-
lw
i don't even dare log into my bank unless they do the same, i just use the phone app
-
lw
hooray for the open internet, i guess
-
rwp
I have had no trouble logging into ebay.com from FreeBSD. Not a problem so far.
-
nimaje
I normally use 'bot' as UA, some sites give better versions they want to give those search engine crawlers
-
rwp
Remembered a reference Dan Langille posted that included a list of things to turn off from periodic in jails, and probably useful elsewhere too.
gist.github.com/dlangille/ce60ac76b69f267a3f1de33495a338fc
-
VimDiesel
Title: Periodic things to turn off in FreeBSD jails · GitHub
-
kenrap
rwp: I'm still able to log into ebay even when using librewolf with the enhanced privacy protections. Though some websites like amazon still think I'm a bot and require me to verify I'm not.
-
dvl
rwp: Perhaps we should summarize that and submit a PR, grouping those items into ...something.
-
dvl
rwp: and by we, I hope you.
-
kenrap
My user-agent would look weird as f**k to them
-
lw
rwp: i also had no problem logging in, until i tried to buy something and they suspended me, and then told me that "any related accounts" will also be suspended, so now i'm scared to log into my work account...
-
» rwp chuckles (with dvl) :-)
-
rwp
I had that dlangille reference because it is still in my queue to read, understand, grok completely, and then go fix up all of my systems. I still need to do that.
-
rwp
I have bought a lot of things off eBay using my FreeBSD Firefox. Just verified now that I do not override User-Agent there. (User-Agent Switcher plugin FTW!)
-
lw
it probably didn't help that i made a new account
-
lw
when poudriere attacks 12:10AM up 4 days, 8:24, 2 users, load averages: 13.01, 12.17, 8.73
-
kenrap
Hmm, don't the browser ports automatically build them using "Linux" as the OS default user-agent?
-
lw
kenrap: this one (that i pasted above) has both linux and freebsd in, which is weird. i don't know if it's qtwebengine doing that...
-
rwp
Current pkg installed Firefox gives me "Mozilla/5.0 (X11; FreeBSD amd64; rv:121.0) Gecko/20100101 Firefox/121.0" which I just pulled from the log just now.
-
kenrap
my librewolf user-agent shows: Mozilla/5.0 (X11; FreeBSD amd64; rv:109.0) Gecko/20100101 Firefox/117.0
-
lw
yeah, ff's is much more sensible
-
lw
this one is from qutebrowser
-
kenrap
Well, I was definitely wrong on both accounts thinking that the obscure user-agent was about fingerprint resisting and that "Linux" is an automatic default for all browsers built in ports in general.
-
rwp
I don't know why any site would use User-Agent as anything more than a mild hint but some do. It's insane.
-
kenrap
-
VimDiesel
Title: GitHub - fingerprintjs/fingerprintjs: Browser fingerprinting library. Accuracy of this version is 40-60%, accuracy of the commercial Fingerprint Identification is 99.5%. V4 of this library is BSL licensed.
-
SomeRandoUser
Is it possible for linux and freebsd to use the same swap partition?
-
lw
technically yes, but possibly they won't like that they use different partition types
-
lw
me: "well, this vm provider only offers linux, i'll use zfs on there and i'm sure it'll be fine"
-
lw
my vm:
-
lw
2!fuchsia /home/lexi# zfs destroy -r backup/data
-
lw
Connection to fuchsia.eden.le-fay.org closed by remote host.
-
jbo
here we go building lang/rust again...
-
lw
jbo: i feel your pain [02] 01:08:43 lang/rust | rust-1.75.0 build 01:07:54 72.2% 8%
-
lw
i need to get around to submitting enough PRs that i don't need to build ports from source anymore
-
jbo
not sure whether you truly do. because before I left the office I turned off my 32-core 256 GB RAM build server so now I'm stuck building on a stupid desktop machine
-
jbo
what do you mean, lw? you can always just use an overlay. should be unrelated to PRs entirely.
-
lw
jbo: i have devel/electron25 in my tree, so i do
-
jbo
not sure how submitting more PRs helps with that?
-
lw
no, these are different problems
-
lw
1) electron takes ages to build, so i feel your pain, 2) i need to build ports because the default options are stupid, but we can fix that with subpackages, like enabling jack in pulseaudio
-
lw
but i have to send patches to enable subpackages where needed
-
jbo
aye
-
jbo
hmm, for some reason my repo also has devel/electron25 in it. I better go hunting
-
jbo
> electron25-25.9.8_2 Build cross-platform desktop apps with JavaScript, HTML, and CSS
-
lw
it's signal-desktop for me
-
jbo
oh, that's right!
-
lw
fricking hate signal
-
lw
the guy who created it claims to be an anarchist but threatens legal action against anyone who makes a third-party implementation of their protocol
-
lw
how the fuck does that work
-
jbo
the sentence of "Build cross-platform desktop apps with JavaScript, HTML, and CSS" is just enough of a hint that something like that shouldn't exist IMHO :D
-
jbo
"here are technologies that are purposefully designed not to be used for desktop applications put together to make desktop applications"
-
lw
oh this is fun (on my linux vm) fuchsia.eden.le-fay.org login: [ 249.856720] Kernel panic - not syncing: System is deadlocked on memory
-
lw
i guess 2GB RAM is not enough to destroy a zfs dataset?
-
jbo
lw, I still haven't figured out why syncoid does not succeed on anything other than the first sync for me
-
lw
jbo: i'm fighting with syncoid right now (it's what caused all this) but at least it's not syncoid's fault...
-
jbo
lw, one "problem" is that the progress bars of each snapshot rarely reach 100%
-
jbo
then I get
-
jbo
mbuffer: error: outputThread: error writing to <stdout> at offset 0x0: Broken pipe
-
jbo
and cannot mount '/storage/sanoid_test/beefy02/poudriere/jails/140Ramd64-main-ref': failed to create mountpoint: Permission denied
-
jbo
but on some datasets it works
-
jbo
.__.
-
lw
jbo: broken pipe sounds like the ssh connection died, anything on the remote?
-
lw
no idea about permission denied though, i guess you're sending as non-root and using zfs delegated administration? i've never tried that
-
jbo
lw, it's a very stable NAS type machine doing exactly nothing. never had _any_ issues with it. also on the same network just one switch away
-
jbo
yes @ second
-
lw
that's a poudriere dataset, i guess it has a mountpoint set in /poudriere or something and you don't have permission to create it...
-
lw
(you = the non-root user)
-
jbo
yeah I'm using a poudriere dataset to test sanoid/syncoid :D
-
rtprio
hrm, is it worth a dedicated build host (for poudriere, and the world) ?
-
jbo
lw, well on the destination host:
-
jbo
zfs allow storage/sanoid_test/beefy02
-
jbo
user jbo create,mount,receive
-
lw
rtprio: like a dedicated computer? imo, no, unless you're doing constant back-to-back builds
-
lw
rtprio: a dedicated VM though, sure
-
jbo
rtprio, I have three separate dedicated build hosts .__.
-
lw
jbo: i have never used delegated admin but i guess you need to find a way to make it not send the mount attribute
-
jbo
lw, agreed
-
lw
jbo: ... or create /poudriere and make it owned by you but that doesn't sound like a good solution (especially if you back up >1 host)
-
lw
jbo: you have 3 computers dedicated to building ports? how many do you maintain??
