01:56:30 Is it possible to debug/trace/observe firmware? I have a large zpool that just stops working. no errors in dmesg, DTrace tracing shows me that everything is fine, I keep going back to the disk controller being shitty
02:07:25 sure, you just gotta hook up your Saleae correctly to it.
02:08:38 doug ordering that might take a while. anything I can do from the OS level?
02:11:11 not that i know of. drive manufacturers generally take pains to keep anyone from being able to see what's really going on in the hardware.
02:13:01 I think this storage card is doing something wrong. and ZFS is not liking it
05:13:58 hello
06:16:42 Hi
06:26:59 angry_vincent: hello! :-)
11:52:16 if accept4() returns -1 and errno==ENFILE/EMFILE, is the fd left in the accept queue, or is it discarded?
12:02:10 meena: i know "how long to leave logs" is basically a "how long do you want them?" sort of thing, but i was just wondering if other people have found it useful to change the default retention, because i do find the defaults quite short - especially on a modern disk (i.e., any disk made in the last 20 years) where you could store months of logs with no problem
12:02:36 i'm actually wondering if we should bump the defaults
12:03:22 the small number of users on tightly resource-constrained platforms can always reduce it again (i put /var/log on tmpfs on my RPis anyway)
12:26:54 kevans: i noticed emaste@ added himself as cc on my netlink bug. that usually means something interesting is about to happen...
12:46:01 * meena mumbles something about cloud at lw
12:46:18 do not cloud me meena
12:46:29 there, disk space comes at a premium again
12:46:44 i'm sorry, it's like ⅓ of what I do
12:47:19 i've spent the last 6 months moving all my stuff from clowd to onsite
12:49:06 it would be cool if i could do that, butttttt
14:04:13 Is there a technical article that documents the difference between FreeBSD jails and Linux containers?
14:10:55 beastwick: i don't know of one, but fwiw, linux containers aren't really a thing. linux has a very generic framework based on cgroups and namespaces that lets applications construct various practical systems (like containers), whereas jails are basically jails and that's it.
14:11:08 beastwick: found one, https://www.diva-portal.org/smash/get/diva2:1453017/FULLTEXT01.pdf
14:11:21 it's hard to compare them because you can do almost anything you want with linux containers
14:13:14 lw kenrap thanks
14:13:44 I am curious about privilege escalation. Jails were easy to set up for me, but I am tearing my head out trying to make an unprivileged container.
14:14:01 Are FreeBSD jails secure/protected from priv escalation by default?
14:14:11 They are run as root so I am skeptical.
14:14:42 if there are no kernel bugs that allow privilege escalation, and you configure them correctly - yes, in theory (but all answers to 'is it secure?' are 'in theory')
14:15:07 by configure it correctly i mean that if you mount /etc in a jail or pass through a /dev device or something, that can compromise security and freebsd won't stop you doing that
14:15:41 jails don't really run as a particular uid. the jail's uid 0 is a different user than the host's uid 0
14:16:01 (this is what linux calls 'user namespaces', freebsd doesn't really have a specific term for it because it's just part of jails)
14:18:14 OK a default FreeBSD jail, that runs as root, is probably just as secure as an *unprivileged* Linux container. A privileged Linux container is probably a lot less secure than a FreeBSD jail.
14:18:30 That is to say, there are still exploits for all of them.
14:18:48 i don't know what privileged/unprivileged means when it comes to linux containers (since afaik, linux doesn't have 'containers', so that would depend on the specific application you're using)
14:19:21 but in general yes, a jail or container is less secure than a VM, and a VM is less secure than a dedicated hardware system
14:19:52 Privileges for Linux mean UID/GID mappings. In the Linux world the root user in a container can be mapped to a user that does not exist on the host. This would ideally prevent issues if a process escaped the container.
14:19:53 otoh, a jail/container is more secure than just running an application on the host
14:43:20 it's like inviting people for dinner and then pouring their food on the table
15:05:05 Is there any limit on the number of VMs that would be NAT'd on a host system? I guess once I read something like the system would be out of free ports, if there are too many VMs using NAT?
15:06:49 tercaL: i think that would be a limit of either pf or ipfw, depending on which you're using. i think both of those support using multiple external addresses to avoid running out of ports
15:07:14 lw: It's PF in my case
15:14:08 tercaL: yeah, i mean in that case it's not really a limit on number of VMs/jails, it's on number of connections, which depends on what the VMs/jails are doing
15:14:40 although if you use non-VNET jails (i guess not in your case since you mentioned 'VMs' specifically) they share the port space with the host
17:03:50 I am trying to decide between using quarterly with cherry picking ports from latest, or using quarterly and a latest jail. Any advice? Only thing I can think of is that the latter approach scales better than the former.
