-
psionic
what's with this invalid signature crap and slow mirror for the pkgs? :/
-
psionic
I tried to add .eu. to the repo url, didn't really help
-
al1r4d
hello, I have just successfully installed wireguard on freebsd =))))
-
tercaL
In my FreeBSD server, I have one external interface with public Internet IP address, and a "lo1" virtual interface I created in rc.conf, for my Jails to have virtual IPs through that interface, and NAT for them so that they could be online through my external interface with public IP address. I'm trying to understand and configure PF for such setup now, and I'd like to ask in my case, should I have "set state-policy if-bound"?
-
phryk
on my homeserver, pf's nat doesn't work for jails after boot – i assume because the jails (or rather their ip addrs) don't exist when pf is started. doing 'service pf reload' fixes this, but how do I get this to Just Work™ after booting?
-
phryk
also, can i update to the 14 beta via freebsd-update? not really finding any info about that, but intuitively I'd assume 'freebsd-update -r 14.0-BETA2' should™ work.
-
paulf
I think update works for betas but not alphas
-
phryk
paulf: okay, i'll try. any idea where you know this from?
-
paulf
well i tried recently for alpha and it failed, not certain for beta
-
phryk
ah. well, i guess i'll see if it works. first updating to 13.2-p3 tho. probably not needed but feels cleaner. :P
-
phryk
also, i only recently learned about freebsd-update's -d option, which actually makes it work nice when updating multiple freebsd instances through one host. a bit confused that -d doesn't always default to $basedir/var/db/freebsd-update but i assume there's some reason for that.
-
phryk
re pf i found
forums.freebsd.org/threads/pf-requires-reload-after-boot.58444 referring to man pf.conf saying names of interfaces with changing addresses should be enclosed in parens, but that's a syntax error for me… :F
-
VimDiesel
Title: pf requires reload after boot | The FreeBSD Forums
-
stl
phryk: could you paste your rule? this works for me: rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $webserver port 443
-
phryk
stl: mhh, i do my rdr's on tables/subnets (<10.101.2.0/24> f.e.) rather than interfaces. i only have "pass on $jail_if" using the affected interface.
-
meena
paulf, phryk: ALPHAs are cut from the main branch, and the stable/14, until releng/14.0 is branched. BETAs are cut from a releng branch. freebsd-update only comes from releng branches
-
phryk
meena: so upgrading to beta works, good. :)
-
phryk
but i'm still stuck trying to decipher (again) how to do a major upgrade for postgres… pg_upgrade seems like it *should* be the way to go but depends on a setup that no package manager i know (except portage, i guess) will allow… :F
-
phryk
can't really believe that there still isn't a better way than dumpall and feeding the whole dump into the new install…
-
meena
phryk: the easiest way is to have jails for different postgresql versions
-
phryk
meena: oh right. mine already runs on a jail. but then i could go the replication route.
-
phryk
that would mean i have to figure out how to set up replication, so i guess that's a project for another day.^^
-
RhodiumToad
phryk: there's instructions in UPDATING somewhere for how to do it without jails
-
RhodiumToad
but the real fix is to allow concurrent version installs
-
RhodiumToad
meena: having jails isn't really a big help for pg_upgrade, which needs to be able to run the two versions' postgres binaries alternately
-
phryk
RhodiumToad: far as i know that's not a thing pkg can even do
-
phryk
RhodiumToad: yeah, jails don't help with pg_upgrade (tho they can, i guess). the point was spinning up a second instance and getting replication going.
-
RhodiumToad
it means doing major changes to the ports, but it's quite doable
-
RhodiumToad
the best example of doing it close to right is how debian/ubuntu's postgres packages work
-
phryk
no idea how things look there.^^
-
phryk
but honestly, i'd like package flavors for a lot more things… like different compile-time options.
-
phryk
tho after my understanding, currently only ports have flavors, packages don't.
-
RhodiumToad
the basic idea is to install every pg server version into its own dirs, split out libpq, and provide a few wrappers
-
RhodiumToad
flavors aren't really the issue here
-
phryk
yeah, not here. it's just a general small gripe i got. :P
-
Gud
-wi2
-
Gud
oops
-
_xor1
Is /etc/rc.firewall supposed to exist in base?
