so i guess no swap for me because 13.3 had a bug in it

alepzi, Did you find a bug report on it? Sharing is caring.

I am running 13.2R here due to using the radeankms module out of precomiled pkg packages and those are compiled against 13.2R.

no bugs.freebsd.org/bugzilla/buglist.c…tring&query_format=advanced&v1=13.3

Title: Bug List

alepzi, After I fixed the /etc/fstab entry I simply rebooted. I had no reason not to and I wanted to ensure that everything worked at boot. With the fixed /etc/fstab my 13.3-RELEASE-p1 system has swap enabled okay.

is that the 1 that didn't have swap before but it has it now?

Yes. I must have missed putting anything in /etc/fstab for swap on that system. It's actually my zfs backup server so its only function is to backup my other zfs machine which is actually in use. So I never noticed that it did not have any swap configured.

oh what was the error you had in /etc/fstab? maybe i have the same 1

The error was that it was zero sized. And it had apparently been zero sized since install based upon my looking at old snapshots.

mind showing me the before/after for the relevant /etc/fstab line?

Here is how I looked at old snapshots and the fixed version of the file. termbin.com/i3j3

where does it show 0 sized and where does it show the new size?

the 0 0?

I did that for loop because I didn't think wildcards were expanded in the .zfs directory. But they are. So that for loop was silly. This works: ls -l /.zfs/snapshot/*/etc/fstab

In ls -l output the first column is file mode, then number of inode links, then user, group, then size. In my paste the size was 0 for them all, then datestamp month, day, year, then filename.

i don't understand what you're saying. so what does the working fstab line look like?

I showed it in termbin.com/i3j3 but here is a paste with nothing but the /etc/fstab file for swap here termbin.com/37nn

ok well my fstab line looks the same and it doesn't work for me so *shrug*

I am using geli encrypted swap using ephemeral keys.

ya i configured encrypted swap too

Here is what it shows when I swapoff, then swapon, (just to show the messages), then swapinfo. termbin.com/cecl

Do you get errors when you swapon?

Also for me "gmirror status" shows me the swap mirror since I am using an array so I have swap mirrored here.

This section covers it but for non-mirrored swap. docs.freebsd.org/en/books/handbook/disks/#swap-encrypting

Title: Chapter 20. Storage | FreeBSD Documentation Portal

And they do fancy stuff which I don't think is needed now since the defaults are okay.

when i run swapoff it says no such file or dir

swapon -a still says invalid parameters

anyone know why the encrypted swap on my host isn't working? termbin.com/c4yx is my host's ZFS config in bsdinstall installerconfig

why is it that a thick jail can run n daemons, but a thin jail can only run 1 (ONE) daemon?

Because if you put multiple daemons in a thin jail, it's more likely they'll conspire to escape.

april fools answer or for reals?

It's been the 2nd of April for almost 12 hours now, but it was indeed a joke.

"cool"

alepzi, There is no reason you can't put two things into a jail. But one of the goals for jails is isolation so it is divide processes up into logical modules. That's regardless of thick or thin jails.

ah so the advice i heard somewhere (can't remember) that thin jails should only run 1 daemon was just opinion and not a hard fact?

I think that is just a design choice decision. Definitely not a hard fact.

tyvm rwp

Let's get our definitions in sync though. Think jail means a non-clone dataset or regular file storage. Thin jail means a clone of a template. Right? Or something different?

yep

template being a snapshot of a base

Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal

thin jails, clones of templates, can have their own state that builds up over time right? even though they start with the same immutable base

Thanks V_PauAmma_V as that is a good thing to have understood.

I think the thick jail can do pretty much anything. It's the default way to do things.

I think that thin jails are an optimization. Good for when one is doing something that the disk space optimization helps with.

But if one is running a long running jail and is upgrading the jail then over time the files from the clone that are shared will be removed and replaced. That will expand the disk space and obviate the benefit from the clone.

but thin jail is immutable shared base (template clone) + their own individual files/state right? because i can't see how n thin jails could be useful if they could ONLY be immutable duplicates of eachother

So clones are great for temporary ephemeral jails created on the spot for something and then discarded afterward.

The template is shared. Then cloned. The clone is a live modifiable file system. It will act like a full file system after that point.

what if it's never upgraded? can the base part stay immutable, and have it just build up its own state over time?

I think thin jails should never be upgraded. That's a design choice. It's not prevented or anything. But instead I think if upgrading the jail a new clone would be created from a new template and a new jail created and configured from it.

yea

exactly

And also it just is not worth creating a clone for a thin jail if preparing one jail, or even five jails, since disk space is not really a problem these days. But if creating 100 jails in parallel then that is where it is beneficial. Or creating 100 jails one after the other in sequence.

a template is just a snapshot of an expanded base right?

Correct.

Start with a dataset. Create a snapshot. Clone the snapshot.

so let's say i want to advocate fbsd and give out shells like the old days. so i expand base into dataset, snapshot, clone 1000x, then add a tiny customization to each 1 (pub key), then 1000 ppl each get a shell account on their own install

that sensible?

Uhm... Sure. I might not do it that way. But it is a valid design. It would work.

how would you do?

I just give people a login on the system without the jails. (shrug.) That's the way it has always been before jails. Works.

if you have to ask, its not.

ask what?

Yes, ask what? I don't understand either.

So alepzi here is the problem I see with the clone for 1000x shell logins for people. How do you upgrade the jail?

