jails only make sense in the context of binaries right? like there’s no use running web hosting virtual hosts with static html and other assets in jails right?

polyex: if you suspect the server to have a whole, big enough for people to exploit it, then running those things in jail still pays off

otoh, if your Webserver has that big a whole, why are you running it, instead of using three chopsticks, old chewing and a piece of string

meena: legacy implementation

but that's a practical rhetoric question, not paranoid practical all software bad question

i mean yes.

though in the framework of BSD it's not strictly valid as BSD prefers clean, stable code that is up-to-date/modern.

In Base.

but even so, I've seen code that's not been touched in twenty plus years, and only had to be touched because c compilers finally banned k&r functions

if it's not broken, don't fix it I guess

meena how does static html and css in a jail help anything?

polyex: it is conceivable, to me. there's been really really weird holes in software.

huh

meena so would the jailed website be served with host system nginx pointing into jail dir for doc root?

you have to realise that even a static Web server isn't just delivering files. it's also reading input

so you’re saying put nginx in the jail too?

yes

oh wow that’s heavy. every vhost gets its own nginx. why not just 1 nginx on host?

you should have one nginx as main entrance and proxy (also jailed), but you want one per customer.

a jail is just a fancy process.

so host nginx proxies to jail nginx which reads local files in the jail dir?

you might think it's heavy because you can give it a while base system to support it's startup and runtime. but to the host OS, it's just another process

I wouldn't run servers on the host.

hmmm

what you call host nginx, I would still put in a jail

why

it's the main entrance point. it reads data from the Internet. data you have no control over.

so i assume you’re thinking each website jail gets its own ip?

ipv4

I wonder now if all freebsd people sound this paranoid, or only the ones who have worked for more than two seconds in InfoSec

its own private IP. that can be IPv4 or IPv6 or both.

so how does traffic get to it? host proxies somehow?

unless you find a good way to just safely share sockets between the proxy and the servers

host does routing / bridging / pf nat, etc

how do you vhost websites in their own jails but on same public ipv4 ip?

with no nginx on the host

you're mixing up different network layers here

i should do a drawing, but i am busy doing dishes

polyex: HAProxy for example

ya so either haproxy or nginx reverse proxy on the host, to/from jails

one haproxy jail and for every webpage one jail, everything from port 80 and 443 to haproxy and from there to the internal jail ip

jup

oh even the main reverse proxy in a jail too? wow

sure, every service a jail (exept ssh)

every service a jail wow. even syslogd?

can a jail have nginx and a web app running in it? for some reason i was thinking jails can only have 1 binary running in each jail

a jail can run as much as you like

even rc services that start when hail starts like a normal system?

jail not hail

so jail can run 1 binary or a bunch of rc startup daemons like a real system wow that’s huge

where can I search for packages online ? or can ayou help finding out the name of the docbok5 xml package ?

freshports.org may be helpful

so a jail is like a whole virtual system environment

that right?

in effect, yes, though it's not as isolated from the host system as a full VM would be

dh: thanks, may I ask you if that one provides what it takes to make this command successful ? xmlcatalog "" "docbook.org/xml/5.0/dtd/docbook.dtd"

how not?

hey RhodiumToad ! so are you a FreeBSD runner ? :)

of course :-)

strk: you can use the pkg-provides package to find what package contains a given file, or you can look up packages by name using pkg rquery

RhodiumToad: I don't have access to a freebsd system atm

unless cirrusCI allows me to ssh in, let me check

doesn't look like so

rhodium how is jail not isolated from host?

strk: looks like docbook-xml is the package containing that .dtd file, you'll also need whatever provides xmlcatalog

strk: xmlcatalog binary comes from libxml2 package

polyex: the jail is limited to some subtree of the host filesystem, and (if it's a vnet jail) has its own network stack, but otherwise it shares resources (memory, disk space, etc,) with the host

host can set resource limits and quotas on jails right?

cpu, mem..

cool libxml is there

libxml2

polyex: yes, though memory accounting in particular is not very precise, and for some applications it can overcount the memory used

does the docbook-xml package also contain files needed to make this work ? xmlcatalog "" "docbook.org/xml/5.0/rng/docbook.rng"

btw, is just installing "docbook" package enough to bring docbook-xml in ?

rhodium isn’t it cool that we can ssh to a jail like it’s a real os and enable daemons like a tiny server

we can have servers in almost the same space as old shell accounts think of that

strk: docbook is a meta-port that brings in both docbook-xml and docbook-sgml (and sdocbook-xml)

strk: depending on what you're doing with docbook you may also need docbook-xsl and/or docbook-xsl-ns

(those contain XSL stylesheets)

docbook-xml does indeed contain docbook.rng as well

I'm actually surprised docbook-xsl-ns is not installed and build still succeeds

uh wonderful, the build is actually failing but is reported as green: cirrus-ci.com/task/6475061784215552

Title: Cirrus CI

or, it's just a warning

funny one, I guess we're mising to use CDATA for programlisting containing tags or something

uh, those tags are escaped in the document being validated, dunno why the namespace warning is output

escaped how?