-
_xor
Oh, nevermind. Just checked my other systems and it's not there either (unless all of my systems are missing a file that's supposed to be there to begin with)
-
_xor
oh heh, I think I know what I did.
-
» _xor was too presumptuous when he added WITHOUT_IPFW=yes in /etc/src.conf
-
_xor
meena: Just realized that since I'm using pkgbase, that probably gets built as a package, doesn't it?
-
_xor
meena: Can I tell it to build just a specific package or do I have to build the whole thing?
-
meena
_xor: yes, and there's not much libs
-
meena
so you can build it, and just not install it
-
_xor
Oh, just realized that ipfw includes a kernel module, doesn't it? So it'll have to build that too and upgrade the kernel package.
-
meena
that's what I usually do
-
_xor
ah ok
-
_xor
PkgBase is paying dividends, thanks for the work on it :)
-
meena
i wish i had more hardware resources to run an open repo again
-
_xor
What's the current situation and what do you need?
-
meena
but i feel like just having done that has kicked stuff off
-
meena
_xor: a #freebsd user has promised me a Vultr server as soon as he's got a new job again
-
_xor
Wait, so do you need physical hardware or cloud resources?
-
meena
whatever is cheapest. I'm happy with anything.
-
_xor
Hmm, I may be able to help you with it. I use vultr too and I have some excess credits right now. I'm also going to re-up the credit balance on my vultr account next week. If you let me know, I might be able to help you out.
-
_xor
Either we can create a new account & I can add an initial credit balance to that for you (which is ideal because then you can do whatever you want, but would like to do it without exposing my credit card), or I can directly create a VM in my account and give you access (less preferred, as I'll have to account for it and keep an eye on it to make sure it doesn't chew up the balance on my own account).
-
meena
_xor: codeberg is having trouble right now, but this was my last setup:
codeberg.org/pkgbase/website/src/branch/main/howto/howdo.md
-
_xor
I just realized vultr has a referral program. Hang on, I'll /msg you a link.
-
» CrtxReavr is on a Vultr instance.
-
_xor
"Referred customer must link a valid credit card or Paypal method to be eligible for the $100 credit. Unused portion of $100 credit expires after 14 days."
-
_xor
That last sentence is laaaaaame.
-
_xor
CrtxReavr: Do you know if I can refer meena, have her create an account, and I can give $TBD in credit to the account?
-
» _xor needs to rebuild his FreeBSD image for vultr too
-
_xor
meena: You're working on cloud-init?
-
meena
Yupp
-
_xor
k, will keep that in mind.
-
meena
well, taking a detour to work on virtio right now
-
meena
but working on virtio is so we can test FreeBSD on LXD.
-
CrtxReavr
_xor, NFI really. . . had the instance for years and don't bother with the website unless there's a problem, which has thankfully, been rare.
-
_xor
FreeBSD on LXD? I take that as FreeBSD userland running in an LxD container?
-
_xor
CrtxReavr: Yeah I'm Googling + browsing their site right now to figure out if/how I can do this.
-
CrtxReavr
FreeBSD instance. . . I'm unsure what their underlying technology is.
-
_xor
You mean their virtualization stack?
-
CrtxReavr
Yeah.
-
_xor
Don't remember off the top of my head, but I remember building a FreeBSD image with cloud-init + customizations using poudriere, uploading it to vultr, and spinning up a VM with it.
-
CrtxReavr
I started with their image. . . upgraded it many times.
-
CrtxReavr
Honestly, with the exception of this in the rc.conf, it's very much a stock config: route_linklocal="-net 169.254.0.0/16 -interface vtnet0"
-
_xor
Doesn't need much, though I thought they required cloud-init, so figured there would be cloud_init_* knobs there too.
-
CrtxReavr
Dunno. . .
-
CrtxReavr
But like I said, I've had this instance a long time. . .
-
CrtxReavr
Been through a lot of OS upgrades.
-
_xor
Hmm, weird: "Your server was originally deployed using one of our installers. If you reinstall the operating system via a custom ISO, the root password in your control panel will no longer be valid."
-
meena
_xor: last time I checked, Vultr didn't have cloud-init in their images yet. I should message them, the latest fixes make it work really well on Vultr
-
_xor
I know 100% that I remember building and uploading a couple of custom images.
