is anybody here bored right now and has a working linux docker environment?

depends, what do you want to do?

jbo:

souji, somebody submitted a build that failed in form of a Dockerfile and I don't have a setup ready to test it

souji, simulton/QSchematic #65#issuecomment-1950975618

Title: Build faild when disable QSCHEMATIC_BUILD_STATIC under linux · Issue #65 · simulton/QSchematic · GitHub

65 – certian password entry errors confuse vipw forever bugs.freebsd.org/bugzilla/show_bug.cgi?id=65

I'll take a look at this

souji, is my understanding correct that it's a matter of copy-pasting that Dockerfile and running docker? or would that be more effort for you?

jbo: no, I think I just need to build the image

jbo: For me it does not find the headers QPointF and QObject

souji, so same issue then :/

wait a second...

souji, how good is your docker knowledge? All I know is that this builds out of the box in a Ubuntu VM and some other Linux distros - but don't have a docker based CI

it should make no difference if you build it in a docker container or a VM

that's what I thought - hence I was wondering if somebody can reproduce this :)

does the build work in a VM?

yes

also in the github action runner

what OS do you use?

Ubuntu 2-something

although that is not building & installing the GPDS dependency manually, instead it uses -DQSCHEMATIC_DEPENDENCY_DOWNLOAD=ON

builds also work under FreeBSD

In that case it might be some debian problem

I'll try to use a ubuntu image for the docker container

souji, I hope that's not a major effort on your end.

jbo: did you also tried to run it with: QSCHEMATIC_BUILD_STATIC=OFF?

souji, interesting...

souji, that is indeed failing o.O

souji, I just checked and the CI has not been updated for that scenario

souji, seems to work on FreeBSD. time to investigate why those includes are not being found. I can certainly reproduce this in an Ubuntu 23 VM

ok, at that point I have no clue how CMake works... Good luck

I appreciate your help, thank you!

no problem

fixed :)

nice :)

what was the issue?

Title: cmake: Fix qschematic-wiresystem-test target · simulton/QSchematic@66a7cb1 · GitHub

forgot to update the CMake script of a test case which was still hardcoded to link towards the -static target .__.

ah ok xD

jmnbtslsQE, please include my nickname in the message so I get a notification.

Back to php, Let me give you an example: I'm asking which is better to use to get to the store bus or train, and you answering - you better smell food before eating...

man, I really love bectl(8) so much. It's a helpful companion for the CURRENT user. Takes away the fear. :)

kenrap, I had so many times issues with bectl

how come?

its ok if zfs is working properly, but once it become corrupted - recovery and mounting partitions become sooooo difficult, next to impossible

IMHO - recursive snapshots + !!! exporting snapshots to some external/ different storage regularly is a MUST

bectl basically substitutes a boot environment with snapshots ..

nerozero: how often do your zfs filesystems become corrupted?

Degraded =/= Corrupted, I had couple of times issues loading zfs after upgrading

On a related note, I do take advantage of making recursive boot environments with the -r flag when creating them

lw, I had it twice, 1 happened when upgrade the bsd, second time due to hard drive issues

snapshot =/= backup, the backup is when you put your data to a different storage media, better - not connected ( all the time ) to a given machine

On the same installation I'm using, I went from 13.2-RELEASE -> 14-CURRENT -> 14-STABLE -> 15-CURRENT and didn't have a single zfs corruption

I will consider doing the backup approach as well

it was back when freebsd was not build around openzfs

But my lesson was lerned hard

if I recall correctly it was 12.x -> 13.0 but maybe it was earlier

I could have a dedicated external drive to store my exported snapshots backups

And exported snapshot gives you a chance to restore entire system on a different machine from scratch

zstd doing compression quite fast so pipe zfs send to zstd

if recover is need - just prepare new boot partitions on a fresh drives and receive back your data

Sounds great!

keep 1-2 snapshots on the machine so in case of troubles - you will be able to roll back quickly

and do not forget to make recovery freebsd live usb drive

always handy

yeah, I need to download a (working) CURRENT usb img to flash a usb drive with.

