Mine has too, the qt webengine, but it's due to a depends that keeps looping. I believe it was alsa-plugins causing it. I forget "why" it said.

I'm a bit confused about boot environment stuff. it looks like my current BE is zroot/ROOT/default, but /usr is zroot/usr, a separate mount point. if I created a new BE and upgraded that, wouldn't that alter /usr and thus affect the backup BE?

or will creating a new BE not only make a clone of zroot/ROOT/default but also of zroot/usr?

I think it does, but only if you specify "bectl create -r ..."

so reading the bectl man page stuff about boot environment structures, just running into additional confusion. it's talking about how the default auto ZFS configuration from the installer has zroot/usr with "canmount" set to off, thus /usr falls under the BE since zroot/usr isn't mounted, but zfs list clearly shows zroot/usr mounted at /usr

the man page is also saying that -r is not intended for the "shallow" structure I'm currently using

zfs list gives hints that zroot/usr isn't actually being used for anything, like it's only got 288KB space used, and mount shows that it's not actually mounted. I'm confused about why the installer even created this dataset, and why zfs list tells me its mount point is at /usr. it seems like the installer is making datasets for no reason, and zfs list is lying to me

how do i make links and stuff like that

like send a person a link

link to what?

like in general

you mean share a image or a pdf file with another person on irc?

i found which header common.h includes the wolfssl headers for the str.c imports

yes like send someone Hi this is a Instant Message google.com

do you mean private message?

YES

that is a must

you can private message people on this chat

write '/msg gry hi', it will be private message to me, for example

but it is not recommended to ask people questions about e.g. linux or freebsd in private messaging

most people answer such questions only in the channels, not in private messages

because they are not always available, and may have errors in their responses. talking in channel means someone else can correct or help out while gry is away

Also, not everyone is willing to accept private messages. Some configure their IRC client to discard those.

can anyone here elaborate on why zroot/usr even exists if it's not actually used?

lets see what 6.1 menuconfig looks like

trying to get pkgbase set up now, and I'm not seeing a way to set the repository as not automatic (as in, "pkg update" will not queue upgrades unless the pkgbase repo is manually specified)

is this just not possible or am I missing something?

tm512: it can be, i forget what theyre called, but a kind of anchor point for the fs structure

that way you can group a bunch of subtrees under that common node

mynam: ye alsaplugins seems to be the problem

currently installing everything from pkgbase. I hope this decision doesn't bite me in the ass later, but boot environments seem to make this very low-risk

if I break the system to the point of it being unbootable I could just boot into the last working BE, mount the broken one, and do what I need to fix it

interesting, the kernel from pkgbase doesn't actually give any build date: FreeBSD merak 14.0-STABLE FreeBSD 14.0-STABLE stable/14-n266669-a9ef2c901a8b GENERIC amd64

what do you mean zroot/usr is not used?

I clarified exactly what I mean, it shows barely any disk space used (under 1MB) and isn't being mounted at /usr according to mount

it has canmount=off

though now after creating a new BE and upgrading the base system through pkgbase, suddenly zroot/usr has almost 1GB in it yet it still isn't showing as being mounted

this stuff doesn't really make sense

bbl

zroot/usr isn't mounted in the standard BE setup, it just exists so that some datasets underneath it can be (generally for different configuration)

so anything that doesn't have its own mounted dataset under zroot/usr falls into the BE dataset

(likewise /var on a normal zfsroot systm)

great opportunities to make a seperate zpool to hold those things too

tm512: did you read?

its a feature

kevans: so it wanted the zroot/usr dataset to be part of the BE setup, I set it for canmount=on?

*if I wanted

ah, nevermind, having it default at canmount=off makes it part of the BE layout.

cedb: yes, I read what you wrote, doesn't really clarify much for me. I still don't understand what zroot/usr even has on it

tm512: it has nothing. it only exists so other things can exist under it, like usr/src and usr/ports

ah

and yes, this is a bit odd. but it avoids an issue with shallow boot environments where /usr isn't copied

it would make more sense to just move src and ports to /src and /ports with zfs root but... you know... tradition (and UFS users) :-)

if ZFS's memory issues on small systems are ever fixed (and 32-bit systems are retired), maybe we can get rid of both UFS and /usr at the same time, just put everything on / like GNU Hurd does

greybeards will explode but this clearly makes sense

it makes sense to have a common parent for a bunch of nodes even if it cant have data itself...

cedb: if /usr has to exist, then sure, the unmounted usr filesystem is fine. but it also makes sense to just remove /usr entirely

tm512, I bookmarked this previous forum discussion which explains zroot/usr in some detail. forums.freebsd.org/threads/why-are-…var-not-in-a-boot-environment.59844

Title: ZFS - Why are /usr and /var not in a boot environment? | The FreeBSD Forums

/usr dates from the days of the PDP-11 where a single disk was too small to contain the entire OS, so you had to put some of it on / and some on /usr. 45 years later, this is just legacy cruft

lw: i dont know anything about the layout debates but i mean in general for zfs its useful

that way one can take a snapshot of a bunch of datasets at the same time for example

cedb: why do you find it useful? (i'm not arguing, i'm actually curious if there's a use case for /usr, especially on zfs)

lw: multiple roots on zfs? set canmount=noauto or off for the one not used

I think if Ken Thompson were doing it a second time that instead of / and /usr I can imagine it would be /os and /usr and usr would really remain the user disk on this imaginary second time around.

