05:48:25 <polyex> jails only make sense in the context of binaries right? like there’s no use running web hosting virtual hosts with static html and other assets in jails right?
06:16:22 <meena> polyex: if you suspect the server to have a whole, big enough for people to exploit it, then running those things in jail still pays off
06:16:23 <meena> otoh, if your Webserver has that big a whole, why are you running it, instead of using three chopsticks, old chewing and a piece of string
06:16:26 <signalblue> meena: legacy implementation
06:17:07 <meena> but that's a practical rhetoric question, not paranoid practical all software bad question
06:17:34 <signalblue> i mean yes.
06:18:16 <signalblue> though in the framework of BSD it's not strictly valid as BSD prefers clean, stable code that is up-to-date/modern.
06:20:13 <meena> In Base.
06:21:12 <meena> but even so, I've seen code that's not been touched in twenty plus years, and only had to be touched because c compilers finally banned k&r functions
06:22:33 <signalblue> if it's not broken, don't fix it I guess
07:49:55 <polyex> meena how does static html and css in a jail help anything?
08:02:04 <meena> polyex: it is conceivable, to me. there's been really really weird holes in software.
08:02:32 <polyex> huh
08:03:30 <polyex> meena so would the jailed website be served with host system nginx pointing into jail dir for doc root?
08:05:53 <meena> you have to realise that even a static Web server isn't just delivering files. it's also reading input
08:07:06 <polyex> so you’re saying put nginx in the jail too?
08:07:54 <meena> yes
08:08:58 <polyex> oh wow that’s heavy. every vhost gets its own nginx. why not just 1 nginx on host?
08:12:49 <meena> you should  have one nginx as main entrance and proxy (also jailed), but you want one per customer.
08:14:13 <meena> a jail is just a fancy process.
08:14:35 <polyex> so host nginx proxies to jail nginx which reads local files in the jail dir?
08:15:15 <meena> you might think it's heavy because you can give it a while base system to support it's startup and runtime. but to the host OS, it's just another process
08:15:45 <meena> I wouldn't run servers on the host.
08:16:09 <polyex> hmmm
08:16:20 <meena> what you call host nginx, I would still put in a jail
08:16:29 <polyex> why
08:17:07 <meena> it's the main entrance point. it reads data from the Internet. data you have no control over.
08:18:15 <polyex> so i assume you’re thinking each website jail gets its own ip?
08:18:23 <polyex> ipv4
08:18:27 <meena> I wonder now if all freebsd people sound this paranoid, or only the ones who have worked for more than two seconds in InfoSec
08:19:02 <meena> its own private IP. that can be IPv4 or IPv6 or both.
08:19:40 <polyex> so how does traffic get to it? host proxies somehow?
08:19:43 <meena> unless you find a good way to just safely share sockets between the proxy and the servers
08:20:18 <meena> host does routing / bridging / pf nat, etc
08:22:04 <polyex> how do you vhost websites in their own jails but on same public ipv4 ip?
08:22:23 <polyex> with no nginx on the host
08:25:17 <meena> you're mixing up different network layers here
08:25:36 <meena> i should do a drawing, but i am busy doing dishes
08:34:13 <Nixkernal> polyex: HAProxy for example
08:35:35 <polyex> ya so either haproxy or nginx reverse proxy on the host, to/from jails
08:35:57 <Nixkernal> one haproxy jail and for every webpage one jail, everything from port 80 and 443 to haproxy and from there to the internal jail ip
08:36:14 <Nixkernal> jup
08:36:59 <polyex> oh even the main reverse proxy in a jail too? wow
08:43:17 <Nixkernal> sure, every service a jail (exept ssh)
08:49:08 <polyex> every service a jail wow. even syslogd?
08:54:37 <polyex> can a jail have nginx and a web app running in it? for some reason i was thinking jails can only have 1 binary running in each jail
09:02:41 <RhodiumToad> a jail can run as much as you like
09:04:32 <polyex> even rc services that start when hail starts like a normal system?
09:04:52 <polyex> jail not hail
09:07:02 <polyex> so jail can run 1 binary or a bunch of rc startup daemons like a real system wow that’s huge
09:11:19 <strk> where can I search for packages online ? or can ayou help finding out the name of the docbok5 xml package ?
