-
polyex
is more dev going into the base jail tools so there's less need for 3rd party wrappers that seem to get obsolete and be limited quality?
-
llua
that is quite the loaded question.
-
llua
you seem great at asking them.
-
polyex
?
-
llua
-
VimDiesel
Title: Loaded question - Wikipedia
-
polyex
dunno what's loaded about it tho
-
polyex
bhyve doesn't need a bunch of 3rd party tools. just thought jails could get to the same place
-
llua
jails don't need them either, which is why you don't see them in base
-
polyex
ok so why does stuff like warden exist?
-
llua
for automation.
-
llua
it's like asking why k8s exists when docker exists
-
llua
or openstack when kvm exists, etc, etc.
-
llua
and mind you, stuff like vm-bhyve(8) exists for bhyve.
-
bsdbandit01_
good evening fellow bsd hackers
-
bsdbandit01_
:)
-
polyex
hiya
-
kevans
polyex: i'd like to see a lua jail manager in base tbh
-
polyex
why
-
kevans
because we have lua in base, and it would be nice to have some features that jail(8) doesn't
-
polyex
ah
-
remexre
I've got a box that acts as the router for an IPv6 subnet, and I'd like to redirect all port 80 traffic for one host to another; the obvious rdr rule doesn't seem to work here, but it fails because of a timeout instead of getting rejected by pf, which is kinda unexpected
-
remexre
the obvious rule being: rdr pass inet6 proto tcp from any to $host2 port 80 -> $host1
-
remexre
anything stand out as obviously wrong?
-
polyex
so how can it be allowed for jails to share the same ip, as long as they don't have any other ips? and i think that means even the jails sharing the same ip with the host?
-
jwmaag
kevans: lua's for games not jails! /s
-
kevans
bah
-
kevans
i wouldn't mind having more lua in my life.
-
jwmaag
do you see it replacing jail(8) or as a separate beast? we already know jail(8) exposes more utility than the base syscalls
-
jwmaag
need lua-jib and lua-jng too
-
kevans
separate, imo there's still plenty use-case for jail(8), no need to complicate those peoples' lives
-
jwmaag
in my head i skipped over the "manager" part but that makes more sense
-
_xor
kevans: lua jail manager would be awesome
-
_xor
kevans: procedural jail management via lua vs declarative shell-like configuration file? yes pls.
-
_xor
jwmaag: jib and jng should be unified into a single module, imo.
-
_xor
Probably the ideal scenario would be to improve netgraph documentation by creating a couple of new documents for it (existing node man pages are pretty good, though they rely on netgraph arch as a prereq, and that can be a bit overwhelming for some to dive into because it uses a lot of domain-specific terminology).
-
_xor
Then create a couple of lua modules, one for epair and another for netgraph, that wraps up most commonly used functionality (basically create/bridge/enable/disable/destroy). Finally probably a third lua module that presents a unified interface for higher-level use with jails.
-
polyex
when do you want a bhyve vm that a jail won't cut it? and the other way?
-
parv
Use the VM to run another OS (including FreeBSD, but then there is "jail" already).
-
parv
... could also be possible to run the VM in a "jail" (depending on device passthrough support) -- have used only "jail" on FreeBSD to make some ports.
-
polyex
you can run a bhyve vm inside a jail?
-
meena
polyex: i think most people just run the entirety of bhyve in a jail, not each vm in a separate one, but i might be wrong?
-
polyex
wow you can even run bhyve vms in separate jails?!
-
V-T60
Hello. I connected ath0 but it is not displayed in my ifconfig output
-
V-T60
What are extra steps?
-
parv
if the device is "properly" supported & want to use WPA2-PSK, then see
freebsdwiki.net/index.php/Network,_Wireless
-
VimDiesel
Title: Network, Wireless - FreeBSDwiki
-
parv
Does FreeBSD wpa_supplicant support WPA3?
