voy4g3r2: well ya ;)

what's the lib neutral way of adding privilege escalation to a program i'm making? like if i don't wanna expect the user to use sudo, but doas or anything that does priv esc

lw: it was always supposed to be /usr/local/share/man (see hier(7)), just that the mostly useless variables in the ports tree were wrong and so most ports were wrong as they used those variables

ah

.net core also doesn't support freebsd arm64 (at least last time i looked) but that's more understandable since it's not meant to be portable outside of the MS-supported platforms

So, Windows and Linux?

and Mac

ah, right

What about Solaris? WHAT ABOUT THAT.?

I did see sunos being mentioned. didn't really look at the arch's.

will check i a min

was just rebooting the RPi, but wifi suuuucks with 14.0. Using a supported wifi USB dongle thingy

takes forever to set the IP stuff, even though it will get an offer very fast.

no idea if oracle cares for that for java support, but pretty sure MS doesn't care if .net core supports solaris

but for the java thingy I'm having issues with, if it supports Tier 1 archs then Oracle should support aarch64 now as well.

or at least in the latest OpenJDK. this uses 17, not sure what the current stable is

and the extra netif restart to get network up

I need to test if it's a lagg thing or not

meena: sunos has even sparc and sparcv9 support

no solaris at all

surely sunos refers to solaris, i doubt it runs on sunos4

hehe yeah, that was my idea as well. but I thought both were used?

Title: dpaste/RHBY (Plain Text)

Hello

Title: Sixels or Unicode image previews · Issue #324 · ihabunek/toot · GitHub

handbook says thin jails are less secure because they share base and i think processes aren't as isolated maybe? but so how likely are thin jail escapes?

alepzi: can you elaborate on your thinking process there, about why you think "processes aren't as isolated maybe?"

trying to imagine how you got the is making me very confused, so I need you to explain this before we go anywhere else

"Disadvantages of Thin Jails" section in docs.freebsd.org/en/books/handbook/jails/#thin-jails

Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal

first 2 points

and "The jail can be thought of as an almost complete standalone FreeBSD installation, but running within the confines of the host system. This isolation ensures that the processes within the jail are kept separate from those on the host and other jails." in docs.freebsd.org/en/books/handbook/jails/#thick-jails

Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal

you realise this is strictly talking about Filesystem resources, right?

i mean it's talking about processes so wtf does that have to do with filesystem resources?

imo "processes" implies shared memory

like a way for a jailed process to access the running memory of the host or other jails

a jail is, at its core, a (set of) process(es) that are running in fancy chroot

like any other container technology it starts from Filesystem isolation, then adds process isolation, then network isolation and so on

meena: i'm not sure that's ever going to be merged because development of the tui has moved to tooi. but i'll consider it if tooi gets image support, ivan was working on it at one point

ya and i'm talking about the process isolation

alepzi: thick vs think jails is strictly about the nature of the Filesystem isolation. it can affect executables, it could affect what resources those executables see or can manipulate, but it has nothing to do with a process

but doesn't fs imply process too?

there are actually releases for tooi now so i could port that, but i think it makes more sense to hold off until it's more mature, we haven't even decided where the config file should live yet

a process is an executable, or a routine that is loaded into memory and executed on the CPU. and yes, most of those things are loaded from the Filesystem, but in unix, if you modify a running process' executable, that does nothing until it restarts

i do need to do subpackages for audio/pulseaudio at some point though

of toot??

?? no, for the jack output module in PA :-)

ok well thin jails *are* less secure than thick jails somehow, right?

alepzi: forget thin jails and thick jails for a week or three, and focus on understanding jails

and i am but respectfully i have a right to ask questions even if you don't see the point

does sys/queue.h not do arrays? i'm sure this was added at some point, but it doesn't seem to exist

it's not that i don't see the point, or maybe it it's like that, but to me it feels like you haven't quite grasped that a jail is, first and foremost, just a bunch of processes, isolated from other bunches of processes, at the kernel level.

ya and i'm asking questions to learn specifically more about "isolated from other bunches of processes"

coulda been answered by now too heh

for j in (seq 1000)

sudo -H jail -c persist path=/rescue

end

you can jexec into any of these 1000 jails (or into every), and try to find out what you can find out about the host, and what you can find out about the other jails

1000 must be thin jails because that's minimum 1TB just for jails to have their own base each

do you remember what kevans told you about that?