09:12:56 <dh> freshports.org may be helpful
09:18:17 <polyex> so a jail is like a whole virtual system environment
09:18:29 <polyex> that right?
09:20:34 <RhodiumToad> in effect, yes, though it's not as isolated from the host system as a full VM would be
09:21:11 <strk> dh: thanks, may I ask you if that one provides what it takes to make this command successful ? xmlcatalog "" "http://docbook.org/xml/5.0/dtd/docbook.dtd"
09:21:20 <polyex> how not?
09:21:27 <strk> hey RhodiumToad ! so are you a FreeBSD runner ? :)
09:21:39 <RhodiumToad> of course :-)
09:22:16 <RhodiumToad> strk: you can use the pkg-provides package to find what package contains a given file, or you can look up packages by name using pkg rquery
09:23:31 <strk> RhodiumToad: I don't have access to a freebsd system atm
09:24:00 <strk> unless cirrusCI allows me to ssh in, let me check
09:24:43 <strk> doesn't look like so
09:25:09 <polyex> rhodium how is jail not isolated from host?
09:26:45 <RhodiumToad> strk: looks like docbook-xml is the package containing that .dtd file, you'll also need whatever provides xmlcatalog
09:27:07 <dh> strk: xmlcatalog binary comes from libxml2 package
09:27:43 <RhodiumToad> polyex: the jail is limited to some subtree of the host filesystem, and (if it's a vnet jail) has its own network stack, but otherwise it shares resources (memory, disk space, etc,) with the host
09:28:48 <polyex> host can set resource limits and quotas on jails right?
09:29:09 <polyex> cpu, mem..
09:29:33 <strk> cool libxml is there
09:29:36 <strk> libxml2
09:29:48 <RhodiumToad> polyex: yes, though memory accounting in particular is not very precise, and for some applications it can overcount the memory used
09:30:17 <strk> does the docbook-xml package also contain files needed to make this work ? xmlcatalog "" "http://docbook.org/xml/5.0/rng/docbook.rng"
09:30:35 <strk> btw, is just installing "docbook" package enough to bring docbook-xml in ?
09:31:39 <polyex> rhodium isn’t it cool that we can ssh to a jail like it’s a real os and enable daemons like a tiny server
09:32:09 <polyex> we can have servers in almost the same space as old shell accounts think of that
09:32:37 <RhodiumToad> strk: docbook is a meta-port that brings in both docbook-xml and docbook-sgml (and sdocbook-xml)
09:33:37 <RhodiumToad> strk: depending on what you're doing with docbook you may also need docbook-xsl and/or docbook-xsl-ns
09:33:53 <RhodiumToad> (those contain XSL stylesheets)
09:34:16 <RhodiumToad> docbook-xml does indeed contain docbook.rng as well
09:35:45 <strk> I'm actually surprised docbook-xsl-ns is not installed and build still succeeds
09:37:41 <strk> uh wonderful, the build is actually failing but is reported as green: https://cirrus-ci.com/task/6475061784215552
09:37:42 <VimDiesel> Title: Cirrus CI
09:38:06 <strk> or, it's just a warning
09:38:43 <strk> funny one, I guess we're mising to use CDATA for programlisting containing tags or something
09:39:50 <strk> uh, those tags are escaped in the document being validated, dunno why the namespace warning is output
09:40:12 <RhodiumToad> escaped how?
09:40:19 <strk> &lt;gml:LinearRing&gt;
09:40:44 <RhodiumToad> maybe we could take this to #postgis?
09:40:54 <strk> although it's not in a CDATA (and yes, sorry, will move it there)
11:51:25 <_Random> Hi Guys, I need some advise on which iso irequire for this hardware. It has only 4GB of ram so zfs out of the equation. So I guess I need UFS. It;s]]'s
11:51:58 <_Random> It's single board Computer. RockChip 3399
11:52:03 <_Random> aa
11:52:13 <_Random> arm64 or aarch.
11:52:56 <_Random> https://www.friendlyelec.com/index.php?route=product/product&path=69&product_id=268
11:52:57 <VimDiesel> Title: NanoPi M4V2
11:53:20 <_Random> yes. spot on VimDiesel:
11:53:51 <_Random> and the winner Gets?
