01:37:44 jmnbtslsQE: making lots of progress getting a jail bin to bind to a low port without using fw forwarding
01:38:03 debdrvb gave link https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259149 that put me on the trail
01:38:05 Title: 259149 – mac_portacl not in affect when running VNET jail
01:39:45 i don't need to load the mac_portacl kernel mod, and i don't even need to set security.mac.portacl.port_high to 0, because portacl isn't used at all. all i had to set was net.inet.ip.portrange.reservedhigh=442
01:45:35 the jail host doesn't even need net.inet.ip.portrange.reservedhigh. only the jail needed it and it's working
01:46:23 i think why it wasn't working before is mac_portacl was enabled but the rules sysctl was set wrong so net.inet.ip.portrange.reservedhigh wasn't allowed to work
01:52:35 vnet stays winning
02:09:12 And the answer is, "ansible-config".
02:36:35 hello, has chromium (the browser) been removed from 14.0-RELEASE on amd64? I can't install the pkg, even though I see a port listed under www (and by jove I don't wanna have to compile that one)
02:36:51 is there ungoogled-chromium or smth?
02:37:04 not removed, no
02:37:06 nope, I also tried that one
02:37:12 probably just failed to build, or one of its dependencies
02:37:23 so what gives? pkg doesn't show it when I search for it etc
02:37:41 ah. So maybe a matter of wait and see
02:37:49 yeah
02:38:20 aight I see. Thanks everyone.
02:38:29 Hm, my how-to is maybe not a good one to follow.
02:39:11 kloinmpa: you can sift through here: https://pkg-status.freebsd.org/ if you have ipv6 or an ipv6 proxy and check out the ongoing build
02:39:22 (ipv4 front page, builders only accessible via ipv6)
02:40:32 ipv6 only, nice
02:40:46 and ppl say freebsd devs don't dogfood
02:40:55 thanks kevans, I'll have a look. Didn't know about that page.
02:41:33 iirc the cluster is all ipv6 primarily, the vast majority are dual ipv4+6 but some less critical things like builders lost their IPv4 to get allocated elsewhere
02:42:05 how hard is it to get ipv4 addresses now?
02:43:08 We haven't run out because of the ubiquity of NAT.
02:47:22 uh
02:49:05 is it normal for bins running in a jail to show up in the host's top?
02:51:09 yes
02:51:48 do admins like that? isn't it better to hide anything running in a jail from the host?
02:51:59 you can use -J to scope it down if you'd like
02:52:09 better in what way?
02:52:31 hiding them just gives you an incomplete view of what's consuming CPU on the system with little benefit to trade for it
02:53:02 ya i guess -J 0 works
02:53:38 (s/CPU/resources/)
02:55:29 alepzi: Hey, something occurred to me. You want to make sure - absolutely sure - that you've got good offline back-ups. You're talking about security knobs, and the biggest one of all is "I can come back from being nuked from orbit".
02:55:59 Especially since you're using ZFS, back-ups are very pleasant to do.
02:56:28 Also, you're doing a ton of good set-up work you'll want to have preserved regardless.
02:57:12 ya ty that's right. that's why i use scripted bsdinstall so all my configs are saved local
02:57:23 i never do manual setups
02:57:25 Good good.
02:57:38 i don't have zfs backups set up yet though but i will tyvm
02:57:42 I'm actually diving into Ansible here, with an eye towards cutting back on manual configs.
02:58:05 alepzi: I'd bump back-ups in priority given how critical they are.
02:58:32 ya and i run zfs everywhere so like you said zfs backups seem like a cinch
02:59:12 They become truly glorious when you consider things like backing up a few bytes of a giant database file thanks to snapshots capturing only what's changed. Even rsync can't compete with that.
02:59:41 ya that's nuts
02:59:46 and stored offsite all encrypted too
02:59:46 I mean, you still want to have explicitly quiesced systems for coherent back-ups, but it's still impressive and powerful.
