-
antranigv
Is it possible to debug/trace/observe firmware? I have a large zpool that just stops working. no errors in dmesg, DTrace tracing shows me that everything is fine, I keep going back to the disk controller being shitty
-
doug
sure, you just gotta hook up your Saleae correctly to it.
-
antranigv
doug ordering that might take a while. anything I can do from the OS level?
-
doug
not that i know of. drive manufacturers generally take pains to keep anyone from being able to see what's really going on in the hardware.
-
antranigv
I think this storage card is doing something wrong. and ZFS is not liking it
-
sixpiece
hello
-
angry_vincent
Hi
-
gry
angry_vincent: hello! :-)
-
lw
if accept4() returns -1 and errno==ENFILE/EMFILE, is the fd left in the accept queue, or is it discarded?
-
lw
meena: i know "how long to leave logs" is basically a "how long do you want them?" sort of thing, but i was just wondering if other people have found it useful to change the default retention, because i do find the defaults quite short - especially on a modern disk (i.e., any disk made in the last 20 years) where you could store months of logs with no problem
-
lw
i'm actually wondering if we should bump the defaults
-
lw
the small number of users on tightly resource-constrained platforms can always reduce it again (i put /var/log on tmpfs on my RPis anyway)
-
lw
kevans: i noticed emaste@ added himself as cc on my netlink bug. that usually means something interesting is about to happen...
-
» meena mumbles something about cloud at lw
-
lw
do not cloud me meena
-
meena
there, disk space comes at a premium again
-
meena
i'm sorry, it's like ⅓ of what I do
-
lw
i've spent the last 6 months moving all my stuff from clowd to onsite
-
meena
it would be cool if i could do that, butttttt
-
beastwick
Is there a technical article that documents the difference between FreeBSD jails and Linux containers?
-
lw
beastwick: i don't know of one, but fwiw, linux containers aren't really a thing. linux has a very generic framework based on cgroups and namespaces that lets applications construct various practical systems (like containers), whereas jails are basically jails and that's it.
-
kenrap
-
lw
it's hard to compare them because you can do almost anything you want with linux containers
-
beastwick
lw kenrap thanks
-
beastwick
I am curious about privilege escalation. Jails were easy to set up for me, but I am tearing my head out trying to make an unprivileged container.
-
beastwick
Are FreeBSD jails secure/protected from priv escalation by default?
-
beastwick
They are run as root so I am skeptical.
-
lw
if there are no kernel bugs that allow privilege escalation, and you configure them correctly - yes, in theory (but all answers to 'is it secure?' are 'in theory')
-
lw
by configure it correctly i mean that if you mount /etc in a jail or pass through a /dev device or something, that can compromise security and freebsd won't stop you doing that
-
lw
jails don't really run as a particular uid. the jail's uid 0 is a different user than the host's uid 0
-
lw
(this is what linux calls 'user namespaces', freebsd doesn't really have a specific term for it because it's just part of jails)
-
beastwick
OK a default FreeBSD jail, that runs as root, is probably just as secure as an *unprivileged* Linux container. A privileged Linux container is probably a lot less secure than a FreeBSD jail.
-
beastwick
That is to say, there are still exploits for all of them.
-
lw
i don't know what privileged/unprivileged means when it comes to linux containers (since afaik, linux doesn't have 'containers', so that would depend on the specific application you're using)
-
lw
but in general yes, a jail or container is less secure than a VM, and a VM is less secure than a dedicated hardware system
-
beastwick
Privileges for Linux mean UID/GID mappings. In the Linux world the root user in a container can be mapped to a user that does not exist on the host. This would ideally prevent issues if a process escaped the container.
-
lw
otoh, a jail/container is more secure than just running an application on the host
-
meena
it's like inviting people for dinner and then pouring their food on the table
-
tercaL
Is there any limit on the number of VMs that can be NAT'd on a host system? I think I once read something like the system running out of free ports if there are too many VMs using NAT?
-
lw
tercaL: i think that would be a limit of either pf or ipfw, depending on which you're using. i think both of those support using multiple external addresses to avoid running out of ports
-
tercaL
lw: It's PF in my case
-
lw
tercaL: yeah, i mean in that case it's not really a limit on the number of VMs/jails, it's on the number of connections, which depends on what the VMs/jails are doing
-
lw
although if you use non-VNET jails (i guess not in your case since you mentioned 'VMs' specifically) they share the port space with the host
-
beastwick
I am trying to decide between using quarterly with cherry picking ports from latest, or using quarterly and a latest jail. Any advice? Only thing I can think of is that the latter approach scales better than the former.