-
V-T60
i found
-
V-T60
and it works
-
V-T60
that's good
-
meena
how??
w1.fi/wpa_supplicant it's not mentioned here
-
VimDiesel
Title: Linux WPA Supplicant (IEEE 802.1X, WPA, WPA2, RSN, IEEE 802.11i)
-
parv
( On first sight that "w1.fi" looks suspicious but seems that is indeed so|ok:
duckduckgo.com/?t=ftsa&q=what+%22w1.fi )
-
VimDiesel
Title: what "w1.fi at DuckDuckGo
-
» parv 🤦🏽‍♂️ just realized meena's message was for me about WPA3
-
parv
w1.fi page says "Last modified: Sat Jan 12 13:27:18 EET 2013"; header says "Last-Modified: Thu, 22 Oct 2015 20:36:01 GMT"
-
parv
... in any case now I know where to look first for the WPA3 support ...
-
parv
-
VimDiesel
Title: wpa_supplicant - ArchWiki
-
meena
someone needs to update that website
-
» parv now "only" needs a WiFi router that does better than 802.11 draft-n (not too long ago, when I went looking, currently available 802.11ax routers did not have openWRT support; supported ones were out of production)
-
parv
... I should also add I was looking for something that could last a decade, though I have no idea how to filter on that 🥴 as the Buffalo one is going (wired LAN|ethernet portion has certainly gone bad)
-
yuripv
parv: i have cheap cudy x6 that seems to work fine with openwrt
-
parv
yuripv, Thanks, will check out. How long have you been using? Would it last ~a decade?
-
yuripv
only 6 months, so no idea how long it will last :)
-
parv
yuripv, Alright. Thank you
-
yuripv
and yes, all newer ax routers seem to be based on broadcom socs, and broadcom isn't known for open source love
-
pstef_
huh, here that cudy x6 is cheaper than archer c7
-
winternull
if you want a WAP to last a decade then don't bother with consumer grade parts
-
winternull
plenty of enterprise WAPs will be capable of a decade of service, even if the support contract ends midway through the decade of service
-
winternull
generally better features for external antenna connections as well, and options for signal amplifiers
-
winternull
however, I will admit that even a super old archer c7 over here has been alive and well since the start of 2018, and it generally plays well adjacent to a cisco mesh net
-
winternull
flashed with openwrt, needs an update, but still reliable
-
debdrup
freebsd developer summit is live, by the way
-
debdrup
stream is open for everyone, the event itself is invite-only
-
debdrup
-
VimDiesel
Title: DevSummit/202309 - FreeBSD Wiki
-
Ronis_BR
Hi guys! I really need an old version of gitlab-ce to perform a migration. What are my options to build / obtain the old version?
-
otis
check out the old version of ports
-
otis
the last one that contained the particular version
-
Ronis_BR
otis: and build manually?
-
yuripv
and build using that ports tree
-
Ronis_BR
can I do this in a jail?
-
otis
i'd use poudriere bulk -p tree_with_old_version -O tree_with_fresh_head www/gitlab-ce
-
Ronis_BR
ok, thanks!
-
otis
or build manually, ofc.
-
debdrup
poudriere uses jails, so you can do that manually too, if you want to put in more effort than you need :)
-
Ronis_BR
ah, ok, thanks!
-
debdrup
-
VimDiesel
Title: FreshPorts -- security/portacl-rc: RC script for mac_portacl(4)
-
meena
yeah!
-
Freaky
just pondering whether it's reasonable to try to integrate it more deeply, e.g. so service rc scripts can add rules for themselves
-
Freaky
I think the state needed makes it a bit of a dodgy prospect
-
Freaky
dns/dnscrypt-proxy2 has its own little version just for itself
-
bapt
imho the best would be to extend rc so that it becomes a convenient feature available for every rc
-
bapt
like randomrc_portacl*=
-
CmdLnKid
seems over dramatized atm
-
CmdLnKid
no offense
-
Freaky
bapt: how would you actually implement that, though?