-
jbo
lw, I really want this sanoid/syncoid situation to work for non-root users.
-
jbo
lw, I have a "production poudriere server", a "development poudriere server" and a "lol I hate my life poudriere server"
-
lw
jbo: i might play with this when i have some free time in which case i'll let you know what i learn
-
jbo
to be fair, I usually just run two.
-
lw
other than that i probably can't be much help though
-
lw
jbo: did you try setting canmount=noauto on the entire hierarchy?
-
rtprio
it would be a vm
-
rtprio
I guess the packages have usually been enough for me
-
lw
rtprio: a vm to build packages sounds completely reasonable to me. i don't do that myself but like, why not
-
jbo
rtprio, running poudriere in a VM is fine. however, you can also ditch the VM and just run poudriere in a jail. works well too. the reason why I run one poudriere in a VM is because of kernel forward compatibility "restrictions"
-
jbo
rtprio, if you have no reason not to use official packages then keep doing that. poudriere is fun and works great but rabbit hole mechanics apply.
-
lw
rtprio: although note that because poudriere creates its own jails, you don't need like a "14 build host" and "15 build host", just create jails of the appropriate version and put COMPAT_FREEBSDxx in your kernel
-
jbo
lw, the canmount=noauto would be for the dataset on the dest host, right?
-
lw
jbo: yeah, set it on the dest host (and hope it doesn't get overwritten)
-
jbo
lw, what would override it potentially?
-
lw
jbo: well, if syncoid notices the property is "wrong" compared to the source system and resets it. i don't know off hand if it does this
-
lw
(i don't back up my poudriere filesystems)
-
jbo
well that would apply to a non-poudriere fs too
-
jbo
I'm just using the poudriere ds because that is a decent test and I don't care if I trash it :p
-
lw
i do backup my root pools and never noticed / getting mounted over the backup server's root
-
jbo
so what does the mountpoint property show on your destination host dataset?
-
lw
# zfs get mountpoint zroot/ROOT/default
-
lw
NAME PROPERTY VALUE SOURCE
-
lw
zroot/ROOT/default mountpoint / received
-
lw
5!fuchsia /home/lexi# zfs get mountpoint backup/hemlock/zroot/ROOT/default
-
lw
NAME PROPERTY VALUE SOURCE
-
lw
backup/hemlock/zroot/ROOT/default mountpoint /backup/hemlock/zroot/ROOT/default default
-
lw
first = source, second = backup host
-
lw
so it seems like it's not sending the property
-
jbo
hmm... so the mountpoints on my destination host datasets are all set to something other than what the source host has - which is good.
-
lw
maybe more relevant:
-
jbo
I remember the first time I was dealing with ZFS send|recv I ended up with a broken dest host because I was recursively snapping/sending zroot which caused the remote host to boot from the wrong dataset...
-
lw
[11!] root@hemlock /etc/periodic/daily
-
lw
# zfs get canmount zroot/ROOT/default
-
lw
NAME PROPERTY VALUE SOURCE
-
lw
zroot/ROOT/default canmount noauto received
-
lw
6!fuchsia /home/lexi# zfs get canmount backup/hemlock/zroot/ROOT/default
-
lw
NAME PROPERTY VALUE SOURCE
-
lw
backup/hemlock/zroot/ROOT/default canmount on default
-
lw
but then, if it doesn't send canmount *or* mountpoint, i don't understand why you had this problem to begin with
-
lw
because the mountpoint would just be default on the backup host, right?
-
jbo
just checked, it's indeed default on the dest host
-
lw
hm
-
jbo
any ideas? :/
-
lw
jbo: is it possible that 'zfs send' of /storage/sanoid_test/beefy02/poudriere/jails created it with root as owner, and now you can't create the child filesystem because... it's owned by root?
-
jbo
lw, well I mean when I zfs list on the dest host I see datasets created/send by syncoid
-
lw
jbo: i'd suggest asking the sanoid people, i know jim salter (who wrote it) works for klara sometimes so they're probably open to support freebsd
-
jbo
I'd assume that this is just something stupid that I would have liked to be figured out by now :p
-
jbo
lw, here's my syncoid line: syncoid --no-privilege-elevation --no-sync-snap --recursive zroot/poudriere jbo⊙111:storage/sanoid_test/beefy02/poudriere
-
lw
i've never tried it as non-root so i don't really have any idea how it works :-/
-
jbo
you could try now :p
-
lw
i cannot because i have to wait for my backup vm provider to upgrade the memory...
-
lw
i thought 2GB might be okay for zfs but it turns out it's really not :-d
-
jbo
my datacenter remote host that does zfs recv has 4GB
-
lw
my current situation is, "zfs destroy backup/old-fs" causes a kernel panic
-
lw
soooo i'd rather not touch it until that's sorted :-)
-
jbo
a real kernel panic?!
-
jbo
not just OOM killer?
-
nimaje
hm, I thought under 4GB you should tune for performance and under 1GB you have to tune to have zfs running properly
-
lw
jbo: fuchsia.eden.le-fay.org login: root
-
lw
Password:
-
lw
fuchsia:~# zfs destroy -r backup/data
-
lw
[ 1891.754792] Kernel panic - not syncing: System is deadlocked on memory
-
lw
[ 1891.754804] CPU: 0 PID: 1 Comm: init Tainted: P O 6.6.9-0-virt #1-Alpine
-
alepzi
hey i hear fuchsia is pretty cool. start rewriting freebsd in rust wen?
-
lw
i might replace this vm with a proper server at some point but for now i just asked them to add another 6GB of memory
-
jbo
lw, you can get a VM from a provider that offers zfs recv as a service :)
-
lw
jbo: are any of those providers not terrible? this is a small company run by a guy i know on irc...
-
jbo
rsync.net
-
jbo
just saying
-
lw
they're pretty huge, that puts me off
-
lw
also i pay £1/150GB for disk space, which is more than most backup services, but cheap compared to a lot of VM providers, and i can run my own OS
-
lw
(well, any OS as long as it's linux, but still)
-
jbo
which brings me to a question: how do you backup a zfs-native-encrypted dataset over zfs send|recv ?
-
lw
i use a separate encryption key on the source host and the backup host. and yes, this is not a good idea if you are encrypting secret data... for my use-case it's fine
-
lw
but i believe you can tell syncoid to use zfs send -x which sends the raw encrypted data
-
jbo
can I zfs send the encrypted dataset? so it's still encrypted on the dest host?
-
lw
yes
-
jbo
neat
-
lw
if you send it with -x, the destination host can't decrypt it at all, the only information it has is that the dataset exists
-
alepzi
so it's like live backups?