17:08:02 beastwick: what exactly do you need?
17:08:49 Hi meena :) I'm not sure to be honest. I keep bouncing around different ways of accomplishing the same exact thing.
17:08:59 our latest stuff generally doesn't randomly break (if we ignore chromium for a minute there)
17:09:44 Yes, part of me is trying to mitigate "breakage", but it's not production stuff anyway. At this point I've wasted more time fiddling with the problem than ever experiencing a broken system.
17:12:45 Is IPv6 + PF broken on main (54c62e3e5d8c)?
17:13:19 54c62e3e5d8c pf: work around icmp6 packet-too-big not being sent when binat-ing
17:40:39 zapata: that's not completely broken, just binat
18:01:31 I am building 5f086566e02a with 54c62e3e5d8c reverted.
18:07:34 lw: Thanks a lot!
18:07:58 didn't know about the detail on Jails.
18:08:56 tercaL: i can't remember what i said that you're replying to but you're welcome!
18:11:03 lw: "although if you use non-VNET jails (i guess not in your case since you mentioned 'VMs' specifically) they share the port space with the host"
18:11:26 The NAT thing :)
18:11:32 ah right :-)
18:13:44 beastwick: on jails vs containers, i think the big thing on freebsd to pay attention to is devfs and its rulesets
18:15:36 linux containers are mostly namespaces (isolation of things) and cgroups (resource quotas)
18:19:23 on freebsd both are handled by jail(8) such that a jail is not particularly aware of resources not explicitly shared with it
19:04:58 Hello! I'm new to FreeBSD and having a great time :) However, I am struggling with configuring pf as the firewall. I have some issues with jails (I am using bastille), but most importantly at the moment the server cannot "reach itself". Meaning, I can `curl my.server.com` from my local machine, but if I `curl my.server.com` or `curl localhost` from the server itself, it fails... I *think* this is
19:05:00 a pf issue; here's my pf.conf https://termbin.com/0e6p
19:06:33 I'm running caddy in a jail configured with bastille. I did run `sudo bastille rdr caddy udp 443 443` and the same for tcp and 80.
Indeed, I am able to curl the server from my local machine, so I think caddy is not the issue, but some weird routing problem
19:07:28 Oh, maybe it's not pf at all but routing issues? I had to manually configure ip address and routing when I first booted freebsd
19:07:53 (I hope this *is* a support channel)
19:08:36 this is a support channel
19:16:39 Okay I think I confirmed this is an issue with jail networking. I tried running a python http server on port 9999 on the host, allowed it in pf, and now the server could curl itself. So the problem is that ports 80/443 are redirected to the caddy jail, and for some reason external connections are getting through but not if they come from the server itself.
19:18:23 On a separate note, if I keep `antispoof for $ext_if inet` then my jails cannot reach the internet, commenting it out works --- but only sometimes. I think I also had to allow.raw_sockets. but sometimes they stop being able to connect until I restart them. The whole thing is weird and has me confused, so I'd appreciate any help
23:13:08 Is this where I can ask a random question about managing packages?
23:14:24 hi, I am in desperate need to find a comprehensive guide of how to install a GUI. I have tried the handbook to the T, but at the end I get a blank screen with a square blinking in the top left hand corner, this happens with both xfce and kde and associated steps, I am in no way a nooby, I can install arch in about 20 mins with btrfs lvm the works and any kind of gui on top, but i have been struggling to get gui on the freebsd
23:14:25 set up any help will be greatly appreciated, my test machine is an intel nuc pro 13 with intel iris graphics
23:17:46 I'm on FreeBSD 14.0-RELEASE, installed a package (php82-matomo) using poudriere. I want to upgrade matomo using Matomo's built-in mechanism, not packages, as no package update is available; how do I tell FreeBSD matomo is no longer managed by pkg/poudriere, but without deleting matomo from the system?
Something like pkg delete php82-matomo --donotdeletefiles
23:19:26 johankent: You followed the directions at https://freebsdfoundation.org/freebsd-project/resourcesold/installing-a-desktop-environment-on-freebsd/? Do you get as far as "startx" working?
23:19:27 Title: Installing a Desktop Environment on FreeBSD | FreeBSD Foundation
23:24:35 hi, no startx keeps giving an error that frame buffers are not define, and server refused connection, the user belongs to the video group and sysrc entries are validated, i even gave root association to video group as well
23:25:40 .. defined
23:31:00 cacya, Here is a good place. Also #freebsd-ports would be a good place for questions about pkgs. I don't think there is a way to pkg delete a package from the database without also deleting the associated files. But you can always save those files off before and then restore them afterward.
