it would be helpful if we could even figure out how to mount the drive in the VM...

kinda hard to copy it or shrink it if we can't even mount it

mjp, Reading man zfs-remove it says "Top-level vdevs can only be removed if the primary pool storage does not contain a top-level raidz vdev, ..." which limits the useful ability of that recipe. I mean working on mirrors is great and mirrors are very common. But not working with raidz vdevs is limiting because large arrays are always raidz vdevs. Though again probably it's unusual to want to do this with large arrays.

Soni, You can't boot the VM?

rwp: we can boot the VM but that doesn't help us

we don't know how to attach the filesystem we're trying to shrink

If you can boot the VM then I would boot the VM and rsync the data over to any other storage location. Then rebuild the file system. Then copy it back. That's most reliable.

You said VM so I might assume it is at a cloud host, because if in the local office things would be easier to backup onto a local disk. At a VM hosting company one could temporarily rent out a little bit of storage space for anything that was there. Then release it after the backup-restore cycle had completed.

And if it were me I would definitely feel less stressed if I had a full backup before doing the operation. Just in case something goes wrong. You make your own luck.

this is a qemu VM running locally

on a linux host

look we can't read UFS on linux

hence why this requires a VM

Ah! For me that would make things much easier since I would then just rsync the data over to my desktop where I have a lot of space, or over to my NAS where I have even more space! But I assume you don't have such luxury. :-(

but we can't figure out how to make the UFS filesystem visible to the VM

people may knock it but my office365 cloud space was a LIFE SAVER when my synology died

so basically we're stuck at "nothing can read UFS"

bsd reads ufs ^.^ (sorry for trolling, I'm done)

Install FreeBSD on a new VM and use it to mount the block storage space of the other VM?

mount -t ufs not available?

Since I have given my thoughts and brainstorms I am going to back out wishing you Good Luck at solving this problem. Real life is calling me afk right now. Good Luck!

mount -t ufs <device> <where you want to mount it>?

qemu-system-x86_64: -blockdev driver=raw,node-name=ext,read-only=on,file.driver=file,file.filename=/dev/sdc: 'file' driver requires '/dev/sdc' to be a regular file

this is the linux BS we're struggling with

so the qemu is operational? but you can nto just mount the ufs inside the qemu

i know this is unhelpful right now, but this is why i vehemently oppose "remove X because X is old and probably has problems". like, show us the problems or hush. linux deprecated ufs because it's "old and broken" but it's not broken, the original author is still maintaining it and adding new features even.

we are having problems right now with other people deprecating stuff because it's "old and broken" that is actually just very stable.

soni, did you try nomadbsd?

it's like a livecd of freebsd with a desktop

anyway, we think our question (how do you shrink) is answered (you don't)

unless anyone wants to help us with qemu on linux

okay, sorry

maybe if we knew why you wanted to shrink it we could try to help you find an alternative solution to your problem

we can just move the files

in theory

if we can figure out how to get this thing to work

is there any freebsd tool that something like ubuntu's needrestart?

implying we know what needrestart is

after updates it tells you which process need to be restarted and can automate that

markmcb: checkrestart

And just assume you have to restart during most freebsd-update's

Not always true but a safe thing assume if it'

's outside of soemthing that isn't core

skered, thanks

I'm beginning to think that the description for file descriptors should have the keywords "standard streams" because wikipedia and others are calling them that now. Is this reasonable? I'm having trouble smithing a document description to that effect.

I also kind feel like the wikipedia article is what needs to be fixed, and not our manpage.

file descriptors to be honest make me think it is ALWAYS a file.. and one could say STDOUT is a file, along with anything else.. but you could just in theory pipe it to a terminal

i like the standards streams concept but you know.. manual pages :)

i probaqbly should of did this jellyfin ports install with a ports manager.. the amount of entries required by the user is crazy

currently we have "fd, stdin, stdout, stderr – file descriptor files"

I suppose you could say the Unix definition of a file also includes things that aren't in the filesystem

and sometimes i do not trust wikipedia but that is just me

never trust wikipedia. I started editing wikipedia when i was 8 years old.

