
06:54:25 polyex: Run other operating systems…
06:55:05 oo tyvm
06:57:08 jails are kind of like slim FreeBSD VMs that are powered by the host's kernel
06:57:48 Rather than a VM guest running its own kernel
06:58:12 of XYZ operating system
06:58:48 you can keep jails totally separate from each other with the right config right?
07:00:13 Well, that's kind of the point of jails because of the containerization
07:01:34 can a jail be immutable? and have all of its logging go out over the network?
07:01:50 readonly, immutable, whatever
07:04:38 I imagine so, yes. Just make the jail's contents read-only (e.g. chflags -R schg) after setting up the network logging.
07:05:33 i guess it's syslog doing the network logging? how does it handle buffering if network flaps?
07:59:37 otis: procstat man page needs fixing. penv is only available to the superuser
08:14:31 Hi, in a new 13.2-RELEASE-p2 jail I want to run vim and I get: ld-elf.so.1: /lib/libc.so.7: version FBSD_1.7 required by /usr/local/lib/libpython3.9.so.1.0 not found
08:14:59 not really, it's available to root or owner? (i.e. you can see the env for the programs you are running as user)
08:14:59 uname -UK gives: 1302001 1300139
08:15:55 I did freebsd-update fetch install several times but it doesn't update anymore.
08:20:48 yuripv: when I run without sudo, the only output i get is: procstat penv $fish_pid
08:20:48 38252: fish
08:20:48 -
08:20:56 that's it
08:21:53 $ penv $(pgrep irssi) ... long list of env vars follows
08:22:16 same when called as `procstat penv`
08:22:37 is fish running as your uid?
08:24:08 __sysctl("kern.proc.env.86893",4,0x45b034e51980,0x1a39b66f8a18,0x0,0) ERR#1 'Operation not permitted'
08:24:22 I've got security.bsd.unprivileged_proc_debug=0 sweet, i wonder if that affects it
08:24:32 that's when i'm trying to look up syslogd env as user :(
08:25:02 meena: yeah, that is
08:27:30 what a bad sysctl, it breaks truss as well
08:28:26 and emaste wants to enable it by default in 15
08:29:29 well, not, it. all the security options in bsdinstall should just be enabled, and the screen removed
08:29:54 but i think this one is probably a bad call
08:30:02 or keep screen but have them all selected by default?
08:33:16 I'm creating a new jail from a 13.2-RELEASE-p2 host, but the newly created jail is 13.0-RELEASE
08:33:28 how to force creation of jails with the same version as the host?
08:37:53 polyex: maybe. i just realised it was planned for 14, https://hackmd.io/JczFDHtiQYSeEyeK9182jw?view and the blurb is quite unclear as to what it wants
08:37:54 Title: FreeBSD 14.0 Planning - HackMD
08:39:36 martinrame: how are you creating the jails?
08:40:54 meena: with bsdinstall jail /path/to/jail
08:43:53 So the main problem is that once a release is cut, we don't update the images
08:44:35 meena: I have now set DISTRIBUTIONS, BSDINSTALL_DISTDIR and BSDINSTALL_DISTSITE to let me install 13.2-RELEASE, but I want from now on to have 13.2-RELEASE as the default install, instead of 13.0-RELEASE.
08:45:23 after 13.2p2 is released, an ISO still gets you 13.2. and so do the base.txz etc archives
08:45:59 what that means in practice is that after install, you need to freebsd-update
08:46:57 meena: yes I did freebsd-update fetch, then install, then reboot, then install, but the kernel didn't match with the host.
08:47:41 that just means that the kernel didn't need an update, only the user land
08:48:11 which i find hard to believe given the last errata, but who am I to judge
08:48:47 meena: but it's something broken, for example if I want to run vim I get: lib/libc.so.7: version FBSD_1.7 required by /usr/local/lib/libpython3.9.so.1.0 not found.