People will have their own data there. And probably would have made customizations such as installing whatever ports/pkgs they need. This makes it hard to discard the thin clone jail and then build a new jail because that would lose all of their customizations.

yep

so what if the user thin jail is configured so /home is on a network share so after blowing away thin jail and recreating, user ssh back in and their user files are still there?

That would be good for the user files. And if the user only installed files in $HOME/bin for example and never pkg install then that would be okay.

..amazing

freebsd is the best OS to ever exist

FreeBSD is an excellent system. And it just keeps getting better.

But in all honesty other systems also have features which are similar. FreeBSD just has almost all of the good features in one place.

And ZFS is one of those killer features. Which has fledged out like a baby bird and now has left the nest and is now available on other systems.

When using ZFS and the ZFS feature set it is the same on the other systems that also support ZFS.

1 thing is freebsd needs to realize rust isn't just a meme and the hype is real. base needs to get rewritten in rust piece by piece. that would make freebsd take its lead back from linux

Jails and FreeBSD networking is another one of those features that I find a lot easier to work with on FreeBSD than on other systems. Can be done on other systems. But not as easily as using FreeBSD jails.

patches welcome

really? i read the mailing list thread about it a couple months ago and ppl kinda said no because it meant bundling the rust toolchain in base i think?

don't remember and don't totally understand

I am also not convinced that rust is the path to paradise. It's not without cons.

there's a good amount of build support required, but it's certainly feasible to integrate as an external toolchain

imo the people with the build-fu aren't motivated by the rust part, and the people with the rust-fu aren't motivated by the build part

rwp ya i hear ya but i've been learning it for a couple months and imo the hype is real. try it yourself? (not snark)

i mean i didn't mean that as snark, i really meant try it

ok maybe i can learn kevans ty for the nudge

one of the key points of the thread is that you won't be rewriting something incredibly load-bearing in rust to start off with

you kind of have to sell the benefits and ease its way in

ya, a tiny leaf function

or smth

I have spent time learning rust and working with rust. I admit I am not enthralled by some of the syntax. I would say I prefer Go-lang syntax better.

I haven't seen that in FreeBSD the big problem is memory safety. FreeBSD is a mature software base and AFAICS the main problem is not bad pointer access.

I think if we took the entire FreeBSD code base and if we were able to do a mechanical automated translation to rust that in the end we would have exactly what we have now. It would just be a different language. But things would pretty much be the same thing we have now.

there are logic bugs and stuff that fall out too tho

Is Rust as fast as C in every circumstance ? Or as portable ?

fast ya, probably not QUITE as portable

yet

another thing is, the next gen will be doing way more rust than c or even c++

so it's good for longevity

True. I was studying Rust for a while. I've since switched focus to Zig instead.

zig seems cool

like it?

If you want to get up to speed on the rust debate then here is the start of the recent discussion. There are a lot of good points throughout the thread. lists.freebsd.org/archives/freebsd-hackers/2024-January/002823.html

Title: The Case for Rust (in the base system)

Yep, so far I like it a lot.

nice

Hi guys, I'm trying to install 32-bit wine on FreeBSD 14.0 amd64. The handbook instructions freebsdhandbook.com/wine seem to be outdated, and I'm having a fair amount of trouble with this... is there updated documentation out there?

Title: Chapter 11. WINE

Ah, I see!

Ok, so I'm still having quite a lot of issues ;) It seems that wine in amd64 tries to install both 64 and 32 bit versions..? At least it asks me to run /usr/local/share/wine/pkg32.sh install wine-devel mesa-dri. Even when that is done however, I get the errors wine: could not load kernel32.dll, status c0000135.

Trying to pkg delete wine-devel and installing wine fails however, since the pkg32.sh script has installed a lot of stuff that pkg delete does not remove. How do I purge a wine-devel installation?

Figgured it out :) /usr/local/share/wine/pkg32.sh delete wine-devel mesa-dri; pkg delete wine-devel; pkg install wine; /usr/local/share/wine/pkg32.sh install wine mesa-dri. Works well now. This stuff should really be in the handbook I think.

So, if I understand it correctly, only wine64 is available for amd64 FreeBSD, and only 32-bit wine for i386 FreeBSD, in recent releases?

Hm, it seems that pkg32.sh installs a 32-bit wine with dependencies in ~/.i386-wine-pkg, but I don't know how to use this. Trying to rm -rf ~/.wine && ./.i386-wine-pkg/usr/local/bin/winecfg fails with "Make sure that your X server is running and that $DISPLAY is set correctly." The wine instructions in the handbook really needs revision...

dansimon: what you're referring to the handbook isn't. All official FreeBSD documentation is on doc.freebsd.org and anything else is not just out-of-date but also suspect.

For example, the version you're looking at predates documentation move to asciidoc+hugo as well as a whole redesign, and quite a few changes to the wine section in particular: cgit.freebsd.org/doc/log/documentation/content/en/books/handbook/wine

Title: doc - FreeBSD documentation tree

As for the rest, it sounds like issues with your PATH and other environment variables.

hey i have a question

what filesystem do you use for external backups?

just wanna know in case i break my system

A good backup follows a 3-2-1 strategy; 3 copies of the data, 2 different mediums (both physical as well as filesystems and online vs offline), 1 off-site.

To further improve your backups, read up on and implement RPO and RTO.

And do remember, if you don't automate testing of your backups, you don't know that they work when you need them.

yeah that's what ive been intending to do

alepzi, what makes you think Rust is just a hype?

