00:16:42 #zfs ppl think it's good to leave the mountpoint being created how it is so i think i'll stick with the working symlink method kevans
00:21:33 there's something weird about commit 58f0484fa251c266ede97b591b499fe3dd4f578e
00:21:54 why is it touching amd64 sources when amd64 definitely did not exist in 1994? is this the result of a repocopy?
00:34:32 can resolvconf -i use an interface group for interface? like epair or bridge or smth
00:56:14 is there any problem with resolvconf -a asdfasdf? like if it accepts invalid interfaces, why bother giving any interface at all?
01:14:33 alepzi: you wouldn't change the mountpoint, you would just temporarily mount it elsewhere
01:14:52 but yeah, whatever works
01:59:33 getting a syntax prob i can't figure out. sudo jexec -l testjail "ASSUME_ALWAYS_YES=YES pkg bootstrap -f | cat" says jexec: execvp: ...cat: no such file or dir
02:03:31 Remember what I said earlier? jexec won't set up pipes. (That said, I'm not sure why you need to pipe into cat.)
02:08:37 Also, why do you need ASSUME_ALWAYS_YES=YES instead of the -y option?
02:12:14 oh ya! /bin/sh -c
02:12:25 can't remember
02:14:04 i used to use -y can't remember why i changed
12:25:39 Hi, in a non-vnet jail I started a service that listens on port 2002. Now, when I do telnet 127.0.0.1 2002 it hangs, the same happens when I do telnet 192.168.100.207 2002 (192.168.100.207 is the IP I assigned to this jail in /etc/jail.conf).
12:26:17 to which IP should I point my telnet to check if it's running?
12:34:58 solved. I had to add a rule to my host's /etc/pf.conf
13:09:12 wtf happened to mixer(8)
13:09:16 I fail hard at using it suddenly
13:34:42 question: why does this fail " poudriere ports -c -U ssh://git.FreeBSD.org/ports -D -m git+ssh -p 2024Q2" however if I remove the -U option then it all just works?
13:35:08 this makes no sense to me --> Cloning the ports tree...root⊙gfo: Permission denied (publickey).
13:48:01 that makes sense.
13:49:51 i'd suggest to go with https://git.freebsd.org/ports.git
13:49:52 Title: ports - FreeBSD ports tree
14:00:59 Hey there! I'm trying to set up a headless machine with FreeBSD, and one thing I've noticed is that I don't seem to be getting notified of system mail arriving to my users. When I log in, I don't get any "You have mail." or "You have no mail." messages that I get on Linux. I tried looking it up, and I see that the MAIL variable needs to be correctly configured for the shell to check for mail,
14:01:01 but I do have that
14:01:15 And mail is working, DMA is up and running and I'm able to send messages between users
14:19:46 which shell?
14:20:38 /bin/sh
14:21:12 I decided that at this point, it'll probably be easiest to pull the source tree and see what it's doing / supposed to do, downloading it right now
14:21:48 by default, both csh and sh set up MAIL correctly.
14:22:03 if you don't see that variable, that might be because of your local modifications
14:22:10 I do see it
14:22:14 MAIL is set up correctly
14:22:22 I'm just not getting any notification messages when logging in
14:22:36 I should note that I log in via ssh and via the "su -" command
14:25:10 well, mail -e && echo "You have mail." in global cshrc and/or profile might do what you need
14:25:36 tcsh can check for mail, sh not
14:26:11 Oh, that's the missing piece of information, sh doesn't have this functionality...
14:26:35 Alrighty then, I'll probably put it into a conditional block in .shrc (only printing it if in interactive mode)
14:27:37 there is no mention of mail checking in sh manpage, while there is a mention in tcsh manpage
14:27:55 Yeah, though there is mention of the MAIL variable in the sh manpage
14:28:08 So I assumed sh used it
14:28:33 hm, you are probably right (i don't use sh)
14:31:51 There definitely is mail-checking functionality in sh, I'm looking at the code and I see the chkmail() function there, I'll try to figure out what's going on
14:32:16 maybe also atime/noatime mount?