-
_xor
Now I'm wondering if that didn't work (though I remember seeing it work and I'm 99% sure I mentioned it in here too), and I resorted to using the stock images they had.
-
phryk
i have a problem. i have a half-done update to 14 on my desktop and it died during the big pkg upgrade. couldn't even read what's going on as it just immediately rebooted.
-
phryk
now i've been through an fsck and i don't know if that finished or not because there was a lot of text running down very quickly and then it rebooted again within less than a second – after taking over half an hour to get that far…
-
RhodiumToad
what sort of text?
-
phryk
no idea couldn't read it. but english, not /dev/random ^^
-
phryk
now it's going through fsck again, tho this time it doesn't seem to find a lot of errors (fixed dozens in the previous run)
-
phryk
how do i get this to slow the hell down so i can actually read whatever the error is?
-
meena
Ctrl-S?
-
meena
hm, that won't stop a reboot
-
RhodiumToad
depends
-
phryk
what does that even do?
-
RhodiumToad
this is on the physical console? scroll lock might help
-
phryk
so i have to hit either ctrl+s or scroll lock in the fraction of a second before it reboots?^^
-
phryk
and yes, i do have direct keyboard access (tho only via usb, not ps/2)
-
RhodiumToad
you may be able to get it to stop on panic rather than reboot
-
phryk
you mean with ctrl+s or some other way?
-
phryk
aaand it rebooted again
-
phryk
okay, if i ctrl+c the fsck, i can get a single-user root shell. i have a looming suspicion i want to check.
-
RhodiumToad
it rebooted rather than doing some sort of controlled panic?
-
phryk
RhodiumToad: no idea. if it didn't reboot so fast i couldn't read anything i might know.^^
-
phryk
but i suspect that it tried loading radeonkms, saw two cards it supports and then spontaneously exploded.
-
phryk
will know whether that was the problem after this fsck is through… or reboots. ^^
-
RhodiumToad
boot to single user
-
RhodiumToad
and make sure you're not trying to load any drm stuff in loader.conf
-
RhodiumToad
incidentally, I can't think of any actually safe way to upgrade in-place without disabling graphics drivers first
-
phryk
RhodiumToad: i loaded it from rc.conf because of exactly that. then i wouldn't even have gotten to the fsck… if drm is indeed the problem.
-
phryk
i assumed x would just shit its pants and die and then dump me into a tty. this *is* actually what happened on first boot of the 14.0 kernel.
-
phryk
my assumption here being that it died right after installing the updated drm-kmod and presumably loading it in the pkgs post-install.
-
RhodiumToad
that's ... not how it works
-
phryk
then drm might not be the issue after all^^
-
RhodiumToad
boot to single user, run fsck, mount local filesystems, remove the drm packages, and try again
-
phryk
i removed radeonkms from rc.conf during the previous boot, that should™ do the same.
-
phryk
i said, while the machine was rebooting :F
-
phryk
running fsck -y from single user shell now
-
tercaL
When I go to the console of my jail (jexec myjail), the location is always "/". How do I make it "/root" by default?
-
meena
tercaL: jexec -l
-
tercaL
meena: Thanks a lot
-
phryk
fffffffffffffffffffff
-
phryk
the disk is dead
-
phryk
after reaching +60% on phase 2 it spouts out "THE FOLLOWING DISK SECTORS COULD NOT BE READ" and "CAM status: Auto-Sense Retrieval Failed"
-
phryk
:'<
-
phryk
this goes on forever with different addresses or whatever…
-
meena
phryk: oh no
-
phryk
ah yes, and if i just do "ls" in the shell, the whole box reboots…
-
phryk
meena: oh no indeed, this is my work machine.
-
RhodiumToad
this was working well before the upgrade?
