01:01:07 <[0x1eef]> It would be a whole lot better if it it managed a standard FreeBSD configuration IMO. Then you could choose to use the web UI, or the shell. Even let the web UI manage some things, and the shell other things. Instead it is built in such a way that it doesn't work like a standard install.
01:11:51 <[0x1eef]> alepzi: it's not transparent though. It doesn't use /etc/rc.conf. Neither does it use /etc/pf.conf. So I don't think you'd learn much about how FreeBSD works under the hood. You'd learn how pfSense is implemented at best.
01:21:49 <alepzi> well ya that's what i'm saying. no black boxes, just easy configs of a regular freebsd for the noob to get from 0 to web gui firewall in a jiffy. obviate shit like pfsense and netgate
01:27:26 <[0x1eef]> There's probably a market for that.
01:29:08 <Reinhilde> it's not reolly obviating it
01:29:12 <Reinhilde> jst another competitor
01:34:43 <alepzi> not if it's all open and has easy setup and links to hardware that's known to be compatible, ready to go. maybe that's what opensense is?
01:36:25 <[0x1eef]> You can buy routers with pfSense preinstalled and ready to go.
01:40:57 <Reinhilde> to my knowledge pfs also ship an iso
02:44:06 <alepzi> does freebsd-update -b basedir/ fetch install need to be run as root or smth? it fails with dir does not exist or is not writable: /var/db/freebsd-update
02:45:08 <alepzi> fwiw /var/db/freebsd-update is root:wheel and drwx----------
02:47:02 <ketas> a non-root update?
02:47:15 <alepzi> ya i'm setting up a jail dir
02:47:31 <alepzi> don't want to do anything to the host system
02:50:28 <ketas> can't run that inside jail?
02:50:45 <ketas> that would make no host changes at all
02:51:05 <alepzi> trying to make it to a scripted bsdinstall base
02:51:23 <alepzi> so when i install the host in a vm, its jails are already there and ready to go
02:51:56 <ketas> hmm
02:52:49 <ketas> well it has -d
02:53:21 <ketas> is that it?
02:55:00 <alepzi> that seems to run, but then it says at the end you must be root to run this
02:55:02 <alepzi> so not sure
02:55:14 <alepzi> it says 13.3 p1 is newest and doesn't need to be updated
02:55:24 <alepzi> is that latest?
03:04:18 <voy4g3r2> alepzi: latest release of 13 series?
03:04:35 <voy4g3r2> the answer is yes.
03:05:24 <cybercrypto> alepzi: you are running 13.3 and want to know if there recent patches available? I believe there is none. maybe you are looking for newer production releases? Please describe your objective.
03:06:46 <cybercrypto> check the rel engineering for details how the software releases are structured: https://www.freebsd.org/releng/
03:06:47 <VimDiesel> Title: Release Engineering Information | The FreeBSD Project
03:31:43 <V_PauAmma_V> This isn't true. There's 13.3-p1, for https://www.freebsd.org/security/advisories/FreeBSD-EN-24:06.wireguard.asc and https://www.freebsd.org/security/advisories/FreeBSD-EN-24:07.clang.asc.
03:36:09 <cybercrypto> V_PauAmma_V: I am confused by what you mean 'isnt true'. He said exactly 13.3 p1 is the newest. I understand this is correct statement. Please clarify if that is latest or any newer.
03:36:42 <cybercrypto> V_PauAmma_V: Is there a patch over 13.3-p1?
03:37:15 <kevans> shouldn't be, my wireguard EN just landed like, last week
03:37:51 <V_PauAmma_V> NO, you're right I just didn't read up after "recent patches" - which I think -p1 is, being 4 or 5 days old.
03:38:18 <V_PauAmma_V> My fault.
03:39:13 <V_PauAmma_V> s/after/past/
03:40:15 <cybercrypto> V_PauAmma_V: np, many thanks for the update!
04:28:45 <markmcb2> I'm kinda liking my "inception" setup as a work around to PR 278058 (I'd like no bug better, lol)
04:28:46 <VimDiesel> 278058 – Simultaneous use of Bhyve AND vnet on network PCI devices causes network failure https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278058
10:13:02 <Ltning> When going from freebsd13 to 14, we're seeing a ~10% drop in throughput on a simple nginx (tls) server benchmark. I have been warned that some kernel work might do this to us, since we use "wrapped" jails - an outer vnet+epair jail and an inner "classic" jail.