you said never, i said sometimes

it is on the list of source for verification just not the sole source of truth, that is all

in freebsd, experts review my PRs. in wikipedia, there's just a bot that oftentimes reverts important details

I was also half-joking. i read wikipedia everyday.

but, i have tried to fix incorrect information on there and had a bot revert it.

i just think of the The Newsroom episode where they tried to updated wikipedia due to an error.

honestly if an impassioned child is writing textbooks, that's probably pretty good quality vs someone who is mad at their wife on the way to work that they view as "getting their hours in".

markmcb, Look at the output of "freebsd-version -kr" and if they are different then you need to reboot.

I'm extremely concerned about the proposed WYSIWYG editor for the handbook.

The FreeBSD Handbook is one of the finest tutorials in all of computer science. It's written like the best textbooks I've saved up money for.

Archwiki is a very, very high quality resource which is a completely different type of thing with a completely different level of professionalism which is completely out of place in the handbook.

can anyone clarify what to do ebout cpu frequency and intel speed shift. now that latter is enabled, i have set epp to 100 to have maximum powersave, i seeing that cpu frequency is at 800MHz ( as expected ). when epp is that at 0, then it goes all up to 2000MHz. However, this cpu base frequency is 1800Mhz with turbo-boost up to 4000MHz.

Title: Intel Core i78550U Processor 8M Cache up to 4.00 GHz Product Specifications

question is - i want to run poudriere build at max possible freq to speed things up, and then go back to maximum powersave

where is to set that and how?

termbin.com/i0rq < -- dev.cpu sysctl

termbin.com/s6pp relevant part for hwpstate

How are you controlling the cpu frequency? powerdxx?? One could restart "powerdxx -a max" for the build and then restart it again with defaults afterward.

powerdxx is obsolete with intel speedshift

i.e not working properly

as well as powerd

Well... I have older systems and I need powerdxx on my system. powerd does not work at all on my Intel E3-1240 cpu.

so, then, maybe someone else can help

hopefully

rwp: Ah, that's too bad. I thought the idea was for powerdxx to be deprecated as powerd caught back up.

for a new laptop should i install 14.0 now or 14.1 beta

or wait for final 14.1?

nomia: you can always install 14.0 and upgrade once 14.1 is out

rwp, thanks but i was more looking for something that focused on packages and the services they provide, e.g., if i have 10 servers running service xyz, and an update to the package is pushed, i'd like to be able to say "if xyz gets an update, restart the related service"

o/

o/

dstolfa: ok thx

i was just wondering if i should wait

/dev/vtbd2p2 899G 24G 803G 3% /mnt/oldinst

yeah... can we shrink this?

it is ufs

*sigh* where are we gonna shove 24G...

24G in freebsd is how much again?

okay that is powers of two

oh good we were wrong - we only need 1.2G

nomia: 14.1 seems to have some good things coming up, so it'll probably be worth an upgrade but the upgrade boils down to freebsd-update upgrade -r 14.1-RELEASE and running through the process

i've never had a freebsd-update break honestly

is it expected that ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases is not served over https?

Title: Index of /pub/FreeBSD-Archive/old-releases/

skered, rwp, checkrestart(1) and 20 lines of shell script does what I was looking for. I can whitelist a few services and if they show up in the checkrestart output I restart the service. Great for things like tailscale with frequent updates and installed on most of my instances. Thanks for the help!

Is there a CLI util for taking crc hashes of files similar in function to md5 or sha* ?

Hey. I have set PasswordAuthentication to no in sshd_config, but password based authentication is still allowed. Will UsePAM=no do what I want?

Internet tutorials mention ChallengeResponseAuthentication. It isn't present in the config file, so I assume that this information is outdated.

CrtxReavr, When you say CLI you mean command line interface, right? But md5, sha512, md5sum, sha512sum, and others are all command line interface programs, right?

And those are all in base too. No ports needed.

meator, Did you restart sshd after making changes to sshd_config? "service sshd restart"

rwp, yes. . . but I'm looking for something that does crc. . . or crc32c actually.

rwp: I restarted both the (virtual) computer and sshd.