-
RhodiumToad
I would say the odds are that this is not a hardware problem
-
phryk
RhodiumToad: never noticed a problem – but i was lacking a smartd config, so i wasn't exactly up to date with how fresh or not this drive is…
-
phryk
anyhow, gonna boot into the shit os and play some fallout. been doing it shit all day and i'm kinda spent :F
-
RhodiumToad
it's not inconceivable that the load of doing the update broke the drive, but it's not especially probable in my experience
-
phryk
RhodiumToad: yeah, but an obvious culprit. and here i was wanting to frontload some of the effort for the new machine i'm putting together next month…
-
Freaky
-
VimDiesel
Title: Thomas Hurst: "@josephholsten⊙ms Hey, look what I have…" - Hachyderm.io
-
phryk
i got two other disks in that machine, so I'll see about where to put a fresh bsd… tomorrow. :F
-
polyex
bsdinstall man page says "On FreeBSD release media, such a script placed at /etc/installerconfig will be run at boot time and the system will be rebooted automatically after the installation has completed." does that mean if i don't remove install media it'll repeat the install automatically after rebooting?
-
RhodiumToad
that depends on the boot order configured in your bios or whatever, and whether you change it during the reboot
-
polyex
but if the scripted bsdinstall install media is left in and it gets booted to, the install will be repeated right?
-
polyex
like it won't detect that it's already been done or something
-
RhodiumToad
I guess that depends on the script
-
RhodiumToad
I would test it in a VM environment
-
polyex
can a bsdinstall script decide if bsdinstall runs or not?
-
polyex
i guess it's pretty important to remove the install media from the boot process, however it's done, because a reinstall loop could happen
-
polyex
badland.io/packmule.md seen that RhodiumToad?
-
VimDiesel
Title: Introducing Packmule
-
RhodiumToad
haven't seen it myself
-
RhodiumToad
I'm not big on image-building tools, I just go with make
-
polyex
why not?
-
RhodiumToad
I don't have any requirement to build separate installer images, I'm generally building the actual system
-
polyex
well you gotta install it after building it no?
-
RhodiumToad
no, I'm installing it directly onto what will be the final system
-
RhodiumToad
whether that's a bootable sdcard for my RPIs, or onto a split mirror on a PC
-
RhodiumToad
or on an image file or device for a VM
-
polyex
oh do you do the thing where you netboot the system, then setup disks, then untar distro onto disks, then run post setup commands?
-
RhodiumToad
no
-
polyex
can you explain how you're doing it like i'm 5?
-
RhodiumToad
for the PC case, I have mirrored boot disks, and when I'm going to reinstall I split the mirrors, boot one of them, wipe and recreate the other one, then boot off that
-
RhodiumToad
then keep them split until I'm satisfied the new system is working, then rebuild the mirror from the new one
-
RhodiumToad
this kind of thing would be easier with zfs, but this is something i've been doing in one form or another before zfs was in freebsd
-
RhodiumToad
only time I actually install from separate install media is for a brand-new machine
-
polyex
and how do you do it on brand new machines? scripted bsdinstall repacked into an iso or?
-
RhodiumToad
nah, just a manual install
-
polyex
why not scripted?
-
meena
Freaky: nice!
-
yuripv
ugh, commits search for illumos looks weird there
-
yuripv
freshbsd.org/illumos/gate?committer[]=Yuri+Pankov says i've been slacking for 10+ years and uses that weird sysroot branch :D
-
VimDiesel
Title: Illumos / gate - FreshBSD
-
polyex
i'm trying out scripted bsdinstall. where do i set the options that are in the security hardening menu during interactive setup?
-
polyex
i assume in the script's preamble but don't know what options to set
-
RhodiumToad
those options end up in /etc/sysctl.conf
-
RhodiumToad
(mostly)
-
polyex
wait so scripted bsdinstall doesn't actually let me set the options that are in the menus during interactive install?
-
RhodiumToad
you can see /usr/libexec/bsdinstall/hardening for where they all go
-
polyex
?
-
polyex
like what about the system components menu screen, we don't get to configure those in the scripted install?
-
V_PauAmma_V
To elaborate on RhodiumToad's answer: look in that file past the copyright header. You'll see a multiline command starting with: FEATURES=$( dialog --backtitle "FreeBSD Installer". That tells you which menu option maps to which hardening option ID. Then, some lines below that, you'll see a "for feature in $FEATURES; do" loop with a case statement. That tells you which hardening option's ID maps to which (sysctl.conf or rc.conf) line. For example (in 13.2), "Randomize the PID of newly created processes" is random_pid, which in turn maps to "kern.randompid=1" in sysctl.conf; and "Clean the /tmp filesystem on system startup" maps to clear_tmp which in turn maps to clear_tmp_enable="YES" in rc.conf.
