00:10:57 hi all.
00:12:23 I'm thinking about installing 14 on my laptop, which is a Lenovo Legion 2021. Anyone tried it already?
00:13:00 HCL doesn't say much, probably is outdated :\
00:25:16 I am interested in running Pi-hole in a Linux jail, is this feasible or should I be looking into running a Linux VM through bhyve?
00:25:28 I see some forum posts of people setting up Linux jails.
00:35:49 <[0x1eef]> pedrohex: I don't know about Lenovo Legion. But 14 runs well on my Lenovo Thinkpad L14. I get by without wifi support. I'd suggest to try it and see :P If there's any problems it is usually wifi or graphics card, and there's usually alternatives depending on your requirements.
00:41:13 [0x1eef], I thought 14 fixed the wifi problems. Graphics: isn't the nvidia driver available?
00:41:35 it is..
01:35:12 beastwick: You can do fancy things with jail networking and vnet.
01:35:41 beastwick: I've been thinking about this myself just today, as I need to get a test environment running, and Chromium under FreeBSD appears to be a bit fragile.
01:45:22 mason I have seen Linux Chrome in a jail as the use case
01:45:52 mason I will probably attempt the jail first, if that proves too hard then I will move on to the VM
01:46:29 mason I can't see the jail not working though for this use case, the Linux compat layer runs some really interesting/good stuff these days, really cool
01:47:31 the list of native Linux games that work is surprisingly longer than I would have expected, if that's your thing, so I can't see Pi-hole not functioning, unless for some reason it requires messing around with pf for packet routing, which I doubt
01:48:53 beastwick: I need Chrome (or Chromium) in a jail, and OpenConnect. I can do OpenConnect in a straight FreeBSD jail. Curious if it'll work in a Linuxulator jail.
01:49:30 Ideally my stuff will work just in FreeBSD but it's not just at the moment.
01:49:38 is openconnect related to openvpn? I just tried to do openvpn in a jail, stopped because of the aforementioned must do some pf fu for packet routing
01:50:10 ironically, might be easiest for me to put openvpn in a light VM
01:50:15 i really would like to isolate it
01:50:32 beastwick: Different. It's Cisco's VPN.
01:50:51 And it works nicely in jails.
01:51:16 gotcha, I will take a look at that
01:53:02 beastwick: I don't think you want it if you've not got Cisco's AnyConnect on the other side.
01:55:50 oh yeah true, I don't :D - I take it that AnyConnect isn't free
04:27:36 my microphone doesn't seem to work in freebsd
04:44:39 Dang. 13.3p1 was hard to install on a 512M ec2 instance. heh.
07:47:58 morning
07:50:08 morning
07:50:21 Morning
08:02:23 morning
08:12:05 Evening.
10:48:27 Anyone see why bsd.network seems to be offline?
10:50:31 Because they like to be offline, of course!
10:50:54 No seriously, except for the server admins, nobody knows unless they publicly announce something.
11:07:15 remiliascarlet: Seriously, yes, I was hoping someone had heard something. :) Say, from the server admins. :)
12:46:47 Hi, I need to move/delete one file that's on a broken sector (or whatever it's called in zfs). When I try mv I get Input/Output error, how can I force its deletion?
14:12:19 https://trioptimum.com/~crtxreavr/tmp/MemTest86-Report-20240328-143548.html
14:49:55 hi! can anyone take a look at this? https://github.com/bazelbuild/bazel/discussions/21734
14:49:55 Title: no template named 'enable_if_t' in namespace 'std' · bazelbuild/bazel · Discussion #21734 · GitHub
14:51:06 I'm trying to build the library OpenXLA, which uses Bazel, and it seems to be having issues detecting the right gcc version
18:30:46 I have @work a FreeBSD host that we are using for forwarded logs from many systems. The log file for that data is between 155 GB and 165 GB daily. The newsyslog log rotation is set to archive up to 5 of these and is using bzip2 compression. The log compression is taking over 15 hours each day. I have been pinged about the extended CPU usage by our VMware team. Will I gain any compression speed using one of the other compression options available with newsyslog?
18:32:08 unixman_home: yes - try the 'Y' flag to use zstd, which is much faster than bzip2 and should still provide good compression
18:33:21 zstd(1) allows quite a bit of configuration over the speed:compression ratio balance but i'm not sure if newsyslog exposes that
18:33:57 lw, okay thanks. In hindsight I should have looked to see if I could find any comparison data for these compression algorithms, mea culpa. I'll do that now. :)
18:45:32 zstd has an adaptive mode, which is supposed to adapt the compression strength to max out the throughput
18:51:07 unixman_home: another option would be to use ZFS compression - overall compression ratio might be lower, but since it compresses on the fly, cpu usage is smoothed over the day with no spikes
18:53:41 Got it.
18:53:55 This host is using UFS.
19:00:58 unixman_home, you can try xz too - even with default options it's faster than bzip2 and has better compression.
19:01:45 VVD: amusing timing for that :D
19:02:33 ?