08:49:32 yes, that does look very broken
08:49:42 meena: but martinrame said 13.0 gets installed, not that 13.2-p0 gets installed
08:49:53 oh
08:49:54 wtf
08:50:11 meena: btw I just installed 13.2 and everything works. But I'm sure the next time I want to create a jail I'll have the same issue.
08:52:53 So do i understand you correctly, that if you don't specify anything on the bsdinstall command line, you get 13.0. Sounds like something in your freebsd-update on your host went wrong
08:54:34 hm, was your vim not built for 13.0? (probably as that is eol); packages aren't guaranteed to work if the builder has a newer system than you
08:55:06 meena: yes, that's the issue. Now I need to figure out how to fix that 13.0 issue, because the host is 13.2-RELEASE-p2.
08:55:45 nimaje: I don't know, the jail is new, just created. The first thing I do is: pkg install vim
08:55:57 a 13.0 jail on a 13.2 host should work fine
08:56:20 nimaje: yes!, but not in this case.
08:56:23 martinrame: why don't you run freebsd-update on the host, and see what happens?
08:56:59 so you installed from the official repos? they are currently built with 13.1 as far as I know
08:57:00 nimaje: old jail should work fine if you have packages for that old jail
08:58:23 meena: I'll try later. I cannot break everything on a friday morning.
08:59:39 right. that would be inconvenient
08:59:45 meena: hehe
09:01:00 I have been participating remotely at a developer summit at California time for the past two days, so my sense of time has gone to shit
09:02:09 meena: which language/framework?
09:03:18 martinrame: cloud-init
09:06:21 On that note "Terraform" now has Business Source License, if that matters to anyone
09:07:42 seems like bsdinstall jail just tries to install whatever you have in /usr/freebsd-dist without checking any version by default, is there some good way to check which version that is?
09:08:03 BSL sounds like bullshit license.
09:08:20 :)
09:08:37 how does BSD sound then?
09:09:01 bullshit distribution.?
09:09:19 nimaje: don't know, but the files there are from jun/2021
09:09:27 I was feeling snarky
09:13:24 then it can be 13.0 at most, so safe to delete (if there are no files in there bsdinstall will download them)
09:13:55 nimaje: great, I'll move elsewhere and re-try.
18:31:15 can a jail be readonly and immutable? and have all of its logging go out over the network?
18:33:22 hm, kenrap already answered that to you last time you asked "I imagine so, yes. Just make the jail's contents read-only (e.g. chflags -R schg) after setting up the network logging."
18:33:42 polyex: what's the point?
18:34:12 to have predictable control over state
18:34:32 there are things which need to be writable, var/run etc.
18:34:46 but I guess you can add mountpoints as you see fit
18:35:09 hm ok. can logging at least be shipped over network?
18:35:24 it's not only about logging... sure you can ship stuff over network
18:35:29 of course your use case has to allow an immutable system with network logging
18:35:32 just mount an nfs onto var/log
18:35:55 i guess it's syslog doing the network logging? how does it handle buffering if network flaps?
18:36:22 depends on the underlying vfs.. in case of nfs it would block
18:36:33 what do you want to run in the jail? you have to look how to make that log via the network
18:36:33 another logging daemon would also be a choice of course
18:40:23 Hello.
18:40:37 i'm trying # mount /dev/da0 /mnt
18:40:48 hi
18:40:54 but mount: /dev/da0: Invalid fstype: Invalid argument
18:41:09 i know that my SATA dongle is kind of broken
18:41:25 which fs do you expect?
18:41:25 Try with "-t" to specify the file system?
18:41:45 that was a Linux drive (ext4)
18:41:56 maybe -t ext3 works?