14:32:47 (i'm boiling from water as i don't use /bin/sh interactively)
14:33:51 Nope, i just checked, and I don't use noatime here
14:34:58 I remember having this same problem on a laptop that I installed FreeBSD on for evaluation purposes, and I did end up going with the route of an explicit check in .shrc, but that's a workaround
14:35:08 how much disk space do you need to build freebsd
14:36:19 Soni: If you don't have enough, you should be able to mount external storage on /usr/obj
14:37:06 Dooshki: for that, we need to know how much we need
14:41:36 at least we managed to get past llvm compile, hopefully that was the worst of it
14:41:56 (it took up 15GB of storage)
14:42:03 7.2G /src/obj/src/freebsd/src/lf
14:42:29 + 876MB for the src tree (full git checkout)
14:43:06 huh
14:43:13 how come your numbers are so low
14:44:16 checked another system and it's quite a bit larger: 17G /src/obj/src/freebsd/lf/main/amd64.amd64
14:44:20 no idea why the difference
14:44:45 arm64 is smaller though 11G /src/obj/src/freebsd/lf/main/arm64.aarch64
14:45:53 filesystem block size?
14:46:16 but if you're short on space, CVS checkouts take less space
14:46:30 usually at least 10-15G for a full objdir set
14:46:57 my entire build tree on that system is 60GB, that's including pkgbase repo and everything though
15:04:15 oh good buildworld completed, for a total of 12G
15:04:42 but df -h reports 16G
15:04:56 well anyway
15:19:14 otis: After poking at the code for a bit, I see that upon starting, the shell checks what the current size of the mailbox is and stores that for later reference. If it changes at any time, the user will be notified at the start of a command loop iteration (when a command finishes). And looking at tcsh's manpage, I see that it actually behaves similarly, and that is to prevent the message from
15:19:16 being doubled. It expects the login program to tell you if you have mail
15:19:36 So now, I have to figure out how to configure "the login program" to tell me if I have mail or not
15:20:34 Dooshki: according to login.conf(5) it should do that by default if you didn't specify nocheckmail
15:21:47 although i wonder if you log in via sshd, and it doesn't use login(1), perhaps that doesn't happen
15:23:40 I guess I'll just put `mail -e && echo "You have mail."` into my .shrc (with a check for the shell being interactive), it seems that that will take the role of what "the login program" is supposed to do, and since I'll probably only really log in via a real TTY probably once or twice per year, I don't think I'll mind the message being doubled
15:24:23 Thanks a lot for your time!
15:26:44 It is quite cool how you can go directly poke at the base system utilities by just browsing to /usr/src, with everything already being set up for you :D
15:26:59 (if you have the src component installed, that is)
15:33:44 that's weird, net/tayga doesn't come with an rc.d script
15:55:59 Also, anyone else experiencing weird delays in SSH when you aren't actively using it and then return to it? I had this happen on the laptop test run as well, that was connected via WiFi so I thought it was wireless powersaving, but now I'm experiencing it on a box that's hooked up via ethernet
15:56:49 Basically, SSH works perfectly fine, but if I leave the session and don't touch it in any way, and then return back in let's say 5-10 minutes, it's stuck at first, and it takes about a minute or so for it to get unstuck
15:57:06 *if I leave the session open
15:58:02 yep, that's normal
15:58:22 minute seems kinda long, 20 seconds or so is what i've seen
15:59:27 Yeah, perhaps it's not a full minute
15:59:32 So I guess it's a feature?
16:02:56 that's not normal, i've never seen that here... it sounds like you might have some kind of firewall that's timing out the connection?
16:05:03 you might want to experiment with setting ClientAliveInterval on the server and see if that helps
16:05:08 (in sshd_config)
16:06:31 df -h says -394M avail?