-
jwmaag
oh wow... that jogged the ol' memory on mac_ipacl, didn't realize that landed finally
-
bapt
-
VimDiesel
Title: rc.subr « rc « libexec - src - FreeBSD source tree
-
bapt
if bla_portacl* is defined
-
bapt
first perform a sanity check (is the module loaded; if not, maybe load it on the fly)
-
bapt
make sure the right config is there to have portacl working
-
bapt
then execute the expected sysctl
-
bapt
if not already there
-
bapt
I have never played much with portacl but at quick glance that sounds like a reasonable approach
-
bapt
that said, given how simple it seems to use portacl, is it worth it ? vs the admin configures what they need
-
Freaky
could also have an rc subcommand to add rules for you
-
bapt
yup
-
Freaky
CmdLnKid: wjat
-
Freaky
well, that wasn't what I meant to type, but, I guess that works too
-
bapt
it probably means something in some language in the world ;)
-
siix_office
snought asiff wjat yu sae maddres
-
siix_office
:)
-
Freaky
bapt: I guess jails also make it less useful to couple it that tightly
-
Freaky
-
VimDiesel
Title: 259149 – mac_portacl not in affect when running VNET jail
-
Freaky
nice, created a vnet jail with bastille and lost connectivity for a few seconds
-
Freaky
and indeed it doesn't work
-
meena
oh cool cool cool cool cool cool
-
meena
Freaky: i reckon this is still an issue in 14/15?
-
Freaky
I see nothing to suggest otherwise
-
meena
hrm… rwatson hasn't been active for two years, so we can't just assign the bug to them?
-
Freaky
hmm
-
Freaky
2023 Sep 14 14:45:43 80.80 caddy[43439]: :0 -> :0
-
Freaky
what does that mean
-
Freaky
apache shows :::80 -> :::0, which at least has a recognisable port
-
Freaky
that's from dwatch -X tcp kern_bindat
-
RhodiumToad
hm
-
RhodiumToad
a cursory read of the code suggests that jail parameter allow.reserved_ports overrides portacl
-
Freaky
that's on by default though?
-
RhodiumToad
hm. yes.
-
RhodiumToad
but that doesn't allow non-superusers to bind reserved ports
-
RhodiumToad
what did you do to make it work on the host?
-
RhodiumToad
the net.inet.ip.portrange.* sysctls are per-jail, did you check those in the jail?
-
RhodiumToad
(per-VNET-jail obviously)
-
kevans
I do kind of wonder if mac_portacl should actually be doing per-vnet rules (independent of this problem)
-
RhodiumToad
the layering of portacl is a bit weird; portacl does its check at syscall level not inside the network stack, but the network stack does its own checks way further down
-
RhodiumToad
yes, it probably should
-
RhodiumToad
but the layering might need to be changed first
-
RhodiumToad
kevans: on the mount thing, I'm not sure whether / how best to answer kib, since I don't see his objection as particularly well founded
-
Freaky
ah
-
RhodiumToad
kevans: and the simple fix is something that can easily go into stable branches, whereas adding a whole new system of ids to mounts seems like it would not
-
Freaky
RhodiumToad: net.inet.ip.portrange.reservedhigh: 1023
-
Freaky
yeah, that'll do it
-
Freaky
how do you set that to 0?
-
RhodiumToad
sysctl inside the jail?
-
RhodiumToad
I don't think it can be done via jail parameters
-
Freaky
not permitted
-
RhodiumToad
hm
-
Freaky
set securelevel=0 and it let me
-
Freaky
yup, that works
-
RhodiumToad
oh, your securelevel was >0 ?