-
meena
beastwick: what exactly do you need?
-
beastwick
Hi meena :) I'm not sure to be honest. I keep bouncing around different ways of accomplishing the same exact thing.
-
meena
our latest stuff generally doesn't randomly break (if we ignore chromium for a minute there)
-
beastwick
Yes, part of me is trying to mitigate "breakage", but it's not production stuff anyway. At this point I've wasted more time fiddling with the problem than ever experiencing a broken system.
-
zapata
Is IPv6 + PF broken on main (54c62e3e5d8c)?
-
zapata
54c62e3e5d8c pf: work around icmp6 packet-too-big not being sent when binat-ing
-
meena
zapata: that's not completely broken, just binat
-
zapata
I am building 5f086566e02a with 54c62e3e5d8c reverted.
-
tercaL
lw: Thanks a lot!
-
tercaL
didn't know about the detail on Jails.
-
lw
tercaL: i can't remember what i said that you're replying to but you're welcome!
-
tercaL
lw: "although if you use non-VNET jails (i guess not in your case since you mentioned 'VMs' specifically) they share the port space with the host"
-
tercaL
The NAT thing :)
-
lw
ah right :-)
-
xmj
beastwick: on jails vs containers, i think the big thing on freebsd to pay attention to is devfs and its rulesets
-
xmj
linux containers are mostly namespaces (isolation of things) and cgroups (resource quotas)
-
xmj
on freebsd both are handled by jail(8) such that a jail is not particularly aware of resources not explicitly shared with it
-
giusb
Hello! I'm new to FreeBSD and having a great time :) However, I am struggling with configuring pf as the firewall. I have some issues with jails (I am using bastille), but most importantly at the moment the server cannot "reach itself". Meaning, I can `curl my.server.com` from my local machine, but if I `curl my.server.com` or `curl localhost` from the server itself, it fails... I *think* this is a pf issue; here's my pf.conf
termbin.com/0e6p
-
giusb
I'm running caddy in a jail configured with bastille. I did run `sudo bastille rdr caddy udp 443 443` and the same for tcp and 80. Indeed, I am able to curl the server from my local machine, so I think caddy is not the issue, but some weird routing problem
-
giusb
Oh, maybe it's not pf at all but routing issues? I had to manually configure ip address and routing when I first booted freebsd
-
giusb
(I hope this *is* a support channel)
-
lw
this is a support channel
-
giusb
Okay I think I confirmed this is an issue with jail networking. I tried running a python http server on port 9999 in the host, allowed it in pf, and now the server could curl itself. So the problem is that ports 80/443 are redirected to the caddy jail, and for some reason external connections are getting through but not if they come from the server itself.
-
giusb
On a separate note, if I keep `antispoof for $ext_if inet` then my jails cannot reach the internet, commenting it out works --- but only sometimes. I think I also had to allow.raw_sockets. but sometimes they stop being able to connect until I restart them. The whole thing is weird and has me confused, so I'd appreciate any help
-
cacya
Is this where I can ask a random question about managing packages?
-
johankent
hi, I am in desperate need of a comprehensive guide on how to install a GUI. I have followed the handbook to the T, but at the end I get a blank screen with a square blinking in the top left hand corner. This happens with both xfce and kde and their associated steps. I am in no way a noob, I can install arch in about 20 mins with btrfs, lvm, the works and any kind of gui on top, but i have been struggling to get a gui on the freebsd set up. Any help will be greatly appreciated, my test machine is an intel nuc pro 13 with intel iris graphics
-
cacya
I'm on FreeBSD 14.0-RELEASE, installed a package (php82-matomo) using poudriere. I want to upgrade matomo using Matomo's built-in mechanism, not packages, as no package update is available; how do I tell FreeBSD matomo is no longer managed by pkg/poudriere, but without deleting matomo from the system? Something like pkg delete php82-matomo --donotdeletefiles
-
cacya
johankent: You followed the directions at
freebsdfoundation.org/freebsd-proje…-a-desktop-environment-on-freebsd/? Do you get as far as "startx" working?
-
VimDiesel`
Title: Installing a Desktop Environment on FreeBSD | FreeBSD Foundation
-
johankent
hi, no, startx keeps giving an error that frame buffers are not defined, and server refused connection. the user belongs to the video group and the sysrc entries are validated, i even gave root membership of the video group as well
-
rwp
cacya, Here is a good place. Also #freebsd-ports would be a good place for questions about pkgs. I don't think there is a way to pkg delete a package from the database without also deleting the associated files. But you can always save those files off before and then restore them afterward.