-
V_PauAmma_V
Correction: "which (sysctl.conf, rc.conf, ttys, or loader.conf)"
-
RhodiumToad
the system components bit is controlled by DISTRIBUTIONS= in the scripted install
-
al1r4d
Newbie Bind9 here. I want to block some domain, example gnu.org (just an example) with bind9. I always get an error and I don't know where the error is located. Named.conf =
pastebin.com/4mGsg1nw, log =
pastebin.com/J5YJui9F, blocked.zone =
pastebin.com/g2mkpJE5. Thank you
-
V_PauAmma_V
Not a bind9 expert (and this may not be the right place to look for one), but "Sep 20 22:32:08 manchester named[7222]: dns_rdata_fromtext: /usr/local/etc/namedb/blocked.zone:7: near eol: unexpected end of input" in log suggests that maybe it wants the ")" at the end of line 7, not alone on line 8.
-
RhodiumToad
the SOA record seems to be missing a field
-
RhodiumToad
@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h ; example SOA record
-
_xor
Oh good lord
-
» _xor is reading ipfw(8)
-
_xor
Quite a few options compared to pf it seems, heh.
-
daemon
ipfw can do literally everything
-
_xor
I'm noticing that :|
-
daemon
it's just got horrific documentation
-
_xor
I'm actually really interested in reading more on its jail + netgraph options.
-
daemon
wait till you get to the nat options with the in-kernel and external (old) nat options :D
-
daemon
natd
-
_xor
My ears perked up when I saw that you can divert to netgraph with a cookie.
-
_xor
Yeah also reading through the Handbook section on IPFW, which mentions that.
-
_xor
I'm reading through the handbook and also skimming man pages it references.
-
daemon
yeah then you google it and it becomes an absolute mess of options -_-
-
daemon
it really really really needs a new 'howto'
-
_xor
Heh, I noticed that too.
-
_xor
Somewhat surprised at the documentation.
-
_xor
ipfw was around before pf was integrated, right? I remember using ipfw until around mid-2000s.
-
daemon
the documentation for ipfw is impressive in that it is absolutely technically correct; 100% coverage; but there is 20 years of it
-
daemon
there is no realistic cookbooks or anything else
-
_xor
Most tutorials/docs seem to be written for pf, and I was about to say it got first-mover advantage, but then I realized that's not true.
-
_xor
Is it really just the sheer volume of functionality that ipfw offers that makes it so dense when compared to pf?
-
daemon
ipfw can even operate on layer2
-
daemon
so yeah sheer volume
-
daemon
documenting it I imagine is a constant nightmare
-
psionic
npf has the worst syntax of a firewall i've ever seen
-
daemon
like bhyve its why we need cookbook.freebsd.org
-
daemon
perl has the same issues
-
_xor
Agreed, a cookbook of common recipes would definitely make things easier.
-
_xor
...and yeah, I saw the layer2/mac thing too, pretty neat.
-
_xor
I started something like that a while ago, but it fell off.
-
daemon
kind of need a community push to make it happen
-
daemon
but all of us are so busy with our lives, quite the responsibility to head
-
daemon
I do not imagine anyone would block such an action
-
_xor
Oh wow, didn't realize it was Feb of last year that I created the repo for that...
-
_xor
-
VimDiesel
Title: xor's FreeBSD Knowledge Base
-
daemon
tell me about it a few years ago I created an entire youtube channel:
youtube.com/channel/UCFhw1oJktUnwY6slMSSxpgQ
-
daemon
:P
-
VimDiesel
Title: viBSD - YouTube
-
_xor
I have a ton of notes I can put in there. The outline is based on notes I already have. But I have to schedule time for it, and it's a bit scarce.
-
daemon
as I said :)
-
_xor
You're in the UK? Oh god, that's a warm can of beer, isn't it? :P
-
daemon
at the moment im trying to juggle two 40-hour jobs, a house move (including my 5 year old daughter, mrs and my parents' house) as well as dealing with some legal issues over <issues>
-
daemon
I bought AC :P
-
psionic
title: how to learn 5 vi commands overall in 30 years :>
-
_xor
Bought AC?