18:42:03 not sure if we've full ext4 support
18:42:20 From The Ports
18:42:26 *ugh*
18:43:06 -t ext3 shows the same
18:43:10 21:40 < V-T60> but mount: /dev/da0: Invalid fstype: Invalid argument
18:44:38 Try with "fusefs-ext2" package (found via: pkg search -x ext | grep fuse)
18:45:18 there is sysutils/fusefs-lkl which says it supports ext4
18:45:18 parv: installing
18:45:28 nimaje, Thanks
18:47:30 where did it unlock something?
18:47:34 i see no difference
18:47:35 nimaje well can't syslog log over network rather than to /var/log/messages or whatever?
18:47:58 there are no new mount_* options in my shell
18:48:06 did it add something in my PATH?
18:51:41 oh, i see, lklfuse
18:54:13 is this the right command? lklfuse -o type=ext4 /dev/da0 /mnt/
18:54:31 fuse: failed to open fuse device: No such file or directory
18:59:27 polyex: syslogd seems to need some paths writable (to put its sockets and pid file), but supports forwarding logs to another host, see syslog.conf
19:13:13 ty!
19:47:05 V-T60, did you load the fuse kernel module first? "kldload fusefs" as root.
20:04:42 megaTherion: i would just star… by trying.
20:05:34 ?
20:06:41 V-T60: it's vanishingly unlikely that /dev/da0 is the correct device name, since that's the whole disk rather than some partition
20:06:46 megaTherion: build a jail, configure log shipping, make it immutable, start it and see what's failing
20:06:56 sure
21:27:28 meena that's what i was wondering. build a jail, configure log shipping, make it immutable, then start it and see in the shipped logs what's failing and address each item
21:27:42 and eventually have a jail template that's as immutable as possible, hopefully 100%
21:28:12 but i want 2 things i hope aren't mutually exclusive. i want immutable jails, but i also want jails totally isolated... from the host AND other jails
21:28:27 so basically jail state only changes through network interface
21:28:39 that make sense?
21:29:33 does the jail need any kind of myself storage?
21:29:59 myself?
21:30:18 mutable
21:30:45 I'm very tired, and took off my glasses, and this phone keyboard cannot read my mind
21:32:04 hopefully i can keep jails totally immutable
21:32:14 so if a jail needs to write, it'll do it with network writes
21:32:54 give each jail a small tmpfs for stuff like /var/run ?
21:33:41 sure
21:34:16 i guess step 1 is like meena said, get a jail installed configured to log ship, then look into how to make it immutable to then start seeing what fails in the logs. agree RhodiumToad?
21:34:55 what about /tmp and /var/tmp ?
21:37:16 symlinks are your friend?
21:38:39 have /var/run be a tmpfs and make /var/run/.tmp and link /tmp and /var/tmp to it
21:39:36 are /var/run/* and /var/log/* the only 2 parts of a fbsd install that change as a system is running?
21:40:18 is anything writing to /var/log except syslogd?
21:40:46 anything that does can prolly be configured to route into syslogd
21:40:52 or do its own network logging
21:40:59 I suppose some programs will write there
21:41:00 so that would eliminate /var/log as a change point
21:41:10 ya i'll just have to track those down upon failure
21:41:24 depends on what you got running. periodic runs lots of things, many of them write to someplace in /var
21:41:26 ah, there's also the utx log if you run anything that allows user logins, like sshd
21:41:29 i wanna see how far i can push immutable jails and jails isolated from host/other jails
21:41:41 hmm
21:41:46 might want to look at ocijails
21:41:49 how would i ship those out?
21:41:59 i'll search ocijail ty
21:42:13 hm, tmpfs does support -o union, i think
21:42:26 https://www.freshports.org/sysutils/ocijail/
21:42:27 Title: FreshPorts -- sysutils/ocijail: Experimental, proof-of-concept OCI-compatible runtime for jails
21:42:42 so you could mount a tmpfs on /var with -o union
21:43:26 (note, this is not unionfs, which still has warning labels on it)
22:32:26 Hi guys, \o/ If you can help me, I'm having a problem with poudriere-devel. In my poudriere.conf I have PACKAGE_FETCH_WHITELIST="gcc* rust cargo-c llvm*". But sometimes rust is built and sometimes rust is fetched. What's the parameter or conditional for it to be built or fetched?