02:59:55 so you can use dumb storage from 3rd parties
02:59:58 not need to trust
03:00:02 Take care if you're using native encryption. I'm still on GELI everywhere here.
03:00:13 is GELI native encryption?
03:00:31 GELI is FreeBSD's block storage encryption, as opposed to ZFS's new built-in encryption.
03:00:57 think zfs native encryption is still immature?
03:00:58 ZFS's built-in encryption is what would let you store remotely on an untrusted host. But it's rife with issues so far.
03:01:13 that's so sad. zfs has a good rep, why ruin it?
03:01:16 It's the primary source of data loss bugs in ZFS these last few years, as I understand it.
03:01:27 alepzi: Incomplete design, insufficient follow-through.
03:01:41 Not everyone gets bitten, but your back-ups are *not* where you want to be bitten.
03:01:49 that's a serious problem no?
03:01:51 Yes.
03:02:08 is it like, the original zfs geniuses left so now new stuff is added in a hacky shitty way?
03:02:26 The downside is that you have to be able to trust where you're sending your back-ups if you're sending to something that encrypts at rest using GELI or LUKS or whatever.
03:02:39 alepzi: If you ask PMT for some backstory, he's the best source of data nowadays.
03:02:49 ok ty
03:04:57 alepzi: This might be old now so it's best to ask, but https://gist.github.com/rincebrain/622ee4991732774037ff44c6768085ab#encryption
03:04:59 Title: Random ZFS notes WIP.md · GitHub
03:05:14 Ah, you're asking him. Better still.
03:08:56 alepzi: Anyway, best that you know now as you're still defining architecture.
03:10:11 tyvm
03:16:23 got 2 jails configured now!
03:16:27 nice
03:16:36 really liking this tech
03:17:09 alepzi: I'd still give some thought to golden masters and using ZFS to duplicate them. Might be faster than individual, unique installs. Copy the golden master, customize rc.conf so it has a unique identity, etc.
03:18:32 ya i'm gonna figure all that stuff out this week. last week i just barely got stuff working now i gotta clean it up
03:18:44 Random thing I whipped up to save time here: https://bpa.st/JQ3A
03:18:45 Title: View paste JQ3A
03:19:08 If I were slicker I'd automate running freebsd-update against the base before taking the snapshot.
03:19:12 oh nice ty
03:19:20 But you can do things like this.
03:43:56 After updating, my laptop now reboots itself instantly after X tries to start
03:44:02 Any way to fix?
03:44:09 I'm still able to boot into single user mode
03:46:52 sfox: Reboots, or X restarts and flaps?
03:47:30 sfox: Might be worth disabling X and snagging a copy of /var/log/Xorg.0.log to see what it reports, assuming it gets a chance to write before exploding.
03:48:00 sfox: Good place to ask: efnet, #freebsd-xorg
03:57:01 mason: the computer goes back to edk2. no trace of crash in /var/log/messages or anything
03:57:11 the last thing in the log before it crashes is
03:57:27 Apr 14 22:50:29 lappy kernel: VT: Replacing driver "efifb" with new "fb".
03:57:47 only way I can get back in is with singleuser mode or using an older bootenv
03:57:54 sfox: Nothing interesting in /var/log/Xorg.0.log ?
03:58:03 looking
03:58:36 unfortunately no. it's been replaced with the current version
03:58:49 sfox: I'd definitely ask in that efnet channel. They will probably home right in on why it's blowing up with the efifb -> fb swap, and they'll have better questions.
03:59:00 ok
03:59:06 can you invite me?
03:59:23 nvm
03:59:25 sfox: It's on the efnet network.
03:59:26 different network
03:59:30 And is open to the world.
03:59:33 yeah
03:59:35 what's the url for efnet?
04:00:47 sfox: There are a few: http://www.efnet.org/
04:00:48 Title: EFnet - The Original IRC Network
04:01:03 They seem to have a webchat too if you don't want to add anything to your client.