"thin" and "thick" jails are just terms the handbook made up, they don't exist in concrete terms in the OS itself

ya i'm talking about the pattern the handbook teaches. a shared base vs a duplicate base

read that loop, tell me what it does.

run the jail in jail's home

run which jail? where? what's running in that jail?

there's no target user so i guess that's root

-c creates a new jail

complete your thoughts, write them down, then test it

persist makes jail stick around

i mean i don't get your sidequests i'm just asking a few questions about jails after reading the whole handbook page on it and you're playing games

handbook says a disadvantage of thin jails is security and you wouldn't acknowledge that so i just don't get what your angle is

I'm giving you this sidequest because you don't seem (my observation) to understand what a jail is. any attempts from me to explain have been fruitless you keep asking the same questions

I want you to understand what a jail is, first.

So, think about that loop. formulate your hypothesis(es) (one of them was that it's gonna use 1TB (of what?)) and test them

no i'll ask my question elsewhere where ppl aren't so arrogant to ignore someone and tell them what's what

🤷🏻‍♀️

it's basic engineering. you can apply it to learning: what's your thesis about this thing? how do you test if your thesis maps to its reality. if it doesn't, how do you find a better thesis

I have already answered your question that thick vs thin only concerns how you manage Filesystem isolation between jails, but you keep asking the same question. take a few hours away from it, and come back fresh at it

if jails run a process how do you jail a node.js app that uses nginx to reverse proxy and the nodejs? can it be self-contained in the jail?

that's something i would (and do) separate

why?

I run this IRC sever in a jail. it's a nodejs app. It's got its own Filesystem for config and uploads and for an SQLite database, abd it only listens on a local network

if you separate everything into its own jail how do you network them?

vnet?

In front of that, i have Apache httpd as terminating TLS proxy, running in its own jail. the only jail that gets a public IP routed / NATed. it runs no billions lines of random JavaScript, just mod_proxy, mod_ssl (mod_md) and mod_security

they talk to each other via an internal network

Title: website/howto/jails.md at main - pkgbase/website - Codeberg.org

this is a bit outdated, but the gist is still largely exactly the same as my current setup

I've gotten rid of puppet and that's now a couple lines of shell script

kevans: found another fun netlink thing: it only aligns data to 4 bytes, so the 8-byte values are misaligned le-fay.org/tmp/30d/BQ9p3H.txt

this seems to be by design: /usr/include/netlink/netlink.h:#defineNL_ITEM_ALIGN_SIZEsizeof(uint32_t)

(unless there's something i'm meant to be doing to make it align properly...)

hrm.. this mandoc -Tlint is showing a whole bunch of stuff..

must focus, links important.. clean up second

oh no, we don't have LeakSanitizer on FreeBSD? but it's on NetBSD :-(

the interface giving you headaches still?

did you get to resolve the hash map frustrations

i ignored that for now and just used a linked list, might revisit later

hrm a fortran reference in gprof

f77(1) in gprof man page.. but does not look like f77 has been in freebsd since 4.0

ah, jemalloc apparently has some sort of built-in leak detection

weird f77 -> g77 GNU fortran

so from freebsd 4.0 -> freebsd 6.4 it existed.. freebsd 7.0 g77/f77 is gone from base

i will chalk this up to, not touching fortran.. next :)

lw: beyond checking man.freebsd.org would you recommend any sources to see PREVIOUS version of man pages for freebsd?

i am trying to confirm/deny hskbd(4) in hidbus(4) man page and going through msn.freebsd.org i do not see that it EVER existed...

voy4g3r2: check out the src version you want and grep for it

okay, let me see what that unfolds.. i can find the source file and shows this .Xr and my gut is telling me.. remove

but lets see what we find with grep, thank you!