<gml:LinearRing>

maybe we could take this to #postgis?

although it's not in a CDATA (and yes, sorry, will move it there)

Hi Guys, I need some advise on which iso irequire for this hardware. It has only 4GB of ram so zfs out of the equation. So I guess I need UFS. It;s]]'s

It's single board Computer. RockChip 3399

aa

arm64 or aarch.

Title: NanoPi M4V2

yes. spot on VimDiesel:

and the winner Gets?

sorry this laptop has an international keyboard setup with us

US

so im

aarch64 works...maybe

I'm preeding this reverse L shape enter key by accident

Nixkernal: which is the iso/img to use?

FreeBSD-13.2-RELEASE-arm64-aarch64-disc1.iso

or FreeBSD-13.2-RELEASE-arm64-aarch64-memstick.img

thank you!

NP

I'll download now. I'll try to use it as a home Nas

I'll need to see how stable it will be. I hear they over heat. so I won't fit it into enclosure

ZFS should be no problem, i mean it's not a hight perf machine anyway right?

4gb ram

No problem...

so you think for a Nas 4GB might be ok?

I have zfs on a 2gb machine, it's not great but hey i like my bit unrotten ;)

ZFS

Then I'll try. I can always go back to ufs if it doesn't work out. :)

Again thanks.

well not for the systemdisk but for the external? Disk...yes

just test it, reforma the externel disk and change the filsystem is 5 minutes work

ok. I thought you where refering for the installation disk. I'll then stick to UFS

Nice

I'll try it first on Zfs first

what command should I run to check & measure the ZFS performance. I have very little experience with ZFS.

what kind of setup are you guys running when setting up lets-encrypt.

any recommendations

perhaps relevant to question is that im planning to use haproxy as well

certbot it is for me

certbot.eff.org/instructions?ws=haproxy&os=freebsd and ssl-config.mozilla.org/#server=hapr…modern&openssl=1.1.1k&guideline=5.7

Title: Certbot Instructions | Certbot

anyone else's windows server instances crash on reboot in bhyve after the uefi updated package?

thank you all. Downloaded I'll get back to you post installs.

vortexx: i have exatly the same problem after update to 2023, i just downgraded the uefi package, had no time to find the problem

bluescreen repair windows right? But dont try it it's not working even the "windowsinstallation-dvd" crashes

Nixkernal: yeah even the dvd crashes, hilarious

how do you downgrade the package?

maybe only rolling out to previous snapshot ( with the power of ZFS - but you then downgrade many thing maybe ).

i don't think there is a straightforward way to downgrade pkg.

revert the ports commit that upgraded it and rebuild the port?

that's another possibility too - but if dealing with port and building it

I'm not building ports on FreeBSD...

drobban_: I use Saltstack with an orchestration script

(and certbot)

mage: seems a bit overkill... =) just want manage certs.

change from latest to quarterly and downgrade just that one package

assuming quarterly has an appropriate version with compatible dependencies

# uname -a

FreeBSD rpi-4 13.2-RELEASE-p3 FreeBSD 13.2-RELEASE-p3 GENERIC arm64

updated!

vortexx: are you using vm-bhyve? bugs.freebsd.org/bugzilla/show_bug.cgi?id=273732

Title: 273732 – 13.2-RELEASE-p3 Linux VMs stopped working

jwmaag: yes I do, and I haven't run into that issue with ubuntu VMs, but I use vm-bhyve to setup my stuff

Don't think it is specific to linux if the issue is the ACPI table not being generated. I was just connecting the dots from your error on #bhyve and thinking it might be related

does async mount flag for ufs along with jornal soft update speed things up?

or should async be avoided?

async on ufs is dangerous

ok

if I have 8g ram laptop i7 8x3.4ghz

I have 3 usb3 drives

would I be beter to run zfs?

or will it slow down web srufing n stuff if I run a busy qbittorrent?

I have 3 ufs setup now with journal soft updates

I think my net connection is way slower than disks anyhow so maybe no amtter

matter

does anyone here have SLAAC working inside a vnet jail on the router?

tcpdump shows the jail sending rtsols, getting rtadvs; it adds a default route, too; but ifconfig still reports only a link-local addr

hi. it's been over a decade since i used freebsd. i wondered about network interface naming and whether there are any guarantees about stability of interface names?

for example, if i have 4 usb interfaces with realtek chips and i plug them in, i imagine i'll get interfaces rl[0123]

if i plug them in using a different order, do i get rl[0123] referring to the new order of attachment? if so, is there a methodology for naming them consistently so that the attach order doesn't matter?

hrmm

was?