04:06:57 i managed to connect it was just extremely slow
04:07:34 A regular client might be faster and less painful then. I stay connected to the network. It's useful.
04:07:41 There's a fair amount of FreeBSD stuff there.
04:07:57 sfox: https://wiki.freebsd.org/IRC/Channels
04:07:58 Title: IRC/Channels - FreeBSD Wiki
04:11:59 sfox: I think folks there might tend towards European hours, so have patience and good luck.
04:12:17 Hitting the sack here.
04:15:15 i'm not sure why but it's working again now
04:15:19 i removed drm-kmod
04:24:05 freebsd does a lot of weird stuff to my computer
04:24:16 for example resume doesn't work all of the time
04:24:25 it only suspends my laptop when I open the lid not close it
04:24:49 and some of the time when it turns back on the power light will still be flashing like it's suspended despite it being on
05:02:08 why wouldn't the pflog service start in a jail? pf is enabled. i try service pflog start and it says Starting pflog. but then service pflog status says it's not running. nothing goes in the jail's console log either
05:14:55 alepzi: is /dev/bpf unhidden in the jail? is it a vnet jail?
05:15:27 (anything in syslog?)
05:18:20 jail's syslog different than jail's console log?
05:18:51 btw /dev/bpf doesn't show up in the jail
05:19:12 is there an allow. for that?
05:20:34 this is where you end up having to dive through the land of devfs rules
05:20:55 i'm using devfs 5. i guess that doesn't enable /dev/bpf?
05:20:58 see jail(8)'s devfs_ruleset, devfs.conf(5)
05:21:09 you have to explicitly unhide
05:21:14 ah ok
05:21:37 should i modify how ruleset 5 is configured or make a new one like 6?
05:21:46 preferably make a new one
05:22:25 5 is a good starting point for vnet jails, you might not want them all to be able to do bpf
05:27:55 ok i'll copy all of 5 in /etc/defaults into a new one then add the bpf line to it, ty!!
05:32:45 you don't necessarily need to copy, fwiw
05:32:56 you could just "add include $devfsrules_jail_vnet" then unhide bpf
06:25:49 is there a way to call /bin/sh and pass the command to execute on the command line or perhaps use echo "commands" | /bin/sh
06:30:45 crb__: isn't it /bin/sh -c ?
06:31:06 the echo seems to be working, but I'll go look at -c now
06:31:50 my sh on my linux box seems to have no options at all :-/
06:32:42 comrad that's actually where I really need it as I want to execute /compat/linux/bin/sh and give it a string of commands to run. echo ""| /compat/linux/bin/sh seems to work ok
06:33:35 yup that works here as well: echo "df" | /usr/bin/sh
10:01:43 lw: you could reply to https://lists.freebsd.org/archives/freebsd-hackers/2024-April/003155.html and mention that not only have you used /rescue recently, you have a couple changes to it, and link them? ;)
10:01:45 Title: Re: Question regarding crunchgen(1) binaries
10:04:09 debdrup: i saw that but i found the OP a bit odd and didn't think the thread would go anywhere useful -- i'm sure no one is going to remove rescue or crunchgen any time soon
10:05:06 fair enough
10:05:20 (also i just nagged imp to commit a bunch of PRs, should probably wait a bit until i do that again :-)
10:14:19 create a new branch, make a minor package change, wait an hour for a complete buildworld before i can test it... there has to be a better way to do this
10:16:33 maybe i should make one branch, commit all changes there and submit them as a single PR
11:57:51 jexec -l testjail /bin/sh -c "echo -n '$6$7asdf...' | pw useradd -n user -G wheel -s bash -m -H 0" <--- why does it strip $ from the pass hash?