cedb: i don't think you need /usr for multiple roots. just have zroot/src and zroot/ports, they'll be shared between BEs the same way /usr/src and /usr/ports are today

lw im not talking about /usr specifically, just the concept of of having empty datasets

cedb: oh sure. i'm not arguing against the existence of zroot/usr as it is today... it's a bit confusing the first time you see it, but it makes sense to have it

zroot/usr a placeholder template so that other datasets can inherit from it.

i just imagine a future where usr doesn't exist at all :-)

And there nothing stopping anyone from reconfiguring their /usr/{src,ports} dataset mountpoints to /{src,ports} anyway

Since it has been all of these years I am hoping it does not change but I could certainly imagine an alternate timeline where things are different and still self-consistent and working.

rwp: the only issue i can see here is people with ancient systems that have been upgraded across multiple FreeBSD versions, running UFS, with separate /usr slice. then if you suddenly move everything to /, they will be a bit screwed. but that's a pretty niche use case nowadays...

I think it would all work to change it but then it would be different.

The only thing getting in the way of Just Changing It Locally is that then forever things are uniquely different for you on that system and everyone else is doing things the other way.

idk i like having longer prefixes

rwp: on a technical level, that's what everyone does with their systems using ports :P

The way ports "take over" /usr/local took me some getting used to. I rather wish pkgs went in /usr/ports intead (like NetBSD?) and that way /usr/local would just be for truly local installations. But I understand how things arrived there with compiled ports.

yeah, i dislike that too. i wanted to move my ports to /opt/pkg but that means you can never use compiled ports... and building ~900 packages for my desktop from source just takes far too long

But conceptually it is definitely possible to use different file system organizations. I have not test driving this yet but I want to test drive Gobo because they are using an interesting (interesting in a good way) file system layout.

Check this out: wiki.gobolinux.org/Overview/What-Makes-GoboLinux-Unique/index.html

Title: What makes GoboLinux unique :: GoboLinux Documentation

And also wiki.gobolinux.org/Overview/GoboLinux-Filesystem-Hierarchy/index.html

Title: GoboLinux Filesystem Hierarchy :: GoboLinux Documentation

They have basically organized things by topic rather than by type. I call that a 90-degree turn in how to look at and organize things.

so zroot/usr existing only for /usr/src and /usr/ports makes sense, I think I was being thrown off by zfs saying it was mounted on /usr even though it wasn't, and I almost would've expected zroot/{ports,src} instead with them being mounted at /usr/{ports,src} instead of there being a whole zroot/usr dataset just to contain those two

unless mounting zroot/ports to /usr/ports would be more complicated than what the zfs startup script is doing to auto-mount things

That forum link I posted above discusses things pretty well. It's just a mount point to use for inheritance and to fork those off of the root boot environment.

rwp: yeah, reflecting back on trying Gobo, I kind of wish they didn't alter the caps of the original package names in their /Programs directory

kenrap, I must imagine that the author came from a MS type background since it rather looks like that to me. But current Android also uses that convention too so maybe from there. Don't know.

tm512: sounds like you need to read about zfs a little, which is fair, its not exactly simple

i messed up my "multiple roots" on zfs setup once which was..not fun

To be fair that question about zroot/usr is frequently asked by many people who encounter it and go, what's up with that? A lot of people ask that question.

rwp: that's my only nitpick, rather than /Programs/LibPNG as mentioned on the site, just leave it as /Program/libpng, so it's easier to tab complete for the package names and be consistent with projects name case-wise

And I am oldschool where no self-respecting person would use anything but lower case letters, no vowels, and definitely no whitespace!

rwp: ye no shades i just meant, since zfs seems to be endorsed as a "why use ufs when you can zfs" one might expect to not have that much reading to do when in reality ehhh

Don't forget the "zroot/var" which is not mounted; is used to throw /var stuff around ( tech.lgbt/@parvXtl/110881340918873940 )

Title: parvXtl: "#FreeBSD #var_strewn_about #bootEnvironment #boot…" - LGBTQIA+ and Tech

cedb, I had zfs save me on a flaky bit of hardware last year and now I feel I owe it one. I have stopped using UFS except for the smallest of RAM systems.

And so far though sometimes people ask, what's up with that, there wasn't anything that anyone NEEDED to read or know. It all worked out of the box without needing to know that particular detail.

kenrap: yeah, the opposite; if it's mounted, then data in /usr is no longer part of the BE

cedb: I have been reading about it

I'm glad the automatic ZFS configuration the installer did was at least a sane configuration, so I can take this bit-by-bit

disk configuration giving sane defaults isn't something that's a given. in particular I strongly dislike when disks get broken up into tons of partitions as if I want to have an explicit cap on each main directory's disk usage

kevans: I found out by reading the fine manual here under "Boot Environent Structures": man.freebsd.org/cgi/man.cgi?query=bectl&manpath=FreeBSD+15.0-CURRENT, even learned there were differences with shallow and deep BEs by using canmount=off and canmount=noauto respectively.