To test this out, I moved my client's ~/.ssh to ~/.ssh~ and then tried to connect. This means that my client ssh shouldn't have access to my keys, so the server should deny me. But I was prompted for a password and I was accepted upon entering it.

CrtxReavr, Oh! Sorry. We talk about checksums so often when we mean secure hashing and such that I just took crc to be colloquial speech. My bad.

I don't know of any crc tools off the top of my head. They must exist though.

There's devel/crc32s, but that's a libary.

meator, I will try a local test with PasswordAuthentication=no and test it on FreeBSD as I know that works elsewhere.

I learned what I thought was an interesting technique the other day. I figured out that I could set sshd options in the /etc/rc.conf file. I know that is obvious. But I found it handy for some jail use.

I can set this for example: /jails/ikiwiki1/etc/rc.conf:sshd_flags="$sshd_flags -oPermitRootLogin=yes -oAcceptEnv='LANG LC_*'"

I modify the jail's /etc/rc.conf anyway. Found it convenient to put the custom flags I wanted for that jail there and it consolidates some of my configuration.

Hmm. I am not much of a FreeBSD expert, I use it only on a VM to test portability of my program. FreeBSD is pretty good for that, this is the second time I have found a conformance/correctness bug in my program thanks to it. I honestly don't know why it works on Linux, it should have failed there too, but only FreeBSD showed a more strict, but still conformant behavior.

sshd_config says that "Note that passwords may also be accepted via KbdInteractiveAuthentication."

meator, I confirm that if I leave PAM configured that turning off PasswordAuthentication=no is insufficient and I still get a password prompt.

But if I disable PAM then it turns off passwords too. sshd_flags="$sshd_flags -oPasswordAuthentication=no -oUsePAM=no"

What are the implications of disabling PAM?

However avoiding PAM would also avoid other authentication methods such as 2-factor which is usually configured through PAM and one-time-auth tokens and every other authentication method we think about.

I am not sure what other things are happening in the /etc/pam.d/* files. Probably doing environment variables such as LANG, LC_*, probably umask, and possibly process limits (ulimit -a), but honestly I am not sure and would need to inspect through it and try things.

If you are wishing to use ONLY ssh keys for login I think turning PAM off is probably okay and you would not notice any issues.

For another site I maintain, it is a software forge site with ssh+git access for members doing only git commands and nothing else, I disable PAM due to other reasons and everything is okay there on that high use site.

Ah, I lost one of my keys by fiddling with .ssh too much. Thankfully nothing important.

rwp: Thanks for your answers!

What is your specific goal at this moment in the pursuit of disabling passwords?

security

I have SSH keys.

I use ssh keys too. But I also only ever use strong passwords. I am confident of the security of pI9lOPtmukafzOsV and no one is going to brute force through a password such as those.

My password is 1234

I use and recommend "pkg install pwgen" and create passwords using "pwgen -s 16 4" and then arbitrarily pick one of the generated set to use. Having a password such as one of those is safe as math.

So I was quite concerned about leaving password based auth open.

My password is more memorable.

I often will give a login to a friend on my personal machine. I ask for their ssh key and install it. I only ever rarely give them an actual password. They won't ever need it. And then I set their login account to have a disabled password.

Perhaps better is to audit accounts and ensure that accounts that do not need a password have their password field disabled. In FreeBSD '*' disables the password, as no hashed character will ever match the single star character, but allows the account to be active and other authentication methods such as ssh keys allow access.

I will routinely use vipw to just edit files but the pw -w no command can create user accounts without a password easily: pw useradd -n user37 -c 'User Thirtyseven' -N -m -w no

In those cases, I normally just let it set a random password, which I don't give them.

That's secure. But then later after I have forgotten I see that a password is set and I don't remember if it is one they have control over or not. If I see '*' there then I know that the account does not have an active password. It's a memory hint to me later, self-documenting.

It's an opportune time for me to complain that I wish FreeBSD did not use a compiled binary database for account data and wished it used the traditional plain text files instead. For the less than ~50 typical accounts on an typical system there is no performance reason to need it. Anyone with a thousand accounts is already using a database anyway.

rwp, it's not compiled, per se. . . but it's faster than a flat text file.