11:58:37 because you used "" for the outer quotes, so your interactive shell interprets the $
11:59:05 # /bin/sh -c "echo $PWD"
11:59:06 /root
11:59:27 do i escape the $ with \ or is there a better way? like nested single quotes?
12:00:19 nested single quotes are very awkward in /bin/sh, but you could just do echo -n '$6$...' | jexec testjail pw useradd ... (if i understand right what you're trying to do)
12:00:35 no i need jexec to run it
12:00:48 my command has jexec in it, i just moved it after the pipe
12:00:48 ah
12:00:54 ya sorry missed that
12:00:54 echo command doesn't need to run in jail
12:12:36 works!
12:19:19 lw can we also do: env ASSUME_ALWAYS_YES=YES pkg install foo < /dev/null | jexec -l testjail cat ??
12:20:27 i'm not sure what you're trying to do there, did you mean sh instead of cat?
12:21:04 env ASSUME_ALWAYS_YES=YES pkg install foo < /dev/null | cat is the original command. i guess the cat clears trailing output or smth?
12:22:15 ah that's probably to prevent it from doing something it does when stdout is a tty (coloured output maybe? dunno). but no, you'd need to use sh -c '...' for that one since you need the entire pipeline to run in the jail. although i suppose you could do jexec pkg ... | cat, so cat runs on the host
12:35:40 tyvm
14:16:31 <[diablo]> Good afternoon #freebsd .. guys I need to source an rsync binary for FreeBSD 11 ... does anyone know where I could get one please?
14:16:46 "pkg install rsync"?
14:17:01 <[diablo]> hi lw ... sadly it's to run on a Dell PowerScale ...
14:17:28 <[diablo]> can't install via that.. just need the binary. They removed rsync from PowerScale apparently quite recently
14:18:10 <[diablo]> plus it has no internet access..
14:42:07 [diablo] I don't know why rsync was removed from Dell Powerscale, but if it was removed, it was for a reason. It seems that rsync was deprecated: https://www.dell.com/community/en/conversations/isilon/rsync-removed/647f9e0df4ccf8a8de297074. rsync uses basesystem shared libraries such as libc and libcrypto. So possibly the latest versions of rsync can no longer be installed on FreeBSD 11 due to incompatibility of base system libraries. And to prevent rsync from being deprecated, they chose to remove it.
14:42:33 <[diablo]> hi devnull
14:42:51 <[diablo]> so, I've just grabbed a 11.0 ISO, installed it in Proxmox, built rsync from ports...
14:43:28 <[diablo]> have the binary.... now toying with the idea of bringing over to the powerscale.. Problem is we've 35TB+ of small files to get off a RH GFS2 cluster, and quick
15:02:39 <[diablo]> copied it over, works
15:49:10 what is the 'size' argument to uma_zcreate()?
15:49:20 uma(9) is rather vague about this
15:50:57 the size of object to be allocated from the zone
15:51:09 ah, this is a fixed-size allocator, ok
15:51:18 yeah
15:52:38 and you can just uma_zdestroy() the entire zone when you're done, no need to free/cleanup anything?
15:53:11 you still have to free anything that was allocated from it prior to destroying it
15:53:20 ah
16:15:32 ok, along with counter(9) this is actually quite a bit nicer than netbsd's percpu stuff
16:26:32 #fsf
16:26:42 Oops.
17:34:32 what is going to happen with removal of 32-bit platform and ARMv7? i understand part of the justification for removing 32-bit is that it simplifies a lot of primitive operations if you can assume (e.g.) 64-bit atomics, but plenty of new ARMv7 devices are still shipping today
17:37:12 New at what rate?
17:38:00 i don't know specific production rates but if you look at Marvell for example, they have plenty of networking-related SoCs you can still buy... not sure about Qualcomm or others
17:42:58 i assume this is why ARMv7 was specifically exempted from the 32-bit removal, but if you still have one 32-bit platform left, you're not really getting any of the benefits of removing 32-bit?