16:07:12 anyway we don't think we'll succeed in compiling the kernel
16:18:17 it finished with -517M
16:24:09 cutting it a bit close
16:24:35 lw: i've especially seen it when the laptop comes out of sleep, but manages not to lose the tcp connection
16:24:52 rtprio: ah maybe then, i don't use sleep/hibernation on any of my systems
16:25:26 but in normal use i can leave ssh connections idle for days and they respond instantly when i go back to them (or maybe in 2-3 seconds if my shell got swapped out or something)
16:26:07 that's only on ones that are a prompt, if tmux is open, of course they get reset
16:30:56 In this case, the hardware in question is a RockPro64, and I'm not doing any explicit power management on it, other than running fand to control the case fan of the NAS case
16:34:59 I do have a pf-based firewall on it, but I've had this behavior before I've set up pf as well. So it might be my network router doing something funky
16:49:10 (though I should note that none of my Linux machines behave like this)
16:52:33 there any practical problems having a "-" in a jail name?
16:52:59 never seen any, i have lots of jails with - in the name
16:53:05 ty!!
17:18:19 wish jexec -l had completion
17:27:22 anybody running fbsd on their fw13 AMD? it seems like there was some movement on this a few years ago but can't find much now
17:27:29 fw13 = framework 13, sorry
17:27:59 if i have 2 dir trees, is there a unix util i can use to overlay 1 dir over the other, so that the overlay dir's files will be added to (overwriting when needed) the first dir
17:28:19 weirdly I can find more info about openbsd on it than freebsd
17:29:05 alepzi: i think you're looking for unionfs(5), but beware the comment in the manpage, which basically says it's broken, don't use it
17:29:47 how does scripted bsdinstall work then? it expands additional distribution.txz we give it over the base file structure. i want something like that
17:30:17 doesn't bsdinstall just mount the system to be installed at /mnt (or something) and extract all the dist files there?
17:30:57 dunno but what does it do to extract the extra distribution over the base file structure? just untars it?
17:31:01 is untar additive?
17:31:17 tar doesn't delete existing files unless the archive you're extracting contains the same files
17:31:37 bsdinstall does something like: tar zxvf /usr/freebsd-dist/base.txz -C /mnt; tar zxvf /usr/freebsd-dist/kernel.txz -C /mnt; ...
17:31:47 since base.txz and kernel.txz don't contain the files, all the files end up in /mnt
17:31:53 ah so i guess that's how. well if you already have the files in a separate dir, then i gotta tar it up then untar it to get tar's behavior? seems shitty
17:32:08 there's also rsync
17:32:16 you can do that with tar, rsync or pax, or perhaps even cp
17:32:17 rsync might be the ticket
17:32:19 rsync -va src_dir/ end_dir/
17:32:42 "cp -a /my/new/files/ /mnt" might be what you're looking for
17:32:49 is src_dir the dir you overlay to end_dir?
17:32:49 (although rsync also works fine if it's installed)
17:33:17 i'll read man cp and try cp -a first maybe
17:33:33 alepzi: It's the directory with the files that you want to move over into the second directory, overwriting existing ones if they exist
17:33:45 ty
17:34:07 this isn't an "overlay" though, it's just copying files from one place to another place
17:34:18 alepzi: it's not up to a binary to provide completions, it's up to the shell to make them easy to construct - that's one of the reasons i stick with tcsh
17:34:21 rsync is mostly used for synchronizing directories across the network, it works seamlessly with ssh, but it can be used locally as well. Though in that case, "cp" could be more efficient
17:35:20 debdrup: how would you add jail name completion to jexec -l ?
17:35:24 i normally use rsync even locally, but if this is on the context of bsdinstall, cp might be more available
17:35:26 in the shell i mean
17:35:47 true (re: cp being more available)
17:36:02 I normally use rsync because... swiss army chainsaw that never turned away a possible option. But cp is in base and available when ports are not.
17:38:03 if i got a /usr/local/jails/testjail/ can i just copy files from the host right into the jail's file structure?