-
Freaky
yeah, bastille default is 2
-
RhodiumToad
yeah, can't set reservedhigh when securelevel is >0
-
kevans
RhodiumToad: i'll try to take a look soon... kind of engaged in my own disheartening review at the moment as well
-
kevans
i think the main problem i have with our review process is that i somewhat frequently stumble into areas where i get objections but not much useful discussion until after i've tried a bunch of things that got rejected
-
kevans
or i get conflicting opinions from different stakeholders and they won't hash it out amongst themselves when they disagree with each other
-
polyex
jails can be given some disk from the jail host to use for writing right? like if a jail ran postgresql it would need to be able to write to disk
-
RhodiumToad
jails have some subtree of the host's file system
-
polyex
and stuff in the jail can write into that subtree?
-
RhodiumToad
i.e. you specify the jail root dir and it can use anything under that
-
polyex
can you set a quota on the jail root dir so the jail is limited to x GB?
-
Freaky
in the same way you'd do so for the host, zfs quotas etc
-
RhodiumToad
easy to do with zfs, but not otherwise
-
RhodiumToad
in particular normal per-user filesystem quotas don't understand jails
-
polyex
how can jails not have disk quotas built in?
-
RhodiumToad
because disk quotas aren't simple?
-
polyex
could each jail be put in a dir in a different user account? then put quota on user?
-
RhodiumToad
are you not using zfs?
-
polyex
sure but what about in a vm where ppl say to just use ufs? then i can't set disk quotas on jails on the vm?
-
RhodiumToad
the reason there's not a simple quota option for jails is that it wouldn't be able to cope with files existing both inside and outside the jail
-
Freaky
how do traditional quotas work? just periodic checks?
-
RhodiumToad
the normal quota facilities can be used as long as you understand that a given user quota applies to a given uid across all jails on the same filesystem
-
RhodiumToad
no, they are done by the filesystem
-
polyex
is it terrible to run zfs on a bhyve vm? so zfs on zfs
-
polyex
instead of ufs
-
RhodiumToad
I wouldn't expect any issues
-
polyex
oooo nice!
-
rtprio
i mean, you'd probably want a slightly larger memory footprint, but it works fine
-
Freaky
can be wise to set primarycache=metadata on the host to avoid unnecessary double-caching
-
debdrup
Freaky: it's a wonderful little thing as it is, but if you got time for it, it'd be nice of it could be extended to do custom rules
-
debdrup
jwmaag: I'm so happy mac_ipacl finally landed, it's an idea that I'd been kicking around and added to the SoC list on the spur of the moment. I've since discovered that other people had had similar ideas before, so it's nice that it finally landed.
-
concrete_houses
how can I raise the volume more?
-
concrete_houses
sfsf
-
rtprio
more than what?
-
concrete_houses
is there a way to raise volume more that apparent max?
-
concrete_houses
I remember there was a pulse audio way on linux somehow
-
concrete_houses
pavucontrol?
-
RhodiumToad
sysctl hw.snd.vpc_0db
-
RhodiumToad
and also mixer vol 100 pcm 100
-
RhodiumToad
smaller values for vpc_0db are louder, but you'll get clipping if you go too far
-
concrete_houses
# sysctl hw.snd.vpc_0db=100
-
concrete_houses
hw.snd.vpc_0db: 45 -> 100
-
concrete_houses
ohhh
-
concrete_houses
sysctl hw.snd.vpc_0db=10 works awesome
-
concrete_houses
wow
-
concrete_houses
thanks!!
-
RhodiumToad
10 seems extreme. have you checked that you don't have some misconfiguration that's affecting the volume?
-
rtprio
or turn on the speakers?
-
RhodiumToad
I've seen cases where the output levels were unreasonably low unless one of the gpio pins on the sound chip was tweaked
-
_xor
What's the default behavior of a user-launched /usr/sbin/daemon when a login session is exited? (e.g. user logs in -> user runs /usr/sbin/daemon ... my_app -> user logs out)
-
_xor
Most shells send SIGINT or SIGTERM or something, no?
-
_xor
Oh wait, I guess I could just test this on my spare system.