22:34:03 is it possible that it's trying to fetch a new version, finding it's not there in the repo, and building it instead?
22:34:53 the freebsd repos can lag the ports trees by a fair length of time thanks to the fact that it takes like 5 days to build the whole set
22:36:54 devnull: wanna give https://github.com/freebsd/poudriere/pull/1064 a try?
22:36:55 Title: Avoid unnecessary package building with `-b` by removing duplicate options and dependencies by patmaddox · Pull Request #1064 · freebsd/poudriere · GitHub
22:39:13 RhodiumToad I don't know if it is.
22:39:24 meena interesting
22:39:41 probably
22:40:24 I will try. 8 hours to build rust :(
22:45:23 does it make sense to run zfs everywhere yet? like even in a bhyve vm on a host that's running zfs too
22:50:27 polyex: Opinions vary but ZFS on ZFS should have the primary ARC caching to metadata only to avoid double buffering.
22:53:27 if you did zfs on host and in a bhyve vm, would any data or metadata leak between the vm and host?
22:53:34 through zfs somehow
22:56:23 polyex: That's an interesting question. Any two file systems would lay out their data in a similar manner. A VM is generally considered to be at the full mercy of the host and have no privacy… but you could independently encrypt its storage. Do you have a specific concern or use case?
22:57:49 <_xor> What do you mean leak? I'm assuming you're using a ZVOL for the bhyve VM, which should be mountable as a regular ol' block device. If you want to protect it from prying eyes, then encrypt it.
22:58:11 I'm assuming a raw file...
22:58:12 <_xor> Personally, if I'm using ZFS on the host then I'd just use UFS in the VM.
22:58:22 isolating systems. learning about jails and bhyve. thinking a lot about keeping host and vm/jail from being able to see through the mirror
22:59:14 then also thinking about using zfs on guest vm, not because it needs it since host already has zfs, but for same management interface everywhere. would that buy anything?
22:59:30 <_xor> Assume that anyone on the host can access VM data unless it's encrypted. Relatively safe to assume that the guest OS can't read host OS data (unless you explicitly somehow give it unrestricted access or whatnot).
22:59:35 polyex: Encryption is always your friend… within the confines of it also being able to separate you from your data.
22:59:41 polyex: I'd trust the ZFS on the host and just use a dataset for the guest.
23:01:09 A dataset is fine for a Jail but a VM would need a boot device, unless NFS-booted, and the 9p client is making progress but is not yet ready.
23:01:17 can whole disk encryption be done with ufs? only done it with zfs so far
23:01:24 VMs can live on zvols quite nicely.
23:01:47 mason does that mean setting up the vm itself to use a zfs fs? instead of ufs
23:02:00 polyex: No, the VM itself would use a traditional filesystem.
23:02:04 ah k
23:02:06 The host would take care of snapshots.
23:02:39 You can do some fun things with this, like store config in the zvol metadata so you can ship the VM around without external config.
23:02:54 oh damn
23:05:58 polyex: for encryption with ufs, one uses geli
23:06:24 so if host tries to look at bhyve guest it'll only see an encrypted view of the runtime?
23:06:40 ... depends how you want to use it?
23:07:02 if geli is running in the vm, then the host sees only the encrypted data, yes
23:07:13 ya
23:07:16 ok amazing
23:07:28 can a jail encrypt itself from host's view?
23:07:32 no.
23:07:35 wtf
23:07:48 jail is using the host's filesystem
23:08:08 it's confined to some root, but it can't isolate itself from the host filesystem the way a vm can
23:08:29 i.e. the host can always see inside the jail
23:08:30 <_xor> You can use `zfs jail|unjail` as well as setting the jailed property on the ZFS dataset. Once you do that, it'll become inaccessible to the host.
