whats the correct command to update freebsd 14.0

?

warsoul: freebsd-update is probably what you want

thanks markmcb

warsoul: if you are on the last recent version, you'll want to 'freebsd-update fetch' followed by a 'freebsd-update install' and a reboot -- check out this link for more information and to confirm what steps you need to take: docs.freebsd.org/en/books/handbook/cutting-edge

Title: Chapter 26. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal

is there a simple way to "change" the uid/gid of shared folders over nfs to match the user on the client side? I have a simple use case that doesn't require the overhead of kerberos, but I also don't want to change that users id on the client to match the host

fluent-bit pkg has a bug? i enable it in rc.conf with fluent_bit_enable="YES", fluent_bit_group="fluentbit", fluent_bit_user="fluentbit". reboot server, sudo top shows fluent-bit running, but service fluent-bit status (rc.d/fluent-bit) says "fluent_bit is not running". fwiw /var/run/fluent_bit.pid exists -rwxr-xr-x fluentbit:fluentbit, not sure why

it's +x.

the bug was reported already bugs.freebsd.org/bugzilla/show_bug.cgi?id=269480 but i tried the diff and it didn't seem to fix the problem for me. any help is appreciated!

Title: 269480 – sysutils/fluent-bit: rc.d script should not use --daemon option when combined with daemon command

anyone know?

i'm too new to rc and daemon to figure it out

?

polyex: not sure about that package, but i've seen this bahavior when daemon options -p and -P aren't used correctly, maybe experiment with those

releng/14.1 just got branched for 14.1-BETA1

omfg yess

markmcb by "this behavior" talking about the weird +x part or service status not working?

tried everything i can think of, like -P and -p

still won't fucking work

anyone can help pls?

polyex: missed your question, please state again ^_^

fluent-bit pkg has a bug? i enable it in rc.conf with fluent_bit_enable="YES", fluent_bit_group="fluentbit", fluent_bit_user="fluentbit". reboot server, sudo top shows fluent-bit running, but service fluent-bit status (rc.d/fluent-bit) says "fluent_bit is not running". fwiw /var/run/fluent_bit.pid exists -rwxr-xr-x fluentbit:fluentbit, not sure why

it's +x.

the bug was reported already bugs.freebsd.org/bugzilla/show_bug.cgi?id=269480 but i tried the diff and it didn't seem to fix the problem for me. any help is appreciated!

Title: 269480 – sysutils/fluent-bit: rc.d script should not use --daemon option when combined with daemon command

tyvm

polyex: how does your rc.d script look now? it seems you could just remoev the --daemon from the end of the command_args

ya tried. didn't fix anything

also tried -P instead of -p

polyex: what does it say when you enable verbose: service -v fluent_bit restart

well restart won't work because it can't find the existing instance so i have to manually kill -9 it then start it. want me to do that?

polyex: well that's up to you but you might find something useful

just says fluent-bit is located in /usr/local/etc/rc.d \n Starting fluent_bit

ok just got it kinda working

get this...

the problem seems to stem from having daemon on in the fluent-bit.conf

seems it needs daemon off?

interesting bug of the day: pf(4) 'match all scrub (reassemble tcp)' breaks TCP connections to Amazon

ya the default rc.d doesn't even need to be changed

lol

polyex: lol good job solving it *highfive*

ty for helping

nowi just need to figure out how to configure fluent bit to actually work lol

anyone use fluent bit before?

polyex: a long time ago, i think it was quite straightforward

i want to output to an opentelemetry endpoint over network

polyex: just basic fowarding of java logs methinks

polyex: ok no clue there unfortunately

just saw in the fluent bit log, error permission denied, cannot open /var/log/mylogfile.log

from the input:tail plugin

the log file is 600 i guess that's why

ya there it's outputting over net now

it logs error tho, that http status 404 route not found

hmm

Two things, firstly whats with the FreeBSD mailing list sprawling... there is so many of them

which one is the main one?

secondly lw what mailing list did you say I should post my query about hardware RF switch?

Hi all.