17:44:49 iirc the long-term goal is still to remove armv7, too
17:44:58 it's just that it was granted a temporary reprieve due to complaints
17:45:04 It seems there's ARMv8+ that's still 32-bit
17:45:17 we don't support armv8+ as 32-bit, though
17:46:47 ah
18:06:14 only COMPAT32
18:18:36 right, but COMPAT32 on an aarch64 kernel still isn't armv8+
18:18:42 strictly
18:44:29 how do I get sudo crontab -e to use my specified $EDITOR?
18:45:09 my normal user and root both have EDITOR and VISUAL set correctly, but sudo (for security reasons?) doesn't use them?
18:45:19 adonis: use 'sudo -E', but i believe this can be blocked by sudoers(5) config
18:45:33 (not 100% sure about that)
18:46:07 lw: thanks! yup worked
18:57:08 adonis, Instead of using a user-specific crontab for root, I always use separate /etc/cron.d/taskfile for system level cronjobs. One file per task. It's nice to keep things that way because then to remove the task specific crontab the entire file can simply be removed. And the organization of it is nice to see what is happening easily.
18:57:54 rwp: ok, yea that does sound nice
19:04:10 Note that the /etc/cron* crontabs have a field for the user to run the task in the field before the command line. The user-specific crontabs are run as the user and so do not have that field. It's a very minor difference but one that sometimes snags people.
19:05:06 in freebsd 16.0 you'll be able to use rc.d timers for that! (wait... is it still April 1 or am i too late)
19:05:37 You are a day late and a dollar short!
19:28:30 hi guys, is anyone using microphone in chromium?
19:36:45 nevermind: camera/mic works on firefox/google meet on 14.0R
19:40:15 adonis: if you don't want to type 'sudo -E' every time, also look at sudoers(5) and in particular the env_check/env_keep options -- however be aware that allowing EDITOR/VISUAL can open security holes if you're using very fine-grained sudoers rules
19:40:32 e.g. 'env EDITOR=/bin/sh sudo -u someuser crontab -e'...
20:09:02 poll: does anyone here use RIP/RIPng?
20:11:59 might not be a bad idea to cross-post that one to -net@
20:13:11 bit late now :D no one replied to my last mail to net@ anyway, it seems pretty quiet
20:13:47 bah
20:15:44 i do wonder if freebsd could do with fewer lists tbh
20:15:55 like -stable / -current / -hackers could easily be a single list
20:18:32 it's not like 2002 when people actually used freebsd (ooh harsh)
20:22:24 what was different in 2002?
20:22:42 sfox: Linux was awful back then and FreeBSD did everything better
20:22:54 now Linux ate the entire Unix market, including BSD
20:23:30 i mean in absolute terms there's probably more freebsd users now than there were then, but market share is definitely smaller
20:23:39 it seems to be returning that way
20:23:55 I converted from Linux
20:24:13 already switched my servers over
20:24:30 right now just putting up with the suffering from doing it on my laptop
20:24:58 I'm sure these issues i'm having are fixable, they just take longer
20:25:12 but the help i do get when i get it is higher quality
20:26:17 at age 28, growing up with both, linux is plug and play, but freebsd is actually elegant.
20:27:08 i quit trying to understand both when the clear-linux devs told me that they deprecated manpages. takes all types of brains, but you gotta get in where you fit in
20:27:44 \
20:29:09 if i could just get my wacom drawing tablet to work and suspend/resume working i'd be happy enough
20:30:32 suspend resume required acpi_ibm_load="YES" in loader.conf for me.
20:31:23 my wacom device strangely works with no configuration in vt(4)
20:31:49 only in vt4?