10:13:44 <Ltning> Are there any "glaringly obvious" things we should change in nginx config to reap benefits of 14 and perhaps offset this regression, before I start complaining to kernel devs? :)
10:59:08 <voy4g3r2> Ltning: maybe find out what the benchmak is using as an indicator of throughput? The use of a benchmark to determine performance is very specific to that benchmark and may not reflect reality.
11:00:18 <voy4g3r2> and from what i am reading, youa re doing a freebsd 13 -> freebsd 14 host which contains a jail that has another jail in it?
11:00:26 <voy4g3r2> are those jails still on 13 or they have been ugprade to 14?
11:21:44 <Ltning> The jails are 13, but I was warned that there are kernel things that are already suspects.
11:22:00 <Ltning> But not sure if userland being 13 should have any impact here?
11:22:19 <Ltning> Also well aware of the synthetic nature of benchmarks. That's both their weakness and their strength.
11:41:20 <xulfer> As opposed to them having a natural nature.  Man I can't even imagine such a thing.
11:53:23 <voy4g3r2> Ltning: that is possible, unless yyou have a specific situation. that will be a needle in a haystack situation
11:53:34 <voy4g3r2> is this machine in production? and being used to serve customers?
11:55:18 <voy4g3r2> i may be wrong in this approach but jumping from nginx all the way to the kernel being suspect, is a big leap.. in my head
11:56:22 <meena> if you need to build virtual machine images with the latest cloud-init, here's my repo: https://pkg.igalic.co/
11:56:24 <VimDiesel> Title: Repository for net/cloud-init
12:35:25 <Ltning> xulfer: It's called a manned botnet ;)
13:03:48 <Ltning> voy4g3r2: Our production machines are still on 13, we're testing 14 on comparable hardware to see what we can expect. The reason I "blame" the kernel is *very* specific remarks from kernel people after my talk at EuroBSDCon last year where I detailed our "wrapped jails" concept. Apparently some optimisations that might backfire in our scenario.
13:04:35 <Ltning> And since we - despite being warned - didn't manage to get our act together and test this before/during the -BETA phase, I hardly find it fair to complain about that right now. Hence my hoping someone knew low-hanging nginx-optimization-for-14-fruits. :)
13:05:56 <Ltning> On the positive side, nothing seems to *break*, and it's still only ~10%, so it's entirely serviceable. And I suspect other concurrency-related improvements in 14 can help offset even that, since we're running "a handful" of such wrapped jails on each host, and Java code (apache-tomcat) is also known to be significantly faster on 14.
14:53:24 <rwp> Ltning, If you were to run a benchmark program such as "iperf" to be a specific network I/O benchmark only (removing the rest of nginx) in both the old and the new do you see 10% as well?
14:54:07 <rwp> And regardless if the problem is throughput then using a throughput specific benchmark would be a useful way to make a reproducer for a benchmark problem report ticket.
14:59:33 <Ltning> rwp: Yes, that is on the list of tests to run.
15:00:29 <rwp> I could easily see that an I/O benchmark might be more than 10% by a significant amount if it avoids the rest of nginx.
15:00:53 <Ltning> On a not-related-at-all-note - seems like both electron28 and signal-desktop has disappeared (again). I cannot overstate how much I hate everything electron.
17:23:40 <rwp> Ltning, Almost all of the new-school rolling release rapid turn massive churn projects have routine instability problems.
17:44:56 <alepzi> i'm setting up a jail and part of the process is to retrieve base.txz and expand it. question, if i already have the freebsd git repo cloned, is there any way to use that and skip the fetch, expand, update step pls?
17:48:43 <Ltning> alepzi: man 8 jail -- "Setting up a Jail Directory Tree"; you build and install userland in a specific destination directory. Not how I would do it, but if you want to start from a cloned git repo (which is source code only), then that's one way of going about it.
17:50:46 <alepzi> it is possible!!
17:50:50 <alepzi> tyvm
17:50:58 <alepzi> btw why is that not how you'd do it?