23:08:35 that would be a killer feature imo. a way for jails to be encrypted so host can't peer into their contents
23:08:56 well, the host can read the ram of the vm, so it could find the key and the decrypted data there
23:09:05 right
23:09:15 (with enough work)
23:09:38 <_xor> Yup, not black and white. More like, "How can I make this enough of a PITA to make the effort not worth it?"
23:09:41 so no way to completely obscure jail/vm from host... dang
23:09:47 A VM could have GELI or ZFS native encryption, as mentioned. Keys-in-RAM notwithstanding. Do note the various AMD "secure" virtualization features.
23:09:48 also, with a vm on an encrypted device, you have to get the key _into_ the vm somehow
23:10:08 <_xor> I mean if you want to secure memory, then you have to start getting into hardware modules.
23:10:21 crest: might have some ideas. He's been using FreeBSD with untrusted "cloud" providers.
23:10:48 crest how do you keep your systems private from peering in by untrusted hosts?
23:11:00 polyex: You can't reasonably.
23:11:17 (He's in Berlin on a Friday and may not see this for awhile)
23:11:24 np
23:14:03 <_xor> Hardware modules help to secure stuff like that. For example, secure enclave on Apple (iOS) to store private keys.
23:16:05 like encrypt vm and keep key in hardware enclave?
23:16:13 vm keeps key in*
23:16:20 And then how is that accessed just by a trusted party?
23:18:06 Or put differently, how long has it been since the last time your bank sent you a breach notice?
23:18:10 the host can still read the ram of the vm and read the decrypted data as the vm works on it, you need at least a basic level of trust in the host
23:19:53 michaeldexter: ?
23:20:50 crest we were talking about any ways to keep a fbsd bhyve vm or jail container private and totally isolated from an untrusted cloud host
23:20:53 polyex: i mostly use geli disk encryption, vpns and encrypted application protocols
23:21:18 polyex: you can't really protect against an actively attacking hoster
23:21:30 ok, figured
23:21:32 crest: If virtualized, can the host read the GELI key from RAM and bypass the VM's encryption?
23:21:33 was just hoping
23:21:35 they have either physical access or even worse your code runs under their hypervisor
23:21:45 michaeldexter: sure it wouldn't even be hard
23:21:53 ah
23:21:58 because AES round keys are easy to find in memory
23:22:22 "trust" can mean many things. trusting the host not to make active attacks is one thing, trusting them not to leak data by accident is another
23:22:25 every common optimized implementation stores them as an array of 10, 12 or 14 round keys (depending on key length)
23:22:42 just use the aes key schedule on every 16 bytes of memory
23:22:46 Are the keys needed continuously or can they be purged from RAM after first use?
23:22:48 crest what do you mean encrypted application protocols? like when your jails and bhyve vms communicate with other servers in your infra, they have tls encrypted connections?
23:23:08 the first 128-256 bits are the key to be expanded for the other rounds
23:23:24 just extract them and try to decrypt the disks using all of them
23:23:46 since they are the raw keys there is no key derivation function slowing you down
23:24:04 you're basically asking for secure digital restriction management
23:24:31 even hardware assisted enclaves like intel SGX have been broken again and again
23:24:55 the only thing that kind of works in narrow usecases are dedicated secure coprocessors
23:25:20 as long as the communication between them and the application processors isn't compromised
23:26:45 but if you worry about data at rest e.g. having your hoster RMA a dead drive
23:27:40 michaeldexter: re: can the keys be purged, think about how you still need to actually access the disk.