i find it's useful to keep a checkout of at least the currently supported stable branches around for things like this

yeah

i am still chugging along on that pull request

i have expanded 'covering my bases' to man.freebsd.org, raspberry pi, amd64

i got dinged with zzz as it is NOT on armv7 but it is on amd64

and my little command find /usr/src -name "<insert file name>" -type f

but now we have a little find / grep magic, thanks!

voy4g3r2: if you're in a repo, git grep 'blah' might be a bit faster. or git ls-files rather than find

hm, is recvmsg() guaranteed to only read a single message (or part of message)? not two or more in one call?

I thought I was having issues with wifi on my laptop, but last night with the Raspberry P4 and a USB wifi dongle I noticed the same issues. But, I use lagg to easily switch between onboard NIC and wifi. Without lagg wifi is just fine. Anyone else noticed this?

What happens is that a DHCP lease is received, and applied, but the network it still down. After restarting netif three times is finally works.

Seems I'm not the only one: forums.freebsd.org/threads/lagg0-do…ade-from-freebsd-13-2-to-14-0.91312

Title: Lagg0 doesn't work properly after upgrade from FreeBSD 13.2 to 14.0 | The FreeBSD Forums

Someone else tried "lagg" with wired & wireles connection, to be told that does not work for WiFi; one alternative was of "netgraph" & "bridging": tech.lgbt/@Anniiii⊙fd/111691564568971020

Title: Annie: "I am usually quite against guis for pretty much a…" - Ferrodon

s/&/& other was of/

parv: it may be broken currently, but "to be told that does not work for WiFi" sounds wrong (e.g. docs.freebsd.org/en/books/handbook/…#networking-lagg-wired-and-wireless)

Title: Chapter 34. Advanced Networking | FreeBSD Documentation Portal

Well, if someone succeeds with lagg for wifi & ethernet && am still here, would love to read how that works out

I had tried earlier & did not work for me. So yeah

before 13

Using lagg for copper ethernet only - 1GE and 10GE. But that's not what you're asking.

well, I had it setup in a broken way where ethernet and wifi where diffrent subnets, it worked somewhat

AFAIU, it must be direct connection both ethernet and wifi without any switches and wifi routers.

Hello. How do I install after ssh?

i'm installing to Orange Pi One H3

Here there is no need to enable SSH additionally, you can just ssh freebsd@ipaddress

with default password freebsd

but where is my TUI install program, might I ask?

freebsd@generic:/bin % whereis sysinstall

sysinstall:

V-T60: if you dd the image to the sd card (or something like that) it's already installed, that is a pre-installed system. if you want to install on other media, you can run bsdinstall

/dev/ufs/rootfs 55G 1.7G 49G 3% /

lw: can i use OpenBSD in FreeBSD jails?

i want an OpenBSD VM, but my system is not very high on performance

not that i'm aware of, you could run freebsd vm on bhyve but i don't think arm64 bhyve support has been merged yet

once i wanted to migrate my OpenSMTPD mail server from OpenBSD to Debian, but that didn't work

everything is located differently, and setup was too complicated from OpenBSD user point of view

hope that won't be the problem here

This is so weird and I'm finally running out of ideas. My Wi-Fi doorbell camera is accessible from clients on my wired LAN, but it's NOT accessible from clients on the same Wi-Fi LAN. Wi-Fi AP is in bridge mode, so no routing or firewalling.

Only thing I can think of at this point is that it's some firmware issue with the camera. I did misconfigure one of the other cameras with the wrong ip/gateway and so I had to hard reset it, so the only way I can think of that potentially interfering with the doorbell camera is some kind of weird/sticky/whatever ARP entry in the Wi-Fi AP or

something, but that seems like a stretch.

but what is root password?

that is definitely not freebsd

My main gateway is and it's possible that something got messed up there, but not sure yet.

Traffic does have to go through that box.

ok, root/root

Hmm, wait. Wi-Fi peers don't have to go through the FreeBSD box, but the other boxes do, the ones that are accessible.