17:52:41 <Ltning> It'll take forever the first time, since it's building the whole system. If you do that, you want to add -j $(sysctl -n hw.ncpu) to the 'make world' step: "nice make -j $(sysctl -n hw.ncpu) world DESTDIR=$D"
17:53:27 <Ltning> ...or something like that. (sysctl -n hw.ncpu simply spits out the number of CPUs you have; that number can of course be specified directly instead, and depends on how much of your CPU you want to spend building :)
17:54:25 <Ltning> I'd rather download base.txz and expand it into some template-jail directory, and then "mount_nullfs -o ro <template>/<dir> <jail>/<dir>"
17:54:46 <alepzi> that's thin jail type tho right? i'm doing thick jail atm
17:55:00 <Ltning> Yea, so for thick, just blow up base.txz inside your jail
17:55:33 <Ltning> You'll still have to create some files, resolv.conf and whatnot (it's been a while since I did this manually)
17:55:37 <alepzi> ya, could, but i already have the git repo so i'd rather skip the networking
17:56:05 <Ltning> That's up to you :) Depends what's more expensive, cpu or network
17:56:10 <Ltning> A third option would be to use pkgbase
17:56:17 <Ltning> Would allow for (much!) easier jail upgrades down the road
17:56:23 <alepzi> how would that work?
17:56:25 <Ltning> But that would involve more network
17:56:50 <Ltning> Well you pkg install the base os packages into your jail (don't ask me exactly how), then later you can pkg upgrade the same way
17:57:25 <rwp> alepzi, Most people just untar /usr/freebsd-dist/base.txz which is all local, no networking, and about as fast as any tradeoff of having a bundled "thing" to untar.
17:57:52 <Ltning> Where did /usr/freebsd-dist come from? :D
17:58:03 <Ltning> Must be a *really* long time since I installed anything with bsdinstall ..
17:58:04 <rwp> freebsd-update keeps it updated
17:58:16 <Ltning> wat
17:58:25 <rwp> But it is just a base tar bundle that anyone can create themselves.
17:58:28 <alepzi> i don't have /usr/freebsd-dist
17:58:40 <rwp> And if I were doing this after a bunch of customization then I would tar up my own customized template.
17:59:25 <Ltning> Well, there you go alepzi -- there are as many ways of doing this as there are non-lurkers in this channel at the moment. At least. :D
17:59:38 <alepzi> very cool :)
18:00:03 <alepzi> i build my systems from the git repo to learn about how releases and stuff work
18:00:20 <alepzi> i never run freebsd-update because i guess it can't handle installs that aren't from a RELEASE
18:00:22 <alepzi> sadly
18:01:47 <Ltning> Yea, that's one of the (many) reasons I got my employer to throw a *lot* of money at pkgbase. It will make it *sooo* much easier to follow snapshot releases, for example.
18:03:25 <alepzi> tyvm for that. pkgbase looks like a great enhancement
18:03:30 <alepzi> pls keep pushing my dude
18:03:36 <Ltning> I am :D
18:03:42 <alepzi> <3
18:04:35 <alepzi> another reason i don't like the typical install path is update (possible security fixes) comes after an install. so a new box can be installed and temporarily vulnerable
18:04:36 <rwp> Yet another possible way is to keep a live dataset, snapshot it, then zfs send | recv it to your new jail dataset.  It's an alternative tar but the template is unpacked if you are routinely changing it.
18:04:53 <alepzi> but if i build from git repo after a pull, i always build and run the latest patch level from 0 moment
18:05:09 <alepzi> nice
18:05:12 <rwp> Or you could also avoid the tar and zfs send > file, compressed, and then send that captured zfs-send image to recv when creating a new dataset.
18:05:20 <Ltning> Tried to be sneaky about it. pkgbase has been "nearly there" for almost a decade (perhaps exaggerating a bit here..), so I thought if we can push it over the finish line, it'll stick around and people will use it -> people will finish it ;)
18:05:35 <alepzi> yes
18:05:50 <alepzi> can we make it the default starting with 15.x?
18:06:06 <Ltning> I do like the half-thin approach I normally use.. Since the base OS should never be touched, I mount all the binary directories from base into each jail, read-only, but have local /usr/local, /etc, /var, /home
18:06:46 <alepzi> immutable base is a really good idea for sec and keeping systems from clobber right?
18:06:54 <Ltning> Yeah, absoluteyl
18:07:00 <alepzi> fuck ya
18:07:00 <Ltning> absolutely*
18:07:43 <Ltning> bin lib libexec sbin usr/share usr/bin usr/include usr/lib usr/libdata usr/libexec usr/sbin -- those are the dirs you want to "nullfs ro" mount in the jail-specific fstab
18:08:21 <Ltning> I always keep a symlink around pointing to the "current" template dataset, and use that as mount source. Then I can create a new one when there's an upgrade, rewrite the symlink, and restart the jail.
18:08:35 <Ltning> For minor updates, just update the template in-place
18:08:54 <Ltning> If you want real fancy, you can use a zfs snapshot as the source mountpoint
18:09:22 <Ltning> (.../jails/template/.zfs/snapshots/<last-known-good>/...)