-
rwp
If it were me I would "pkg info -l php82-matomo" to generate a list of files, back up those files with "tar cvzf php82-matomo-4.13.3-snap.tar.gz $(pkg info -l php82-matomo)" then pkg delete php82-matomo and then restore the deleted files with "tar xvzf php82-matomo-4.13.3-snap.tar.gz". If you are running ZFS with compression enabled the "tar" 'z' option is truly optional.
-
rwp
But probably if you are installing something like that from upstream you would simply want to do an install from upstream so that there would not be anything getting out of sync.
-
johankent
VimDiesel is that a separate document? I have a hunch that the culprit is the video driver, I do install the rdp package, and put the kdm915 entry into /etc/rc.conf, but since the xorg server is going haywire, i think i am missing a step to define the video driver
-
rwp
johankent, I was going to ask if you had loaded the Intel driver in /etc/rc.conf but I don't know what the name of it is as I am not using it myself.
-
rwp
Also that VimDiesel is a bot so while it does answer some questions it mostly supplies information about URLs seen. :-)
-
johankent
rwp thank you, I would not tell he was a bot lol
-
rwp
johankent, I am not sure but I think maybe you need kld_list="i915kms" as the correct driver to load, set that in /etc/rc.conf.
-
johankent
yes, that is what i put in there
-
johankent
i am on my debian box right now
-
rwp
VimDiesel sometimes fools people so just count yourself as one in the many. I myself sometimes can pass the Turing test, on good days.
-
cacya
Thanks rwp. I initially used pkg because it was available and I thought it would stay somewhat current, lesson learned for matomo.
-
rwp
cacya, I think everyone should mostly start with binary pkg packages because that is simplest and works for most people. If you have a specific need for something then you can do something different of course.
-
rwp
-
VimDiesel`
Title: Graphics/Intel-GPU-Matrix - FreeBSD Wiki
-
johankent
you know what I just noticed
-
johankent
vi /boot/loader.conf
-
johankent
I think i have somehow skipped this entry
-
johankent
kern.vty=vt
-
johankent
i will install from scratch
-
johankent
i have an older intel box, don't want to ruin my nuc drives
-
johankent
and do the vim on the loader.conf file and see where I get with that
-
rwp
What's wrong with kern.vty=vt ?? I'll note I also have that too. But probably no longer needed.
-
johankent
i was not putting that in
-
johankent
that is what I am saying
-
johankent
but this guide says to put in before you attempt startx
-
rwp
I found it necessary in 12 but I don't think it is needed anymore in 13. And in any case you could just add it and reboot (reboot for /boot/loader.conf changes) with no need to install from scratch.
-
rwp
Also the graphics driver most typically is loaded later from the /etc/rc.conf file. So kld_list="i915kms" or whatever driver is used would usually go there.
-
johankent
echo "exec /usr/local/bin/startxfce4 --with-ck-launch" > ~/.xinitrc
-
johankent
so this line here, do i use the ~ path, or do I have to figure out the exact path for .xinitrc, which is under X11 right?
-
kevans
yeah, vt is default these days
-
rwp
johankent, I don't understand your question about ~. The ~ expands by the shell to be $HOME. So ~/.xinitrc is okay.
-
johankent
ok thank you
-
rwp
Tidbit of history. The ADM-3a terminal had "Home" and ~ on the same key. And so ~ became synonymous with Home, and so it was used for $HOME.
-
rwp
johankent, You also said your user was in the "video" group too, right? id | grep --color video
-
johankent
yes that is all done both video and wheel
-
johankent
and visudo has the wheel group users enabled
-
rwp
And you also inspected "less /var/log/Xorg.0.log" for "EE" error lines too?
-
johankent
basically sudo whoami ------> root
-
johankent
that no, let me take a note of that one
-
rwp
I don't run X as root. I run X as me, rwp, and not as root.
-
johankent
yes run x as me
-
johankent
true,
-
johankent
don't run it as root, don't think gui will ever load as root
-
johankent
that .0 is that a zero or an 'O'
-
rwp
Somewhere along the way X has a setuid-root but the rest of it does not. Best not to run X as root just for safety reasons. Too easy to exploit.
-
rwp
Xorg.0.log is a zero in the middle.
-
johankent
i agree with you, on linux kde won't load the root account period
-
rwp
The immediately previous log is Xorg.1.log as they get rotated down. Hint: This is the same on your Debian box too.
-
rwp
On Debian they use kernel capabilities to avoid the need for the setuid-root under the idea that all uses of root no matter how small are evil. And then they stir in a bunch of other mysticism that I do not agree with which breaks some of my uses of things. So on Debian I install xserver-xorg-legacy to return to the previous way which is not broken for me.