According to Simon Laux from DeltaChat, switching from C to Rust is one of the best decisions for them for their core library

Farooq: those are two separate issues. "Rust is just a hype" is, indeed, giving it a little bit too little credit for what it's achieved in the past 8 years.

hmm

There might be actually a hype but that doesn't mean Rust is just a hype

Do we have an offtopic channel?

yeah iirc there is

But, a that's not what alepzi said. They said that "rust isn't just a meme and the hype is real." and that "base needs to get rewritten in rust piece by piece. that would make freebsd take its lead back from linux"

Linux already has Rust in the kernel. so I'm not sure we're taking any lead from them there…

Is there a thing in FreeBSD community to not steal stuff from Linux?

Like it's bad to take leads from Linux?

anyway, comparing DeltaChat (a mail based messenger) to an operating system is a non-starter.

I was trying to argue that Rust is not just a hype

And that it's useful in many cases

In OS, however, I don't have experience so I wouldn't comment

yeah, but it's hard to integrate

The build-system alone would eat three engineers, and keeping up with updates at least another two

The biggest proponents of rust have no idea what it's like to not work with it when not greenfielding code.

We need time to find good use-cases, and we need to integrate them in a way that doesn't blow up our build times to infinity

That's a good summary

Rust has advantages, yes - but it's not free of undefined behaviour, and some of the biggest downsides to C which rusts attempts to fix, are also addressed by things like CHERI, which only run on FreeBSD (for now, there's nothing stopping anyone from adopting it for something else).

s/C which rusts/C and C++ which rust/

okay these are topics I need to learn

what is CHERI? What is greenfielding code?

Farooq: "greenfield" is writing new code from nothing; what we're dealing with is a 30+ year old code-base.

ah I get it

often called a "brownfield"

(might be derogatory, i don't know)

of course decisions in 30+ year old code base is nothing eassy

For example, let's say you do replace all of FreeBSD with rust - what happens with all the hand-optimized in-line assembly optimizations for things like memset(3), memmov(3), and other parts of the standard library? You're going to, at the very least, inline that same code in rust, and that means doing it in an unsafe manner (which rust considers undefined behaviour, I might add).

Our code in DeltaChat wasn't even 10 years old let alone 30

debdrup, yeah I see. Using inline assembly in Rust is unsafe

I can't say I'm too interested in other bits of code.

Fun fact: For my Genetic Programming research I thought Rust is the best option. Then I realized Lisp is

Farooq: we're working on updating to C17 +GNU extensions, so our move to C23 can smooth: reviews.freebsd.org/D44145 (this is a whole stack)

Title: ⚙ D44145 Disable C standards under C99 from kernel build

There's ~14 million or so lines of code in FreeBSD, that'd need to be rewritten, and by the time you're done you've surely introduced enough undefined behaviour to have run into at least one nasty failure case that rust won't protect you from.

debdrup, the thing is that, IMO, if you are gonna use all unsafe code in Rust, why use Rust anyway? unsafe code in C is much better than unsafe code in Rust to my knowledge

It's simply a non-starter.

Farooq: not really…

If you wanna talk about greenfielding code in FreeBSD, then you need to carefully consider the amount of uplift that comes in the form of toolchain modification.

like Rust compiler doesn't give you much of information when you write unsafe code in Rust and fail but C compiler does as far as I've seen

I never talked about greenfielding

It's the only alternative to rewriting everything.

TBH, I have no comment or opinion when it comes to an OS

unsafe code in Rust is, at least marked in with a keyword (most of the time, let's not talk about undefined behaviour lol) in C the everything is potentially unsafe. But, we have a lot of tooling to scan our code for these kind of things

anyway, Farooq, "the hype is real" means something else than "it's just hype"

I see but my point is that when your unsafe Rust code fails, there is little tooling to help you debug it

meena, yeah I misread that

I was kinda hyped too thinking Rust will do good for my GP research

There is a Persian proverb: "Anything is made for some specific purpose"

That is, you can't rule everything with just one language

Anyway, CHERI is cool

CHERI _is_ cool.

Title: Department of Computer Science and Technology: Capability Hardware Enhanced RISC Instructions (CHERI)

This? cheribsd.org

Title: CheriBSD

yup

CheriBSD is the fork of FreeBSD made to run on CHERI architectures.

hmm I see

Most of the people who work on it also have commit to FreeBSD, so we often get some improvements back

Even if they weren't committers, getting code upstreamed to minimize their own patchset is also just pragmatically the best reason to upstream.

debdrup: we actually have a CHERIfied linux, but CheriBSD is what has most of the interesting work

a lot more engineering was put into CheriBSD

there's also cheriot.org

Title: CHERIoT Platform | Welcome to the CHERIoT Platform, a hardware-software co-design project that provides game-changing security for embedded devices.

Huh, I wish I'd known about freshports.org/sysutils/archivemount earlier.

Title: FreshPorts -- sysutils/archivemount: Mount archives with FUSE

wow cool

can you write files back to it into the archive? or just readonly

I only just learned about it, so *shrug*

if you got a typical web app with nginx reverse proxy to a node.js app working good, what's the first step to converting it to being jailed? i was thinking that i add another ip to the host, then expand base into a jail dir, then start moving pieces of the working app into the jail from the host. that more or less right?

oh thick jail btw

Hello! Question about zfs mirrors, this is probably splitting hairs, but I have one ssd and one nvme, which would be best to use as the backing drive that becomes the mirror? I guess it might not matter.

alepzi: you want to setup a jail, confirm it is operational with an ip address, then install the packages for nginx and node

once that is complete, then you "mgirate" the working code to the respectively loications within the jail

ok ty

there any way to do ahead of time config of a jail just like we can do with a scripted bsdinstall?

so i basically have an archive that i extract and bam, the jail is all configured already

or smth

anyone got any partitions that look like this, canonical/cloud-init #5122 ?