Title: bectl

also re: zfs, it just occured to me today that if i do need to install Linux (for gaming), i could just install it on another boot environment (i.e., a filesystem under zroot/ROOT), boot it from EFI, and share my home directory etc. with freebsd. which is neat

If there is a problem it is that datasets are too lightweight and too efficient. And then people figured out how to use them in clever ways to provide for features like boot environments. And so then we have multiple datasets right from the start. But if you looked at my system you would find that I have created a lot of datasets for various uses. Because they are so easy.

kenrap: ah, glad I could help. (I wrote that, too :-))

kevans: awesome, you're the best! ;)

next thing I want to figure out about zfs is setting up an encrypted dataset to store passwords in and probably all of firefox's stuff as well. since this is a laptop, and the probability of theft is a bit higher

so if someone stole my laptop, they might get a free laptop out of it, but they're not going to get access to like, my paypal account or my bank account

tm512: I roll with GELI + a curse on my laptop for protection. it works really well

the curse is brilliant, the battery's fine but if you unplug from AC the laptop dies.

kevans: do you prefer geli over zfs native encryption? (because you can't boot from a natively encrypted dataset...?)

for that reason, but also for the longest time zfs' native encryption wasn't that stable/usable so GELI won out on my setups (and I haven't killed the habit of using GELI yet)

kevans, You actually drop the system when the AC is unplugged? Or your laptop just happens to drop when the AC is unplugged? I am rather in shock with the thought of it either way.

lw: theres this docs.zfsbootmenu.org/en/v2.3.x with instructions for different distros

Title: Overview — ZFSBootMenu 2.3.0 documentation

rwp: sort of makes sense with a little paranoia

cedb: interesting... i was actually meaning to look for a bootloader that could do this and wasn't grub, this looks handy. thanks

rwp: the latter, I think the integrated graphics end up drawing more power than spec'd or something to that effect, so the whole thing locks up

although it's not clear from that page if it can boot freebsd

it uses kexec so i guess not

The word "dies" that was used was disconcerting. I would see an immediate graceful shutdown maybe though. And now reading that gpu is pulling power to the point of drop maybe. Sigh.

this laptop also can't boot linux without panicking in i915kms, so the curse is very much so real

i think youd chainload with another bootloader first

It's cursed! What model of machine is it?

kevans: unrelated question, let's say you had a freebsd issue where the system completely hanged. how would you go about debugging that?

it's the initial iteration of the frame.work laptop

i guess first try over serial and see if it can still break into ddb?

lw: first step is see if the break-to-debugger sequence works to try and get a dump

I have a friend with one of those and so far I haven't heard him report problems. He runs Fedora on it.

yeah, serial also works if you have it

i don't have a serial UART on this system but i could connect a USB serial port... what is the break to debugger sequence?

(is this as simple as sending a serial BREAK?)

In this case though it seems like it does not matter what OS is running. I would start by seeing if it drops at the boot prompt. And then other systems. Isolate if it is truly hardware or not.

rwp: yeah, markj@ has another of this very same model. at the last bsdcan he had some linux on a flash drive to be able to drive the presentation displays... worked fine on his, panics on mine. no reports of weird instability from him

lw: serial BREAK is one, there's also a keyboard sequence... ALT+CTRL+ESC, maybe? let me double-check

kevans: already got geli loaded for encrypted swap, but it sounds like just using a native zfs encrypted dataset for what I want is going to be the cleaner approach rather than making a zvol and then piling geli and another filesystem on top

kevans, Just to be clear he was using his frame.work laptop, right? He wasn't using your frame.work laptop booting his USB boot image?

tm512, So far the wisdom has been not to put swap on zfs because zfs needs memory resources which also uses swap which can create a resource starvation deadlock.

rwp: right

So swap (so far) should always be always be on a non-zfs partition. And GELI supports ephemeral keys which are perfect for swap. Single use keys that evaporate. No one can scrape anything out of swap afterward.

rwp: it's not on zfs, it's a separate partition on the SSD that is encrypted with a temporary key

it's the installer's default for encrypted swap

That's all good then. No worries!

lw: there's one that's ~ ^B (see sys/kern/kdb.c:318-ish) -- but needs an option to enable it

rwp: i think swap on zfs is fine if you have enough memory. it's a problem if you're swapping due to serious memory pressure as it can deadlock

but you can't dump on zfs so... you probably need a separate swap slice anyway

kevans, That does sound like it is something specific about your frame.work machine. And if you had a bunch of spare parts you might be able to mix and match and swap GPUs and such and isolate to something specific that if swapped would avoid the problem. Can you boot on battery? Does it just boot for a while and then die? Obviously I don't need to know but it is an interesting curiosity.

rwp: I'm talking about zvols when it comes to having part of the drive encrypted

kevans: i don't have a sys/kern/kdb.c ... am i missing something obvious?

subr_kdb.c, sorry

ah

rwp: it'll actually run fine on battery until xfce fires up

but I generally have xfce fired up unless I'm hacking on an airplane, in which case I only don't have xfce fired up because I can't work on battery like that :-)

kevans: ok ic, so iiuc it's enough to have a (USB?) serial console connected, "options KDB", and type CR ~ ^B to break into kdb?

need to buy another USB serial adapter to try but this sounds fairly straightforward

KDB + ALT_BREAK_TO_DEBUGGER

(why does nothing come with serial ports nowadays...?)