20:32:15 yes, I never got it working in x, but I haven't really made it a serious study
20:33:42 the other thing that just magically works outside my understanding in vt(4) is ytfzf
20:34:32 i didn't know tablets work outside of x
20:35:15 i have acpi_ibm loaded
20:35:21 it seems it doesn't work
20:35:37 the laptop only resumes when the lid opens not closes which is backwards
20:35:50 and when it resumes it starts up like a coldboot
20:36:05 while the power led still flashes despite screens and fans on
20:36:08 it's really weird
20:36:49 okay, well, I never got it that far. my suspend works with "zzz", one of the cutest bsd traditions
20:37:09 when I shut the laptop it just dims the screen and keeps running, which is what i want.
20:37:55 it doesn't care about opening or closing, it resumes from suspend when I hit the power button
20:40:11 is zzz different?
20:40:32 see zzz(8)
20:40:41 doesn't seem so
20:49:38 kevans: i caved and asked net@ as well, you're very persuasive
20:50:20 tbh I'm not sure that 'too many' lists is necessarily as much of a problem as the kind of people likely to audit these lists
20:50:32 how do you mean
20:50:42 this proposal will almost certainly draw out people
20:50:51 ah yeah
20:50:59 the trolls who live in the bike shed
20:51:11 you're more likely to get any kind of feedback with something remotely incendiary
20:56:16 that's ok though, i only need to convince imp to commit it :D
20:56:41 he is always like "ask arch@ this" "ask arch@ that" well now i asked arch@, he never said i needed to listen to the replies :-d
20:57:02 (i was pleased to learn about git-filter though)
20:57:41 silence is also a good thing
20:57:54 then you can slap a "No objection from: -arch@" on it
21:01:23 i've been seeing this message a lot from pkg recently, not really sure what to make of it: Cannot solve problem using SAT solver, trying another plan
21:04:00 Hi! In a Linux Jail recently created (debian), when I ping 1.1.1.1 or an internal address, like 192.168.100.111, it doesn't do anything, just returns without error. In jail.conf I allow raw_sockets and sysvipc, also configured an ip4.addr (also apt update works, also curl, so network is working).
21:07:13 Um. . .. "just return without error?"
21:08:10 CrtxReavr: yes, just returns
21:09:05 autoboot_delay doesn't affect jail startup time right? :>
21:09:57 correct
21:10:01 autoboot_delay is purely a loader mechanism
21:10:16 in a properly running system, the ping command should return the ICMP response or unknown host, but in this case it doesn't do anything.
21:10:50 so a jail doesn't have loader, bootup, kernel start. does a jail startup ONLY run rc and then... it's running?
21:11:12 correct, and it doesn't even need to run rc necessarily
21:11:31 it's like a literal virtualized OS right in the kernel API
21:11:36 the bare minimum you need for a jail is to will it into existence, you can run whatever you want inside it
21:11:37 technically it doesn't need to run *anything* just to exist
21:11:50 you could start an empty jail with persist and then just jexec into it when you want to use it
21:11:53 like a virtual OS instance context handle
21:12:25 (in fact i think this is more or less what poudriere does)
21:12:39 so like all the subsystems of an OS that can be virtualized, do get virtualized by jail. very cool
21:12:57 does anyone run puppet inside a jail? or would that be a dumb idea?
21:13:03 freebsd_host.init(jailname);
21:13:14 mmm, from root ping works as expected, but not from a user...
21:13:15 rtprio: i've never tried it but i used to run puppet inside Solaris Zones all the time, i don't see why it wouldn't work fine in a jail
21:13:33 freebsd is the best OS to ever exist
21:14:00 rtprio: just brace yourself for the cpu/memory usage of like 10 jails running the puppet client, i guess...
21:14:21 they're already in VMs. and splay is on
21:16:35 you know i was complaining about the size of FreeBSD-utilities earlier but...