19:02:37 VVD: https://www.openwall.com/lists/oss-security/2024/03/29/4
19:02:38 Title: oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
19:02:40 your sshd might become slower though ;P
19:05:08 <[diablo]> Hi good evening #freebsd I hope you're all well
19:05:49 <[diablo]> I've got a new motherboard with an AMD 7840HS CPU, and I'm not getting any thermals with 13.1-RELEASE-p9 ... anyone know what could be wrong please?
19:07:26 [diablo]: i can't remember which temperature sensors are built into the kernel, but try 'kldload amdtemp' and see if it helps
19:07:40 > Due to the working of the injected code (see below), it is likely the backdoor can only work on glibc based systems.
19:08:35 xz -V
19:08:35 xz (XZ Utils) 5.4.5
19:08:35 liblzma 5.4.5
19:08:44 <[diablo]> hi lw good evening, yeah that module is loaded
19:09:06 <[diablo]> it's in the kernel
19:09:14 VVD: this particular issue depends on systemd as well, and freebsd imports xz without the autotools required for the backdoor and the tests
19:09:30 there might be more things that weren't caught that we are vulnerable to, however. but this particular issue isn't one on freebsd at least
19:09:45 [diablo]: and you don't have the dev.amdtemp sysctl nodes? in that case not sure, sorry :-/ (that driver works for me, but this is a 7800X3D on 15.0 so quite possibly needs a different driver)
19:10:07 er, 5800X3D
19:10:34 <[diablo]> nope, nothing
19:11:22 <[diablo]> TBH this FWIW is TrueNAS, but as it's a kernel module I jumped in here
19:11:56 on x11vnc it's not possible to close port 5900 on ipv6?
19:21:46 dstolfa, my understanding from our security team is the sshd vulnerability does not affect FreeBSD. TBH, I have not looked into it personally and am just relying on an e-mail our sec team sent out.
19:22:13 unixman_home: it doesn't, see my comments above. there are a number of reasons why this doesn't work on freebsd
19:22:18 unixman_home: it doesn't... but there's some concern the user might have done similar things to other projects
19:22:34 (for example they worked on libarchive, but apparently those commits have been audited and are fine)
19:23:04 Okay, my apologies for not reading all the things before jumping in, dstolfa. :D Thanks, lw.
19:28:31 Hi
19:28:43 how to debug service restart? https://0x0.st/Xzik.txt
19:29:34 -v doesn't help much
19:40:16 can thermal paste on a laptop go bad after only 3 years?
19:40:19 as5
19:40:26 not cheap stuff by any means
19:41:16 i had freebsd do an emergency shutdown while not doing anything particularly intensive
19:41:30 due to acpi thermal trip
19:44:57 Dust, bad fan
19:45:02 Bad sensor
19:47:25 i don't get something, i manually edit /etc/passwd, but changes are ignored
19:47:59 vipw...
19:48:00 wt
19:48:03 eoli3n37: don't edit /etc/passwd, use vipw(8). on BSD, /etc/passwd is generated from /etc/master.passwd, vipw does that for you
19:48:12 thanks
20:38:04 sfox, Unusual. Not impossible. Dirt blocking airflow more likely. Failing fan more likely. But physically something wrong with the cpu cooler attachment maybe. I do this work a lot so I would be comfortable removing and inspecting.
21:57:21 hm, how do I debug local-unbound? I only get SERVFAILs, upstream dns server works
22:04:14 nimaje, I hear that and I must ask if your clock is set? unbound by default will check DNSSEC and that depends upon time being correct. Resulting in what you are describing. One possible way from the many ways things might fail.
22:05:17 nimaje: the only advice i can offer is to not use local_unbound; install it from ports and configure it normally. i found local_unbound opaque and hard to manage and i'm not really sure why it even exists (i guess so DHCP magically works...)
22:08:38 which reminds me - does freebsd include a DHCPv6 client nowadays?
22:08:50 man -k dhcp and dhclient(8) suggest not
22:15:29 I found the logs meanwhile, it says "local-unbound[45068]: [45068:0] notice: init module 0: validator" and "local-unbound[45068]: [45068:0] notice: init module 1: iterator" but no idea what those mean
22:16:18 clock is correct
22:16:52 nimaje: 'validator' means it loaded the DNSSEC validator module and 'iterator' means it loaded the normal recursive DNS module, both of those are normal
22:17:11 to rule out a DNSSEC issue, you could temporarily remove 'validator' from unbound.conf's module-config
22:17:12 I also am not using local-unbound because for some reason it does not install correctly for me. Therefore I am using unbound (not local-unbound) and just configuring it normally.
22:19:31 Additionally sometimes I am debugging because DNS is not working but what is not working is the domain I am looking up and DNSSEC is bodged up. Now I always start with https://dnsviz.net/ and look at the report on the domain first. If it is broken then I will know why DNSSEC is failing. Seen that problem several times. DNSViz site FTW!
22:19:32 Title: DNSViz | A DNS visualization tool
22:19:52 dnsviz is great but it's more for debugging authorative server issues than local recursors
22:20:22 authoritative? idk how to spell that
22:23:26 Yes. But if the upstream domain is broken then the downstream unbound can't validate it and sometimes that is the problem I see rather than local resolving being entirely broken.