-
lw
obviously you can't mount the dataset in that case
-
lw
(well unless you copy the encryption key to the backup host)
-
jbo
nah I just want to have a retrievable copy - not accessible on the dest host
-
lw
alepzi: that's how zfs backups work in general, you end up with a copy of the source filesystem on the destination that you can access normally
-
lw
jbo: this is again something i've never tried, but i might play around with it at some point
-
jbo
lw, so far I have only used passphrases for zfs encryption anyway. might want to look into using a yubikey tho
-
lw
i just use /etc/zfs/data.key. which... yeah, this is not secure, but the only reason i use encryption is so i can throw out old disks without wiping them
-
jbo
I was a bit "meh" to learn that I can't "properly" use a yubikey with KeepassXC
-
jbo
lw, that sounds like a terrible idea (the "without wiping them" part)
-
lw
jbo: why? they're encrypted, no one can read the data
-
nimaje
afaik the password is used to protect a key that gets generated when you decide to do encryption
-
jbo
lw, maybe not now
-
lw
not now? what do you mean
-
jbo
encryption gets broken all the time down the road
-
lw
eh
-
lw
if someone cares enough about my secret data that they break AES-256 to read it, they can have it
-
lw
more power to them
-
jbo
:D
-
lw
like i said, the data on these disks is not that secret, if it is, do not do like i do :-)
-
jbo
mbuffer: error: outputThread: error writing to <stdout> at offset 0x0: Broken pipe
-
jbo
mbuffer: warning: error during output to <stdout>: Broken pipe
-
jbo
:<
-
jbo
warning: cannot send 'zroot/poudriere/data/packages@autosnap_2024-01-11_02:05:59_daily': signal received
-
jbo
warning: cannot send 'zroot/poudriere/data/packages@autosnap_2024-01-11_02:05:59_hourly': Broken pipe
-
jbo
[00:57:55] [03] [00:56:42] Finished lang/rust | rust-1.75.0: Success
-
jbo
at least that... slowest rust build yet.
-
lw
[02] 00:13:15 devel/electron27 | electron27-27.2.1 build 00:08:35 8.9% 2.6%
-
jbo
lw, any ideas or hints regarding the broken pipe?
-
lw
why is it building electron27
-
lw
did they upgrade signal?
-
alepzi
lw so do you know how ZFSBOOT_GELI_KEY_FILE works? like how i can generate one?
-
lw
jbo: broken pipe must be a symptom of something else, are there no errors before that? or something on the remote host (in messages or auth.log or something)?
-
lw
alepzi: never used geli, sorry
-
alepzi
isn't that what does the zfs disk encryption you talked about?
-
lw
alepzi: although if it's like zfs, i would dd from /dev/random
-
lw
i'm using zfs native encryption, that's different from zfs-on-geli which is an older method
-
lw
(older but not necessarily worse, it has some advantages)
-
alepzi
how do i use zfs native encryption with unattended bsdinstall?
-
lw
i don't know, sorry
-
alepzi
how do i use it period then plz?
-
alepzi
or how do you use it?
-
jbo
geli is device/disk level encryption. zfs is dataset level encryption
-
lw
hang on, my desktop is so slow when ports is building
-
lw
-
VimDiesel
Title: OpenZFS Native Encryption | Klara Inc
-
jbo
lw, broken pipe does not show up anything in the dest host's auth.log
-
alepzi
which type is enabled by ZFSBOOT_GELI_ENCRYPTION?
-
jbo
lw, first it goes "Accepted public key", then "received disconnect" then "disconnected"
-
lw
alepzi: since it has GELI in the name i'm guessing that is for zfs-on-geli
-
alepzi
ya
-
alepzi
ok i'll read that link thx
-
jbo
-
alepzi
while i'm reading it any of you guys switched from geli to zfs native encryption and regretted it for this or that?
-
VimDiesel
Title: ZFS - GELI vs ZFS encrypted dataset | The FreeBSD Forums
-
alepzi
nod
-
lw
i think the main downside of zfs native encryption is it exposes dataset names. so if you have a dataset called mypool/illegal-anarchist-bomb-recipes, don't encrypt that with zfs
-
jbo
storage/media/adult :D
-
alepzi
does it slow disk i/o, use more cpu, any disadvantages like that?
-
lw
geli encrypts the entire disk, so without the encryption key you can't even tell there's a zfs dataset on it
-
lw
alepzi: not that i know of, both should use AESNI for encryption on modern CPUs
-
jbo
one feature I like of zfs-native-encryption over geli is that you can ad-hoc load and unload keys
-
alepzi
ok well that cuts out the whole geli layer so prolly smart for me to switch to
-
lw
alepzi: however one benefit of zfs native encryption (as i was discussing with jbo earlier) is you can transparently send the encrypted dataset to a remote system without decrypting it
-
alepzi
oh hmm
-
jbo
for example on my laptop I only load keys of datasets I need, then unload them again.
-
alepzi
that does sound pretty cool
-
jbo
can't easily do that with GELI afaik unless you have more hardware
-
jbo
fire up the web browser -> unload dataset keys :p
-
lw
yeah, geli can only decrypt the entire pool
-
alepzi
so kinda seems like native zfs encryption is better in every way except dataset name leak
-
lw
you'd need separate pools to do that
-
jbo
lw, can you have more than one pool on a drive with geli?
-
lw
jbo: i've never tried but couldn't you apply geli separately to two partitions? that's how encrypted swap works
-
jbo
dunno
-
lw
just do geli on partition level, not disk level
-
jbo
hence I'm asking :p
-
lw
i think geli can work on any geom device and a partition is a geom device...
-
jbo
yeah always encrypt your swap for sure :D
-
jbo
that makes sense
-
jbo
lw, that mediaelch PR probably has to wait. my desktop is awfully slow at testporting
-
lw
jbo: no rush, i only use mediaelch when i download entirely legal, public domain films from reputable websites
-
jbo
lw, is there a "zfs way" of checking whether the src and dest datasets are "equal"?
-
lw
ok why is poudriere making my wayland so sad
-
jbo
something like mtree but then to check whether sanoid/syncoid did the thing
-
jbo
wayland is making itself so sad :p
-
» jbo ducks
-
lw
what the heck
-
lw
Jan 11 01:43:07 ilythia kernel: swap_pager: out of swap space
-
lw
Jan 11 01:43:07 ilythia kernel: swp_pager_getswapspace(28): failed
-
lw
Jan 11 01:49:16 ilythia kernel: swp_pager_getswapspace(27): failed
-
lw
Jan 11 01:55:29 ilythia kernel: swp_pager_getswapspace(11): failed
-
jbo
better that than a broken pipe
-
lw
i have 32GB RAM and it's not even close to used
-
lw
Mem: 3772M Active, 14G Inact, 2903M Laundry, 9971M Wired, 1559M Buf, 1228M Free
-
lw
ARC: 3835M Total, 1480M MFU, 1025M MRU, 30M Anon, 65M Header, 1213M Other
-
lw
wtf is 14GB inact doing?
-
jbo
you might want to read about memory management of the FreeBSD kernel
-
lw
jbo: will that give me a magical sysctl to fix this problem?
-
jbo
-
VimDiesel
Title: Memory - FreeBSD Wiki
-
lw
-
lw
swap is 100% full, memory is empty
-
lw
<jbo> lw, is there a "zfs way" of checking whether the src and dest datasets are "equal"?
-
lw
jbo: i'd probably do like diff =(zfs get all mypool) =(ssh myhost zfs get all mypool)
-
lw
but i guess that's not what you mean by "zfs way"
-
jbo
I'm looking for zfs-diff I guess :p
-
lw
i don't think that exists
-
jbo
it does
-
lw
does it? why did you ask then :-P
-
lw
oh this shows all differences
-
lw
i thought you just wanted properties
-
jbo
because the manual says "between two snapshots of a given filesystem"
-
lw
but that is not what you asked, i am bad at reading
-
lw
jbo: this wiki page is not helpful, why do i get 'out of swap space' errors when i have 14GB inactive?