21:16:37 [3/5] Fetching FreeBSD-kernel-lf-15.snap20240415210320.pkg: 100% 42 MiB 43.8MB/s 00:01
21:16:37 [4/5] Fetching FreeBSD-kernel-generic-15.snap20240415210320.pkg: 100% 49 MiB 51.1MB/s 00:01
21:16:37 [5/5] Fetching FreeBSD-utilities-15.snap20240415210320.pkg: 100% 10 MiB 10.0MB/s 00:01
21:17:13 i'm pretty sure it does get a bit bigger with all the libraries it depends on though
21:17:48 and gems
21:17:50 yep
21:18:03 oh that's not puppet related
21:18:07 just base packages
21:19:54 seems like a base jail for me (sshd running, pf/pflog..) takes 50mb ram, and add a basic web server running 100mb ram
21:19:57 that's pretty good
21:20:10 50MB sounds like a lot, how did you calculate that?
21:20:24 unbound, sshd etc
21:20:31 just looked at the RES of sudo top
21:20:57 for me sshd has about 10MB RSS, syslogd is 800kB, cron is 700kB
21:21:07 unbound is pretty big though, 49MB
21:22:15 alepzi: this is funny - I'm where you were yesterday, puzzling over the fact that security.mac.portacl.rules can't exist for each jail independently, despite vtnet.
21:22:28 850MB for a 13.3 jail in disk
21:22:34 lol
21:22:38 i can help
21:23:00 alepzi: I read the discussion of port twisting inside the jail, and I'll probably go that way.
21:24:05 I don't like the idea of changing the global defaults on the host for something only one jail needs, or related, allowing one UID that exists in one jail to do something and having that UID now privileged across the whole system.
21:24:16 mason: VNET is awful technical debt, not sure more things want to be added :-(
21:24:35 although i do agree portacl should work in jail somehow
21:24:50 lw: I'll accept that. Was just surprised. As I do more in jails and less in LXC the differences are starting to pop out a bit more.
21:25:09 yeah, linux namespacing is a lot more developed than freebsd
21:25:23 i find freebsd equally useful in practice but i wish it was... better
21:25:29 mason: no it's easier. just get rid of portacl
21:25:31 i'd really like to go back and virtualize time
21:25:51 kevans: ntpd in every jail?
21:25:53 kevans: We could shard ourselves. Very productive.
21:25:58 mason: don't even need to set anything in the host. on the jail set net.inet.ip.portrange.reservedhigh to 0 or the lowest you need
21:26:00 that's it
21:26:33 lw: not ntpd, no; I just want to be able to operate jails on some offset from the host on occasion
21:26:43 alepzi: Oh, I thought the idea was that there weren't separate sysctls in jails.
21:26:50 i've had to look at the actual implementation of vnet recently and it's really not pretty... seems like the idea was to require the least amount of changes to src to implement it
21:26:54 for this oid there is, it's vnet specific
21:27:05 alepzi: Nifty. Thanks. You just saved me some pain.
21:27:07 but mac portacl is host only, no jail, and it's global
21:27:10 ya np
21:27:12 kevans: i'm really curious what your use-case is?
21:27:30 kevans: you could always create a custom timezone :-)
21:27:47 lw: originally it was freebsd-update's build server; it does two builds a number of years apart to suss out changes strictly due to time changes
21:27:56 huh that's weird
21:28:04 I really didn't want it screwing with my system clock
21:28:19 kevans: this will be easier once 9p lands and you can create a vmm from a jail
21:28:47 if that ever happens... the review seems a bit stalled
21:33:55 even if i set a jail's root as locked, pw lock root, from the host i sudo jexec testjail to get shell
21:33:57 as root
21:34:21 pw usermod -n root -w no, same, jexec gave me shell
21:34:22 jexec does not care about PAM or passwd unless you use 'jexec login -f root' or something
21:34:34 it just becomes the uid then enters the jail, jail cannot stop that happening
21:35:00 so superuser on host gives superuser on all jails
21:35:13 correct, this is unavoidable as host root has full control over the entire system
21:35:22 you could perhaps partially mitigate this with securelevel if you really care, but...