Title: feat(freebsd): support freebsd find part by gptid and ufsid by jinkkkang · Pull Request #5122 · canonical/cloud-init · GitHub

alepzi: yes.

fyi odysee.com/@AlphaNerd:8/the-xz-backdoor-almost-compromised-every:0

Title: The XZ Backdoor Almost Compromised Every Linux System

does the BSD effected by XZ Backdoor ?

No.

I guess not, My bsd xz versions is 5.4.1 / 5.2.5

lts thanks for reply

freebsd completely tosses out the upstream build system anyways

and tests

you could question the validity of the source as well given that Jia touched it, but Lasse is busy churning through that and we'll know more in the coming weeks

until then, probably best to avoid too much speculation :)

yah, but that was a scary backdoor

beastwick: One SATA/AHCI and one NVMe, you mean?

I'd recommend trying to match interface speeds and specifications, because AHCI and NMVe are fundamentally quite different both in terms of number of queues and the size of them.

nerozero: "The XZ Backdoor Almost Compromised Every Linux System" That's very optimistic

hello meena

That was the name of the video, but the backdoor was nasty, yeah

If it's in a video, it's probably not a very accurate summary.

Imagine how much time will that took to find out in a closed source code

also true

considering how he diagnosed it, about the same amount of time if it was trying to accomplish the same thing

Any ops around?

he didn't exactly have source to the exploit, yet he still debugged his way into figuring out what it was doing

debdrup thanks

mane: instead of asking for people, just ask the question and people who know can answer.

debdrup, maybe he need to game an OP here :)

kevans: yeah, that's the advantage of a systematic approach to rootcausing symptoms

Well I run a smalls fundraiser and I was wondering can I tell about it here and link my blog post about it

qq, so I created the mirror, I see some message that I should update the boot loader code. The drives are UEFI, when I try any variation of gpart bootcode I am getting operation not permitted, as root.

Small*

mane: if one person does it, more people will do it - it sets a precedence that's hard to get rid of.

So I take it as no

Can I at least pm you the link?

beastwick: with UEFI, you'll wanna replace /boot/loader.efi on the EFI in \EFI\BOOT\BOOTX86.EFI

debdrup do I use gpart bootcode for that?

just cp it

beastwick: no, you copy the file over, it should be mounted as /boot/efi on modern systems, I believe.

there's a second copy at \efi\freebsd\loader.efi if you've installed a recent syste

It'd be nice if gpart bootcode could do it, but I don't know of anyone working on that.

oh interesting, is there a reason why this doesn't happen automatically?

it's complicated

You don't wanna touch bootcode in an automated way, because what if something breaks?

agreed

we don't know that it's safe to blow away what's there. in the case of the freebsd vendored namespace we can, but \efi\boot is more complex

okay, I do not see /efi/boot or /EFI/BOOT/BOOTX86.EFI

Presuming you don't upgrade the root filesystem, the worst case that can happen with an out-of-date bootloader, is that it doesn't render quite properly - but it'll still boot just fine.

beastwick: then mount it via mount_msdosfs(5)

mane: if it's FreeBSD related: yes. if not, #freebsd-social

you're notably looking at /boot/efi/<those paths>, not at the root of your system

meena: ok so I got permission for FreeBSD-social

ok, I get it, but I am still having an issue, I try as root mount -t msdosfs /dev/ada0p1 /mnt but I am getting operation not permitted

Curiouser and curiouser, said Alice.

And gpart show lists ada0p1 as a EFI partition on a GPT disk?

40 1953525088 ada0 GPT (932G)

40 532480 1 efi (260M)

beastwick: does mount_msdosfs give the same error?

meena: sorry i lost internet, still here?

And what does file -s /dev/ada0p1 report?

I have a vague memory of this happening before, but I can't for the life of me remember what the solution ended up being.

/dev/ada0p1: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "BSD4.4 ", sectors/cluster 32, root entries 512, sectors/FAT 65, sectors/track 63, heads 16, sectors 532480 (volumes > 32 MB), serial number 0x7fe50820, unlabeled, FAT (16 bit)

Yea, that's as it should be.

anyone know why the encrypted swap on my host isn't working? termbin.com/c4yx is my host's ZFS config in bsdinstall installerconfig

alepzi: all i said was: yes, you can do that

so like i make my own installer with a installerconfig in it and all of my customizations for the jail, then jail bsdinstall it into place or?

mind giving me the overview?

debdrup my fstab for the efi partition (ada0p1) looks like /dev/gpt/efiboot0 /boot/efi

that is confusing me, what is /dev/gpt/efiboot0

It's a GPT id

Check with mount(8) if it's aready mounted, that'd explain it.

ok, so it is mounted /dev/gpt/efiboot0 on /boot/efi

Well, GPT label, not ID.

so I can just copy the aforementioned file to /boot/efi/...