-
jbo
lw, because your swap is full according to your own reports
-
lw
Mem: 3783M Active, 14G Inact, 2896M Laundry, 9753M Wired, 1558M Buf, 930M Free
-
lw
root@ilythia /h/lexi# swapoff /dev/nda0p2
-
lw
swapoff: /dev/nda0p2: Cannot allocate memory
-
lw
...
-
lw
i blame the vmm
-
lw
jbo: anyway if 14GB of RAM is Inact why would it matter if swap is full?
-
lw
isn't inact meant to be basically pages on the freelist
-
jbo
inactive is not "free". that would be more your clean queue
-
lw
this reminds me of early FreeBSD ZFS where it didn't free ARC pages properly and you'd run out of memory, except i limited ARC to 8GB
-
jbo
the inactive queue holds pages that need to be passed to the backing storage first
-
lw
jbo: are you sure? the wiki says it's "pages evicted from the buffer cache", in which case surely they can't be pending writes to the backing store
-
jbo
and AFAIK inactive pages don't become free pages immediately. instead, inactive pages are flushed, then become cache pages and only then free pages (if it ever happens)
-
lw
in any case something is definitely wrong here, because i'm barely using any memory and yet something is causing out of memory errors
-
jbo
everything I say is AFAIK
-
lw
top says 3.2GB active, which is 10% of total memory...
-
jbo
I haven't studied this in a while
-
jbo
lw, any chance that you're getting screwed up by TMPFS with insufficient memory?
-
lw
no tmpfs here, i disabled it in poudriere
-
jbo
that must be fun when building electron
-
lw
it's not too bad, takes about 4 hours
-
jbo
wut? is that a clean build or with cache?
-
lw
maybe it's my ~5MB/s of background NFS I/O causing pages to not be freed
-
lw
jbo: clean, with ccache it's like 50 minutes
-
jbo
sounds like somebody is streaming
-
lw
i might post this to a list because i'd like to know what's going on. not sure what the right list is though... -current?
-
lw
or -questions
-
jbo
are you running current?
-
lw
yes
-
jbo
then I'd say so.
-
lw
although i'm pretty sure i've seen this on releng/14.0 as well
-
jbo
the current ml has the benefit of having more developers with "intimate" knowledge of VMM (I assume)
-
lw
interestingly there are similar messages from earlier while i wasn't running poudriere: Jan 3 18:26:54 ilythia kernel: swap_pager: out of swap space
-
alepzi
anyone see more kernel panics when switching to zfs native encryption from geli?
-
lw
yes, but only because of PR#275306 which was fixed in (i think) 14.0-p3
-
VimDiesel
275306 – 14.0-RELEASE: ossl(4) causes data corruption on encrypted ZFS filesystems/volumes
bugs.freebsd.org/bugzilla/show_bug.cgi?id=275306
-
jbo
alepzi, what are these random questions about?
-
alepzi
wow
-
lw
well, in that case i didn't switch "from geli" since i've never used geli
-
jbo
well, that sounded more negative than necessary
-
alepzi
jbo why assume they're random?
-
alepzi
not sure if it's 14 or zfs but lately it's felt a lil buggy in freebsd and zfs land
-
alepzi
i think .0 releases are usually a lil rough though
-
jbo
lw, based on what I understand, syncoid is "by default" not setting the mountpoint on the dest host
-
lw
jbo: that matches my limited experience
-
jbo
lw, why does the dest host dataset need allow mount then?
-
jbo
"then"
-
jbo
I mean in general
-
jbo
you'd think that it can replicate the dataset without mounting
-
lw
jbo: my suspicion is, say the filesystem is /foo and the child filesystem is /foo/bar, and you've sent /foo and /foo is owned by root, now you can't create /foo/bar? but this doesn't really make sense since the zfs send for /foo should have included the mountpoint... so... idk
-
jbo
not feeling confident running this on a production server yet :/
-
jbo
maybe one day I'll understand how zfs mountpoints truly behave
-
jbo
I'm currently also in the process of ditching the jail management solution I used in favor of just raw jail handling
-
lw
today in skynet news | 1 Jan 11 Jamie Landeg-Jones ( 19) BSDforge is alive.
-
jbo
lw, the mediaelch testport for qt5 just failed - did you testport that?
-
lw
jbo: i did, can you show the log?
-
jbo
lw, on which target (version, arch)?
-
lw
i can't testport it right now since i'm building normal ports (you know, electron)
-
lw
jbo: uh... i guess 15-current, amd64? but whatever you have is fine
-
jbo
well as a committer I have to test reasonable/sane configurations which is why submission-to-commit can actually take such a long time and why it's nice to have a whole separate beefy build server
-
lw
oh, i meant, can i see the build log from the failure you mentioned
-
jbo
lw, the qt5 flavor failed on 14.0-RELEASE on amd64:
bsd.to/17L6/raw
-
VimDiesel
Title: 17L6
-
lw
ty
-
jbo
you're probably missing the buildutils
-
lw
oh that's weird, i'm sure i fixed that for qt6, maybe qt5 needs a different USE
-
jbo
buildtools:build and qmake:build if memory serves right
-
jbo
yes
-
jbo
-
VimDiesel
Title: ports - FreeBSD ports tree
-
lw
no, it doesn't use qmake, it uses cmake
-
jbo
still needs the build tools
-
lw
does it still need qmake though, that's weird
-
jbo
yeah, see the commit I made & linked. that's also a cmake based build
-
lw
jbo: ok, i'll test a fix once this poudriere is done
-
lw
i'm sure i tested it with testport though because i said in the PR: "fix testport errors"
-
lw
maybe that doesn't build both qt6 and qt5 version
-
CrtxReavr
-
VimDiesel
Title: Pre-announcement of BIND 9 security issues scheduled for disclosure 17 January 2024
-
lw
CrtxReavr: this is going to be yet another nsupdate issue, i bet
-
jbo
lw, you have to test all flavors
-
lw
jbo: i thought testport did that. but clearly not
-
jbo
lw, if you don't specify the flavor it will build the default flavor
-
lw
(i did test qt5 manually but i probably had builttools installed locally)
-
jbo
:)
-
jbo
lw, you're running wayland, right?
-
lw
i am
-
jbo
I assume that is not nvidia hardware then?
-
lw
jbo: no, Radeon RX 6800 XT
-
jbo
never had a non-intel or non-nvidia GPU. does that work well?
-
lw
it has worked flawlessly in freebsd (except for that loader(8) issue), but i haven't tried any real 3D apps on it yet
-
jbo
I adore that nVidia provides FreeBSD drivers themselves officially. no CUDA tho :(
-
lw
i've been meaning to try Factorio or X4 but i always have other stuff i need to be doing, like these darned ports
-
jbo
I can land your ports more quickly if you test them more thoroughly in the future :)
-
lw
well ok, i mean i didn't even know testport existed when i submitted these
-
jbo
that's fine - it's a learning process. nothing wrong with that. that's why I tell you :)
-
lw
i guess if i was a ports export i could just commit them myself, but i'm not, so i do what i can :-)
-
jbo
now you also know that testport doesn't build all flavors :p
-
lw
s/export/expert
-
jbo
that's a long way to go - gotta start somewhere tho :)
-
lw
jbo: i didn't mean i waste time waiting for you, i mean i waste time fixing the ports because of my own errors
-
jbo
nothing wrong with that. gotta learn stuff.