21:36:17 (i am pretty dubious about securelevel as a security mitigation in general, it's not 1992 anymore)
21:37:31 Would securelevel interact with this somehow?
21:37:44 well you could set the entire jail schg
21:37:54 i'm not actually suggesting this would be useful :-P
21:38:13 lw: Immutability wouldn't stop execution though, unless I'm missing something.
21:38:27 mason: no, but it would limit what you could do - i did say 'partially mitigate'...
21:38:31 kk
21:38:42 of course you could stop the jail and start a new one, so
21:38:46 Alright, yeah, schg and then the securelevel doesn't allow for that to be modified.
21:41:29 bsdcat(1) is weird
21:41:46 you'd think it's like 'the BSD version of cat' but actually it's an archive decompression utility (like gzip -dc)
21:42:30 you mean zcat on linux?
21:42:35 yeah, like zcat
21:42:43 weird
21:42:53 did you know vim can operate directly on compressed text and gpg encrypted text?
21:43:08 damn that's slick
21:43:26 it's really nice especially when searching logfiles
21:43:47 * kevans has been contemplating a tac(1) implementation in our cat(1) recently
21:43:50 lw consider replacing your uses of gzip with lzip
21:44:02 imagine using vim when vi is in base. (actually i use vim a lot but i'm sure i don't use half its functionality... i only know it can browse directories because i keep doing that by accident)
21:44:12 https://www.nongnu.org/lzip/
21:44:13 Title: Lzip - LZMA lossless data compressor
21:44:18 sfox: i don't use gzip, but yes, i'm already looking at switching from xz to lzip for my archival storage
21:44:19 it's a much better archive format
21:44:59 mostly because of that article the lzip author wrote about xz
21:46:33 well i tested it and the file sizes are only slightly bigger
21:46:42 but compression and decompression is much faster
21:47:01 tooling feels a little less kludgy too and tarlz is nice
21:50:12 so if a jail only needs to bind to port 80 no lower should net.inet.ip.portrange.reservedhigh be 0 or 79?
21:50:55 alepzi: if you're not running anything on lower port (22, 53, ...) it doesn't really matter
21:51:28 ya im just wondering what other admins do
21:51:58 omg why does usr.sbin/bsdconfig have so many Makefiles
21:52:13 it's okay to put more than one file in a directory guys
21:58:40 does a jail need /etc/ttys at all?
21:59:18 no, but jails also don't run init, so /etc/ttys is completely ignored
21:59:59 but /etc/login.conf is used right? like if a user ssh into jail
22:00:27 yes
22:13:39 Sigh. The FreeBSD-packaged gitea web installation is yelling about a missing pg_hba entry, despite my saying "here, use this database over on this other system"
22:14:08 isn't there a gitea fork?
22:14:09 Oh, I wonder if there are client packages missing.
22:14:13 alepzi: Forgejo
22:14:19 ya maybe try that?
22:14:35 with a crap name like that it HAS to be good
22:14:36 Well. I could. But maybe this is missing client bits.
22:14:39 hah
22:15:48 watching a jail's console log from host while starting it is cool. is that how freebsd devs iterate faster?
22:16:31 i've never had a need to reboot the system to test something that wasn't a kernel (which can't be tested in a jail)... maybe useful if you're testing rc.d changes
22:17:33 bhyve is basically equally as boot to boot if you need that though
22:19:29 ah ya
22:24:59 I've really been digging bhyve for testing as of late
22:29:08 kevans: do you have a quick way to create/boot a bhyve vm from a src tree? i'd find that pretty handy
22:29:56 how do you see it working lw?
22:30:16 make buildworld; make buildkernel; boot_bhyve_vm; login: root
22:41:05 how does jail_parallel_start="YES" conflict with jail_list and jail_reverse_stop="YES"?
22:41:19 like you can't have parallel and reverse set to YES at the same time right?
22:43:57 or parallel means with other OS subsystems and not between jails