/boot/loader.efi -> /boot/efi/efi/freebsd/loader.efi

You'll probably also wanna replace the other file, unless that's a different boot loader (like rEFInd)

bootx64.efi?

beastwick: IF you use /boot/efi/efi/freebsd/loader.efi you'll need a boot variable to go with it.

is that what bootx64.efi is?

beastwick: bootx64.efi is fallback naming, which would mean /boot/efi/efi/boot/bootx64.efi

And for that would wouln't need a boot variable, assuming your bios is usable, which some aren't.

beastwick: To see boot variables, say: efibootmgr

(or efibootmgr -v)

beastwick: I have examples of both sorts - freebsd/loader.efi and boot/bootx64.efi - in wiki.freebsd.org/MasonLoringBliss/ZFSandGELIbyHAND

Title: MasonLoringBliss/ZFSandGELIbyHAND - FreeBSD Wiki

thanks

mason: i'm using zfs and geli together and encrypted swap isn't working. mind looking at my tiny config to see if there's an obvious prob?

alepzi: How are you marking it in your fstab? That should be all that matters.

alepzi: I shy away from swap on a zvol, so what I do here is to have a standalone partition (or gmirror) for it, and have geli encrypt it ephemerally.

termbin.com/c4yx is the installerconfig portion, then fstab is termbin.com/pc5v

alepzi: Also an example of that in the linked page, but to save you wading, in a mirror for example: /dev/mirror/swap.eli none swap sw 0 0

i just let bsdinstall set it up for me tbh

alepzi: looks right - what do you see when you say "swapon -a

?

swapon: /dev/nvd0p3.eli: Invalid parameters, then another line for nvd1p3 saying the same

13.3 fwiw

Half a sec, firing up my laptop to check the naming.

tyvm

alepzi: Ah, right, so it's /dev/nda0p2.eli here - can you look in your /dev and maybe share ls /dev/n* ?

sec

I'm curious what the difference is here. Looking.

alepzi: For instance, here: bpa.st/OHIQ

Title: View paste OHIQ

okay, boot loader updated and reboot worked as I am here again chatting

Oh, I'm on 14. That might be the difference.

thanks mason

beastwick: good good

hehe

alepzi: It shouldn't be necessary to change what the installer gave you, but I'd be inclined to try /dev/nda0p3.eli instead of /dev/nvd0p3.eli in your fstab, just to see if it matters. This split between nd and nvd is new to me.

I guess nda devices take direct NVMe commands, and nvd presents disk devices that happen to be backed by NVMe.

Someone will correct me if I'm wrong.

nda is newer 1 i think

ya, in my boot loader i have hw.nvme.use_nvd=0

note that one set are symlinks and probably don't get resolved for this purpose

alepzi: Any difference if you try nda? Why it'd matter isn't coming to me. I'd think the one you've got already, nvd, would be utterly unexceptional.

if you have nda enabled then nvd are just symlinks to the new ones for a compatibility shim

kevans: =gasp= didn't realize thios

so if i change the etc/fstab entries to just swap nvd to nda and then save file and swapon -a?

yeah, try that

k sec

kevans: Any notion of what his "invalid argument" might be then, in this case? If they point to the same thing, that should be okay.

should i be afraid?

alepzi: no

mason: geom itself doesn't know about this kind of linking, that's at the devfs level

alepzi: Failure mode here is "oops, still no swap"

so it helps with some userland tooling, but not necessarily some that might just take the basename and pass it on

omg it worked

kevans: Might be bugworthy then, as he got the nvd entries straight from the (13.3) installer.

"adding ... as swap device"

weird thing is sudo top shows swap size as 2048 but if you look at my bsdinstall installerconfig for it, i selected 1GB

alepzi: You should be safe making that be a permanent change for both in your fstab. It's what the 14.0 installer does out of the box.

alepzi: You've added two swap devices, each 1G

So 2G is right.

oh i thought it would just use 1GB across the mirror of 2 drives

alepzi: Critical point: it did not create a mirror.

ah interesting

alepzi: If you want a mirror, "swapoff -a" and make them into a mirror, and then use something like /dev/mirror/swap.eli as I had in my example.

Again, my cheat sheet has examples of how to do it.

i'll just leave it as is

tyvm

if you want any help figuring out the bug just ask

alepzi: Only issue leaving it as-is is, if you lose a disk, you're probably going to crash as you just ripped out some swap unceremoniously.

oh, shit

If it's a mirror, it'll survive losing one of the underlying block devices.

do you know how i "make them into a mirror"?

alepzi: You can use wiki.freebsd.org/MasonLoringBliss/ZFSandGELIbyHAND as an example. It says: gmirror label -v swap gpt/swap0 gpt/swap1

Title: MasonLoringBliss/ZFSandGELIbyHAND - FreeBSD Wiki

alepzi: But if you don't have gpt labels - not sure if you do or not - you can use the bare device names too. I prefer labels in all cases. You can look here: ls /dev/gpt/

alepzi: You might need geom_mirror_load="YES" in your loader.conf.

in /dev/gpt/ i have basic%20data%20partition, efi%20system%20partition, microsoft%20reserved%20partition, efiboot0, efiboot1, gptboot0, gptboot1

alepzi: So you'd want to label your swap partitions. Alternately, just use the two bare device names if you prefer.

ok... and btw this is fixed in 14? maybe i'll just reinstall once 14.1 hits and keep swap off till then. i'm still pretty new

alepzi: We're not entirely sure what's wrong, so it's hard to say it's fixed. That said, I see nda out of the box in 14.

alepzi: Triple-check this before doing it, but I believe you could use: gmirror label -v swap /dev/nda0p3 /dev/nda1p3

and then change your fstab accordingly

ty guys

what bug are we talking about, precisely?

kevans: The installer gave him nvd for his two swap partitions, and swapon is balking, saying "invalid argument"

right, but that's just a cosmetic issue

termbin.com/c4yx is my bsdinstall installerconfig entries

Sort of. It's leading to error messages and swap not being activated.

Feels more bug than cosmetic.