-
lw
but also i've been submitting a lot of patches for the new version of net-im/toot recently
-
lw
which is actually pretty interesting
-
lw
... also i submitted an update patch for the current net-im/toot and before it was applied a new version was released, so i made a patch for that, heh
-
jbo
that's a good start :)
-
lw
wait, that came out wrong
-
lw
i mean the author of net-im/toot is making a new, unrelated app which i've been submitting packages for, and in the mean time i also made some patches for the existing port
-
lw
the former patches are not freebsd related
-
lw
jbo: so here's a question, how do you become a ports committer? i've submitted a few patches for src but i don't see any benefit to having a src commit bit... but being able to commit to ports would handy. is it just a matter of learn how things work then asking?
-
jbo
lw, as far as I can tell it's much, much easier to become a src committer than a ports committer. AFAIK there are something like 4000 committers but only 165-ish are ports committers. the rationale is that screwing up in src is less disastrous than screwing up in ports
-
lw
hmm
-
lw
i guess it's true that my src patches have been accepted much more easily than ports commits
-
jbo
lw, in my case it was engaging in FreeBSD community stuff for the better part of 10 years, contributing to ports in terms of PRs and patches and stuff for a few years and maintaining a healthy amount of ports (although that one is low in my case). plus I am an "embedded developer" so I played the "I touch a lot of software that is not commonly used" card
-
lw
port is basically a rube goldberg machine in the end
-
lw
jbo: 10 years? no wonder there are only 165 committers
-
jbo
there are no hard rules on this AFAIK. but there is a vote even after you pass the basic "does it make sense?" bar
-
jbo
my recommendation: just keep going. don't try to force anything.
-
lw
i'm not pushing, i'm just curious
-
jbo
that's the correct approach :)
-
jbo
I'm still under mentorship and I don't expect that to change any time soon either.
-
jbo
my blood pressure is still skyrocketing every time I push to the repo :p
-
lw
i set up a git fetch hook to mention you on irc every time you push to ports
-
lw
(this is a lie, i did not do that)
-
jbo
hah :p
-
jbo
yeah that was an almost-shit-my-pants-again moment indeed
-
lw
there has to be a better way to do this stuff
-
jbo
what stuff?
-
lw
i submitted a PR for a port recently because it wrongly installed a binary setuid root, and it was completely ignored until an unrelated non-committed submitted a PR with a patch which ended up being committed
-
lw
s/non-committed/non-committer
-
lw
jbo: ports stuff, like not putting so much load on a small number of people
-
jbo
lw, small number of people is probably very intentional in this case.
-
jbo
lw, you can always mail to the ports ML to bring stuff to attention
-
lw
i think (i don't mean this in a negative way at all) that ports committers are pretty overloaded
-
jbo
stuff easily gets missed on bugzilla especially if it's not properly assigned, tagged and stuff. we do luckily have the triage team tho :)
-
lw
i did mail -ports about something else (devel/py-urwid has been broken for months) and got zero replies
-
lw
again, not complaining. but it's not a great situation
-
jbo
FreeBSD is certainly not perfect - we all try to do our best tho.
-
jbo
python stuff is its own story entirely. you can mail python@ for stuff if necessary
-
lw
i know it's not perfect, i'm not complaining, it just feels like maybe there's a better way to allocate available resources? idk
-
jbo
based on my whole-life experience, I think the "active" FreeBSD ports team is doing an excellent job
-
jbo
it's always a trade off tho :)
-
lw
this is really just a response to learning there's only 165 ports committers, i thought there would be more
-
lw
oh, fixed my swap problem Swap: 18G Total, 2048M Used, 16G Free, 11% Inuse
-
lw
at least until it decides that's not enough either
-
jbo
don't quote me on the exact number. but when I was given the commit bit I was congratulated with "welcome to an extremely exclusive club" :D
-
jbo
might be 168 now, 172, dunno.
-
jbo
it was around 165 when I became one.
-
lw
so for example like, the issues in my ports have been because they're new ports and i did them wrong, but i'm fairly sure i could update an existing port with fewer issues
-
jbo
being a ports committer is not what I would consider a fun activity btw. It's just my way of contributing / "giving back"
-
lw
mainly because someone else already did the hard part
-
lw
i certainly wouldn't expect it to be fun, i just want to fix issues on my freebsd systems :-)
-
lw
lmao if i wanted something fun i'd choose literally any git repo other than ports.git
-
jbo
you can help a lot without a commit bit. being a committer just puts the blame and pressure on you. PRs that contain patches for existing ports are always, always highly appreciated.
-
jbo
not to spill any secrets here but I think it's also self explanatory that committers are picking which PRs they handle. if you're a submitter with a good reputation you'll get much quicker turn around.
-
lw
i'm used to people hating me but i don't think i've submitted enough PRs for that quite yet
-
jbo
it's more about the quality of the patches I'd say
-
lw
well i do have 16 open PRs. but uh, i think most of those are ones i cc'd myself on
-
alepzi
imagine if commercial users of freebsd hired 10 ppl to do nothing but fix bugs freebsd would get so good
-
lw
on a more src-oriented note i don't understand why we can't get this committed:
freebsd/freebsd-src #957
-
VimDiesel
Title: libkrb5: avoid crash if MD4 is not available by llfw · Pull Request #957 · freebsd/freebsd-src · GitHub
-
lw
it's broken, upstream will never be updated, the fix is trivial
-
lw
alepzi: they do? netflix, klara, darpa, chelsio, amazon, iXsystems, plenty of other companies pay people to work on freebsd
-
jbo
and sony :p
-
lw
ilythia /s/main (main)> git log|grep 'Sponsored by'|head -5000|uniq -c|sort -nr|head -10
-
lw
37 Sponsored by: Netflix
-
lw
33 Sponsored by: Juniper Networks, Inc.
-
lw
30 Sponsored by: The FreeBSD Foundation
-
lw
27 Sponsored by: The FreeBSD Foundation
-
lw
26 Sponsored by: Serenity Cyber Security, LLC
-
lw
25 Sponsored by: Netflix
-
lw
24 Sponsored by: Juniper Networks, Inc.
-
lw
24 Sponsored by: Kumacom SAS
-
lw
22 Sponsored by: Netflix
-
lw
21 Sponsored by: Innovate UK
-
lw
('the freebsd foundation' includes a lot of donation from companies like sony)
-
jbo
lw, to round off this conversation: just keep going and don't feel limited by not being able to commit yourself. everything you can contribute you can without that ability.