-
RhodiumToad
the shell shouldn't be sending anything
-
_xor
What actually emits the signal?
-
RhodiumToad
it's ... complicated
-
_xor
I see :P lol
-
» _xor was thinking he should wrap his head around the details of this stuff
-
RhodiumToad
but part of the point of daemon is to get the process out of the current session and into a new one
-
RhodiumToad
what options to daemon are you using?
-
_xor
Well, this is more just me learning, but for example let's say -c, -f, and -o.
-
_xor
Oh, I also tend to use both -p and -P by default so I always have pidfiles I can look at really quick.
-
RhodiumToad
ok. so as far as i can tell, daemon always puts a child in a new session and exits in the parent
-
_xor
Hmm, I should also get a better grip on process groups/trees since -p only tracks the main child spawned by daemon. I guess it would come in handy if I want to make sure that all child pids or whatnot are managed as a group.
-
_xor
ah
-
RhodiumToad
so the shell doesn't know the pid of the actual remaining process, so it can't kill it
-
_xor
How does daemon keep track of the child? Does it poll it or is there some mechanism where it can subscribe to pid changes and be notified (or something like that)?
-
RhodiumToad
depending on the options, daemon might just execute the child in place of itself,
-
_xor
I guess I'm wondering, if the shell kills daemon when the user logs out, is there some coupling between the two that breaks that could cause the child to die? (thinking in terms of IPC I guess)
-
RhodiumToad
or it executes the child in a subprocess so it can monitor it
-
_xor
...oh wait, the daemon would kill the child on getting a signal, wouldn't it? That's the default behavior, no?
-
RhodiumToad
the shell doesn't know the pid of the actual daemon process
-
_xor
oh
-
RhodiumToad
since the daemon command immediately exits
-
_xor
Ooooh yeah, that's right. Didn't think about that.
-
RhodiumToad
i.e. it forks a child, puts it in a new session, and exits the parent, so the shell thinks it's done
-
_xor
Ok now it's making more sense.
-
RhodiumToad
the fact that it's in a new session takes it out of the normal job control done by the shell and terminal driver
-
_xor
Hmm, I was just now wondering if it's common for shells to broadcast a signal to all processes owned by the user session upon termination of said user session (or at least shell sessions launched as a login session?)
-
RhodiumToad
what shells do depends on the shell, and there's also stuff the terminal driver does
-
RhodiumToad
bash and (iirc) zsh will, when an _interactive_ shell exits, send SIGHUP (+SIGCONT if needed) to every active non-disowned background job
-
RhodiumToad
oh, with bash that's conditional on the huponexit option
-
_xor
What started this line of thought was because I have a number of background applications that start when I login to wayland (same goes for xorg though). Currently I'm using a command (hyprctl) provided by my desktop environment (hyprland) to launch them in the background. Some of those services sometimes fail to start, and so I currently check them
-
_xor
via ps and start them manually if required.
-
_xor
I'm contemplating just changing it to use /usr/sbin/daemon with -p and -P to make it easier to check those background processes, but was wondering about things like can I be sure those processes terminate when I logout?
-
_xor
There's also the option of using XDG autostart via ~/.config/autostart/${APP}.desktop or whatnot, but I remember having an issue with that a while back.
-
RhodiumToad
well, now there's the distinction between a terminal session and a login session to deal with
-
RhodiumToad
if you want stuff killed when logging out from wayland or x, then that's something neither the shell nor tty job control will handle
-
» RhodiumToad has to go do stuff
-
_xor
Lol, well that was fun. System crashed.
-
_xor
Had to reboot and restart services I was talking about just now hhe.
-
_xor
Since I was rebooting anyway, I decided to upgrade packages too, and also ran autoremove. Now some apps aren't working due to packages being removed that were apparently needed (but not marked as a dep I guess).