In my case I bought 64GB fast flash drive and installed headless bsd there

with read/write access to it, but you can do the same with a live image, you just need to modify a mounting type and expend it to entire drive, not too hard to do

how do you modify the mounting type of an img?

that would be something interesting for me to keep in mind

kenrap, you dont, you can modify content of the live image on say usb drive

mount it and growfs

and change fstab

you can install a new ports there afterwards say vim is a must to me with some plugins and some poudriere keys

gotcha

Title: Chapter 20. Storage | FreeBSD Documentation Portal

if I recall correctly image mount its partition in 2 steps, so you need to do that twise on both partitions

I just figured out on my own how to resize the old school MBR slice partitions and then the freebsd-ufs partition for the usb filesystem, since the img file flashes with the MBR table. I haven't done this before in FreeBSD, so that's how "new school" I am here

and now I can growfs(8) it

Awesome!

and make install to it from what I already built with my CURRENT build

ages ago I used to build my own kernels, now days it is way to time consuming and hard to maintain, so I stick to generic

AFK

That's how I was with my Linux days, but overtime I got so tired of it when I didn't want to deal the tediousness of rebuilding because of missing driver/module and just wanted to use generic kernel with their initramfs built in. In this case with FreeBSD, I rather have the GENERIC prebuilt modules there ready for devd to load them just from plugging something compatible in. No fuss and it's GSD-friendly.

GSD == Getting Sh*t/Stuff Done :)

some people do linux because gsd

that's not my point, and of course sure.

Hello.

How can I dedicate a separate ip for jail?

...add the following lines to /etc/rc.conf:

defaultrouter="192.168.1.1"

what should be here?

what if i connected through 192.168.100.1 router?

hi , i just installed samba419-4.19.4, now there is no start script in /usr/local/etc/rc.d no more

never mind, it wasa me

Any developers/committers around? I've got sparc related question I'd like to ask in private ;)

kaktus: elo

y0

kaktus: now that you're here I've got someone to blame

i blame freebsd

ketas, people that do linux because gsd probably don't have any serious stuff to get done :p

(mostly joking/teasing)

lw, ping (question regarding sublime-music)

jbo: hi

lw, good morning

lw, I guess I should give you the courtesy of taking back the sublime-music PR? :D

lw, I recall that when we talked about it you said it needed python 3.11. According to the patch 3.10 is fine too?

jbo: i built it with 3.11 because it's what i have here, 3.10 should work

I can already feel the pain testing this

jbo: based on the comment that 3.11 is coming "soon" and we'll skip 3.10 entirely, we could just make it require 3.11 instead of spending hours building 3.10 to test it

lw, before I run into the same trap again: did you successfully testport for 13.2-RELEASE and 14.0-RELEASE too? :)

lw, yeah, that is what I was thinking too...

no, because i don't have X/Wayland installs on those versions to test with, i'd have to set up dedicated VMs or something

maintainer gotta maintain, bro :p

so everyone who maintains a port that uses X keeps a VM of every supported FreeBSD version around to test on?

I do

and most maintainers I know do too

there is no hard ruling but maintainers are expected to test (also runtime test) their packages on common configurations/setups.

lw, I'm wondering whether we should just sit it out until 3.11 has actually become the default - rather than handling the sublime-music PR upfront and having awkward discussions about it. What is your opinion on this? Are you in a hurry with this PR?

does that make anything easier? the testing procedure is the same, it's just a case of setting DEFAULT_VERSIONS+=python=3.11 in your make.conf(s)

if I read the patch correctly DEFAULT_VERSIONS+=python=3.10 should work too, no?

lw, I have limited CPU time. right now I only have one 32-cores/256GB-RAM box left for dicking around. I take it that this would probably take up +10 hours :D

but I don't have a good feeling for the python deps tree

nerozero: your question is nonsense

it's also not related to freebsd

lw, I hope I didn't piss you off - honestly just trying to get your opinion!

nerozero: unless you're talking about ports and packages when you say "modules" - in that case you just upgrade to lang/php$VERSION, then lang/php${VERSION}-extensions

(though the extensions one also has PHP has a dependency)

jbo: you 'only' have one machine with 32 cores and 256GB RAM? maybe that's why all this compiling seems so easy for you :-) i have to test everything on my 8-core desktop, and poudriere kills interactive performance

nerozero: if you're upgrading extensions, ensure that lang/php${V}-extensions build the same extensions as what you currently have installed

jbo: yes, python3.10 should work too, but then you don't know if it works with 3.11, right? (i guess this makes python ports hard to test because you have to build with every python version, it's a bit easier in this case since only 10 and 11 are supported, and i assume we don't need to test with 12)

jmnbtslsQE, thank you for reply. No I dont use php-extensions

lw, I have two machines with 28-cores/126GB RAM each and one with 32-cores/256GB RAM. but only the latter one is currently not busy. My desktop is a rather slow i7-8086k with 64-GB RAM. I am desperately trying to raise the money for an upgrade to a Xeon w5-3435X :D