-
lw
wait, that was a bad command
-
lw
ilythia /s/main (main)> git log|grep 'Sponsored by'|head -5000|sort|uniq -c|sort -rn|head -10
-
lw
1528 Sponsored by: The FreeBSD Foundation
-
lw
648 Sponsored by: Netflix
-
lw
352 Sponsored by: Klara, Inc.
-
lw
343 Sponsored by: Rubicon Communications, LLC ("Netgate")
-
lw
238 Sponsored by: Juniper Networks, Inc.
-
lw
173 Sponsored by: Arm Ltd
-
lw
166 Sponsored by: Beckhoff Automation GmbH & Co. KG
-
lw
109 Sponsored by: Beckhoff Automation GmbH & Co. KG
-
lw
104 Sponsored by: DARPA
-
lw
99 Sponsored by: Chelsio Communications
-
jbo
how about not spamming the channel?
-
lw
that's 3760 out of 5000 commits that were sponsored, well over 50%
-
jbo
lw, regarding your GitHub pull request: 1\ I think that whole GitHub story is a bit controversial, 2\ Personally (!!!) I would have extended that krb5_set_error_message() message to say why (i.e. because MD4 is lacking)
-
lw
jbo: no harm when it's this quiet
-
kenrap
If one squints really hard, you might be able to see a sony commit in there somewhere ;)
-
mfisher
haha
-
jbo
nice use of unix piping tho, lw
-
lw
it's still not perfect because of the whitespace, but if i try it again you'll probably murder me
-
jbo
nah :p
-
jbo
but I assume that will be some sed WOL
-
lw
i was thinking awk '{print $3-}'
-
lw
i guess freebsd awk doesn't like that syntax
-
lw
-
lw
i wonder why DARPA submits so many patches
-
lw
oh, that's CheriBSD
-
alepzi
lw wow cool
-
lw
the main difference between freebsd and linux is linux has a lot of users who sell it to customers (redhat, canonical, ...) while freebsd tends to have users who use it internally (netflix, klara, juniper, ...)
-
lw
so the 'end user' experience in freebsd might be less polished but that doesn't reflect on the internals
-
lw
like, netflix is not sending patches to make wayland better
-
lw
(well idk, maybe they are, but i imagine that's not their main focus)
-
kenrap
Hmm, would Netflix use wayland in any way for their business internals?
-
kenrap
That would be interesting to know
-
lw
kenrap: perhaps some of their freebsd-focussed employees run it on their desktop?
-
lw
i have no idea though
-
lw
heh: 499e84e16f56013e24fb69ae8ecfe75180e8d704 copyright: Bump the copyright date. Sponsored by: Netflix
-
lw
i doubt netflix cares about the copyright date so i guess they just pay imp@ to do stuff
-
_xor
I wish Wayland would get more love, but from the opinions I've gotten so far, the API is a pain in the neck.
-
_xor
...and I run Wayland on my desktop.
-
lw
in fact all of imp's commits seem to be sponsored by netflix
-
lw
_xor: i know netbsd complained about it because they didn't want to implement libinput...
-
lw
which, is fair, they have their own input system, why should they clone linux's?
-
kenrap
lw: netflix technically uses a specialized FreeBSD system derived from CURRENT, so your idea is not farfetched at all.
-
lw
my main concern about wayland is that GNOME is going to dominate it with their CSD crap and whatever else and ruin it for normal users
-
zwr
well, the X11 API also sucks, is Wayland at least an improvement?
-
lw
zwr: yes and no, it's an improvement for systems that use KMS/DRI (which includes freebsd) but it means the compositor (window manager) has to manage all the OS-specific stuff so niche platforms like netbsd get screwed unless they implement the Linux APIs
-
lw
... or write their own compositor, which isn't really a great solution
-
lw
it's fair to dislike it because it's another aspect of the Linux Leviathan, which is the reason we have timerfd in freebsd now
-
lw
posix is dead, all that matters is being compatible with linux, the microsoft of unixes
-
lw
well adding 16GB of swap space has apparently fixed my 'out of swap space' errors but i don't really understand why
-
lw
i still have 11GB of Inact memory
-
zwr
to be honest, timerfd has the benefit that you can poll() (or any better "wait on many fds" function) for a timer or file or anything else that works via fds and create something like a reactor program, and that's a design that works really well for many kinds of programs and scales well with threads up to a point. you can rig other APIs like clock_nanosleep() to do the same thing, but it means spawning a
-
zwr
thread which is a waste of resources. microsoft actually got this right with more or less everything being a HANDLE there.
-
lw
zwr: but you can already do this with kqueue EVFILT_TIMER
-
zwr
but yes, Linux generally has inferior API design to the BSDs, and it pains me whenever a BSD implements an inferior Linux function for Linux compatibility. Most recently, NetBSD got getrandom() when they already had the superior arc4random()
-
lw
the functionality of timerfd is fine *for linux* because their epoll() api is so limited, but freebsd already has an API to do that... but we have to implement the Linux API because Linux is the standard
-
voy4g3r2
anyone here work with iocage at all? i am getting confused.. i create a jail, with an ipaddress, then i ssh into this new ip address...but it does not ssh into the machine..
-
voy4g3r2
nevermind..
-
voy4g3r2
iocage console <jail name> for now
-
» lw wonders why traceroute6 doesn't show IP addresses
-
lw
ah, you need -l
-
lw
but this should be the default for consistency with traceroute
-
yuripv
probably done due to v6 address lengths
-
lw
there's basically no difference in practice
le-fay.org/tmp/30d/vUeM5r.txt
-
lw
i might send a patch to make this default
-
lw
-
VimDiesel
Title: traceroute6: remove -l flag by llfw · Pull Request #1023 · freebsd/freebsd-src · GitHub
-
lw
meena: i don't remember if we talked about this, but can non-committers submit patches on phab? and if so how do you know who to add as reviewers?
-
yuripv
lw: yes, you can create account and submit reviews
-
yuripv
there are some rules in there that would possibly add the reviewers (if someone is interested in the parts you modify), otherwise check last committers who modified it, and/or send a request to hackers@/net@?
-
tykling
hello o/ how do I go about debugging leaking nmbclusters? I have a pair of bird bgp routers running 13-STABLE from about a month ago and the active router is leaking mbuf clusters like crazy
-
tykling
I didn't have metrics for mbufs until yesterday so I can't say for sure when this began, but I strongly suspect it was when I updated in december, from 13-STABLE-384a885111ad (december 21, 2023) to 13-STABLE-2cbd132986a7 (december 19, 2023), where I also upgraded bird2 from 2.0.11 to 2.14
-
Aedil
&8
-
tykling
ugh, I mean from 13-STABLE-384a885111ad (december 21, 2022) to 13-STABLE-2cbd132986a7 (december 19, 2023)
-
tykling
I am looking for a way to identify what might be causing this, and hopefully get it fixed, what are some things people usually do when hunting mbuf cluster leaks? is it possible to see a list and what allocated them?
-
rtprio
tykling: how many/which network related src commits were between those dates? is it possible to try 2.0.11 with 384a885111ad ?
-
yuripv
(or bisect)
-
meena
lw: what yuripv said
-
antranigv
If a process is in D state, how can I check *what* it is waiting for?
-
meena
antranigv: usually the function it's sitting in should give you a clue, so really, just the usual
-
antranigv
meena what do I do if I can't even kill -9 a bhyve vm?
-
Kalten
kill -30 ;-)
-
antranigv
Kalten wait, is that a joke or a real signal? :D
-
Kalten
antranigv: /usr/src/sys/sys/signal.h interesting: 30 is SIGUSR1—it could be, that it is just an unhandled signal terminating most?