That does sound like something in the graphics subsystem then. If it were me I might put it on a kill-a-watt meter to watch the power drain as it boots, disconnect the battery, boot it on AC power and see how much it spikes at that point. Might be a software workaround to slowly turn on GPU cores sequentially or something to avoid a sharp spike.

and I don't know offhand if USB serial as such will work, but if this is x86 you might have XHCI DbC support that could work with some WIP by hrs

is there a "write a crash dump and reboot" key sequence?

might be easier to debug this with a post-crash dump

rwp: the problem is that even if it's stable running xfce4 and oops unplug, it still goes awol... very annoying with cats

closest thing is break to debugger

Cats! And I bet that afterward they don't even show any sympathy at all.

not even a little bit

ALT_BREAK_TO_DEBUGGER is a kernel option? i don't see it listed in the default configs

yeah

alright, let's recompile with that and see what happens if the problems recurs

it's described a bit in sys/conf/NOTES

Speaking of serial ports, is there an installer image that would allow an install using the serial port console? Or must I build my own install image to do so?

rwp: doesn't that work on the default installer? i install bhyve VMs that way a few times

yeah, it should Just Work(TM). recent freebsd will even splat the installer out on all consoles rather than just the default console

I know 13 does not so I assume recent means I should try 14 on a serial port install which I have not yet done.

can't speak to 13 but i've done this with 14 and 15

on EFI though, maybe it's different with that awful CSM loader

Oh that is another twist I had not thought about. It might also be related to Legacy BIOS boot versus UEFI versus CSM.

The time has come for me to relocate. Good night all!

nn

i am mildy impressed that playing Factorio under Wine with ported Linux amdgpu GPU, my CPU is still idling at 2.2GHz / 32C

not sure who to be impressed by here though, maybe the Factorio developers for writing a game that actually uses CPU efficiently :-)

bleh so this *.pkgsave crap with using pkgbase is rather annoying. but I'm guessing sitting and waiting for FreeBSD to compile would be more of an annoyance

tm512: i'm extremely dubious that pkgbase will be ready for 15.0 release (as some people claim) when it still has no equivalent of etcupdate

lw: it might be because the same game under wine at times can run better with FreeBSD than Linux, but that's a rare occurrence. So you might be experiencing that.

kenrap: tbf i haven't tested it under Linux so it might just as well there

I still can't shake the feeling that I could pull off binary upgrades to -STABLE by using the snapshot sets

also i'm using wine-devel 9.2 which is not in ports (i submitted the PR yesterday...)

like mounting a boot environment, extracting the sets into the BE, and running etcupdate between my current BE and the upgraded one. I dunno though

tm512: you could try building from source with meta mode. i think i might have scared you off that the other day but it's *probably* okay for -stable where there are fewer changes

well it sounds like that initial compilation is just going to be an ordeal

yeah, if you only have a dual core cpu that's going to take a while, but you can leave it overnight or something

lw: how does wine-devel 9.2 handle WoW64 for you, like dealing with the 32-bit stuff?

kenrap: not at all, terrible, 0% success. i had to install 32-bit i386 wine from pkg.freebsd.org to run a 32-bit app

Gotcha, thanks for sharing that

i know very little about Wine though so it's possible there's some secret option i could set to make that work better

lw: kinda want to get a better idea of this laptop's thermals before leaving it entirely unattended going at full blast, tbh. it's probably fine, though

just under moderate load I've seen it go above 60C whereas my desktop more or less tops out around 60-65C

60C isn't that bad, laptop CPUs can be rated to 80-100C

i used to have a Pentium M laptop that was rated for 100C, that got pretty warm

kind of a good comparison too because this laptop basically has the mobile version of the CPU I've got in my desktop. an i3-10110U in the laptop and an i3-10100 in my desktop

I know laptops leave a lot less space for the CPU to "breathe" but this is a much lower-powered CPU too

but yeah I'd like to monitor how the laptop handles sustained load, like the equilibrium point between the CPU's heat output and the laptop's cooling. maybe I'm just a bit on edge because of how toasty my old laptop gets. I ended up turning it on its side when compiling ffmpeg from source so that the exhaust fan was pointing directly up, in an attempt to help it cool more effectively

lw: pkgbase doesn't need etcupdate?

pkg does all of the config file merging

kevans: i find that hard to believe, some changes simply can't be merged automatically. for example, how does pkg merge the root /bin/sh change to /etc/master.passwd?

or does it actually have an etcupdate-like interface to do this, and it just doesn't work when doing the initial pkgbase install?

i'm actually not sure what it does on conflict, the /bin/sh change was long enough ago that I don't remember how I crossed over it

initial install is definitely special, because it doesn't know anything about the config files it's clobbering

but pkg does a 3way merge that can handle a significant chunk of changes

doesn't pkgbase do some kind of config file backup policy thing, like making a *.pkgsave of them or something like that?

i have never seen pkgbase do that, but that's probably because ports mostly installs ".sample" files and never overwrites existing config files

I guess I'm recalling something else then

|Credits: The water cooler. (Note, this is the requested credit)

heh

ah, FreeBSD-EN-24:02.libutil is nice too... it should obviously be an SA, but someone managed to massage it into an EN because it doesn't technically affect the base system

ports don't get merging at all

config files are specific to base, anything fron ports is sample by policy

(I sort of wish sysutils/cmdwatch would get merged into base, but oh well)

(don't ask me why, I suspect it's because we don't have any control over those so it's higher risk)

|Using kqueue(2) with a process using rfork(2) can panic the system.

how the fuck is this an EN

a local user can panic the system? clearly an SA

Found via -current@ list: Unsuitable SSD/NVMe hardware for ZFS - WD BLACK SN770 and others, github.com/openzfs/zfs/discussions/14793 c 202304

Title: Unsuitable SSD/NVMe hardware for ZFS - WD BLACK SN770 and others · openzfs/zfs · Discussion #14793 · GitHub

kevans: well I just upgraded my 14-STABLE system through pkgbase, it just clobbered everything in /etc. I had to restore my configuration through the backups it created