Re "compiled" might not be the totally accurate description but whatever word describes reading the plain text files and producing the binary indexed db(3) files.

I like the little things that set us apart from linux.

Linux? This sets FreeBSD apart from Unix! And that's where it needs serious discussion before doing. :-/

Well, sets BSD apart from SysV.

System V uses plain text files just like Unix v7. FreeBSD is, as far as I know, unique in using a db(3) database for accounts instead of plain text files.

I must retract that as I look and OpenBSD also uses pwd_mkdb to create db(3) account databases too.

And so does NetBSD too. It's the entire family on this side of things.

So that mutation must have occurred pretty early in the fork.

4.3BSD-Net/2

ish

4.3BSD-Net/2 is the common ancestor of all of the current *BSD family.

The NetBSD folks have a good historical diagram: netbsd.org/about/history.html

Title: The History of the NetBSD Project

Title: [csrg] Index of /usr.sbin/pwd_mkdb

I don't have a freebsd vm on hand to check, where can I find the default value for the vm.overcommit sysctl in source code?

So before the 3 BSDs existed.

V_PauAmma_V, Seeing that history is really making me feel my age now.

uuuuu, I have a grep running but this popped out first: cgit.freebsd.org/src/tree/share/man/man7/tuning.7#n193

Title: tuning.7 « man7 « man « share - src - FreeBSD source tree

uuuuu, see sys/vm/swap_pager.c for your version of FreeBSD in cgit.freebsd.org/src.

Title: src - FreeBSD source tree

uuuuu, Result of the grep: termbin.com/mius

freebsd can't mount exfat usb drives?

nomia, How are you attempting to mount one?

mount -t msdosfs /dev/da0s1 /mnt

msdosfs != exfat

Try this: mount -v -t exfat /dev/da0s1 /mnt

invalid fstype

Hmm...

What does "file -s /dev/da0s1" say for you? I am wondering if you actually have a valid exfat file system.

You need fuse and fusefs-exfat, IIRC.

Title: How to mount exFAT formatted SD memory card on FreeBSD

Ah! I have "pkg install fusefs-exfat" on my system. That's why it works for me. Thanks V_PauAmma_V for that!

then i have to reboot

nomia, Why do you need to reboot?

idk

(: that page says so

That reboot at that page is just to test that everything loads okay at boot time.

k

In case one made an edit mistake in /boot/loader.conf file. You don't actually need to reboot now.

rwp, tangentially, see fstyp(8).

And as far as I know the fuse module is loaded on demand by some method because it works for me and I don't have that in my /boot/loader.conf file.

V_PauAmma_V, Cool! I did not know about that command.

And keeping with history there is no 'e' on the end of it. (shakes my head)

e was in short supply then.

They were used up elsewhere.

nomia, I read "man mount.exfat-fuse" and it makes no mention of needing to load a module. I think I have never needed to do it manually. So pretty sure it must be loaded automatically when needed. I do not have the module listed in my /boot/loader.conf file and think that micski.dk article might be overstepping what is actually needed at that point.

I note that fusefs.ko is part of base. Though the mount.exfat-fuse is a port the fusefs module is in the OS base.

I would need to sort through my bag of unlabeled USB sticks in order to test this theory today though. And at the moment I am being called away from the keyboard.

When it is all working for you it would be great if you mentioned here if anything more was needed to make that work for you. TTYL!

no luck

still says invalid fstype

nomia: whereis mount.exfat mount.exfat-fuse

mount.exfat -o ro /dev/da0s1 /mnt

that worked

not mount -t

the command naming isnt compatibe with mount

it expects mount_$fstype

i made the symlink in /usr/local/bin

It installs as /usr/local/bin/mount.exfat?

Um. . . /usr/local/ is ports/packages managed. . . *YOU* should not be creating symlinks in it.

k

does pkg offer a machine-readable output format? specifically want it for for pkg query, version and audit.

Doesn't look like it. . . not unless you write your own.