-
luna_
-
VimDiesel
Title: BSD Now 541: Learning and Teaching
-
tercaL
antranigv: So, did that work?
-
Bheam
Yo. noob to bsd. Is there a simple way to skip bootloader menu (unless holding some key) and show a custom boot splash? I found some info on splash but it seems outdated and not supporting UEFI etc.
-
tercaL
Is it a bad practice to take a backup of a running bhyve VM instance (actually doing tar on the 'disk1.img' VM disk while it's running)? Should the VMs be stopped before doing so? Any data loss possibility, otherwise?
-
meena
-
VimDiesel
Title: FreeBSD / src / cb350ba / kerberos: Fix numerous segfaults when using weak crypto - FreshBSD
-
tercaL
If "powering them off" is needed for a healthy backup procedure, and in case of dozens of VMs running, how would you handle that?
-
meena
tercaL: yes, that's bad practice not just on bhyve. Generally, the recommended way to do this is to freeze a VM, then take a snapshot, then unfreeze it. that generally takes maybe 5 seconds altogether
-
tercaL
meena: Oh, thanks. "Freezing" a VM? What's its switch?
-
tercaL
I just know vm poweroff, start, stop, destroy and so on.
-
meena
dunno how to do that in bhyve 😬
-
f451
tercaL: zfs snapshot of the running volume (from the host) works well in that context
-
f451
dunno if it's recommended or not
-
f451
prob not but ive not seen any ill effects on fast hardware
-
kenrap
hmm, even though splash(4) only supports the old syscons(4), vt(4) is capable of a "graphics mode" which makes me think it's possible to have a boot splash. But I guess that requires a splash-like reimplementation for vt to begin with *shrugs*
-
f451
tercaL: some folks run incremental backups every 15 mins on running systems
-
f451
but backing up a disk? power it down every time
-
f451
disk1.img that is. use zfs volumes for the backing store of the guest
-
babz
recovering from "instant" snapshot of a volume would be the same thing as if your machine lost power at that very moment
-
f451
would that imply bad news for the snapshot?
-
babz
the filesystem is supposed to remain coherent
-
babz
that doesn't mean its content is supposed to make sense
-
f451
the reason im asking is because I've seen people writing they're incrementally snapshotting at short intervals. I'm presuming they're able to recover if where they're snapshotting from becomes unusable. They are not interrupting services
-
babz
depends what you are doing
-
babz
ie if you snapshot while an update is running, don't expect the backup to boot
-
f451
there must have been testing for this
-
f451
ive not seen it mentioned that either a live system should not be snapshotted or, if not that, that the system needs to be quiet, or how quiet. But that might just be down to not reading all of what's needed
-
f451
i mean it's lore that a system needed to be off or quiet due to the inconsistent data risk but i thought copy-on-write was meant to eliminate that
-
babz
once again, it's equivalent to pulling the plug, but without the electrical/mechanical damage
-
f451
yeah i understand. but i thought zfs works round the consequences.
-
tercaL
^^same here
-
rogersm
does anyone have experience driving a fan through GPIOs? This is for a raspberry pi?
-
rogersm
I plan to create a script to gather cpu temp and speed up/down the fan
-
Bheam
so i'm trying bhyve. and trying to passthru a nic device but having no luck. bhyve won't boot and just exits with status 4
-
Bheam
any ideas?
-
Bheam
i set vmm_load="YES" in boot loader, and pptdevs="2/0/0", then -s 5:0,passthru,2/0/0 to bhyve
-
Bheam
i see bhyve.log has Unable to setup memory (12)
-
CrtxReavr
Buy moar rams.
-
Bheam
right reduced memory from 14gb to 12gb, boots now. weird that it only happened after i added passthru :/
-
CrtxReavr
I was joking. . . sorta.
-
Bheam
well it worked lol
-
CrtxReavr
But the memory allocated to passthrough, likely couldn't be paged (swapped), which is likely the reason.
-
babz
sysctl -a | grep iommu
-
Bheam
-
VimDiesel
Title: Mozilla Community Pastebin/zTepkrgK (Bash)
-
CrtxReavr
for i in $(sysctl -a | grep iommu | cut -d: -f1) ; do sysctl $i ; done
-
Bheam
lol what :p
-
Bheam
(it didn't really do anything different)
-
CrtxReavr
Well, not output wise, but. . . somehow it seemed less ghetto.
-
Bheam
depends what kinda ghetto you live in i suppose
-
CrtxReavr
Though, for that matter: sysctl hw.iommu
-
Bheam
either way. is my pastebin missing something and i can't use iommu?
-
babz
looks fine
-
babz
CrtxReavr: it only lists keys in hw.iommu
-
Bheam
my passthru device doesn't work though. it's a windows guest and it says "cannot start" in device manager :/
-
CrtxReavr
babz, as does 'sysctl -a | grep iommu'
-
Bheam
hmm reboot "kinda" helped. no more error, but now says network cable unplugged (it's a nic)
-
babz
no, it also matches hw.vmm.iommu
-
babz
but whatever
-
CrtxReavr
Not on my system. . . but whatever. >=]
-
Bheam
could be wrong device i guess, passing thru all nics :p
-
Bheam
can i get 'vncviewer' for freebsd? or something else i can run from command line in "kiosk mode"
-
Bheam
as i understand getting gpu passthru to work is a hassle?
-
Bheam
especially with windows
-
Bheam
omg ethernet works
-
last1
I have a FreeBSD vm that keeps on freezing under heavy php load, I can't put my fingers on it
-
last1
when it freezes, I see under top many processes in STATE: *vm pa
-
last1
what does that do ?
-
CrtxReavr
man top
-
last1
STATE is the current state (one of “START”, “RUN” (shown as “CPUn” on SMP systems), “SLEEP”, “STOP”, “ZOMB”, “WAIT”, “LOCK”, or the event on which the process waits)
-
babz
* means it's waiting for a lock
-
last1
how can I troubleshoot this ? There's literally nothing in the logs
-
last1
the box just seizes up
-
last1
not in console, /var/log/messages
-
last1
in esxi I see the vm taking like 12Ghz of cpu
-
babz
i think vm_pa is for vm_page_grab
-
rwp
I would be suspecting memory resource exhaustion stress. (Just checking but you don't have swap on zfs do you?)
-
rwp
I would reduce the memory resource footprint for the system. Perhaps add more swap so that it can survive long enough to at least log something.
-
rwp
But the problem might be hardware. The machine might just be crashing due to hardware problems. And then that is not a software problem to solve.
-
rwp
Good luck!
-
last1
the physical host itself has plenty of ram, the vm sits @ Mem: 7667M Active, 1795M Inact, 1727M Laundry, 2760M Wired, 1245M Buf, 2002M Free
-
last1
swap isn't even in use
-
last1
the whole system starts being sluggish, then eventually freezes up completely. If I kill the http connections, it comes back eventually in ~2-3 minutes
-
rwp
last1, Hmm... No idea here. Sorry. Hopefully more clues will present themselves. Perhaps set up a remote logging syslog to capture final bits?
-
rwp
I would keep a terminal logged in with a "tail -F /var/log/messages" at least with the hope of seeing something when it happens but it sounds like that would not be helpful in this case.