_xor: any chance the AP is set to deny client-to-client communication? this can be separate from any firewall configuration

lw: Good point. Checking now, though I'm not getting my hopes up.

Hmm, so I can ping the camera from another Wi-Fi client, but no L4 traffic seems to be getting through.

So my phone and laptop, both of which are on Wi-Fi, can communicate with each other fine. They can ping each other and I can SSH between them.

Both my phone and laptop can ping my doorbell camera too, they just can't do anything beyond ICMP. Tried to cURL an open port on the camera and it just hung (didn't immediately fail, so it was trying to transmit eth frames somewhere).

What's weird is that if I enable my WireGuard tunnel on my phone (regardless of whether it's on Wi-Fi or Cellular), then it's able to communicate with the camera fine. Really strange.

how long do people usually keep logs for? i've just set maillog to 30 days on a couple of mail servers, but i'm wondering about increasing the others too

lw: depends on what you need / use logs for

rtprio: good to know

this is a pretty neat tooL; bhyve.npulse.net/#hero

Title: BVCP: FreeBSD Bhyve Project

no source code but man it makes setting up -CURRENT a lot easier than commandline

voy4g3r2: been using cbsd here, which also has LibreNMS monitoring support as well via HV::Monitor

Hello

Can i use ext4 inside of jails?

passthrough the hdd inside somehow

or is this non-working absolutely?

I may be missing something, but "passthrough" is a virtual machine concept, not a jails concept.

probably you're not missing anything

hi all

But if you mount (using kernel support or FUSE) an ext4 partition from outside the jail with a mount path that's inside the jail root, you should be able to access its contents from within the jail, albeit with a different pathname than the mount path (ie, if the outside-the-jail mount path is /var/jail/myjail/mnt/myext4partition and the jail chroot is /var/jail/myjail, it would appear as

/mnt/myext4partition)

so freebsd actually works with ext4?

but only read only? or what is the trouble?

I'm not familiar enough with ext4 support to tell for sure. It may depend on which FUSE file system you use. (sysutils/fusefs-lkl may let you access it read-write.)

how could I connect to mobile network (I got sim card port in my thinkpad) from tty?

Do you have an interface for it ? Then ifconfig would probably be the way to go.

I see just em0 (ethernet) and lo0 (wifi)

let me reboot

lo0 is usually the loopback interface - all traffic on that interface stays local.

don't these usually appear as serial devices that talk PPP?

after reboot still just lo0 and em0

V-T60: yes, see ext2fs(5)

i would start by looking through dmesg and see if you have something that looks like it could be a modem (might be a USB device)

Are ports installed like normal packages? I can't find a difference as I don't have it installed on anything at the moment, but I think I was told that ports are just compiled from source and I think(?) are normal packages other than that.

zayd: yes, nowadays ports builds a pkg and installs that

lw: so it's like what the aur is for arch linux?

not really, AUR is extra/community repository, ports and packages are the same software, ports is just the source for packages

although i suppose you could consider all of ports an "AUR" for the base system...

is there a way to search the non port packages without having freebsd installed on something? is everything in ports available in the normal packages

freshports.org

not sure about searching (try freshports?) but yes, every port is available as a package, unless the build fails

ok, thanks then.

There is no non-port packages AFAIK. All packages are built from the ports tree with the default build settings. Compiling a port yourself lets you tweak those build settings. Usually the main reason for doing that, or grabbing an update faster.

(or for a very small number of ports that can't be built as packages for legal reasons... i don't know if any of these still exist?)

hmm, "pci2: <network>" looks like might be responsible for mobile network

does ports.freebsd.org have the same packages as freshports? it looks like i'm getting what i'm looking for more often with ports.freebsd.org

oh, my wifi interface is probaly iwm0, not lo0

graso: what is you wwan car ?