Though, it's ouput is pretty simple & consistent, so it shouldn't be hard.

scoobybejesus, text.is/4YMJ

Title: services_to_restart( &x22;authelia&x22; &x22;phpfpm&x22; &x22;nginx&x22; &x22;syncthing&x22; &x22;tailscaled&x22; &x22;zrepl&x22; ) - text.is

side note, not sure if it's just be, but bsd.to appears to be down

It would be useful if pkg had a runtime option for json output.

Title: View paste F7DQ

cool thanks!

What I am trying to do is disable overcommit and set global memory limits for the following outcomes: 1. Processes will get error if they try to allocate more than a set limit 2. oom does not activate and does not activate to kill processes that did not cause the allocation failure (eg. kill biggest process mode) and 3. system is not grounded to a halt because of thrashing.

I am looking for something similar to vm.overcommit_memory=2 vm.overcommit_ratio=99 on linux.

forums.FreeBSD.org/threads/how-to-m…ail-in-a-sane-way.83582/post-550016 (whole thread is worth a read though) suggests that even with vm.overcommit=7 oom killer will still activate if programs memory used is passed swap limit (I have no idea why because earlier in the thread (forums.FreeBSD.org/threads/how-to-m…ail-in-a-sane-way.83582/post-549905)

the user tried malloc with the with large size with sysctl set and it failed (or at least without them noticing anything being killed). So if this is the case, is there another way? vm.overcommit = 7 in combination with protect command is not good enough here unless protect -di 1 (init) stops all existing and new processes from being

killed by oom when existing swap space is exhausted (assuming oom isn't triggered by something other than exhausted swap space and/or protect(1) accounts for the other scenarios that may trigger oom). I see limits(1) may help, but does hw.physmem act on physical ram in addition to swap as I want programs to use some swap?

Title: How to make "impossible" memory allocations fail in a sane way? | Page 3 | The FreeBSD Forums

pkg: sqlite error while executing COMMIT TRANSACTION in file pkgdb.c:1157: database is locked

can somebody advise me on bhyve(-vm)? i have a win10 vm that's slow as hell. i assigned 4 cores with 2 threads each as well as 8g memory to it. i already moved it from an .img file to a dedicated (platter) disk partition, but it's still unreasonably slow, even for windows.

i did the move from .img file to disk by just dd'ing the contents of the .img to /dev/adaXpY and i have a hunch that this might be the cause, but i'm not sure and i can't find any information about the different disk types going more into depth than man bhyve…

phryk: did you install virtio drivers? fedorapeople.org/groups/virt/virtio…archive-virtio/virtio-win-0.1.240-1

Title: Index of /groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.240-1Fedora People

in case that's important: sectorsize is 512 and type is ms-basic-data

jauntyd: i'm not using virtio, i'm currently using ahci-hd as disk type. is that so much worse performance-wise?

phryk: yes. This is an issue that affects all platforms and libvirt backends

uuuuu: i don't quite follow… if it's an issue for libvirt backends, doesn't that mean virtio is also affected?

mhh. i guess i'll just nuke one of my nvme partitions and set up a fresh win10 vm on that…

phryk: I was referring to disk performance being slow if not using virtio device for vm (added via virsh/virt-manager) and virtio drivers not installed on guest. When not using virtio device and drivers issue can be experienced with kvm backends on linux (I am not 100% on if xen is affected) for example

uuuuu: thanks for the clarification. i'm not using virt-manager or virsh, tho – but bhyve-vm. that technically supports virtio, but i think i'll try the nvme route first as it's explicitly pointed out for good performance in the bhyve-vm wiki.

in /etc/syslog.conf it has the includes after !*. ! inverts and * is a program or hostname, so does that mean it's saying the includes don't implicitly apply to any program or host?

man.freebsd.org/cgi/man.cgi?syslog.conf(5) # Reset program name filtering

!*

Title: syslog.conf(5)

but later it says ! inverts the logic. so there's 2 contexts for ! and they mean kinda the opposite lol

what's the style for multiple selectors in syslog.conf? most severe to the left, least specific on the left?

if i use kern.*;*.warn /var/log/messages then logger -p kern.info foo, foo never shows up in messages

See "IMPLEMENTATION NOTES" in syyslog.conf(5).

s/syy/sy/

V_PauAmma_V ya i read that but what's it matter to me?

you saying my logger msg is being rewritten?