-
rwp
I would keep a terminal logged in with top running and hoping that it might show a clue.
-
rwp
I realize these are pretty brute force and ignorance approaches to debugging this. I am hoping someone else will have better ideas for you.
-
rwp
That 2 minute recovery though may be a clue. The "Internet Lifetime of a Packet" is 2 minutes. And you said if you kill the http then this happens.
-
rwp
Just brainstorming here but is it possible you are getting an attack abuse from the Internet that is attacking your web server and it is consuming all networking resources?
-
rwp
-
VimDiesel
Title: Slowloris (computer security) - Wikipedia
-
last1
no, it's not an attack
-
rwp
I have been seeing those hitting my servers on and off rather routinely.
-
last1
it's the apache/php processes that keep on taking resources
-
rwp
What limits have you set on those processes? Perhaps reduce those further?
-
last1
what do you mean by limits ?
-
rwp
I am always tuning MaxRequestWorkers to prevent the network from overwhelming my web servers with abuse.
-
rwp
Especially if it is using PHP which consumes significant memory for every interpreter module.
-
rwp
I'll be honest here and admit that my Apache+PHP servers are all running Linux and not FreeBSD. But have plans to change that in the future. But on Debian/Ubuntu /etc/apache2/mods-available/mpm_prefork.conf needs to have MaxRequestWorkers adjusted from the default there of 255 down to something the system has memory for or it will OOM Killer out trivially when the net abuse hits it.
-
rwp
How large that can be varies depending on how much ram the server has available. Maybe 32 is a good limit if it has a lot of ram. Maybe only 12 on a small 1GB Linode VM. (I like Linode btw).
-
last1
oh, I'm way past that
-
rwp
I always thump on my own servers using "ab" the apache-benchmark tool to stress a machine myself. Effectively attacking myself. But then I can watch the machine and see how it reacts.
-
rwp
How it reacts to the inevitable abuse that will come from the hostile Internet. And then I tune things until it handles it okay.
-
rwp
Honestly the best way to harden Apache from network abuse is to switch to Nginx. Nginx is shrugging off the Slowloris attacks and hardly noticing for example. But Apache I am still tuning around and sometimes needing to restart as needed reactively.
-
last1
These servers are sitting behind CloudFlare -> Nginx -> Apache
-
last1
with mpm_event running
-
last1
they aren't hitting any of the limits from Apache workers nor php-fmp
-
last1
*fpm
-
rwp
CloudFlare will protect you against a lot of these types of problems, probably should protect against Slowloris completely. But not all of them. Won't protect against MaxRequestWorkers with PHP being too high for example. You might still be running out of memory there.
-
rwp
Good to hear you are using php-fpm. FTW!
-
rwp
That's a different set of tuning needed there though. Can still be an issue. I would still look at it.
-
rwp
This is where I like "htop" and the bar graph of memory use at the top. There are other tools too and some others might be better. Maybe others here will suggest their favorite way of monitoring memory resource use?
-
rwp
I would keep an htop running in a terminal and keep an eye on it when it is failing and see what that is showing.
-
rwp
I would implement system trend monitoring such as with Munin or Cacti or Grafana monitoring and see if you see bad things happening.
-
rwp
I am still using the old Munin which I am happy with but all of the cool kids are using Grafana today.
-
last1
alright, I've installed htop
-
last1
maybe that will shed a bit more light
-
rwp
That bar graph of memory at the top is why I like it. Green is userland and then other colors to the right are buffer cache and other things. If you see the green bar graph consume all of the memory that is a bad thing.
-
babz
do you have access to the hypervisor, or is it a managed vm ?
-
babz
in any case: do you have access to a serial console ?
-
last1
it's my hardware top to bottom, I have access to everything
-
last1
there are no other messages in the console
-
last1
when the issue starts happening, it's so badly frozen, I can't even do a reset from the hypervisor
-
last1
esxi prints: failed to reset, lol
-
rwp
The hypervisor is still responsive to you though?
-
last1
yes
-
last1
this is 13.2 btw
-
last1
13.2-p8 I think
-
last1
it doesn't seem to be an exhaustion of resources though, it's as if something locks up
-
rwp
Since your hypervisor system is still responsive that would lead me to believe that it is not a hardware problem but something in software. I guess that's good. Because then the solution would be a software solution too. Good luck!
-
rwp
Significant pkg upgrade day today! My desktop wants 263 upgraded with 75 reinstalled, plus a ghostscript upgrade from 9 to 10 removing and adding a few. All looks okay.
-
rwp
My servers generally want a more modest 27+22 today.
-
rwp
Most of that on the servers is for perl module packages too. So actually pretty tame there.
-
ZedHedTed
damn. sucking up all that bandwidth should be fun!
-
rwp
It's unfortunate that most of the bandwidth is packages telling me the port has no maintainer and asking us to please help. :-(
-
kenrap
rwp: I feel very happy you. It's always a pleasant feeling seeing numerous updates :)
-
kenrap
*happy for you
-
dmr104
i have built the drm-510-kmod from ports, and have done `kldload radeonkms`; i have made a xorg.conf file which refers to it. when i startx i get. Failed to load module (module does not exist) No drivers available, no screens found
-
alepzi
is it good practice to set 600 on any files .bashrc sources? also is it good to set 700 ~ to make our whole home dirs private?
-
meena
alepzi: who you sharing that computer with?
-
alepzi
but does that even matter? because what if it's just me, but then some other account gets hacked into somehow
-
dmr104
where do i put firmware so that the module which requires it will find it?
-
alepzi
i guess i don't see the benefit to ever leave ~ open to reading
-
dautor
I'm guessing random semi-trusted daemons / programs. I do 700 on home as a precaution.
-
alepzi
ah ok so i'm not crazy
-
dautor
I'm guessing they are a potential threat*
-
alepzi
do you also set 600 for files bashrc sources? or just 700 on ~ and that's it
-
dautor
However, it won't help for untrusted programs running as your user.
-
dautor
I do not use bash, so no.
-
alepzi
which sh do you use dautor?
-
dautor
I use fish for interactive shell.
-
mfisher
back in the old days, people couldn't finger you and read your .project/.plan if your ~ was 700, but you're probably not giving anything up now
-
dautor
Yeah... It's probably a default that should change one day to a more secure option.
-
voy4g3r2
i am going down the crazy rabbit hole of ports and have a question.. i am going to be testing this out in a bastille jail first and once i got this operational.. is there a recommended approach to move to host? i figure backups are good.. then is there like a handbook entry that discusses this in more detail
-
alepzi
mfisher: yea i feel like there should be a better way for ppl to share with other users and daemons than having ~ be group or world read
-
alepzi
like /var/share/alepzi
-
voy4g3r2
eww pf what a pain
-
voy4g3r2
this is a complex beast
-
voy4g3r2
anyone have exposure to bastille (container manager) and be able to have the host.. work as normal and "lockdown" the containers?
docs.bastillebsd.org/en/latest/chapters/networking.html this documentation explains locking down host and container.. down to JUST ssh.. but then basically i can not use anything.. like smb
-
VimDiesel
Title: Network Requirements — Bastille 0.10.20231125-beta documentation
-
mfisher
I'd interpret that just as an example of how you can set up SSH for per-container direct access, not instruction that you can't expose containerized services using other firewall configuration