(the *.pkgsave files)

parv: i saw that thread, wasn't the problem just that user didn't cool the ssd enough?

granted many consumer SSDs don't make it clear how much cooling they need

lw: I have not reached that point mentioned yet; the comments are certainly interesting

s/ mentioned//

... about half way there

Re ZFS issue 14793, OP did not mention if extra cooling solved their problem with WD SN770

** sigh **

parv: but imp@ did point out they had several temperature trips

lw, Wait are you talking about the issue on the mailing list or the above ZFS issue?

the mailing list

lw, Ah right. I have not gone throught _that_ thread yet. Thanks

i haven't looked at the zfs issue, i just read the thread as it seemed interesting

zfs eh

here machine just blew up with git

lw, Ok both read; both were interesting. (Next time: really need to get the SSd with heat sink & large(r) fans)

apparently git pull on ports asked to allocate up all the ram, so with 4g ram it was 3.6g wired, then kernel killed userland off to take more

was real wtf

had to limit git, but is it just git's fault?

note that i limited arc to 512m and kernel before it was like 256m so rest of that was that git, hmmm, mmapped?

sure, one could argue that everyone has 128g ram but meh

hw.physmem: 309188386816

some of us, anyway

ketas: there are ways to check out without using so much memory

ketas: were you asking about this in #bsdmips the other day?

yes

ah

and i solved it i think

yeah i was about to say, i thought you fixed that

well, by choking git, yes

rtprio: good for you

after i found this: ketas.si.pri.ee/misc/top-wired-out-of-memory.1707894761.txt

then i also found forums.freebsd.org/threads/server-f…sing-git-to-update-ports-tree.88651

Title: Server freezes when using Git to update ports tree | The FreeBSD Forums

i didn't realize what actually happens

rtprio: you have 287GB of memory? i'm fairly sure your system has nothing to offer as far as ketas' problem goes :-)

ZFS is still terrible in low-memory situations and this is a legitimate problem

sad eh

yep. sadly it doesn't use zfs

it?

the system with 256gb of ram

oh

i mean other tasks on zfs work here

reasonable speeds

git clone --depth 20 or --single-branch should help a great deal

unless you need full history

i used those suggestions there

to limit git

btw, it's really great that resolvconf puts in a bogus ipv6 resolver when the one in rc.conf is perfectly functional

your rdnss should work

# Generated by resolvconf

nameserver fe80::86d3:43ff:fe00:9a63%vtnet0

in rc.conf, tho?

rtprio: resolvconf doesn't do that... are you sure your router isn't advertising a DNS address?

no, and furthrmore what was in this file before was fine

meh dns at ll

lw: shouldn't it only do that if it's dhcp?

ketas: not rc.conf. i'm tired

rtprio: no, RA messages can include DNS server addresses

change it or make it work

or disable resolvconf

RA is in route advertisements?

*As

yeah

but, what advertises linklocal rdnss?

i don't think rtadvd did it

rtprio: yes, RA = router advertisement

rdnss / dnssl is awesome

use if you can

yeah, fe80 is local, the router shoudln't advertise as this isp isn't even using ipv6

it comes from isp eh0

?

rtprio: this has nothing to do with what the upstream ISP is doing... if the router thinks it has a functional DNS resolver, it may advertise its address as DNS server in RA

so isp has ra enabled but it isn't even working v6?

the fix for this is to configure the router to not do that

hope not

(assuming you don't want it to, anyway... my routers advertise correct DNS resolvers in RA messages)

meh "routers"

it's some consumer crap; i don't recall seeing how to turn off ipv6 on the lan

owwww

i miss my edgerouter where i could actually accurately control these things

i though v6 would go better

or at least clearly be aware of them

in cpe's

apparently not

why you can't have it?

own router

here i have it

rtprio: the only advice i can offer is to not use "consumer crap" :-D

the isp lowered the bill if we took it; and bumped the speed

i mean, you have 256GB RAM, surely you can afford a proper router

haha, you would thing

i think they wanted it because the isp can remotely manage it

my isp gives me ftth, they have their own little huawei gpon bridge, from there it's fbsd

oh there it is in "ipv6 lan setting"

ra service. dhcpv6 service .

fwiw on our MikroTik devices this is entirely configurable...

[lexi⊙celo] > /ipv6/nd/print where interface=vlan106

Flags: X - disabled, I - invalid; * - default

3 interface=vlan106 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=high hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes managed-address-configuration=yes other-configuration=yes dns=1:8b0:aab5:106::10,2001:8b0:aab5:106:3::8 pref64=2001:8b0:6464:0:66::/96

why the fuck is this on by default

/96?

ketas: NAT64 prefix is always a /96 because that's the size of the IPv4 address space (128 - 32 = 96)

oh

parv: yeah WD used to make good HDDs but their SSDs have been known to be sucky for Linux when they started making them. Not surprised by its ZFS problem here.

unsure who makes good hdd's now

ketas: Crucial, Seagate

i decided i'll mix manufs

that's the entire list as far as i can tell

crucial hdd? :)

oh hdd

then just seagate

with ssd i don't even know

buy Exos, everything else is just bad

buy two different and mirror?

ketas: if you can get the right details from your GPON provider, you can get a SFP(+) adapter that does both [EGX]PON - so you use that as a demarcation point and terminate the FTTH in your own device that's plugged directly.

i used to buy only seagate hdds

eh... in my raidz i have 4x Exos and 4x HGST, but i don't think HGST make disks any more

but now i went all 3

or at least they don't tell them to ordinary peons

s/tell/sell

HGST is now just a datacenter brand from WDC.

debdrup: well i could

Inland makes really reliable (nvme) SSDs imo and I would put Crucial as a 2nd to them.

debdrup: tell me more about this. GPON is encrypted, right? how do you get the encryption key to terminate it yourself?