23:33:40 If it were me I would "pkg info -l php82-matomo" to generate a list of files, back up those files with "tar cvzf php82-matomo-4.13.3-snap.tar.gz $(pkg info -l php82-matomo)" then pkg delete php82-matomo and then restore the deleted files with "tar xvzf php82-matomo-4.13.3-snap.tar.gz". If you are running ZFS with compression enabled the "tar" 'z' option is truly optional.
23:34:22 But probably if you are installing something like that from upstream you would simply want to do an install from upstream so that there would not be anything getting out of sync.
23:35:24 VimDiesel is that a separate document? I have a hunch that the culprit is the video driver, I do install the rdp package, and put the kdm915 entry into /etc/rc.conf, but since the xorg server is going haywire, i think i am missing a step to define the video driver
23:35:52 johankent, I was going to ask if you had loaded the Intel driver in /etc/rc.conf but I don't know what the name of it is as I am not using it myself.
23:36:11 Also that VimDiesel is a bot so while it does answer some questions it mostly supplies information about URLs seen. :-)
23:37:15 rwp thank you, I could not tell he was a bot lol
23:37:17 johankent, I am not sure but I think maybe you need kld_list="i915kms" as the correct driver to load, set that in /etc/rc.conf.
23:37:34 yes, that is what i put in there
23:37:47 i am on my debian box right now
23:37:51 VimDiesel sometimes fools people so just count yourself as one of the many. I myself sometimes can pass the Turing test, on good days.
23:38:37 Thanks rwp. I initially used pkg because it was available and I thought it would stay somewhat current, lesson learned for matomo.
23:39:20 cacya, I think everyone should mostly start with binary pkg packages because that is simplest and works for most people. If you have a specific need for something then you can do something different of course.
23:40:06 johankent, I see this matrix: https://wiki.freebsd.org/Graphics/Intel-GPU-Matrix
23:40:07 Title: Graphics/Intel-GPU-Matrix - FreeBSD Wiki
23:40:26 you know what I just noticed
23:40:29 vi /boot/loader.conf
23:40:37 I think i have somehow skipped this entry
23:40:49 kern.vty=vt
23:40:55 i will install from scratch
23:41:09 i have an older intel box, don't want to ruin my nuc drives
23:41:25 and do the vim on the loader.conf file and see where I get with that
23:41:27 What's wrong with kern.vty=vt ?? I'll note I also have that too. But probably no longer needed.
23:41:41 i was not putting that in
23:41:44 that is what I am saying
23:41:55 but this guide says to put it in before you attempt startx
23:42:30 I found it necessary in 12 but I don't think it is needed anymore in 13. And in any case you could just add it and reboot (reboot for /boot/loader.conf changes) with no need to install from scratch.
23:43:08 Also the graphics driver most typically is loaded later from the /etc/rc.conf file. So kld_list="i915kms" or whatever driver is used would usually go there.
23:43:16 echo "exec /usr/local/bin/startxfce4 --with-ck-launch" > ~/.xinitrc
23:43:44 so this line here do i do the ~ path, or I have to figure out the exact path for .xinitrc , which is under X11 right?
23:43:48 yeah, vt is default these days
23:44:41 johankent, I don't understand your question about ~. The ~ expands by the shell to be $HOME. So ~/.xinitrc is okay.
23:45:29 ok thank you
23:46:40 Tidbit of history. The ADM-3a terminal had "Home" and ~ on the same key. And so ~ became synonymous with Home, and so it was used for $HOME.
23:49:43 johankent, You also said your user was in the "video" group too, right? id | grep --color video
23:50:24 yes that is all done both video and wheel
23:50:47 and visudo has wheel group users enabled
23:50:48 And you also inspected "less /var/log/Xorg.0.log" for "EE" error lines too?
23:50:58 basically sudo whoami ------> root
23:51:10 that no, let me take a note of that one
23:51:15 I don't run X as root. I run X as me, rwp, and not as root.
23:51:28 yes run x as me
23:51:31 true,
23:51:44 don't run it as root, don't think gui will ever load as root
23:52:20 that .0 is that a zero or an 'O'
23:52:28 Somewhere along the way X has a setuid-root but the rest of it does not. Best not to run X as root just for safety reasons. Too easy to exploit.
23:52:41 Xorg.0.log is a zero in the middle.
23:52:48 i agree with you, onlinux kde won't load the root account period
23:53:03 ... on linux
23:53:07 The immediately previous log is Xorg.1.log as they get rotated down. Hint: This is the same on your Debian box too.
23:54:42 On Debian they use kernel capabilities to avoid the need for the setuid-root under the idea that all uses of root no matter how small are evil. And then they stir in a bunch of other mysticism that I do not agree with which breaks some of my uses of things. So on Debian I install xserver-xorg-legacy to return to the previous way which is not broken for me.