I'm guessing it is.

that kinda makes testing tough geez

how does syslogd know if a kern message is coming from the kernel or from the logger bin?

why do you think, it does know?:)

Different socket for kernel log messages, IIRC.

V_PauAmma_V that a security thing so ppl with shell access can't simulate kernel messages?

That just keeps you from shooting yourself in the foot unless you really want to. See -k in syslogd(8).

i read it

what's the danger in not having that?

I think it's less danger as such than POLA.

POLA?

Principle Of Least Astonishment.

shooting myself in the foot if... syslog messages are faked to be from kern?

in what scenario would that happen

I can't answer that question as asked, as people are ever-inventive in designing footshooters.

to avoid problems with multiple selectors being interpreted in weird ways, any problem with just putting 1 selector per line?

like kern.* /var/log/mylog, \n security.* /var/log/mylog...

That won't prevent the "mail.crit,*.err" example from acting as described.

so how do we learn how multiple selectors combine? because the manpage itself says it's not intuitive

The manual page doesn't make that crystal clear. So I guess trial and error based on the examples it provides?

(Which is arguably not ideal.)

ya that's terrible. is there any way i can do it 1 selector action combo at a time to keep it simple?

freebsdwiki.net/index.php/Syslog heh install syslog-ng, or perhaps check the oreilly FreeBSD® Unleashed book.

Title: Syslog - FreeBSDwiki

It is possible to create (or spoof) an event from the console using the logger command.

termbin.com/h3j5 is the logic i want

heh think freebsd handbook had that example already

I don't know what will happen if several lines refer to the same file.

you did check the handbook?

ya

termbin.com/t5u4 old old 20 years old...probably not valid anymore

What is the policy when it comes to ports... can anyone whos read the handbook submit port patches?

or should you leave that to the maintainer?

what if the maintainer hasn't replied in months? and the new update is pretty important?

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message

portmgr@, maybe?

rennj, that's a single line. :-)

polarian, is that a Bugzilla report?

V_PauAmma_V: no... because I was unsure if it qualified

I tried to reach them privately first

I talk to upstream a lot... so I was unsure if there was a reason they were holding back releases

no response... so I am wondering what options are there...

I assume bugzilla report is the first thing to do? but should you make reports for outdated packages? coming from Linux that is strictly prohibite d

I'd open a PR (with a patch for the version upgrade if you can, but not required). Worst that can happen is "nothing", which is the same as currently.

oki thanks for advice

did you even try single line then # Reset program name filtering !*

next single line, rest the filtering

next single line, rest the filtering

Title: The FreeBSD Diary -- syslog.conf - putting stuff where you want it

Title: System Monitoring — Remote Logging with Syslog | pfSense Documentation

!*

+*

reset the filters

dont have to do the remote logserver part

any benefit to having daemons syslog to their own facility like local0 or is that pointless?

im curious if it solved your problems?

i just put all the selectors on 1 line

heh.

i use to do very very complex syslog/bsm auditing to remote dvd robot ...thank god it was solaris.

audits/logs burned to readonly dvd's

try hacking the logs on readonly/closed session dvd

udp not going to do

syslog remote box using udp...nah...

and i had oracle db processing that crap behind the scenes no less..madness.

like doing cisco netflow logs..tracking

500 sparc 5's workstations..collecting their logs...

back in the 70MHz days.. and 500MB/1GB scsi drive if lucky...

way before google

dvd rom robot was 2002 tech. after google..not sparc5 mid 1990 tech..

same deal bsm audits/remote syslog server

if you didn't use udp syslog for shipping because it wasn't reliable, what'd you use?

what

make[4]: don't know how to make .o. Stop

make[4]: stopped in /src/freebsd/src/stable/14/sys/modules/dpdk_lpm4

well fbsd stunnel/tls it

solaris had billion dollar company behind it

$ buys features