I guess there's more systems to install?

i have a boot loader entry that says hw.nvme.use_nvd=0

Oh, I didn't register the installerconfig stuff. I've not used that. I'd tend to guess specifying nvd there is insisting on it for everything including swap.

we can't really do anything about that if you're installing from an installer image that's booted without nda enabled

alepzi: I suspect from that that there's a SWAP mirror setting somewhere.

you'd need to boot the installer with nda enabled (default in 14.x) and use nda0/nda1 instead

oh my installerconfig options aren't enough?

Where are these installerconfig variables documented?

"lmao"

i wish bsdinstall had an option to output the installerconfig of a manual config

Ah, in bsdinstall(8)

alepzi: There's a ZFSBOOT_SWAP_MIRROR setting you might want, aside from the nvd/nda thing.

wow good catch

I'd want to try as well to see if it yields a working system: export ZFSBOOT_DISKS="nda0 nda1"

i thought ZFSBOOT_VDEV_TYPE="mirror" was enough to make it a mirror for everything, including swap, but i guess not

alepzi: You're getting separate partitions for swap, because swap-on-a-zvol is potentially explosive.

why?

i just want to replicate what i can do in bsdinstall gui manually, by selecting mirror, encrypted swap, etc

alepzi: I don't remember all the arguments, but it adds memory pressure when you need to swap, which is just when you don't want more memory pressure.

oh ya my disks are set in ZFSBOOT_DISKS to nvd, the older interface, even tho i turn that off in boot loader. you're right i should try nvd variants of them

But the installer definitely gives you plain partitions, nothing to do with ZFS for swap.

nda*

er ya

TIL - thank you both

ok i'm gonna change those devices to nda and add the swap mirror setting, then reinstall and see if that works

zfsboot_swap_mirror="yes"?

er no " "

iirc i did try zfsboot_disks nda but it couldn't find the drives

that sound right maybe?

it was either 13.2 or 13.3

I've never tried the scripted install features, but now I want to. Seems really useful.

it's so cool to sit back and watch the dominos fall

13.3 default for hw.nvme.use_nvd is still 1 btw

i think 14 is when that's switched to 0, anyone can haz verify for me pls?

I noted that a while ago, yes

ah sorry, ty

is /usr/local/jails the best place to put jails? that's what the handbook uses but it also says ppl put them in other places like /usr/jails and /jails

alepzi: I use /var/jail - up to you.

what's the rationale for /var/jail over the others?

why?

meena hates the follow up questions lol

alepzi: because I like languages, and find language isolates especially fascinating

So i have a dedicated zpool for jails that's mounted under /isolates

i only know isolates from weed world

wow a dedicated zpool, cool, why?

Title: website/howto/jails.md at main - pkgbase/website - Codeberg.org

because it's easier to transfer from one machine to the next when i get a new virtual Maschine

what makes it easier?

I have it on an extra, external storage, which i then just attach to the new machine, and import the pool

ahh

good to see you using ipv6

I have had it for a couple years now, and have moved it from many different VMs (usually rather than doing an upgrade, i just get a fresh machine) and have also moved from amd64 to aarch64

alepzi: my server does. where I live i don't get IPv6, so, personally, im not using it :(

sad

maybe in another 20 years we'll be able to just single stack ipv6

that's the most succinct way to describe rural Ireland's infrastructure, yes

hehe

anyone here have ufsid or gptid and can give some feedback here? canonical/cloud-init #5122

Title: feat(freebsd): support freebsd find part by gptid and ufsid by jinkkkang · Pull Request #5122 · canonical/cloud-init · GitHub

Hi, is there a way to "convert" a FreeBSD 13.2 VM to a Jail?. I have this VM in DigitalOcean and would like to convert to a Jail in my home server.

martinrame, It is easier to create a jail than a VM because a jail does not need any bootcode installed.

Simply copy the files from your droplet to your home system into a directory tree. Then use it as the basis of your jail.

99.44% of everything is covered by just that. But the remaining things are adjusting networking for the change from a droplet VM to your local server jail networking.

rwp, yes!, it looks as easy as you mention. Let's try that.

At that point you will need to make adjustments to your hosting /etc/rc.conf, hosting /etc/jail.conf, and the jail's /etc/rc.conf file. I would use a vnet jail by default. But it depends upon what you want.

I know the devil is in the details there but if you get stuck ask questions and many of us can help you through it.

Also remember that a jail should be the same version or older version than the hosting kernel. Due to newer code possibly (likely) using newer syscalls not supported by older kernels. So whatever version of VM OS that you have you will want to run that version or newer version hosting the jail of it.

I thought it was 13.2 but it's 12.2, no problem.

12 running on either 13 or 14 is certainly no problem!

rwp, yes, that's the case

just make sure you have COMPAT_FREEBSD12 if you use a custom kernel (that's already in GENERIC)

What services are you wanting to run? Is this going to be a vnet jail with it's own IP address? Or is this going to be a non-vnet jail sharing networking with the host?

rwp, well, in fact the only service running there is ssh. It's a machine accessed by my co-developers to build FreeBSD executables or our apps. They mostly develop on Linux and Mac, the push to a repo then log in to this machine, pull the code, compile and deploy.

martinrame, Sounds good. Are you wishing to continue that ssh access? If so then a vnet jail with its own IP stack and address would be indicated. But setup often more confusing. Alternatively you share the network with the host and run sshd on a specific non-22 port to avoid conflict with your host sshd.