lw, yeah, as a committer I'll have to test for both 3.10 and 3.11 if I do my job properly right now. hence I'm trying to understand whether it's worth the pain or whether we can wait until we have 3.11 as default :D

jbo: also, this is not a trick question (i promise): you have to test on 13 and 14 before your commit will be approved, right - you can't just take my word for it that i did that? so isn't it a bit of a waste of time that we both do exactly the same testing? :)

jbo: i can't answer that, i guess it's a question for python@

nerozero: i think the php-extensions port/package is a good way to install the extensions that you want. you just need `make config` to choose the extensions to install (or `poudriere options [...]`

if you don't have any extensions to install then there is nothing to do than just upgrading the PHP package/port

jbo: my feeling is that since 3.11 is about to become default, and 3.10 has never been and never will be the default, it makes more sense to just test on 3.11, but apparently my feelings don't exactly align with the project on this

Yes I do have poudriere but due to php often putting staff unto core modules the extention ruining everything

lw, the review/approval is only because I'm still under mentorship. that might go away soon (or not) but it's unrelated to being a regular committer. To actually answer the question: as a committer I'm responsible to ensure that nothing stupid happens and I will take the heat if it does. as much as I do appreciate your skill and experience I don't think that any committer would currently push this without properly testing it :p

lw, well, some of the project's decisions are also not on par with my preferences, but rules are there for a reason - I adhere to them even if it's not what I would be doing myself :)

partly also because there is a shit ton of stuff I simply don't know (yet)

there isn't a rule on this, is there? (what python versions you have to test on... at least besides the default, which is 3.9)

so - if there is no specialized approach like do-upgrade -from=php81 -to=php82 then IMHO there is no straight forward way which is works

s/unto/into/

part of begin a ports committer is "be reasonable". Right now I would be pushing a port which cannot work with the default version and 3.11 is not there yet so I feel like I should also be testing with 3.10 given that this is not an unlikely scenario that users are currently encountering.

btw, you'll have to install navidrome or subsonic to actually test the app, it can't play from local files...

(or i could give you vpn access to my instance temporarily)

nerozero: what do you mean by module ? i have not had problems with this approach for some time: build updated extensions package, which includes the extensions that i want, and build updated php package. install them on a test instance and ensure it works. then install in production

lw, as a committer I am not responsible for runtime testing, only build testing. runtime testing _IS_ the maintainers job.

nerozero: the only extension i've had issues with is YAML, which can be built manually (not sure if that is the issue you encounter)

ok

lw, I appreciate that you are willing to consider giving me VPN access to your instance - that is very telling :)

like openssl recently was moved into core

jbo: please leave it for now, i'm busy at work and also need to do some tech work and home and won't have time to do this for at least a week or two (it's probably going to take a couple of days to test at least)

s/and home/at home

and a lot of other minor changes

upgrading from 7x to 8x had A LOT of different things. Anyway thanks for reply.

lw, alright. but just to be clear: This was supposed to be an open discussion - not me trying to be opinionated. I am very willing to move this forward before 3.11 lands if you'd like that. It will definitely take a couple of days tho.

OK

lw, so if you're even the slightest amount of salty about this please let me know now :D

lw, other than that - I am looking forward completing 277020 and 276996 :)

in the mean time i hope the package builder gets around to building the security/krb5-ldap flavour that Cy made for me

sounds like you're surrounding yourself with the mighty power of the committers lol :D

(apologies for the long review durations on my end - can't do much about it - part of the process of learning on my end).

well, by 'made for me' i mean i opened a PR and he committed it, we didn't have a secret meeting about it :-P

hah :p

lw, any ETA on the other two open PRs? (absolutely not necessary if there's none, just in case I could plan in the CPU time slots)

jbo: for 276996, do i need to test with every (supported) Go version?

i think, rather than doing this manually, it might makes sense setting up a local CI instance i can do automated testing on

lw, don't quote me on this but in this case I would expect the maintainer to test against the default go version only but definitely for 13.2-RELEASE and 14.0-RELEASE (and 15.0-CURRENT in your case).

not sure what people use for that other than gitlib which i really dislike

lw, you can setup different environments in poudriere and then just have a shell script. that is what I usually do. and when it comes to testing different port option combinations (which we have to), I do those by hand.

poudriere doesn't help with runtime testing, i'd need something to install the package, set it up with a config connected to a postgres instance, etc (at least for the exporter, wine i guess has to be tested by hand)

lw, I think(!!) that the situation with go versions is a lot less dire than with python versions. Hence my "opinion" above.

lw, as long as it's headless you can use the poudriere interactive mode. I do assume that you can have the postgres instance external to that jail.

anyway, i need to do some home work this week which is becoming more urgent (mount a new access point, move a couple of things to the rack, replace a switch...) which it going to take up my tech time for a few days, hopefully that'll be done in a day or two then i can look at setting up testing for those PRs

sure - no hurry from my side.