22:24:05 Basically there are an infinite number of ways for things to fail. But only one way for things to work correctly.
22:24:07 ok, seems like the upstream dns server in this network doesn't support dnssec
22:24:33 If there is no DNSSEC then that can be scratched off as not the problem.
22:25:35 nimaje: did turning off DNSSEC in local-unbound fix it? i am interested in this issue since i haven't run into it before
22:26:01 i would have thought unbound would fall back to recursing itself if its forwarders returned invalid dnssec data or didn't support it at all
22:26:50 If the upstream domain does not have any DNSSEC records then everything works using traditional DNS without it. DNSSEC is not (yet) required.
22:27:04 I know you are reviewing the /var/log/messages logs but there are no other clues to a problem in there?
22:27:17 rwp: yes, i think the issue here though is that unbound is configured to use a forwarder, and the forwarder doesn't support DNSSEC, which is different to the domain itself not having DNSSEC records
22:27:45 ... which is not a situation i've run into since all my recursors support dnssec (and run unbound :-)
22:28:07 Where was the data point of DNS being forwarded stated? I don't see it. I don't think we know the exact unbound configuration yet.
22:28:35 no, maybe not. i think that's how local_unbound is configured by default in the rc script though, right? it takes the contents of /etc/resolv.conf and turns it into unbound config
22:28:40 All we know is "I only get SERVFAILs, upstream dns server works" and I don't know exactly what that means.
22:29:16 (tbh this is why i don't like local_unbound, you really have no idea what it's doing behind the scenes...)
22:29:28 Hmm... I guess I don't remember what local-unbound tries to do by default. I just know it failed to work for me. So I fell back to the regular unbound pkg.
22:29:55 i remember having some issues with it too but i don't think that was dnssec related, i don't remember what the problem was now
22:30:29 I am using unbound with forwarding for my own domain and it works okay for me with forwarding.
22:31:16 yeah, i just set up anycast unbound here and it's working well, i think i'm still going to deploy a local unbound from ports (not local_unbound) to get DNSSEC validation on the local host though
22:31:39 maybe if i do that i'll give local_unbound another try and see how it goes
22:32:22 lw: yes, disabling validator "fixed" it
22:33:13 nimaje, As I understand it when using forwarding the local nameserver has no sec information and is relying upon the upstream nameserver to perform validation.
22:33:41 the config here sets the dns server given via dhcp as forwarder for "."
22:34:30 Therefore with BIND I must set "forwarders { 192.168.230... }; forward only; dnssec-validation no;" for named. But for unbound it seemed to do this automatically.
22:35:49 possibly related: https://www.ctrl.blog/entry/unbound-tls-forwarding.html
22:35:50 Title: Actually secure DNS over TLS in Unbound | Ctrl blog
22:36:40 (DoH + DNSSEC-validating resolver should be end-to-end secure...)
22:36:41 in another network it works fine, not sure what the problem here is, but shouldn't dnssec work too, even if passed through multiple recursive dns servers?
22:37:12 nimaje: it should, but some broken resolvers might reject recursive queries with the dnssec flag set. interested to know what dig says?
22:38:13 "dig example.com @resolver.ip.address +do" or something
22:39:12 actually maybe delv is better for this since it provides more explicit output
22:39:18 % delv le-fay.uk ns @dns.svc
22:39:19 ; fully validated
22:40:33 no dig in freebsd, but drill gives back some RRSIG if I pass the -D flag, which should make drill use dnssec if I understand that correctly
22:41:09 drill is the same syntax as dig.
22:46:34 hm, if I replace dig with drill in that command I get NXDOMAIN, does that mean dnssec validation fails? I can't find +do in drill's man page
22:51:29 nimaje, as to lw's request, this is what I see here using my local resolver: https://termbin.com/ae1c
22:51:43 (since https://bsd.to is still offline)
22:52:51 And this for dig: https://termbin.com/s5ue
22:54:34 I have always used dig. I had heard that drill was supposed to be dig compatible. But, I guess it is not!
22:55:09 after a bit of fighting with pkg I installed bind-tools and tried delv, yes, that upstream dns server doesn't do DNSSEC correctly
22:55:27 With drill -D here: https://termbin.com/kfa5
22:55:55 So... Time to use a local caching server? Or to switch to a different upstream nameserver?
22:56:27 Good hunting! I am run IRL. BBIAB.
22:58:45 well, local_unbound is a local caching server, but maybe time to let it do all the resolving, instead of using whatever dhcp gives me as upstream
23:02:22 seems like drill is compatible with dig, just the man page is incomplete (+do made a difference, NOERROR vs NXDOMAIN)
23:12:10 Number of packages to be removed: 25 ...whenever I see this doing a pkg upgrade, it always induces a slight panic. /py37 stuff, nothing to actually panic about
23:31:10 x11vnc -rfbportv6 0
23:31:28 to disable listening on all ipv6 port 5900
23:31:33 not documented
23:47:57 hm, py37; forgot to run pkg autoremove for a while?