Running sshd on a non-22 port is the simpler option.

rwp, yes, I'm creating it with VNET. In the server we have other VNET jails, so I'm copying the config and installing from scratch. BTW, now I'm looking for info on how to install a 12.2 jail on a 14 system.

rwp: wouldn't a more common non-vnet configuration be to assign an IP alias to the jail, so each sshd has its own IP address?

lw, I thought that in that configuration sshd binding to *:22 on the host still attached to all of those addresses? No?

rwp: it does by default, you need to set ListenAddress in sshd_config

(for non-vnet jails you basically have to set the equivalent of that option for every network listener on the host... which is one reason i prefer vnet jails, less hassle)

lw: I don't know. Having an internal IP and port 22 looks like an easier way, just install, then add the IP:PORT forwading to /etc/pf.conf and that's it.

Agreed. Can modify both sshd's in both host and jail guest and bind all of them to the specific address. Yes. That will work.

(for vnet jails I just like that they look like full stack hosts with a standard configuration for programs running in the jail)

martinrame, I am confused about your need to install a fresh 12.2 jail if you were planning on copying the existing 12.2 VM droplet. If you are creating a new jail then why not create something newer?

But regarding installing 12.x AFAIK the only currently distributed versions is 12.4R and older versions are already gone.

rwp, because there are some compilers that maybe won't run on newer FreeBSD versions.

To install exactly 12.2 now one would need to build it from git source tag. AFAIK. Though if you can get a base.tar for 12.2 then that is all you need. Just untar it and you have 12.2 for the jail.

Right specifically at this point in the discussion I am talking specifically about the difference between 12.2 and 12.4.

Do you have a /usr/freebsd-dist/base.txz available from your 12.2 system? If so then use it for the jail base for your 12.2 jail.

rwp: mmm, no, I don't have it.

Is 12.4R close enough?

rwp: yes

ISO images are here download.freebsd.org/ftp/releases/ISO-IMAGES/12.4

Title: Index of /ftp/releases/ISO-IMAGES/12.4/

I don't remember how to force installing that version

Anyone have the base.txz URL path for 12.x handy? I would need to dig it out.

rwp: BSDINSTALL_DISTSITE=download.freebsd.org/ftp/releases/ISO-IMAGES/12.4 (maybe that)

Title: Index of /ftp/releases/ISO-IMAGES/12.4/

martinrame, Isn't that the same path I just posted? :-)

rwp: yes, I was trying to figure out the param to specify a different base version.

AFAIK the previous versions are now End-Of-Life and no longer available from the main repositories for download.

Ah! Here are 12.2 ISO images. (Still looking for base.txz images) ftp-archive.freebsd.org/pub/FreeBSD…rchive/old-releases/ISO-IMAGES/12.2

Title: Index of /pub/FreeBSD-Archive/old-releases/ISO-IMAGES/12.2/

rwp: great!

You're crusty.

Opps - wrong channel, sorry :)

Bahhumbug, Perhaps wrong channel but not wrong! :-)

martinrame, Got it. ftp-archive.freebsd.org/pub/FreeBSD…ive/old-releases/arm64/12.2-RELEASE includes base.txz for that exact version.

Title: Index of /pub/FreeBSD-Archive/old-releases/arm64/12.2-RELEASE/

rwp: great!, thank you very much!

Is your droplet running zfs? If so then if it were me I would zfs send the zroot/ROOT/default dataset from there to your local system and have an exact copy of the file system and recv it for the jail.

rwp: yes!

Also even though I said to zfs send zroot/ROOT/default but first take a snapshot and then send the snapshot. I realized that was a confusing instruction otherwise.

finally I'm in. Ty alepzi for the support. Hi everyone

yw

Hello mixef. Thank you alepzi for helping out there! :-)

o/

hi, very new to IRC. Alepzi stood by and took me through joining.

very helpful and very welcoming

plus got to know each other a little

Excellent! Welcome. It's good to review the topic for new channels that you join to get the information specific to that channel. Type in "/topic" and Enter and it should display to you. (We will not see that you did that.) It's in the top line of almost all IRC clients but usually too long to fit.

next step is date night at a little italian place i know and a beach walk

fingers crossed

will do, my next question was about to be what is the first step now im here s ty

That's a pretty open ended question. And it depends very much upon where you are starting from and very much upon where you want to go.

You just missed a somewhat involved discussion about setting up a legacy version of FreeBSD 12 as a jail converting a VM from a DigitalOcean droplet. And before that there was a discussion of kittens. So discussion varies.

I'll note that there is #freebsd-social for random off topic discussion, kittens, and other things.

ah i see, I mentioned to alepzi that i foudn this channel by searching through the servers on various channels to find servers that focussed on chat with the highest number of users. I now realise that i neglected to understand the channel name. My knowledge of BSD is lesser than my knowledge of IRC but would like to stick around if you'll have me?

You can stick around but know that the rule is 1) See one. 2) Do one. 3) Teach one. If you stay then after you learn something you must teach something.

Perhaps this is your chance to learn something about BSD? ;)

Well i will be learning a lot for sure. I have xperience of unix-based systems and appreciate all efforts at providing open-source platforms. I'm also keen to understand linux from a vulnerability perspective, particularly in the embedded/operational technology space but its a steep learning curve for me right now so ty for having me

Also a good rule from the amateur radio side of things is that it is not required to talk. It's good to listen first for a while and see what is normal on a newly joined IRC channel from the regulars. And then you know what you are stepping into. I as a boisterous extrovert am often violating that rule. And therefore I talk too much.

Understood, i came here with the wrong intentions but now eager to listen in, so ty for allowing me to remain.

rwp: well, with HAMs, you're basically forced to receive before you can transmit, unless you want to pay some pretty heavy fines for transmitting without a license in a licensed frequency band.