11:54:29 <_Random> sorry this laptop has an international keyboard setup with us
11:54:41 <_Random> US
11:55:04 <_Random> so im
11:55:43 <Nixkernal> aarch64 works...maybe
11:55:48 <_Random> I'm preeding this reverse L shape enter key by accident
11:56:20 <_Random> Nixkernal: which is the iso/img to use?
11:56:38 <Nixkernal> FreeBSD-13.2-RELEASE-arm64-aarch64-disc1.iso
11:56:48 <Nixkernal> or FreeBSD-13.2-RELEASE-arm64-aarch64-memstick.img
11:56:48 <_Random> thank you!
11:57:28 <Nixkernal> NP
11:57:36 <_Random> I'll download now. I'll try to use it as a home Nas
11:58:40 <_Random> I'll need to see how stable it will be. I hear they over heat. so I won't fit it into enclosure
11:58:48 <Nixkernal> ZFS should be no problem, i mean it's not a hight perf machine anyway right?
11:58:56 <_Random> 4gb ram
11:59:06 <Nixkernal> No problem...
11:59:41 <_Random> so you think for a Nas 4GB might be ok?
11:59:48 <Nixkernal> I have zfs on a 2gb machine, it's not great but hey i like my bit unrotten ;)
11:59:49 <_Random> ZFS
12:00:46 <_Random> Then I'll try. I can always go back to ufs if it doesn't work out. :)
12:01:15 <_Random> Again thanks.
12:01:45 <Nixkernal> well not for the systemdisk but for the external? Disk...yes
12:02:19 <Nixkernal> just test it, reforma the externel disk and change the filsystem is 5 minutes work
12:02:34 <_Random> ok. I thought you where refering for the installation disk. I'll then stick to UFS
12:02:53 <Nixkernal> Nice
12:03:37 <_Random> I'll try it first on Zfs first
12:05:09 <_Random> what command should I run to check & measure the ZFS performance. I have very little experience with ZFS.
12:05:12 <drobban_> what kind of setup are you guys running when setting up lets-encrypt.
12:05:30 <drobban_> any recommendations
12:06:34 <drobban_> perhaps relevant to question is that im planning to use haproxy as well
12:08:54 * RhodiumToad uses acme.sh
12:09:16 <Nixkernal> certbot it is for me
12:10:22 <Nixkernal> https://certbot.eff.org/instructions?ws=haproxy&os=freebsd and https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7
12:10:26 <VimDiesel> Title: Certbot Instructions | Certbot
12:12:50 <vortexx> anyone else's windows server instances crash on reboot in bhyve after the uefi updated package?
12:13:50 <_Random> thank you all. Downloaded I'll get back to you post installs.
12:19:09 <Nixkernal> vortexx: i have exatly the same problem after update to 2023, i just downgraded the uefi package, had no time to find the problem
12:20:19 <Nixkernal> bluescreen repair windows right? But dont try it it's not working even the "windowsinstallation-dvd" crashes
12:32:45 <vortexx> Nixkernal: yeah even the dvd crashes, hilarious
12:32:57 <vortexx> how do you downgrade the package?
12:49:43 <angry_vincent> maybe only rolling out to previous snapshot ( with the power of ZFS - but you then downgrade many thing maybe ).
12:50:21 <angry_vincent> i don't think there is a straightforward way to downgrade pkg.
12:51:12 <RhodiumToad> revert the ports commit that upgraded it and rebuild the port?
12:53:24 <angry_vincent> that's another possibility too - but if dealing with port and building it
13:08:09 <vortexx> I'm not building ports on FreeBSD...
13:08:46 <mage> drobban_: I use Saltstack with an orchestration script
13:09:06 <mage> (and certbot)
13:30:12 <drobban_> mage: seems a bit overkill... =) just want manage certs.
14:17:38 <Nixkernal> change from latest to quarterly and downgrade just that one package
14:18:27 <RhodiumToad> assuming quarterly has an appropriate version with compatible dependencies
14:48:19 <rogersm> # uname -a
14:48:19 <rogersm> FreeBSD rpi-4 13.2-RELEASE-p3 FreeBSD 13.2-RELEASE-p3 GENERIC arm64
14:57:20 <rogersm> updated!