Howdy, folks. :) Apparently I am missing where encrypting ZFS datasets on FreeBSD is documented. I just went through docs.freebsd.org/en/books/handbook/zfs and did not see what I need to set up an encrypted ZFS dataset. Is this covered elsewhere than in the handbook?

Title: Chapter 22. The Z File System (ZFS) | FreeBSD Documentation Portal

unixman_home: Best to use GELI. The installer will do it.

unixman_home: Native ZFS encryption has many issues.

mason, thanks!

unixman_home, Good background article: klarasystems.com/articles/openzfs-native-encryption

Title: OpenZFS Native Encryption | Klara Inc

unixman_home, I strongly disagree on the native ZFS encryption has many issues comment.

I am using that very successfully for many years. From what I can tell, the only real drawback nowdays is that it exposes the datasets (i.e. an attacker will now that they exist even if they can't decrypt them)

rel: forums.freebsd.org/threads/geli-vs-zfs-encrypted-dataset.84721

Title: ZFS - GELI vs ZFS encrypted dataset | The FreeBSD Forums

rwp, jbo, thank you!

jbo: Um. There are a bunch of data-loss bugs, some quite recent. It's dangerous code.

jbo: If you want to risk your own data, fine, but let people know about the risks rather than party-lining them into data loss.

are those bugs documented or are they just some rumor?

tsoome: Pretty extensively documented.

you can't get more secure than lost data ;-)

link?

tsoome: Nope, busy just now. If I get some time. If you ask in the ZFS channels, someone will have a compilation handy. PMT used to maintain one and still might.

paulf, lol

mason, I'd also be interested in seeing those links (totally understand that you're busy now)

Once I'm done migrating VMs I'll dig it up, unless someone finds it sooner.

Here, actually. This is a reasonable read: phoronix.com/news/OpenZFS-Encrypt-Corrupt

Title: OpenZFS Native Encryption Use Raises Data Corruption Concerns - Phoronix

And PMT just noted openzfs/zfs #15837

Title: Permanent zpool errors after a few days of making natively encrypted zvol snapshots with sanoid · Issue #15837 · openzfs/zfs · GitHub

15837 – NIC: ex0: Intel EtherExpress Pro/10 stopped working bugs.freebsd.org/bugzilla/show_bug.cgi?id=15837

As I recall the majority of bugs I have read about recently were in the area of send|recv of encrypted datasets. Which I could imagine would have some corner-case issues for sure.

> A Phoronix reader wrote in today about an OpenZFS data corruption bug when employing native encryption and making use of send/recv support.

indeed.

rwp: That last one is just snapshotting.

So, if you avoid snapshots, it won't bite you? =cough=

Also of note, look at the span of time FreeBSD's ZFS has been impacted. These are not new and not going away terribly fast.

It's worth noting the history of the issues.

Title: permanent errors (ereport.fs.zfs.authentication) reported after syncoid snapshot/send workload · Issue #11688 · openzfs/zfs · GitHub

11688 – clarify send-pr categories... bugs.freebsd.org/bugzilla/show_bug.cgi?id=11688

I have never been an early adopter of things like this. I am still waiting for 14.1 before I upgrade. I have not installed zfs native encryption yet. Still using GELI on the laptop.

I found 14.0 compelling enough that I've got it rolled out several places. I'm probably 50/50 right now.

rwp: Note that the most recent bug linked goes back to FreeBSD 12.

Title: Decryption errors start occurring after several days of uptime · openzfs/zfs · Discussion #15267 · GitHub

I am a little confused about those bugs. 15837 seems to be unrelated to zfs. 11688 seems to be a documentation bug? I don't know as I did not understand it at all. 15267 looks like a serious one in the area of send|recv though.

Anyway. Today, I'm clearing one of my Debian hypervisors so I can one again have a dedicated FreeBSD hypervisor/jail host. I've got VMs hosting jails now, but it feels like time to shift my infrastructure more solidly to Debian, migrating services to jails, etc.

i've seen that bug with sanoid causing data corruption on encrypted datasets... i posted on fs@ about it a while ago (no response though)

It'll be super useful when native encryption is as solid as most of ZFS. Illumos, for instance, inherits Solaris's lack of stacking block layers, so there is no equivalent to GELI or LUKS that can work on Illumos. Native encryption would fix that.