I'd expect them to use usb nowadays

what is this? ugen3.3: <ULT-Best Best USB Device> at usbus3

i try to connect HDD with such an adapter

i had this line on my daily driver

but i don't - on single board computer with FreeBSD 14.0

@babz how could I check it?

this is the notice that the ugen device has attached to the USB bus

but why i don't get this on single board computer?

the adapter is getting light up

try jiggling the cable

try a different USB port, some of those SBCs have weird... things with their USB

and make sure the USB controller itself is detected in dmesg

lw: i have only one usb port

and on this port i attached USB hub

with this USB hub wifi adapter works fine

but when USB adapter for SATA is attached, nothing happens

despite of the fact the USB wifi adapter is connected or not

i tried to connect additional power to the usb hub, but this doesn't help

does usbconfig lists anything ?

yes, but with/without USB SATA nothing changes

the same output

i connected USB ethernet and it indeed appeared

both in usbconfig and everywhere else

and on your pc where it's enumerated ? it should say its speed and the current it's expecting

ugen3.3: <ULT-Best Best USB Device> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

well, 500mA 5v

but i tried with additional power

with 5v 2a power adapter connected to USB hub

weird

is there a good guide to setting up a freebsd system so it is suitable for handling more sensitive data? by sensitive, a credit card would be a good example, although this data is not credit cards

for example, i am thinking that turning off swap would be part of the process,...

ugen3.2: <ULT-Best Best USB Device> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

oh, this appeared

i connected straigth to the usb port

straight* so this is either usb hub problem

or idk what

but through usb otg wifi works fine

fuse: failed to open fuse device: No such file or directory

what does it mean?

oh, well, kldload fusefs

i mounted

whoever's adding storytime fluff into the handbook is going to ruin it. 7.2 3 paragraphs of bullshit about bulgaria

for any curious: docs.freebsd.org/en/books/handbook/network/#config-network-setup -- I see nohting about bulgaria

Title: Chapter 7. Network | FreeBSD Documentation Portal

daemon: i guess they mean developers handbook

yuripv: hey, i am not sure i udnerstand your do while looop comment

with the help of kenrap, we figured out to do this approach: gist.github.com/kenrap/d2e7d03854ed6dc31d6cc8c880a11a23

Title: git-step-guide.md · GitHub

and we did use a for loop

yuripv: forgot to mention, it is in reference to this comment you made :freebsd/freebsd-src #1072#pullrequestreview-1834714425

Title: A set of changes to manual pages that were identified to be out of alignment by chrisdavidson · Pull Request #1072 · freebsd/freebsd-src · GitHub

ohhh.. looks liek when i rebased the branches, i sucked in other people's commits, the do/while

voy4g3r2: i did no such comment

ohh, my bad

yuripv: i do have one nugget to ask.. i started doing mandoc -Tlint on a lot of files and there are quite a few warnings, is there threshold of sorts to say what is going to be touched vs not?

like a STYLE issue you ignore verus an error in link

Title: dpaste/XMeh (Plain Text)

Hey, so I am trying to install netdata on truenas core outside the jail by using pkg-fetch on another machine and transferring the needed packages over... So far it's been working until I got a fatac gcc error that it can't compile so I tried doing a simple hello world file and compile it and get this ' fatal error: stdio.h: No such file or directory' I am not at all good with C but I would guss

that's an indication that no libc is installed? Is there a package I can fetch and install on the box to fix it?

bblinky: it's not that the libc isn't installed, there's every chance that's still under /lib/libc.so.7 — but the headerfiles aren't installed

Right, is there any way I can fix that ? :)

meena: I am quite inexperienced with both gcc and BSD... But I like to get my feet wet

bblinky: first off, I would try regular cc; if that's not installed you know that TrueNAS Core is very much stripped down and unstripping it will be a lot of work

y/eah, there is no cc...