I would give them fixed names based on their mac address. but i am struggling to think how

mostly because I'm struggling to think

dho: probably devd.conf ?

meena: thanks. i'm aware that udev and systemd have some other options such as naming a device by where it appears on a pci bus. mac address would be nice. i looked at devd.conf(5) and wasn't sure how that would work. i guess i'd have some script that waits for e.g. ATTACH or DETACH and then calls `ifconfig <ifname> name <whatever>$MAC`?

(i guess bus path isn't particularly useful for the usb scenario i described either XD)

yeah, no, the bus path could change depending on which thing you plug where

So the MAC address is your best friend

for the devd.conf method, i still have to know a thing will be `rl0` at some point. once i plug one in, is the next one going to be `rl0` again or `rl1`?

Also, i would give them cool names that i can remember that have meaning to me

for full disclosure i'm trying to figure out how people do this in other operating systems, and understand the challenges of those methods, so that i can better think about how to do it in the one i work on

the main issue is, if you need to do sysctls, you need to do them against the original name because we suck at doing renames, actually

one example bugs.freebsd.org/bugzilla/show_bug.cgi?id=273715

Title: 273715 – dumpon: Kernel panic on boot when enabling dumpon over IP

most recent one i have seen anyway

(n.b.: i don't know how Linux does renames)

meena, dho, I have not used it so have no reviews other than I squirreled away the URL to it. github.com/eborisch/ethname

Title: GitHub - eborisch/ethname: FreeBSD rc.d script to map ethernet device names by MAC address.

appreciate it. that's in the spirit of what i was thinking, though requiring a priori knowledge of which interfaces one would want to "rename". i think meena's point that aliasing is incomplete is relevant

meena: i don't really either, udev supports it and then systemd has policies that work with udevd to make that work. i believe it does end up telling the kernel what the device is called

rwp: that looks cool, but to make it reactive, you'd still have to stuff it into devd.conf

although that might be easier ti find examples for

again, brain not cooperating or i would've written down an example

github.com/search?q=repo%3Afreebsd%…2Ffreebsd-src%20devd.conf&type=code lots of cool examples across many different man pages

Title: Code search results · GitHub

github.com/freebsd/freebsd-src/blob/main/sbin/devd there's probably more examples

Title: freebsd-src/sbin/devd at main · freebsd/freebsd-src · GitHub

let's see if I can finish this docs

Oooooh, next release of zfs is getting raidz vdev expansion?

so with microvm stuff going on, any reason to use container tech like jails anymore?

meena: I think the intent for that one is to use it with /etc/rc.conf

or /usr/local/etc/rc.conf i guess

dho: yes, but if you want it to react dynamically, without you having to restart it every time you plug something in or out, you would still want to hook it into devd.conf

it's a good start like. No doubt!

oh wait, I need something like this. X11 hates when I unplug my wacom tablet.

what needs to hook into devd.conf?

I have been struggling on how to make my system not lock up if the wacom gets unplugged or replugged.

thedaemon: depends on what you'd do if the device disappears

thedaemon: devd.conf(5) has a bunch of explanations about events it can synthesize on device / subsystem attach. you can specify actions to run when those events occur and then develop a script that reacts appropriately.

ahh nice, I'll check the man page. appreciate the tip.

i guess if you can figure out what $DISPLAY is you might write something to see if it was the wacom that detached and tell X to switch input device or something

I am not sure what exactly is causing the freeze, as it's too sluggish to figure out. maybe if I have patience I can debug

meena: oh, that's a good point about restarting it.

reviews.freebsd.org/D41848 start of the stack

Title: ⚙ D41848 virtio: use bool for boolean functions

well, "done"

now we see if what I've written actually makes sense, fix the bits that don't, and then split it into 70~ or so man pages, instead having it all in 2

meena so with microvm stuff going on, any reason to use container tech like jails anymore?

polyex: what's microvm?

basically a stripped down freebsd instance that can start in 25ms

to run on demand (per request) and stuff like FaaS

like FIRECRACKER on AWS?

ya

really depends on how you're planning to manage your infra.

in what ways would it NOT be a container (jail) killer?

I have no answer to that. I don't use FaaS stuff.

so i don't have the experience with it. IMO: It boils down to the tools you have for managing infrastructure. If you got a container manager that you control and are confident with, then it does't matter what AWS has on offer, it'll probably end up more expensive ;)

If you don't, and you can afford AWS, and you feel confident in using it, then go that route.

well no with stuff like qemu microvm we can start running our own microvms we don't need aws

i was using AWS as example because we agreed on FIRECRACKER above.

in the end, what tool you use for managing infrastructure isn't really all that important. You and your crew need to be skilled in it. and the tool needs to be flexible enough for you and your team to accomplish the tasks you need to accomplish today and next year. Some tools are so flexible, they can be grown, too.

ya

so how can it be allowed for jails to share the same ip, as long as they don't have any other ips?