17:38:17 And now, I have to figure out what kind of networking model to use for my server... I wonder how VNET jails interact with the main system's firewall, if they respect it or bypass it since they have their own network stack
17:38:29 alepzi, Yes.
17:38:31 yes, although there are security concerns with doing that, mainly that a malicious root user in the jail might create bad symlinks or something
17:38:38 yay!!
17:38:54 hmm
17:38:56 And I guess when I do create a jail with its own IP address, it will be visible on the LAN under that address? Or will it only be visible to the FreeBSD system? Do I have to set up NAT for it?
17:39:05 ya good point lw. better option?
17:39:05 Dooshki: jail has its own IP stack including its own instance of firewall. on the host, it just appears as traffic on the epair interface
17:39:27 Dooshki: if you want VNET jail to have external network connection, either use bridge(4), or configure the host to route packets to/from the jail
17:40:27 alepzi: 'tar cf - -C /some/dir . | jlogin myjail tar xf - -C /other/dir' although to be honest i usually don't bother with this
17:40:50 alepzi, lw's point is a good one. During provisioning of a jail there are no processes in the jail, not yet, so no malicious agents. But if you are routinely updating files in the jail after it has been containing a malicious agent then one needs to worry about all of the normal social engineering attacks trying to trick root into unsafe and exploitable behavior.
17:40:51 er, jexec, not jlogin (that's a local script i have)
17:41:47 lw: Thanks! You have no idea just how much time you've saved me :) (I know what direction to look into now when setting it up)
17:41:49 lw ah so you still use host root to shit files directly into jail file structure, but then you expand them into place from within jail. really smart!
17:42:29 * Dooshki 's setting up jails for the first time, thinks it's appropriate for a public-facing web server
17:42:46 Dooshki: i'm setting up jails for first time now too
17:42:58 i just got over the networking and fw stuff thx to rwp and lw and kevans
17:42:59 I just copy directly into the jail path without using jexec here. But the advantage of jexec is that it will use the configured jail path, in case that needs to be transportable between different systems.
17:43:08 Dooshki: one thing to watch out for, if your host firewall is set to drop packets by default, jail will also drop packets by default, so you need at least 'allow ip from any to any' firewall in the jail in that case
17:43:28 alepzi: from my .tcshrc: complete jexec 'p@1@`jls -N | awk \{\ print\ \$1\ \} | grep -v JID`@'
17:43:29 (ipfw drops by default, pf accepts by default unless you explicitly configure it to drop)
17:43:58 debdrup: wow that's amazing
17:44:02 (I've configured pf to drop by default; I found its configuration files a bit easier to work with than ipfw)
17:44:16 i wonder how hard the completion would look for bash
17:44:49 im using pf too but i wanna try ipfw some day since it's the native freebsd firewall
17:44:57 don't bother, ipfw is awful
17:45:05 that's sad
17:45:14 what does negative available space mean?
17:45:21 lol
17:45:26 Soni: It's space that's been reserved for the root user
17:45:31 lw: all firewalls should have a drop as the last rule; the main difference between pf and ipfw is that the latter will first-match-exit by default, whereas pf needs the 'quick' keyword to behave like this
17:45:35 Soni: is that a UFS filesystem? UFS reserves some % of disk space for root user, if you use that space, it'll show as negative available space
17:45:49 ah, and how much is reserved?
17:45:50 ipfw is a perfectly fine firewall
17:46:02 debdrup: i'm not talking about rules but about the default - absent any configuration, ipfw drops by default, pf accepts by default
17:46:14 but isn't that good?