Is FreeBSD (or any BSD or derivate for tht matter) susceptible to what Linux got with xz-utils? i.e. is there a more centralized checking of the code base that will prevent untrusted external sources comitting unchecked code?

the person built up trust in the project before commiting the act, so... it normal social engineering that anyone is susceptible to

deadrom: I asked about this back in March. Here's the discussion thread on fediverse floss.social/@subpop/112181350769874172

Title: subpop: "Genuinely curious, and not able to research much …" - FLOSS.social

The link doesn't go anywhere

wait, does in chromium, not in vivaldi. nvm

o_O

deadrom: It can happen to any OS, yes. It didn't affect FreeBSD, however

llua: the bit that worries me here and is what I've been getting gtom the Linux crowd as well is that it seems to be seen as ... normal that this type of thing happens. Yes, true, social engineering happened before, but at that scale, with such effort, and right into a central application as crucial as ssh? If blackhat X wants to gain access to a specific system, spies out its particular attributes etc, that's one thing, but infiltrating

the lock maker in general to by abble to open any house using their locks has a new quality to me.

zwr: well, it cannot happen lie this exaclty to any OS if the OS isn't open, one of the prerequisites here being that the attacker could build its scheme on the availability of the src code and play the helpful hand. Not possible to approach like that on say Solaris, or that, um, OS from that Redmond company.

Solaris has package management. Updating a program people use to introduce malware can be done without package management, in fact it's easier because there won't be anybody to veto your changes

deadrom, testing and code review by someone other than the committer are the only ways to stop this sort of code infiltration. This is how FOSS teams are supposed to work. Someone noticed an odd thing with the code, the code was reviewed, the bad code was discovered and fixed. The process worked.

unixman_home: that's not entirely true: someone noticed their openssh server took unusually long to respond and drew too much CPU. That caused them to investigate further. It was a rather close call. The code got into the testing repos exactly because nobody else looked into the code. Apart form the attackers. One overworked guy was maintaining xz-utils. that's what I'm all about, no FOSS distributor tells you they have such mechanisms as

a simple extra pair of eyes checkes.

zwr: if you install any package from anywhere you only have to blame yourself.

unixman_home: ultimately you suggest the thing that need to happen: all code needs to be checked by at least on additional trustworthy party.

Is there a usergroup I can add myself to so that I can execute zzz?

I would like to be able to invoke zzz from a keybind

i mean, you could have a doas rule that allows your user to execute just your specific command w/out password

polarian: i have been chgrp

ing zzz to operator for years with no problems

a ka naj shqiptar te gjall

the "source" command is missing even though I installed python. Am I missing a packages I'm unaware of?

entikan: "source" is a shell command

entikan: Try "." instead of "source".

ah there we go

thanks, mason

entikan: If you were using Bash, you'd have "source".

But it's the same thing, so I just use "." everywhere.

makes sense. Shows what I know thinking it was a python thing :)

FWIW entikan, when i'm creating a venv, i'm creating another user, installing bash, and using bash for that user, and then source bin/activate works

hey

scoobybejesus: I was tempted to install bash but after looking into it want to try it the bsd way first :P You wouldn't happen to know how to symlink directories in the site-packages?

since I updated some ports (in particular amavisd-new), it crashs when it tries to check an ED25519 DKIM signature with signal 6...

here is the output I got from amavisd: pastebin.com/d4GfJ6Qz

Title: /usr/local/sbin/amavisd[19629]: (19629-04) get_body_digest: reading mail body fr - Pastebin.com

you can just ln -s whatever you want, but ideally you don't need to. you generally just want to the python inside the venv to be called so that its got a proper path... i think

unfortunately I don't find any similar bug on the internet.. I don't understand since my ports are up to date

and I don't know how to debug that..

scoobybejesus: idk... it feels wrong writing doas in a script

and although I currently use nopass, it will not work if there is nopass because the command is forked into the background by the wm

concussious: chgrp'ing what exactly?

zzz is a command...

if you don't have any idea (and I think so since you don't develop these tools..) maybe you could tell me what you use in order to add protection to an smtp server to add antivirus and spam protection in 2024 (without using amavisd)

for a small smtp server

ClamAV... but nothing stops spam entirely. Firewalling whole countries and AS' helps, if you can

Its a little redundant as some spam will still get through, and when you start putting more barriers in the way you risk spamming legitimate emails

if you are a small smtp server you should be fine with just enforcing DMARC, and validating spf and DKIM

thanks

and what do you think about rspamd ? I just discovered it

rspamd is commonly used... but afaik it doesn't support IPv6 (and the developer refuses to admit IPv6 even exists)

really? where does he come from?!

in fact if rspamd is used locally as a milter we don't care about IPv6 no?