18:09:46 <alepzi> mm nice
18:10:08 <Ltning> (or symlink to that, so you can "upgrade" by pointing to a different snapshot and restarting the jail)
19:20:33 <dch> Ltning: I recall comments about being able to boot freebsd from a snapshot being made at eurobsdcon
19:20:42 * dch waves from Vienna
19:23:43 <alepzi> o/
19:30:57 <dch> Ltning: in practice, have you have any issues with various packages leaking out of /usr/local/* etc?
19:31:04 <dch> for your half-thin jails
19:58:47 <Ltning> dch: That's *extremely* rare.
19:59:18 <Ltning> I can't think of an example right now.
19:59:24 <dch> Ltning: thats kinda what I expected in practice...
19:59:41 <Ltning> I mean if that were to happen I'd promptly raise a bug
20:00:19 <Ltning> Well.. that's a lie. There are some packages that mess around in /etc and /var, but at least it doesn't prevent the fed-but-not-full jails
20:04:57 <alepzi> extracting base.txz into a jail dir was 540M. but then building world into the jail dir from the freebsd git repo was 1.5G
20:05:34 <alepzi> so how can i make my own base.txz from the git repo? so i save 1G per thick jail
20:07:00 <meena> alepzi: what are you trying to get rid of?
20:07:12 <alepzi> 1GB
20:07:43 <Ltning> Building world builds all the stuff that is in the other distfiles, too
20:07:56 <Ltning> Or rather, 'make distribution' does
20:08:10 <Ltning> You might find /usr/src in the destination, I don't know ..
20:08:20 <Ltning> Certainly lots of docs and such that wouldn't be in base.txz
20:12:13 <alepzi> meena: the normal freebsd install process is insecure, so i build my systems from the git repo with a fresh pull off of the x.y branch. trying to get a process for setting up jails the same way. instead of downloading base.txz and expanding then freebsd-update fetch install, i wanna build the base.txz from the git repo
20:12:30 <meena> alepzi: if the normal process is insecure, we need to fix it
20:12:59 <Ltning> With pkgbase I presume it would not be.
20:13:01 <alepzi> that would involve releasing a .iso for every patch level
20:13:15 <Ltning> No more so than fetching an iso or sources from git
20:13:53 <meena> alepzi: more people more hardware
20:14:23 <alepzi> ya so that isn't something i can solve. so my workaround is building my own systems from the git repo
20:14:40 <SponiX> So it should be like a Debian netinstall process. Where it pulls down all the latest packages within the install process. So you have an up to date (by Debian Standards) system right out of the box?
20:15:19 <alepzi> i guess but what if i have 100 boxes, that's tons of network. or if i'm working offline
20:15:29 <alepzi> i just really like being able to build my own images from the git repo
20:15:39 <Ltning> Then that's what you should be doing
20:15:48 <alepzi> well ya i am
20:15:56 <SponiX> fair enough
20:16:06 <alepzi> but now i wanna figure out how to build base.txz from the git repo, so i can set up jails from that
20:16:16 <Ltning> But the nice thing with pkg is that you can run it through e.g. a caching proxy, which is what we sometimes do even with freebsd-update when we need to upgrade a lot of boxes and don't want to wait (and wait and wait)
20:16:21 <meena> alepzi: did you read the handbook?
20:16:44 <alepzi> there's a page on it!?
20:16:54 <Ltning> And for packages, we have a shared pkg cache on the host and share it with all the jails (also nullfs, but read-write)
20:17:02 <meena> https://docs.freebsd.org/en/books/handbook/cutting-edge/#makeworld
20:17:03 <VimDiesel> Title: Chapter 26. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal
20:17:11 <meena> alepzi: if we don't have documentation on it, that's a bug
20:18:58 <voy4g3r2> that document, that meena mentioned is solid.. i use it to build current every so many days
20:20:07 <alepzi> which section says how to build base.txz from repo?
20:20:40 <voy4g3r2> make world does that
20:21:30 <alepzi> you sure? i just did a make world DESTDIR=... and searching in that dir for base.txz it's not there
20:21:32 <meena> voy4g3r2: i think they mean: which make target, exactly, produces base.txz, specifically
20:21:42 <alepzi> ya
20:22:48 <meena> do i really have to go read Makefile.inc1?
20:23:04 <alepzi> did i do something wrong?