17:46:15 debdrup: ipfw can't do IPv6 fragment reassembly, in 2024, that's a joke
17:46:20 ahh
17:46:28 ufs reserves 8% of the filesystem for the root user
17:47:45 lw: https://cgit.freebsd.org/doc/commit/?id=eb2e411915187
17:47:47 One thing that's kinda nice about ipfw is that it's more user-friendly in certain circumstances, it has direct integration into /etc/rc.conf where you can specify the type of your setup and parameters for the firewall... But if you need anything custom, you'll have to either write your own script to call ipfw or modify the existing one and have to potentially deal with updates overriding
17:47:49 it(citation needed)
17:47:50 errr, wrong link
17:48:01 https://cgit.freebsd.org/src/commit/?id=eb2e411915187 there's the right one
17:48:03 Title: src - FreeBSD source tree
17:48:08 ah alright, thanks
17:48:11 * Dooshki had set it up on that test laptop, but just didn't feel like doing that now
17:48:14 debdrup: that only does IPv4
17:48:18 Soni, You can print the minfree with "tunefs -p /"
17:48:34 debdrup: there's been an open PR on bugzilla for like 10 years to add IPv6 reassembly
17:48:58 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=170604
17:49:01 Title: 170604 – [ipfw] ipv6 reass broken
17:49:04 12 years
17:49:14 lw: what about the code makes it ipv4-only?
17:49:41 debdrup: they're separate code paths, the ipv6 code needs to call the kernel's ipv6-specific defragger... as to why no one has implemented it, i don't know
17:49:56 pf has done it for ages so clearly it can be done
17:50:20 puffy is just more passionate about networking, it seems
17:51:01 https://reviews.freebsd.org/D10533
17:51:02 Title: ⚙ D10533 Add IPv6 support to ipfw reass action
17:51:03 iirc there was some disagreement about whether IPv6 routers "should" reassemble fragments, because unlike in IPv4, they're not allowed to fragment packets
17:51:12 but a firewall clearly *must* be able to defrag packets to be useful
17:52:11 ya you don't wanna rely on well-formed stuff even from a router you control
17:52:17 it's still an external device
17:52:18 lw: if a router fragments IPv6 packets, it's not behaving according to the RFC
17:52:27 debdrup: i agree, that's what i just said :-)
17:52:41 so by all rights, throwing out those packets is more correct behaviour
17:52:41 but the protocol only says they can't fragment them, not that they can't defragment them, as far as i know
17:52:55 a firewall that drops all fragmented packets is not very useful
17:53:04 works fine
17:53:06 there are (sadly) still legitimate uses for fragments even in ipv6
17:53:11 like UDP
17:53:27 i've been using ipfw and ipv6 for quite a while now
17:53:41 well, ipfw for 20 years, ipv6 not quite that long :(
17:53:45 well if it's out of rfc i can see dropping it by default
17:54:09 it's not outside of RFC, the RFC says IPv6 routers can't *fragment* packets, it doesn't say they can't *defragment* them
17:54:34 IPv4 routers fragmenting packets was terrible and it's good that's not allowed anymore
17:54:48 lw: if it says that routers can't fragment them, any router that does is not behaving like it should, so those packets should be dropped.
17:54:50 lemme ask this, is it within rfc for a machine to ever receive a fragmented ipv6 packet?
17:55:08 alepzi: for ipv4 yes, for ipv6 it's debatable
17:55:17 debdrup: this isn't about routers -- imagine you have two end hosts (nodes) communicating with each other using fragmented packets -- ipfw cannot handle that
17:55:19 debdrup: debate is?
17:55:35 alepzi: yes, because if it wasn't, fragmented IPv6 packets wouldn't exist to begin with
17:55:37 lw is it within rfc for anything ever to fragment ipv6 packets?
17:55:41 from a security standpoint, it's easier to drop all ipv6 fragments because it means something is either not behaving properly or trying to attack you
17:55:54 fragmenting is perfectly fine in IPv4, the only change in IPv6 is that *routers* cannot take a single packet and fragment it into multiple packets
17:56:06 s/fine in IPv4/fine in IPv6/
17:56:08 robustness principle for networking no longer applies in a world of constant threats
17:56:09 the source endpoint can fragment ipv6
17:56:14 jgh: yes exactly
17:56:23 routers cannot fragment packets, nodes can
17:56:44 anyway, imma go back to 54 hours of trivia
17:56:47 ok so it's possible in the spec for a machine to receive fragmented ipv6, so ipfw should support reassembling ipv6 no?