There are only three big manufacturers of spinning rust left, who've bought up the rest.

but those sfp's are kind of same

they run full os

they told they don't do other cpe's

debdrup: i'm interested in this becuause our FTTP ONT has what's obviously a standard BIDI SFP in it, and i'd love to just put it into our switch and do away with the ONT...

well i guess i could run own sfp

The SFP(+) modules run a RTOS that does the PON deencapsulation for ingress and PON encapsulation for egress, yes - but it's better than having a whole device sitting on the wall, if you can swing it.

lw: that's why you need details from your provider

it's tiny free device

actually i know huawei sfp gpon onts exist

debdrup: what details do i ask for? our provider is fine with very technical questions so do be specific :-)

FiberStore have them.

lw: LOID, username and/or password are what you'll usually need.

i asked isp but they they told no

serial here

Yea, they might also need serial cloning.

i was actually wanting sfp but then dropped that idea

instead i wrote monitoring script for hg8010h

debdrup: what's the username/password for? is that a GPON thing? we have a PPPoE username/password but that runs on top of the fibre

pppoe still?

oh god

ketas: yeah, everything in the UK uses PPPoE, it's a cultural thing

i mean i know why it's used

fs.com/de-en/products/133619.html is what I ended up grabbing, if memory serves - but you'll want one that matches the specific transceiver details.

but

Title: GPON ONU Stick with MAC SFP 1310nm-TX/1490nm-RX 1.244G-TX/2.488G-RX Class B+ 20km DOM Simplex SC/APC SMF Optical Transceiver Module (Industrial) - FS.com Europe

Yea, PPPoE is pretty widely deployed in both the UK and Germany, still.

imagine doing 1gbit/s via pppoe concentrator

ffffs

It's why ng_pppoe(4) has been updated in FreeBSD fairly recently.

ketas: yeah, that's what ng_pppoe(4) is for.

glad that i got rid of it

debdrup: i think the issue here is our ISP isn't responsible for the GPON backhaul... they just get a PPPoE connection over the backhaul network. so in that case i guess they can't provide us with the details we'd need

isp found way to provide dhcp

so it's dhcp+dhcpv6+ra

and second dhcp in vlan for tv

apparently what content providers require

also qos maybe

lw: ah yeah, if they're doing the fiber equivalent of getting access to the eBSA on the DSLAM (sorry, I don't remember the right vernacular for it, most of my ISP knowledge predates wide fiber deployment), that'll make it difficult to actually hand out anything but a pre-configured CPE device.

debdrup: fortunately no issues with the CPE, but i think the service they pay for is "transport PPPoE from A to B"

so our CPE works fine as long as it does PPPoE

debdrup: does that sfp work here?

ketas: depends on the transceiver details and where "here" is

(which it does... i just find it extremely silly that the Internet comes in as fibre, then it converted to copper, then is plugged into a 1000BASE-T SFP...)

Multiple VLANs with varying kinds of auto-configuration isn't an issue, because that happens on the Ethernet layer - the SFP modules just terminate the PON itself, and pass the Ethernet traffic to the host device that the SFP module is plugged into.

debdrup: i heard that despite gpon is like standard, they use huawei olt's and they have their own, iirc, encryption extensions... and to question why ffs huawei, they told, that it was only one which worked... even used lawyers to get interop but no dice

fuck standards eh

the fiber-optic discussion is strong with this one

so i kind of dropped the idea

they might also upgrade network

then my sfp is useless

switch i have in place doesn't have sfp too :p

but that's easy fix

i actually have ones with that

managed switches are miracle and i'll never go back

before it i used those cpe's with vlan switch chips in them but that's so crappy

a manged switch is just a box with a switch chip in it...

true but

those speedtouch cpes telia used here suck

now it's same shit different name

they *do* vlans

i also used wrt for that

also does vlans

ketas: can I please ask that you use commas instead of an enter button? Reading the stream of conciousness text can be.. difficult, and you're not in a rush to write out things as IRC isn't short for Instant Relay Chat, but rather Internet Relay Chat :P

maybe

but isn't it often like single sentence or so on one line?

lw: a managed switch and an unmanaged switch both have a switch chip in them; the difference is that the former has a control pane that lets you configure some of the details of the switching, whereas the latter _just_ switches between each port.

debdrup: yeah, sure i know that, maybe i was a bit imprecise

ketas: getting too bogged down in it wasn't my intent, it's just easier to read a conversation between multiple people if everyone tries to avoid stream-of-conciousness writing, that's all.

i recall unmanaged switch hacking, they do have config ports

although tbh i find it quite funny to describe Atheros or Realtek crap as a "switch chip" when compared to proper ICs... but it's not wrong

they run full l2 in them anyway

you just don't see it

lw: the fun part is when an unmanaged switch uses the exact same chips as the managed ones do, just that the place where the flash chip to store the control pane OS is unpopulated on the circuit board.

perhaps bit better asics?