15:19:32 <jwmaag> vortexx: are you using vm-bhyve? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273732
15:19:35 <VimDiesel> Title: 273732 – 13.2-RELEASE-p3 Linux VMs stopped working
15:32:39 <vortexx> jwmaag: yes I do, and I haven't run into that issue with ubuntu VMs, but I use vm-bhyve to setup my stuff
16:08:36 <jwmaag> Don't think it is specific to linux if the issue is the ACPI table not being generated. I was just connecting the dots from your error on #bhyve and thinking it might be related
16:26:54 <concrete_houses> does async mount flag for ufs along with jornal soft update speed things up?
16:27:03 <concrete_houses> or should async be avoided?
16:39:46 <RhodiumToad> async on ufs is dangerous
16:52:34 <concrete_houses> ok
16:52:50 <concrete_houses> if I have 8g ram laptop i7 8x3.4ghz
16:52:59 <concrete_houses> I have 3 usb3 drives
16:53:07 <concrete_houses> would I be beter to run zfs?
16:53:22 <concrete_houses> or will it slow down web srufing n stuff if I run a busy qbittorrent?
16:53:37 <concrete_houses> I have 3 ufs setup now with journal soft updates
16:53:59 <concrete_houses> I think my net connection is way slower than disks anyhow so maybe no amtter
16:54:05 <concrete_houses> matter
17:35:27 <remexre> does anyone here have SLAAC working inside a vnet jail on the router?
17:36:33 <remexre> tcpdump shows the jail sending rtsols, getting rtadvs; it adds a default route, too; but ifconfig still reports only a link-local addr
19:03:29 <dho> hi. it's been over a decade since i used freebsd. i wondered about network interface naming and whether there are any guarantees about stability of interface names?
19:04:59 <dho> for example, if i have 4 usb interfaces with realtek chips and i plug them in, i imagine i'll get interfaces rl[0123]
19:06:03 <dho> if i plug them in using a different order, do i get rl[0123] referring to the new order of attachment? if so, is there a methodology for naming them consistently so that the attach order doesn't matter?
20:21:18 <meena> hrmm
20:21:42 <la_mettrie> was?
20:21:57 <meena> I would give them fixed names based on their mac address. but i am struggling to think how
20:22:09 <meena> mostly because I'm struggling to think
20:22:35 <meena> dho: probably devd.conf ?
20:48:12 <dho> meena: thanks. i'm aware that udev and systemd have some other options such as naming a device by where it appears on a pci bus. mac address would be nice. i looked at devd.conf(5) and wasn't sure how that would work. i guess i'd have some script that waits for e.g. ATTACH or DETACH and then calls `ifconfig <ifname> name <whatever>$MAC`?
20:48:57 <dho> (i guess bus path isn't particularly useful for the usb scenario i described either XD)
20:51:26 <meena> yeah, no, the bus path could change depending on which thing you plug where
20:51:44 <meena> So the MAC address is your best friend
20:52:06 <dho> for the devd.conf method, i still have to know a thing will be `rl0` at some point. once i plug one in, is the next one going to be `rl0` again or `rl1`?
20:52:10 <meena> Also, i would give them cool names that i can remember that have meaning to me
20:53:08 <dho> for full disclosure i'm trying to figure out how people do this in other operating systems, and understand the challenges of those methods, so that i can better think about how to do it in the one i work on
20:53:09 <meena> the main issue is, if you need to do sysctls, you need to do them against the original name because we suck at doing renames, actually
20:54:21 <meena> one example https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273715
20:54:23 <VimDiesel> Title: 273715 – dumpon: Kernel panic on boot when enabling dumpon over IP
20:55:00 <meena> most recent one i have seen anyway
20:56:05 <meena> (n.b.: i don't know how Linux does renames)
20:56:30 <rwp> meena, dho, I have not used it so have no reviews other than I squirreled away the URL to it.  https://github.com/eborisch/ethname
20:56:32 <VimDiesel> Title: GitHub - eborisch/ethname: FreeBSD rc.d script to map ethernet device names by MAC address.