17:56:55 alepzi: yes, and yes
17:56:59 debdrup, Regarding your awk above, NR is the awk variable for number of records aka line number. You can avoid the grep -v by telling awk to skip the first line the header line. jls -N | awk 'NR!=1{print$1}'
17:57:32 imma just link https://reviews.freebsd.org/D10533 again, though, because i feel like it was lost in the conversation
17:57:33 Title: ⚙ D10533 Add IPv6 support to ipfw reass action
17:57:43 if you want ipv6 reassembly, go test
17:57:46 i was just looking at that but it's 7 years old :-/
17:57:51 so what?
17:57:56 maybe i'll merge it into my local branch and see how it works
17:58:11 debdrup: so it's that old and no one merged it? that doesn't bode well for ipfw being maintained :-)
17:58:23 nice
17:58:37 ya help test and review the patch so it can get pushed in
17:58:39 lw: or maybe it means nobody uses ipv6 reassembly
17:58:52 rwp: yeah, you're right
17:59:06 write a vnet testcase that on 1 side sends fragmented ipv6 then on other side receives and reassembles and shit
17:59:28 whether i bother with this depends on whether i can get tayga+pf working for NAT64
17:59:35 I don't use tcsh so that completion was a foreign language to me. But I saw the awk...
17:59:42 why use nat in ipv6?
17:59:46 nat64 is the only thing that ipfw does that freebsd pf doesn't do (although openbsd pf does do it which annoys me)
17:59:58 alepzi: NAT64 is a transition mechanism, it allows IPv6-only hosts to access IPv4 hosts
18:00:27 lw: why not both?
18:00:28 oh like onboarding a 4to6 bridge
18:00:32 that's cool
18:00:32 it's part of 464XLAT / SIIT but it's also useful on its own, it lets you gradually phase IPv4 out of your network
18:00:35 debdrup: both what?
18:01:04 lw: pf and ipfw both doing what they should do
18:01:22 debdrup: i tried that and it doesn't work, pf drops all the NAT64 return traffic because it isn't aware of the connection state
18:01:41 i was trying to get ipfw NAT64 to run before pf does its filtering but i couldn't see a way to do that
18:02:10 how can we make /usr/src (3.3G) smaller?
18:02:21 Soni: did you clone it from a git checkout?
18:02:27 yes
18:02:35 Soni: delete it and rerun the clone with --depth=1
18:02:45 that will avoid pulling in the history, so you only get current files
18:02:58 --single-branch too
18:03:00 yeah except we want history
18:03:15 hmm can we run git gc --aggressive on this...
18:03:18 --single-branch -b releng/13.3
18:03:40 soni you get ipv4 fully disabled yet?
18:03:50 i'll bet debdrup knows if it's possible
18:03:59 please don't highlight me at random
18:04:11 maybe i should put NAT64 in a vnet jail that only runs ipfw, i guess that would work
18:04:12 sorry
18:04:12 alepzi: "not even close" (did manage to update to 14.0-RELEASE tho)
18:04:43 then i have to maintain an entire jail just to run a single firewall rule though...
18:04:47 there's a shitload of stuff i don't know; if i know the answer to something and i see it, i'll answer
18:05:12 lw it's more than a fw rule, it's a whole 4to6 bridge which is huge
18:05:18 i know there's at least one freebsd developer who uses ipv6-only
18:05:22 and good to have isolated away from pure ipv6 sweetness
18:05:31 NICE
18:05:33 but we do know how to turn off ipv4, we just need to deal with... this, for now
18:05:42 soni how?
18:05:55 alepzi: by rebuilding the kernel
18:06:08 is there just 1 easy bool to flip off?
18:06:17 net_ipv4_enable=false or smth?
18:06:25 alepzi: it is just a single firewall rule. it's the exactly same kernel code just with a different vnet identifier
18:06:46 think big picture my man
18:06:51 bit silly to install an entire copy of userland just for that. but it might be the least worst option
18:07:10 evaluate reass in ipv6 patch then. we need you!