If you type in "/who" and Enter you will see a very long list of users and bots who have joined the channel. Only a smaller number of those are brave enough to type in something.

It's always interesting when you get to talk to someone who doesn't know that, and then suddenly goes _very_ quiet.. ;)

I'n my former life using radio, me were always told we should communicate based of the the assumption that every second if transmission costs an extortinate amound of money. So i will remain quiet now :D

I didn't really get active on ham radio until I already had my novice license. And then I had to acquire a radio. So there was no delay between those for me.

rwp: yeah, a lot has changed with (web)sdr, in that respect.

mixef, (which I am "highligthing your nick" by addressing it to show that I am looking at you) I really did not mean to drive you off. You are most welcome here. I am just one of the many users in the community with no authority of any sort here. I just want to help you get the most out of the system. Let me encourage you to be an active participant. We have more lurkers than any channel needs.

Even if you don't have an internet connection, RTLSDR goes a long way.

rwp: not talking about me, are you? ;)

much appreciate rwp, already learnt a lot tonight and thanks for being so welcoming

from the wording in 17.3.4 of jail page of handbook it says files in /etc/jail.conf.d/ have to be included in /etc/jail.conf, then it shows the wildcard include line. why's that required? we don't need a similar include line in /etc/rc.conf for files in /etc/rc.conf.d/ to be picked up

alepzi, Because the underlying code was written by different people with different ideas? I don't know. I just know they are different. And that jail.conf.d/* has some restrictions that have confused me over time. Some things apparently must be in jail.conf and other things are allowed to be in a jail.conf.d/* file. I don't grok it myself yet.

nod, ty

rwp: i think people are aware of the inconsistencies and working on fixing them

nice!

That's great! I have just gotten into the habit of only using the jail.conf file itself to avoid the issue. But I welcome improvement in using individual files. That would be nice.

freebsd is the best OS to ever exist and it's only getting better !!

so is the pfsense thing real or not ? netgate.com/blog/pfsense-software-e…tegic-migration-to-the-linux-kernel

Title: pfSense® Software Embraces Change: A Strategic Migration to the Linux Kernel

April 1st.

Regardless of the April 1st publish date of that we think it is real because it is consistent with other news from them. And also TrueNAS also is doing the same thing.

They should have waited a day to post it and that would have avoided people wondering about the date of it.

Yeah I'm not sure. There's nothing funny in it. A Linux kernel with a FreeBSD userland sounds weird though. Plus how will they have pf on Linux ? Migrate to iptables?

Read through this thread for some further context: reddit.com/r/freebsd/comments/1bhvt2e/comment/kvukh2k

Don't be too distracted by the headline being about TrueNAS because the comment discussion is about pfsense.

Yeah could be real. I happened to buy a pfsense router a week or so ago, and I don't really like it. I'd prefer to run a stock version of FreeBSD and that's what I eventually plan to do.

if anyone needs the freshest net/cloud-init and net/cloud-init-devel packages, I build for 14.0 aarch64 & amd64, and publish here: pkg.igalic.co

Title: Index of /

Also, after reading that comment, I wouldn't want to use any of their products. Total jerk.

*freshest, as soon as rust is built on my tiny aarch64 vm, that's also hosting this IRC session

rust hype

[0x1eef]: imagine a freebsd userland with a mach kernel

:))

one day, when I have the time… I'm going to sit down and figure out what we can do to our ports system to not have to rebuild rust every time curl does a (minor) release. Also, how to build npm packages, and I'm not sure which of those two is going to be harder xkcd.com/1425

Title: xkcd: Tasks

I'd be surprised if netgate moves pfsense to linux. First off, the name would have to change. They already have a firewall product for enterprises built on linux, afaik, so if anything they would likely outright drop pfsense.

They've thrown a lot of money and manpower at freebsd over the years, even in recent times - and on things that I would classify as somewhat long-term investments

Then again, their blog post is depressingly corporate

So .. I dunno. Keeing the freebsd userland makes absolutely no sense, though. There's nothing in it that would be meaningful to keep and doing so would not unlock any of the potential they're claiming without a metric ton of additional work and kludges

That comment tells you a lot, I didn't see anything positive in there - it sounds like someone who has given up and would prefer to use Linux.

what is pfSense anyway? is it just a web interface for functionality that already exists (pf, dhcpd, routing...?) or does it provide new things?

I mean yeah, the post makes no sense

pfSense is a web interface

why would it matter if it's FreeBSD userland

if it's meant as a joke, it's not funny and wildly confusing

Yeah - it's nothing you couldn't do yourself. And in the process, they change fundamental parts of how a FreeBSD system works. You're not suppose to use rc.conf. pf.conf is not used either. So it's like their own weird version of FreeBSD that is only useful with their web UI.

this blew my mind. I zfs send|zfs receive (as rwp mentioned) the zroot/ROOT/default dataset from a VM on DigitalOcean to my PC and created a jail out of it, and it worked!

martinrame, Of course! :-)

lmao best OS ever

rwp: now I'm sending the zroot/usr/home (8gb)

if you want to get eve fancier you can tunnel through ssh and all that fun stuff

meena: what does rust currently rebuild every time curl does a release whatsoever?

alepzi: yea!

lw: imo it's more community minded if instead of 1 blessed vendor the focus is a wiki page that links to known compatible hardware and preset freebsd configs that give you a turn key <insert networking device> whether that's fw, router, whatever

imo that's the real power is taking freebsd tech and starting to make it easy to get transparent wraps on it for common templates

so it's easy to see "oh just these few commands and config files to make it a fw", another that includes web gui