-
_xor
lol <3 vi
-
daemon
side joke about thermal warming and the uk at the moment, ac being air conditioning -_-
-
_xor
It's annoying that some Linux distros set ee/joe/whatever as the default $EDITOR.
-
_xor
oh right
-
yuripv
i had that moment today, visudo on debian starting nano instead of EDITOR being vim, and i was literally lost
-
_xor
There seem to be a fair number of UK'ers in here (and in general working on/with FreeBSD). Is there a reason for that? Like is there some big FreeBSD-using company in UK?
-
_xor
yuripv: Yes, it's annoying. Muscle memory kicks in and I automatically start using vi commands to quickly make edits...only to realize after a few seconds that it's not vi.
-
daemon
not that I am aware of, not sure where netflix is based but pretty sure its not the UK, though ... there is a lot of retro-pro people in the uk, be it amiga, spectrum, acorn... etc. FreeBSD traces its roots from the original unix so it would make sociological sense that it was more popular
-
_xor
Can't we pass legislation or something on stuff like changing $EDITOR? We can start a lobbying group for it.
-
daemon
I mean the sane thing to do would be it defaults to 'seteditor.sh' like ms was forced to do with browsers
-
_xor
daemon: Ah interesting. I remember how many people talked about Amiga when I was learning gfx coding in the 90s and was watching the demo scene.
-
daemon
Mentally even now (as someone born in the uk) when faced with a problem I will think ... hmm how did it used to be done? as a default reaction
-
_xor
Heh, I was talking to my friend from the UK the other day and said to her, "The cozzies around here seem to know absolute bollocks. Right then, forget those chavs, time for some bubble and squeak and a nice cup o' tea."
-
_xor
She didn't find it very amusing.
-
daemon
it's a mixture of random colloquialisms from various parts of the uk :) it does not make sense in a single sentence
-
_xor
I know, I was just giving her a hard time. When I first saw Lock, Stock & Two Smoking Barrels, I was calling people Northern Monkey or Southern Fairy for a while.
-
daemon
still happens to this day but a bit more tame, the division of south and north
-
_xor
Which are you? Which is RhodiumToad?
-
daemon
not sure about RhodiumToad but I am originally from derbyshire (midland, england)
-
daemon
so I'm technically southern
-
» RhodiumToad lives in the midlands (and grew up here) but was born more to the south
-
daemon
RhodiumToad, in the next 3 months I might be moving to fallin, stirling ... in the north :o
-
_xor
Going on a mission to spread cheer and the good word of the FreeBSD gospel?
-
daemon
I want to unite my family ... I currently live in a place called Rugby close to london, my mrs is Scottish her birth town is Fallin. My parents are selling their house and wish to retire, I am hoping to merge the entire lot to get us all in the same rough area together for the sake of my 5 year old daughter having family close by
-
RhodiumToad
stirling is a bit north of north :-)
-
_xor
I just noticed it's Scotland.
-
» RhodiumToad has visited scotland a couple of times but hasn't lived further north than Newcastle
-
_xor
Say hello to Craig Ferguson and Gordon Ramsay for me.
-
daemon
RhodiumToad, if you ever get chance visit the isle of Skye
-
daemon
if I ever met Gordon Ramsay the only question I would ask; is why he got that weird face lift thing
-
daemon
it looks weird -_-
-
_xor
Gah, this is so weird. If anything, that's my biggest complaint with FreeBSD: bluetooth and audio.
-
» _xor is going to reboot to try and fix this
-
daemon
in that case night _xor because im scuttling to bed ;)
-
daemon
nn all
-
RhodiumToad
audio has usually worked fine for me, but never tried bluetooth
-
_xor
good night
-
_xor
RhodiumToad: Audio works fine on its own, but somehow it's now screwing up this system when I tried to pair bluetooth, even after I disabled all bluetooth-related stuff after my failed attempt.
-
_xor
USB headphones are showing up fine, but whenever I try to play something it slows to a crawl, like it's trying to find/open/whatever the audio device (doesn't fail quickly and loudly, "succeeds" silently).
-
_xor
No audio plays either.
-
_xor
brb reboot