18:07:22 the time for ipv6 is now
18:07:40 when messing with libc, do you need to rebuild everything?
18:08:00 that patch is both large and old which means it's probably not going to apply cleanly, and then i still have to deal with ipfw weirdness like not being able to add ::/128 to a table
18:08:32 i think my preferred solution would be to port nat64 from openbsd pf to freebsd
18:12:28 although in the meantime i think i'll try to work out why tayga isn't working, because it seems like it should do, the packets are just getting lost somewhere
18:15:00 i'd use pf nat64 if you ported it in
18:20:57 the problem is openbsd has diverged significantly from freebsd pf since it was imported, the syntax is completely different now
18:25:27 we're screwed
18:34:16 oh, i remember my other complaint about ipfw: it doesn't do state tracking for related icmp packets. both pf and linux iptables do that
18:39:07 lw: Are there any plans to sync FreeBSD's pf with OpenBSD's pf?
18:39:27 Mechami: as far as i'm aware this will never happen
18:39:38 Why is that?
18:39:40 the code in freebsd has diverged too much to make it practical, it's basically a hard fork now
18:40:12 we might do better to look at integrating NetBSD's npf, which looks quite interesting, although it doesn't do nat64
18:45:29 why do you want nat64 in ipfw?
18:49:05 if i answer that question are you going to give me another hour-long debate about "platd"?
18:51:28 actually, we would give you that either way
18:52:43 but we mean, you mentioned tayga earlier
19:15:36 so specifically we'd like to ask why ipfw over tayga
19:43:46 hey where'd security.bsd.allow_destructive_dtrace go?
20:15:57 in /boot/loader.conf or in /etc/sysctl.conf
20:16:18 no the sysctl is gone
20:16:23 sysctl security.bsd
20:16:55 Well then
20:24:27 ya wtf
20:28:34 Did you load the dtrace module?
20:31:53 V_PauAmma_V: it would show up in kldstat right?
20:32:21 It should, if loaded.
20:32:39 k so i don't think it's loaded. i guess that's why sysctl doesn't show?
20:33:17 That would be my guess.
20:39:00 ty
20:43:26 what's the normal way to do local dns resolution in a jail? use the host's unbound instance, run its own, or?
20:49:24 that really depends on what your needs are
20:49:39 what do you mean the MIB space security.bsd is gone?
20:50:40 alepzi: each jail gets its own unbound instance, you run a caching recursive resolver at the edge of your network
20:51:23 that box can also run a reverse http proxy, so that you can cache freebsd-update files
21:01:30 debdrup: so you run unbound in each jail, why not just point /etc/resolv.conf at a dns server ip? or maybe i'm not understanding
21:02:30 what happens if the gateway goes down, do you remember all your IPs on your network?
21:02:40 i don't see my jail running unbound. top only says top, cron, syslogd. and i can resolve domains because i put nameserver in /etc/resolv.conf
21:03:02 ah i guess that makes sense
21:03:34 so that's like 15M for each jail in ram just for dns
21:03:45 counterpoint: memory is cheap
21:04:17 what about making jails use the host's unbound by pointing resolv.conf at its ip? thinking is if host is down, jail is down too?
21:05:37 how much memory does your system have, and how much can it have if you max it out?
21:05:52 i'm guessing there's going to be places where you can optimize things a lot more
21:06:01 ya im just wondering
21:06:10 jails can't have their own kernel modules loaded right?
21:07:06 right.
21:07:16 can jails have their own sysctl settings?
21:07:39 no. they can have their own network stack and firewall rules.
21:07:47 and rc
21:08:39 and jails don't have a bootup process right? so anything in /boot that base expands there is just wasted space right?
21:20:28 For the counterpoint I point /etc/resolv.conf in my jails to the host and run one caching nameserver on the host for all of the jails.
21:21:05 I normally run a caching nameserver on every bare metal host.