-
» _xor is now waiting for `pkg check -a -r -d` to finish
-
polyex
if i wanted to run my whole network on freebsd, even the networking gear not just servers were all just freebsd servers ultimately, how much slower and crappier would that network be?
-
jauntyd
lol
-
polyex
what was my last msg into chat?
-
jauntyd
You were talking about how much you love FreeBSD
-
polyex
paste pls?
-
jauntyd
<polyex> I'm switching everything to FreeBSD!
-
polyex
if i wanted to run my whole network off of generic freebsd servers, and not use any special networking gear like switches and load balancers, how much slower/crappier would my network be?
-
signalblue
polyex: it'll probably be faster/better not slower/crappier
-
polyex
does anyone actually do it?
-
vkarlsen
I went all in and installed FreeBSD on the cat5 cables
-
KingShark
Hi. Just installed freebsd on my desktop to try it, did manual partitioning following the handbooks example but using freebsd-zfs instead of freebsd-ufs as filesystem for each partition, now i get 'cant find /boot/kernel/kernel' at startup. Fixable or better to do a quick reinstall?
-
vkarlsen
KingShark: You went the hard way there, didn't ya? There's a guided zfs on root mode
-
KingShark
vkarlsen, I checked the guided section and somehow came to believe it's tailored for a raid setup, asking about striping and raid modes, so i went the manual way, probably for no good reason 😕
-
vkarlsen
KingShark: It can do simpler setups too
-
KingShark
vkarlsen, i saw i could choose only one disk for the striping mode but would that be useful? didn't see much simpler
-
KingShark
i have one ssd and one hdd. /usr was supposed to go on the hdd, everything else can be on the ssd
-
vkarlsen
You'll need two zpools then, one on each drive
-
KingShark
guess i will rerun the installer quickly, took only a few minutes on my previous run
-
KingShark
in the guided mode, it seems to offer one pool only?
-
vkarlsen
It probably does, yeah. You'll have to create the other one later
-
KingShark
my manual setup still shows in the manual mode and looks fine to me. i wonder what went wrong
-
KingShark
i got the freebsd-boot, freebsd-swap, and /, /var and /tmp as freebsd-zfs on the ssd
-
KingShark
whatever. doing guided mode
-
KingShark
worked fine *shrug*
-
KingShark
is mixing pkg and ports a no-go or not much of a problem? i see warnings about doing that in the handbook
-
daemon
it's always been a thing that they should be intermixable, but generally it's better to pick one and stick with it
-
KingShark
alright. compiling x11 from ports it is
-
daemon
ah one thing though this is from my personal playbook
-
daemon
I install freebsd minimal then use pkg to install <whatever I need>
-
daemon
then use portmaster to rebuild the entire system from ports when it's bedtime; and then use ports from then onwards
-
daemon
but really what you do is your choice :)
-
KingShark
interesting approach
-
daemon
you can generally upgrade from pkg to ports but not the other way around (without some weird stuff having a chance of occurring)
-
KingShark
are the forum entries on how to rebuild all pkg from ports dated 2015 still the correct procedure?
-
KingShark
-
VimDiesel
Title: Rebuilding all ports with portmaster | The FreeBSD Forums
-
KingShark
apparently better than portmaster -af
-
daemon
portmaster -aBd is generally what I use
-
daemon
but just man portmaster for the flags you want
-
MelanieMalik
:o
-
daemon
I might also mention I use raid0 everywhere and store all my systems on a central ZFS system for instant backups :P
-
KingShark
I'm stuck on some hp all in one hardware, can't easily add more disks
-
KingShark
i got a raid1 nas for data backups though
-
daemon
Bd as far as I recall is do not take any backups :) which is what I assumed MelanieMalik's :o was about
-
MelanieMalik
it was about "oh, i landed here in my channel window switching"
-
daemon
:-)
-
KingShark
thanks for the help everyone 😃 bye
-
polyex
you can give readwrite diskspace to a jail either directly mounted or through a network fs protocol. is that right? tradeoffs?