20:23:11 <meena> no
20:23:22 <meena> 21:17 <meena> alepzi: if we don't have documentation on it, that's a bug
20:24:12 <alepzi> here's my user feedback: every artifact that users directly interact with, like release .iso/.img/etc, or base.txz (setting up jails) should have step by step guide to build it myself from source. just MY opinion
20:24:36 <Ltning> alepzi: No argument from me.
20:24:43 <voy4g3r2> alepzi: a good opportunity, as you are doing this, to write it down and share :)
20:25:15 <meena> according to release(7) it's make packagesystem
20:25:20 <alepzi> but i'm writing it down here as i encounter roadblocks no? not being argumentative just trying to understand the advice
20:25:24 <meena> i didn't have to read that terrible, terrible file
20:26:13 <voy4g3r2> alepzi: none of that taken, just saying, i also like to browse thsi: https://wiki.freebsd.org/
20:26:14 <VimDiesel> Title: FrontPage - FreeBSD Wiki
20:26:20 <voy4g3r2> https://wiki.freebsd.org/Jails
20:26:21 <VimDiesel> Title: Jails - FreeBSD Wiki
20:26:25 <voy4g3r2> this has some cool info, i have used myself
20:27:42 <Ltning> alepzi: But as I said before, the trouble and the charm is that there are many ways to achieve what on the surface sounds like a simple thing (creating a jail), and you're already far along in being specific about *your* needs, so there may or may not be a prescription-based way of achieving that.
20:28:42 <voy4g3r2> speaking of building, time to upgrade current bhyve image.. i get to do a round of man pages updates :)
20:28:43 <Ltning> It's among the reasons why I do agree we need better jail management tools in base, but I'm not going to be the one to say what they should do and how because they are unlikely to suit my needs anyway. Does not mean they shouldn't exist, as long as they don't remove the flexibility I've enjoyed for 20+ years.
20:29:12 <voy4g3r2> jail management tools are great, once you understand how things are setup
20:36:23 <alepzi> meena: so to make the base.txz i run sudo make -C release packagesystem from source/ ?
20:36:51 <meena> alepzi: honestly, no idea. I've been on the PkgBase train since… 2019?
20:36:56 <meena> long time
20:37:33 <meena> 2021
20:37:41 <meena> time has no meaning
20:38:58 <alepzi> well i tried it but it immediately said packagesystem is up to date *shrug*
20:39:11 <meena> alepzi: did you build world first?
20:39:25 <meena> i'm pretty, and sure, you need to build world before you can build release
20:39:56 <Ltning> They built 'distribution' and 'release', apparently?
20:41:06 <alepzi> ill try sudo make buildworld, then sudo make -C release packagesystem
20:43:34 <alepzi> looks like i gotta cd to release from within source/ to run the 2nd command
20:43:38 <alepzi> ill try that
21:00:52 <alepzi> didn't work
21:01:05 <alepzi> sudo make -C release packagesystem shit out packagesystem is up to date
21:02:17 <alepzi> oh base.txz is in /usr/obj/..../amd64.amd64/release/
21:02:39 <alepzi> so maybe buildworld creates it already. i'm gonna clean and rebuild and see
21:28:47 <markmcb> is something like nfs the best way to share host storage with a bhyve guest?
21:29:43 <markmcb> afaik you can't pass sata drives directly to a guest
21:32:48 <alepzi> ok make buildworld buildkernel doesn't make base.txz. but sudo make -C release packagesystem DOES
21:33:18 <alepzi> meena: ^
21:35:53 <alepzi> ok so now i know how to go from git repo/source to base.txz that i can then expand into a jail's dir and NOT need to freebsd-update fetch install
21:36:06 <alepzi> tyvm
21:43:36 <meena> alepzi: cool
21:43:45 <meena> what options do you have set?
21:43:58 <lw> markmcb: for a Linux guest, use 9pfs.  for a FreeBSD guest, NFS is probably the best way.  you can passthrough an entire SATA (or SAS) controller or an individual NVMe drive, but not an individual SATA drive
21:44:42 <alepzi> none i don't think? the exact commands i ran meena were: (from freebsd-src/ the source dir) sudo make -j24 KERNCONF=GENERIC buildworld buildkernel; sudo make -C release packagesystem
21:45:19 <meena> so how do you expect to get a smaller base?
21:45:31 <meena> i guess that's a next step
21:45:45 <alepzi> well base.txz is only 205MB so that's the same as if i network fetched it. that's fine for me
21:46:14 <alepzi> what i didn't want was what man 8 jail recommended, make world; make distribution, which made the jail dir 1.5G instead of 500mb
21:48:38 <markmcb> lw: thanks