I think it only matters if you try using blacklists

ok

wait the IPv6 stuff can't find a source on... I must have got it confused with something else

it is just seasier to setup ssh on a jail than trying to remember jexec -u root <jailname>

is it? surely that is more attack surface area... why setup a jail if you expose another ssh instance you got to protect?

Also... I found that setting the brightness with xrandr (or xorg in any other way) seems to just make the pixels darker... instead of actually dimming the backlight... dimming the backlight works well if you use backlight(8) but there isn't any conf for it... what would be the best way to issue "backlight 50" on startup?

I have seen some posts on making it a rc service... but there must be a better way?

polarian: that is possible but i am looking at this as ease and this is a homelab

plus you do not allow password prompt logins, you have to have a valid cert. so minimizes that

voy4g3r2: well if its within a homelab, and isn't exposed to WAN... then maybe it isn't a big deal...

you could just alias jexec -u root no?

make an alias for it

yes, that is an option also

i do not want to be in jail as root but as a user i created for services i have running so it would be jexec -u root <jail>; su <user>; do work

now i just ssh <user>@<jail>

:)

whatever floats your boat...

yeah, it was just like.. why they heck am i doing all these extra steps

security sometimes requires extra steps :P

ssh may actually be more secure than jexec - freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc

ssh is unbroken

imho unbroken is the highest level in security

famous last words

polarian: chgrp operator /usr/sbin/zzz

then, a user in the operator group is allowed to operate the zzz command

oh...

which, to me, is consistent with the meaning of the operator group

I think this is similar to giving the user doas permissions

no, doas is adding an extra layer on top

doing it the way i suggested is using raw unix

so, from a security standpoint, doas and sudo are unbroken, but they're an extra attack surface, extra complexity, resource usage, etc

concussious: yes... but doas elevates you to root

while operator only gives you access to operator group'd permissions

so operator i would assume is better

precisely! my way doesn't elevate you. it simply lets the operator... operate sleep mode

but anyways I found I don't need to do this... I found the function key to do it instead :)

no keybind needed

oooh tell me more

concussious: I already use doas... sooooo

either one works

concussious: E6430 F1 key

lol

huh, thanks for sharing, but mine doesn't do that

there's definitely different ways of doing everything

any ideas on my other issue...

executing the backlight command on boot?

backlight is new since freebsd 13, actually this is my first time seeing it

thank you

lol

ive never figured out, after all this time, how to bind backlight and volume adjustment to keys

well its the only thing which worked

I have tried on and off for weeks

but I have been having a really bad headache for weeks...

and its from the brightness being at max... literally burning my eyes

50% seems to be a more comfortable brightness... plus saves quite a bit of power too \o/

concussious: I have function keys for volume on my E6430, they work out of the box

the mute button doesn't...

you could put the brightness command in your .login

and the brightness up and down keys do not work either

concussious: amazing idea, thanks!

putting it in .login is certainly not the best way to do it though

but i don't know a better way

hey... its a quick and easy solution

polarian: quick and easy solutions all around

lol

for console keybinding, i have used this: man.freebsd.org/cgi/man.cgi?kbdcontrol

Title: kbdcontrol

when in a gui.. i have used this: vhernando.github.io/xbindkeys-grab-keys-X

Title: xbindkeys: how to bind keys to commands (X window) - Vicente Hernando

i just use csh's bindkey

interestingly, "which bindkey" shows nothing

but "which which" says "which: shell built-in command."

after unaliasing which, i alias which to /usr/bin/which because it supports -a

anyone have fluentbit log collector running and outputting with opentelemetry?