Switches don't use ASICs.

what do they use then?

huh? isn't a switch chip an ASIC by definition

i mean, i know a lot of them nowadays have a complete CPU on the die, but

so they run an os?

i'm always wondering how do they work

I guess it depends on the specific device, but the ones I've seen use dedicated switching ICs, meaning they could in theory be ASICs that come pre-loaded with a switching core.

to forward frames by mac, isn't it complex

debdrup: you aren't confusing FPGA and ASIC are you? a switch with an FPGA core would be odd, but a switch chip is kind of inherently an ASIC since the "application" is "switching" (or routing)

Where ASICs _really_ get used is for those CPE devices that claim to do way faster speeds than the ~500MHz MIPS/ARM CPU can handle (which is also the case for the Unifi Security Gateway, for example).

have lookup tables for every port, etc

lw: yes, yes I am.

ketas: I mean, I wouldn't be surprised if you can find devices that work like that - doing LUTS is cheap in circuitry design, afterall

LUTs

s/$/*/

hmm cheap?

all hw?

Well, cheaper than including a FPGA, at the very least.

I never said all hardware..

those things run some code?

There's too many ways to design circuits for ICs, and you'll probably not be shocked to hear that circuit engineers are rather opinionated. :P

FPGAs do.

ketas: re: how switch chips work: the entire thing is based on a type of memory called TCAM ("ternary content addresible memory") which is best described as a hash table implement in hardware. for each frame received on a port, the IC looks up the destination port(s) in the TCAM and forwards it.

hmm

hw hash table eh

lw: that's assuming it's a store-and-forward chip, yes.

(L3 TCAM is more complicated, it's a TST in hardware, which allows shortest-prefix matching)

Cut-through switches do a whole-ass different design.

but sw can be implemented in hw

debdrup: aren't all switches store-and-forward nowadays? (honest question, i really have no idea)

i find cpu's complex

lw: nah, anything requiring low latency is still cut-through, as far as I know.

hmm, i wonder what the Marvell switch chips in our kit uses

they are L3 switches, so i assumed they use TCAM to support prefixing matching

apparently you can also do ip in hw

It's a more expensive design to be sure, so you won't find it in chips where the customer isn't expected to pay a premium.

for speed

ketas: sure, that's "easy".

It's a bad idea for a whole bunch of reasons, but you _can_.

ketas: yes, all "carrier-grade" gear does IP in hardware, and usually MPLS in hardware as well

how?

That's what I was talking about before; those CPE routers all do IP in hardware.

simply by implenting logic in circuit?

ketas: how -> TCAM. you store the routing table in TCAM, then you can ask for the best match route for a specific IP address.

the reason this gear is expensive is that TCAM is expensive

The problem with doing IP and routing in hardware is that any time you're looking to do something even slighty custom, you're suddenly not on the fast-path through hardware, but going through the CPU.

(well, that, and that Cisco/Arista/etc. know that ISPs will pay a lotof money for it)

There's no way to do +10Tbps in software, though. *shrug*

imagine how horrible it was to switch to ipv6

throw chip out

..what?

:p

implementing a TCAM switch chip for IPv6 is really not difficult at all

the cost in supporting IPv6 is mostly around the software to interact with it

but it's a new chip?

well, yes, but every new model of switch has a new chip in it

why is v6 adoption slow btw

i've had it for 20 years

It's over a quarter century old.

because there's no benefit for western ISPs to implement IPv6, so why would they?

first tunnel, 10y, then native, 10y

look at somewhere like India, IPv6 adoption is huge there

> 50% of *all* Internet traffic in India is IPv6

some servers got vy

v6

fb, google

FB, Google are not ISPs

To be clear, it's more about the cost it'd require for existing ISPs with big IPv4 allocations.

well i was talking about other side too

there is a huge cost to ISPs to support IPv6 when you consider the cost to replace CPEs, to provide tech support, etc

There's a _shedload_ of middleware devices that'd all need to be upgraded.

this cost is not insurmountable, and in the US, Comcast deserved credit for their IPv6 support

CPEs and tech support aren't that bad; the first get cycled out fairly regularly, and tech support is a running cost.

but you can understand why most ISPs just don't bother

v4 still works?

:)

Nobody's disabled it so far.

Well, no ISP.

i'm fairly sure that any ISP that provides IPv6 also supports v4, yes

I don't do v4 on my LAN because I'm a nerd. :P

v6 only lan?

although my VM provider doesn't give me an IPv4 address. they charge more for that.

but they aren't a consumer ISP, so...

v6-only LAN with FQDNs, yes.

ketas: v6 only LAN is possible but comes with a lot of caveats

lw: i recall seeing a cheap provider that charges extra for v4 addresses

rtprio: [#freebsd] <lw> although my VM provider doesn't give me an IPv4 address. they charge more for that.

rtprio: yea, I've seen that.

i have wondered about doing v6 only lan for some devices

if i did more v6 i would need to carefully plan firewall rules

since it wouldn't be hidden behind one or two ports of nat

v6 only works great with Apple macOS or iOS and fairly badly with anything else, because Apple is the only vendor who put the effort into making it work

fw is needed anyway

NAT isn't for security, anyhow.