Maybe it's a rabbithole of not necesarry

yeah, so, we've got no stdio.h and no cc, compiling something on it will be difficult

But compiling something *for* it won't be impossible.

if you could identify the version of freebsd it was originally based off of, and it has a memstick image you could live usb into the system

The last time you couldn't get a binary on a system without a compiler on it installed was some time in the 1970s

now you use ai 8)

daemon: I think it's based on 13.2

gpt sucks at coding :p

bblinky, so in theory ... download.freebsd.org/releases/ISO-IMAGES/13.2 -> download.freebsd.org/releases/ISO-I…BSD-13.2-RELEASE-amd64-memstick.img

Title: Index of /releases/ISO-IMAGES/13.2/

if you was to put that on a usb and boot the system from it, you could pkg add using that to re-establish those base libraries

at your own risk of course :P

might be worth a dd to an external disk

I might try it.. Right now I am just messing arround on a disposable vm for my own ammusement

daemon: do you really mean pkg add? as in PkgBase?

meena, I mean I always use ports for everything -_-" I thought pkg add was what we used now days for pkg things

if a daemon is controlled through a unix domain socket, i'm guessing the daemon should be responsible for creating the uds file when it starts up, and the ctl bin just connects to that socket file?

whichever process created whatever file would own it, but what you described would be expected behaviour

never mind, we don't have PkgBase builds for 13: pkg.freebsd.org/FreeBSD:13:amd64

is it possible for multiple instances of the ctl bin to be running (like by different users) all connected to the same socket the daemon created?

Title: Index of /FreeBSD:13:amd64/

alepzi, yes, because the daemon may be accessible by all instances

all files written by that daemon will be in its user:group though (by default)

unix sockets are not special

so the uds file is 1 writer, 0-n readers

just think of them as file based TCP

ah file based TCP makes sense

and it's bidirectional right? like the server can emit data to the socket, and n clients can both receive that data as well as emit their own to the daemon side?

it can be there is some technicalities in that but yes it supports it

TCP on a file

if client 1 emits a message to the socket file, will the other clients receive it also?

in most cases yes

you can actually play around and test it with ncat and the openbsd version of netcat

ncat is part of the nmap package

-U option if I recall correctly

yep here we go, thx

btw you know if most data programs send over uds is text, or binary, or both?

there whatever you want

cool

sake as tcp and af_unix

udp/tcp/af_unix are protocols

whatever you send over them you can define

you might want to check this out ... en.wikipedia.org/wiki/OSI_model

Title: OSI model - Wikipedia

if it's possible, think it's a nice feature of a daemon to be line oriented text so ncat can be a little cli?

that was the thought years ago, infact smtp and IRC are designed that way (more for telnet clients than nc)

its really a question on compression at that point

and no its not really relevant now days

most people are not console hacking

and those that are can bodge a client in perl to unwrap the encryption and other stuff

so for every new daemon with a socket based control they make a custom client instead of just using ncat?

well no the standard control is via signals not sockets (af_unix_

even dynamic reconfiguration is via signals?

not just restart/stop

and there is a very precise list of how those should be handled here: man.freebsd.org/cgi/man.cgi?sektion=3&query=signal

Title: signal(3)

well normally yes

REHUP fore 're-read your config' etc

ya but what about fully dynamic configuration, no config file to speak of

no idea, the only applications I have ever seen with that use databases instead

Imagine my surprise :|

ok i'll read up on signals

thx daemon

ew

vi doesn't exist, but vim does...go figure.

Well, by default I mean. I always expect vi to be present.

_xor, nano instead of ee as well

kinda weird :P

join #politics

absoluetly not

sorry about that, just installed weechat, and still getting comfortable with the interface

;)

I do have a question for this channel though, I have a server that has zroot zpool with 4 drives stiped, will it be possible to get this zpool down to a single drive without having to rebuild the whole server?

...striped

i cannot help there, maybe someone will chime in

daviddossi, the direct answer is no.

daviddossi, however. a traditional dump and restore would put your files back on whatever config you would like

so kvm or usb boot

ok thank you, that is what I thought based on what I have read thus far, was just wondering if there were a shortcut :-)

I understand the os and zpool better now, and having everything under a huge zpool does not make sense, very impressed with the system though, it is solid like a tank, reminds me of the old good days of solaris, but much friendlier in my mind