That native encryption doesn't allow for multiple keyslots, however, has bothered me a lot since before it was released.

Tragicomically I have a friend (running Ubuntu) who is compiling OpenZFS top of tree in order to avoid some of the known bugs in the Ubuntu stable release. But he was complaining that he keeps needing to keep compiling a new version due to the continuous finding of new bugs.

rwp: That's partly exacerbated by Canonical introducing new bugs of their own randomly/accidentally.

So yeah, people build their own and dance through hoops to suppress the shipped versions.

Meanwhile... I have not hit a zfs bug in FreeBSD during my normal use which is repeatedly doing the same things and I am not poking into the corners and it has been very solid for me for the last two releases 12 and 13 that I have been using it.

rwp: That and the immensely better integration is part of my ditching Debian on several servers.

there was also a fun bug in 14.0 where any write to an encrypted dataset would cause data corruption, but that only happened if you loaded ossl(4) which isn't the default

so... i can certainly understand people wanting to avoid zfs encryption right now

Let me be clear... *I* am avoiding the fun new features. But I do want *all of you* to use the new features. Work the bugs out of them before I get there! :-)

haha

FWIW, I just remembered/found openzfs/openzfs-docs #494

Title: Proposal: Consider adding warnings against using zfs native encryption along with send/recv in production · Issue #494 · openzfs/openzfs-docs · GitHub

I am poking at a different corner of things though. I am trying to run 4 displays. Anyone have that working?

If I add a second graphics adaptor (AMD Cedar HD 5450 using radeonkms) then of course I am forced to create an xorg.conf file, which I do as a snapshot of the running configuration with one graphics adaptor installed.

Then I install the second graphics adaptor of identical type, boot, vt console is okay, xinit then immediately crashes with a kernel general protection fault!

Logged "trying to bind memory to uninitialized GART" and other associated errors.

I pulled the card out so I could keep working on other things. But I need to start down the kernel debugging path on that one.

i would be mildly surprised if anyone had even tested DRM with two cards, tbh

A few years ago I was running xorg with two nVidia cards as my daily driver. If you ignore the "xrandr --setprovideroutputsource 1 0" magic incantation needed then it did work okay then.

Unfortunately life and time is what keeps everything from happening all at once. I will /suffer/ through only being able to use 2 displays for a while longer. :-)

heh

If I have to modify the REQUIRE line of an rc.d script, I assume I uncomment it?

CrtxReavr: no, that's a magical comment which is parsed by rc(8), leave it commented and just edit it

'k

Quick question with the security(7) man page. It talks about making sure that PTYs in /etc/ttys are specified as being "insecure" so that direct root logins via telnet(1) are disallowed.

Is this man page out of date? As far as I knew, telnetd isn't part of the base system

or is it in reference to those that still use telnetd?

RoyalYork__, I think you are correct. Though the feature is generic I rather understand that /etc/ttys is designed for hardware serial port terminals.

thanks

lw, that's not working.

I need named to start after dhcp6c is started.

Title: View paste 5EPQ

I think I see the issue.

Just ran a pkg upgrade and didn't catch that it removed Firefox, which appears to be missing from FreeBSD 14 quarterly. Any idea why this might be?

Title: Fallout list - FreeBSD pkg-fallout

hm, failed in build-depends firefox-123.0_2,2 depends on package: libvpx>=1.14.0 - not found

ah I see - I guess I should have snapshotted before upgrading packages. Still, a bit frustrating that I'm left without a working browser :(

seems like someone put firefox 123.0 into quarterly without checking that the changed dependencies are there as well

eek

stupid question, but will I need to wait a quarter for a fix?

ShinyCyril: you can temporarily work around it by installing it from latest

but yeah, not great.

hm, is cmt@ here, he cherry picked the firefox update without cherry picking the libvpx update

@dstolfa thanks for the tip - managed to install the latest libvpx :)

ShinyCyril: nah, the quarterly ports tree can be fixed by putting the libvpx update in there as well and if there are reasons against that, then by reverting the firefox update and then the builders have to build the fixed tree

Snapshot early. Snapshot often!

RoyalYork__, I spent a little time reading security(7) and honestly I am disappointed in it. It reads little like an authoritative OS manual and more like a personal blog posting of hints and allegations that one finds on the net.

As a blog we would forgive lack of detail because we know the person probably does not look at the source code. But for an OS manual I really expect more authority and detail. It reads as very slack writing to me.