An ACL is needed for network security, irrespective of whether or not you have NAT.

i have vpn tunnel to my phone so it has own v6 ip

isp itself told that no v6 on mobile is because no device support

unsure

that sounds like nonsense, *all* phones support IPV6-only because a lot of carriers require it

yes, i could restrict my web page but i don't see a lot of point in adding an acl to that

actually my phone has hidden v6

Phones have some of the best IPv6 deployment, yeah.

it does volte, for that it does ipsec over ipv6 apparently

fun eh

but there is somehow no "wan" v6

phones are fuckup too

much as i love talking about ipv6, i have to go play Factorio, but /msg me or something if you have ipv6 questions, i'm always happy to help

watch out for biters

don't have to go

could stay here

debdrup: well nat only allows outbound traffic, typical fw rule setup

so it's kind of fw

NAT is _not_ a firewall.

most of times it has some fw rules too

anyway

No, it doesn't.

i can't come up with any solution that doesn't do nat with what's essentially a fw

packet filter

however you call it, you can't access host behind it

Go ahead and treat it like a firewall if you think it'll protect your network from all the things designed to do NAT traversal - it won't, but you can believe it all you want.

no it won't protect from it

if you need outbound filtering, you need fw

If you need packet filtering, you use a packet filter.

if you're on the Internet, you need a packet filter

but mostly on inbound?

You need to packet filter inbound packets as well. NAT will not filter packets.

NAT outbound implies inbound

much like i could have know in the inside of front door

it translates the inbound packets to an internal host

knob

wut? ur a knob

well nat drops inbound traffic if no state

it has nowhere to go

except to host, and there you have "actual fw" probably :p

besides, every host needs to be secure actually

I don't really care what you do on your network, as you're presumed to be responsible for what happens there - but it's bad advice to tell people that NAT functions like a firewall when it demonstrably does not.

we need to build things like that

it functions kind of one wat forwarder then?

y

one wat forwarder then? y?

what

Can you use a hammer on a screw? Sure. Should you?

debdrup: yes. you should.

orz

bang

I give up.

Do whatever you want, just don't give actively harmful advice.

noone should think nat protects tho

i am joking, but honestly, i would probably use a hammer on a screw if it was the easiest way to get it into the hole

this is why i am not a professional builder though

but that's now how most gets in

not

it's just that with actual routing, if no fw, everything gets passed, in and out

wasn't nat traversal from in to out anyway?

that needs fw

fuck knows, maybe everyone needs outbound fw too nowadays

someone decided to ddos me here, i can't filter it out because src is spoofed :p

can't point my finger anywhere too

despite 2 months of free net test

call it whatever you wish, with nat you need state mapped from inside to outside. bound to 3 hosts

stateful firewall with no outbound filter does same thing

Hello, with BSD Make the "$<" character appears to not point to the first dependency. Is there another variable to use or do I just need to hardcode that usage?

matthewp: $< (or .IMPSRC) is only defined in suffix-transformation rules, depending on your requirements you might use $> (or .ALLSRC)

ah no $> is also only defined in transformation rules

no $> might work

As the surgeon said, "let's operate and find out"

soundl like my appendix surgery

tm512: was it a pre-existing pkgbase install, or was this your first use of pkgbase?

lw, ping

trying to setup a very very basic nfs share for /pool0 to anyone on the network, i went with V4: /pool0 -network 192.168.1.0/24, but when i try to mount it on some debian client with `mount 192.168.1.188:/pool0 /mnt/fbsdnfs`, i keep getting access denied by server

any ideas?

`showmount 192.168.1.188` shows the pool0 export on the fbsd server as well as the debian client

good luck. you can try getting the error code from tcpdump and looking up the error code

i'm assuming you're trying to mount from a port < 1024

also, i've forgotten how it's supposed to be, but i have "V4: /" on a single line, then a separate line for the specific mountpoint(s)

Title: RFC 7530: Network File System (NFS) Version 4 Protocol

yeah, i think it might be your exports syntax (even if it's coming up in showmount, according to the manpage, the V4: [...] line does not actually export)

kevans: first use of pkgbase. do subsequent installations properly handle merging config files and whatnot?

tm512: yes

ideally bootstrapping pkgbase would be the same version you're already on so that you can more or less restore everything from .pkgsave safely

Hi all, quick question which I am looking for guidance. When I run # pkg ccheck -d -a I receive >>> pkg: No packages available to install matching 'openssl111' have been found in the repositories

I have posted the question in #opnsense as well (since the error comes from target opnsense system). unfortunately, I have no idea how to investigate this. Please any suggestions?

uf: your mount -t nfs needs to also state tha tyou're using nfs v4

it's 15:54 my time. there are ~15 messages in the last half hour (back to 15:27). then nothing for the prior 4 hours. did others experience that as well? i'm connecting through IRCCloud, and i think it fails to pick up everything in this channel sometimes

Somewhere in the Handbook I recall reading that it suggested, and I do too, that unless you really need v4 that one should use v3 as it is simpler and trouble free.

scoobybejesus: yes, there was a long period of silence from utc 1630-2023

okay thank you rtprio

cybercrypto: it seems like that error message is saying that nothing requires openssl111

do you have an openssl3 installed too

?

what are you trying to accomplish running `pkg check`; is there another problem

rtprio: pkg ipmi is complaining, I read from this log:

ipmitool has a missing dependency: openssl111

ipmitool is missing a required shared library: libcrypto.so.11

This is the openssl package I have installed: openssl-3.0.13,1 (no other, to my knowledge)

I am trying to sandbox an update (which I did and worked all the way) but now... when running pkg check, i got this error - which I dont know why.

>>> There are still missing dependencies.

Of course, the update worked and completed ok, I am trying to understand what is this 'error' before upgrade the production.

di the update straddle the openssl111 to 30 update?

rtprio: Sorry, I dont know how to answer that quesiton.

lw

one must be careful using index() in perl to find a match.. it will NOT always give you what you expect.