21:23:26 alepzi, I think (not verified but I think) that is correct that nothing from /boot is needed in a jail but it is only 5.1MB on my system so not much savings and more work to avoid it.
21:24:57 Jails are typically configured to run through the /etc/rc and /etc/rc.shutdown process and that is after the /boot part of the process (on bare metal) but I would claim /etc/rc is still part of the "bootup" process. Just debating word semantics of "bootup" here.
21:33:44 alepzi: certain sysctl settings, such as certain network-related ones, can be set per-jail
21:35:12 how can we know which ones are per jail and which aren't jmnbtslsQE?
21:35:26 ty rwp
21:35:48 not sure
21:36:01 two notable ones are: net.inet.ip.forwarding, net.inet.ip.fw.one_pass
21:36:23 what about security.mac.portacl.rules?
21:36:36 i haven't tried it
21:38:28 let's find out!
21:42:11 does everyone love bastille or use something else for jails?
21:42:47 i'm just learning raw jails but after that i'll probably look for a manager
21:43:14 i run my own scripts using either nullfs basejail or cloning depending on the jail
21:44:52 i use /etc/jail.conf.d/
21:45:37 oh, and zfs clone from a snapshot
21:46:50 debdrup: are those a pain to update?
21:47:47 rtprio: not really
21:48:49 what's in your snapshot that you clone from?
21:49:09 buildworld DESTDIR=/jails/template ?
21:58:17 zfs+send image using poudriere-image(8)
21:58:39 no, sorry - zsnapshot
21:58:57 poudriere-image; i'm gonna have to look that one up
21:59:26 poudriere is the tool the project builds packages with, and it can also be used to build release images, and other things
21:59:45 wow
22:12:32 like yuck. x11 forwarding disabled by default in 14.
22:15:05 like yuck? what are we, two?
22:16:09 Like yes.
22:17:58 yep, too bad. cannot possibly change sshd config so you can never forward x again
22:18:07 what the hell, man
22:23:36 why's that bad?
22:26:37 Because it was default on forever.
22:27:02 And following upstream sounds like it just changed... no 20 years ago?
22:27:03 what's it do?
22:27:37 alepzi: Allows you to run/tunnel X11 over the ssh connection to your local X11 server.
22:31:01 is that to take away the feature in anticipation of moving ppl over to wayland that doesn't have the feature iirc?
22:32:49 I dunno what wayland has that's the same I think it's waypipe but it's all half baked last I read
22:33:34 I mean, I use X11 forwarding for clipboard semi-syncing.
22:38:18 alepzi: i doubt it; probably just to secure something that most people don't use
22:38:57 like removing telnet?
22:41:08 telnetd is not removed, but turned off by default, yes
22:41:17 make nc telnet-compatible with a flag and install it as a script that runs nc using that flag
22:54:22 bah
22:58:42 k so a jail can't set the security.mac.portacl.rules sysctl wtf? how am i supposed to let the caddy user listen on a port under the default port high limit?
23:42:25 lw
23:51:11 alepzi: if you can't get it to work, i'd recommend using NAT inside the jail
23:51:39 so that the desired port is available from outside the jail but inside the jail it's a high port
23:52:19 i want jails to be able to be more independent from the host system and admin work
23:52:32 is there no way to let a jail's bin bind to a low port?
23:52:49 ...without specific host configuration for each and every case
23:52:59 not sure. but i'm talking about NAT inside the jail (jail configuration)
23:54:18 if i can't find anything else i'll check that out ty. hope i can find a better way tho
23:54:41 seems like a shortcoming of jails that even vtnet jail can't have a bin bind to a low port by default
23:54:47 am i wrong?
23:55:36 i don't think so: as far as i know, at least in theory, root and non-root are separated within a jail just as they are in a non-jail
23:56:44 eh i think you might be too deep in the rabbit hole. think about it as a user, selling freebsd to linux ppl, "ya best container tech ever. also: bins can't bind to low ports lmao"