23:27:54 or a reasonable layer for your defense in depth: reboot -r allows freebsd to kill all processes, unmount all file systems, and instead of rebooting mount a new root file system (from a different device)
23:28:31 this can be used to have an unencrypted userland to ssh into, attach the encrypted partitions and reroot into those
23:28:49 the only downside is that you have to keep both patched and the kernel in sync
23:29:14 i prefer to mount the unencrypted /boot and either nullfs mount or symlink it
23:29:41 you can treat your unencrypted system as a chroot or jail to update it
23:30:28 for zfs the trick is to save the old root pool/dataset in a kernel env var to mount it first e.g. under /plain
23:31:07 because the pool layout recommended and created by bsdinstall to support zfs boot envs doesn't use the root pool dataset as root file system
23:31:22 so you can't just automount all pools
23:34:41 What crest said.
23:37:03 tyvm
23:37:07 michaeldexter, polyex: https://gist.github.com/Crest/5204f6ebeb3a28a118f5c4f8cab82353
23:37:08 Title: etc rc.conf (encrypted) · GitHub
23:38:21 michaeldexter: in case you didn't save the link last time you asked :-P
23:39:00 if it's something more than 1 person cares about should it be put in ports or the base system or?
23:39:18 polyex: imo this belongs in base
23:39:40 but it's an annoying new complexity to support well
23:39:45 have you asked core for a sponsor?
23:39:57 i have not
23:39:57 polyex: Realize that a false sense of security is incredibly dangerous. Deciding to use such a system on a public cloud provider is almost the definition of a false sense of security.
23:40:22 Your best bet is to own the hardware containing private data, and even then there are risks.
23:40:23 mason: it can still be useful for ticking compliance checkboxes
23:40:37 crest: Sure. Depends on the compliance burden I guess.
23:40:57 but the actual effective security isn't any better?
23:41:09 and at least on rented physical servers and colocated hardware without a trusted/trustworthy system console there is real security gained
23:41:18 polyex: Also, remember that if your data isn't backed up, that's yet again a point of vulnerability.
23:41:41 if only the ability to use the warranty on less than 100% destroyed drives
23:41:42 Rented hardware, yeah. I was thinking more "cloud VM".
23:42:03 Best just not to trust anything, ever. :P
23:42:20 exactly including the cloud hoster's storage stack
23:42:26 crest because the data at rest is the decoy, not the encrypted 1
23:43:04 there is a difference between a plaintext file system easy to scrape if the shared block storage gets compromised
23:43:43 and an active attack against your virtual machine's registers and memory through the hypervisor
23:44:15 most people aren't public enemy number 1 all the time
23:45:12 as long as you keep in mind that disk encryption isn't everything and you are prepared to lose everything along with the key...
23:46:32 what do you think about immutable servers?
23:47:08 i see ppl talking about how that's good and i think it makes sense
23:47:22 URL?
23:47:48 oh nothing recent just heard it for a while in the ether
23:48:00 immutable infrastructure is the keyword i think
23:49:22 I prefer my infrastructure REALLY LOUD. (Friday afternoon joke)
23:50:56 polyex: imo a good idea for single application jails treated as just runtimes for the application
23:51:39 ya like ppl say jails are better app containers than docker ever was
23:52:04 any more to add on it? really interested if so
23:53:45 polyex: jails have been *designed* as secure kernel level virtualisation from the beginning
23:53:51 aye, i was right in their desire of oci containers
23:53:54 they started out as safe but restrictive
23:54:10 llua nod
23:54:30 over time they gained enough features to allow almost everything not using special devices (e.g. gpus) to run in them
23:54:57 the mechanisms are all there and most have been for ~20 years
23:55:24 what's missing is a consensus on what to do with them
23:55:45 instead 1/10 writes their own jail manager scripts
23:56:32 from just 10 lines of shell and jail.conf to python modules or integrations into things like nomad
23:56:53 it exists and works for the author
23:57:20 what doesn't exist is 10000 unmaintained dockerfiles/images to consume and the mindshare around them
23:57:58 there is no jailctl import latest-complex-application
23:59:03 oh ya like a docker importer to fbsd jails
23:59:10 ya that would really show off the feature
23:59:20 it wouldn't
23:59:38 why not?