21:00:10 <dho> appreciate it. that's in the spirit of what i was thinking, though requiring a priori knowledge of which interfaces one would want to "rename". i think meena's point that aliasing is incomplete is relevant
21:00:46 <dho> meena: i don't really either, udev supports it and then systemd has policies that work with udevd to make that work. i believe it does end up telling the kernel what the device is called
21:05:46 <meena> rwp: that looks cool, but to make it reactive, you'd still have to stuff it into devd.conf
21:06:02 <meena> although that might be easier ti find examples for
21:06:47 <meena> again, brain not cooperating or i would've written down an example
21:09:40 <meena> https://github.com/search?q=repo%3Afreebsd%2Ffreebsd-src%20devd.conf&type=code lots of cool examples across many different man pages
21:09:41 <VimDiesel> Title: Code search results · GitHub
21:16:30 <meena> https://github.com/freebsd/freebsd-src/blob/main/sbin/devd/ there's probably more examples
21:16:31 <VimDiesel> Title: freebsd-src/sbin/devd at main · freebsd/freebsd-src · GitHub
21:17:22 <meena> let's see if I can finish this docs
21:43:22 <_xor> Oooooh, next release of zfs is getting raidz vdev expansion?
22:14:08 <polyex> so with microvm stuff going on, any reason to use container tech like jails anymore?
22:22:25 <dho> meena: I think the intent for that one is to use it with /etc/rc.conf
22:22:48 <dho> or /usr/local/etc/rc.conf i guess
22:23:02 <meena> dho: yes, but if you want it to react dynamically, without you having to restart it every time you plug something in or out, you would still want to hook it into devd.conf
22:23:15 <meena> it's a good start like. No doubt!
22:23:35 <thedaemon> oh wait, I need something like this. X11 hates when I unplug my wacom tablet.
22:23:51 <thedaemon> what needs to hook into devd.conf?
22:24:18 <thedaemon> I have been struggling on how to make my system not lock up if the wacom gets unplugged or replugged.
22:28:35 <dho> thedaemon: depends on what you'd do if the device disappears
22:29:29 <dho> thedaemon: devd.conf(5) has a bunch of explanations about events it can synthesize on device / subsystem attach. you can specify actions to run when those events occur and then develop a script that reacts appropriately.
22:31:46 <thedaemon> ahh nice, I'll check the man page. appreciate the tip.
22:31:48 <dho> i guess if you can figure out what $DISPLAY is you might write something to see if it was the wacom that detached and tell X to switch input device or something
22:32:48 <thedaemon> I am not sure what exactly is causing the freeze, as it's too sluggish to figure out. maybe if I have patience I can debug
22:35:00 <dho> meena: oh, that's a good point about restarting it.
22:35:30 * meena is finally done
22:35:36 <meena> https://reviews.freebsd.org/D41848 start of the stack
22:35:37 <VimDiesel> Title: ⚙ D41848 virtio: use bool for boolean functions
22:40:05 <meena> well, "done"
22:40:35 <meena> now we see if what I've written actually makes sense, fix the bits that don't, and then split it into 70~ or so man pages, instead having it all in 2
22:45:11 <polyex> meena so with microvm stuff going on, any reason to use container tech like jails anymore?
22:45:41 <meena> polyex: what's microvm?
22:46:10 <polyex> basically a stripped down freebsd instance that can start in 25ms
22:46:27 <polyex> to run on demand (per request) and stuff like FaaS
22:46:32 <meena> like FIRECRACKER on AWS?
22:46:34 <polyex> ya
22:46:48 <meena> really depends on how you're planning to manage your infra.
22:47:12 <polyex> in what ways would it NOT be a container (jail) killer?
22:47:47 <meena> I have no answer to that. I don't use FaaS stuff.
22:49:05 <meena> so i don't have the experience with it. IMO: It boils down to the tools you have for managing infrastructure. If you got a container manager that you control and are confident with, then it does't matter what AWS has on offer, it'll probably end up more expensive ;)
22:49:28 <meena> If you don't, and you can afford AWS, and you feel confident in using it, then go that route.
22:49:40 <polyex> well no with stuff like qemu microvm we can start running our own microvms we don't need aws
22:50:13 <meena> i was using AWS as example because we agreed on FIRECRACKER above.
22:52:32 <meena> in the end, what tool you use for managing infrastructure isn't really all that important. You and your crew need to be skilled in it. and the tool needs to be flexible enough for you and your team to accomplish the tasks you need to accomplish today and next year. Some tools are so flexible, they can be grown, too.
22:59:19 <polyex> ya
22:59:39 <polyex> so how can it be allowed for jails to share the same ip, as long as they don't have any other ips?