04:48:14 getz: i've never heard of that before either
04:48:20 where is that documented
04:48:37 what did I miss
04:50:36 that doesn't work at all
04:54:13 https://drop.17es.net/-7j9b3edGP5/pasted-2024-08-23T045400.085Z.txt
08:44:34 my memory served me wrong :)
08:45:05 I'm sure it worked on a machine for me, I guess the group already had permissions set up then
09:56:19 do you run some sort of fail2ban etc for SSH? I have ssh on a non-standard port, I get tons of connection attempts still
09:56:33 it's on a server that has domains pointing to it, so fairly discoverable
09:56:42 I have root login disabled, and only key login for users
09:58:57 * Alver does not
10:00:53 * |cos| adds fail2ban on anything that makes logs annoying to read. on some protocols after the first failed attempt.
10:10:10 i apparently have 2265 banned IPs on my primary server. Useful stuff
10:10:27 I use sshguard, mainly due to the noise in the logs. But I have locked myself out a couple of times, so you have to make sure the blocklist gets cleared periodically or you have an alternative way in.
10:24:10 what about blacklistd?
10:26:39 https://imgur.com/a/UK0IyGi
10:29:33 I've been using sshguard on my FreeBSD servers and Mac workstations for years. If you accidentally lock yourself out, you have to wait for the timeout to restore your access. However, I also have the whitelist set up to prevent that.
10:30:47 Of course it helps to set up 2FA as well. sshguard is just a second layer.
10:35:31 how is that different than fail2ban? says it also uses logs
10:35:42 freebsd's blacklistd links directly into ssh, not reading a log
11:00:01 I use resident keys on yubikeys, I have several
11:00:15 also, I can log in via the serial web console of my vps hoster
11:39:11 I'm attempting to build a c++ application using cmake, however, it requires libtidy-dev. I have installed `tidy-html5`, which cmake seems to recognize, but then it's missing a variable. The software doesn't officially support FreeBSD, but I was able to build it before, I think the tidy dependency is new
11:39:24 the error is in the issue I created: https://github.com/Sude-/lgogdownloader/issues/281
11:39:37 I didn't find a libtidy in the ports
11:39:48 well, there is www/tidy-lib, but that I couldn't install from pkg
11:42:50 yourfate: what's the url for libtidy?
11:43:06 the port? https://www.freshports.org/www/tidy-html5
11:43:08 I think this should be it
11:43:25 no, the libtidy
11:43:36 https://www.html-tidy.org/developer/
11:43:40 thanks
11:44:02 afaik that port is that.
11:44:11 it links there
11:45:03 I have libtidy in /usr/local/lib
11:45:07 from that port
11:46:44 adding `-DTIDY_LIBRARY=/usr/local/lib/libtidy5.so` to the cmake call fixed it.
11:48:18 yep, the port seems to avoid some conflict by renaming files: "To avoid conflict ATM - to be removed later"
14:03:40 Hello Everyone - is there a FreeBSD strategy ? I am interested in making it easy to have FreeBSD as a daily driver - that will include classic apps, but also local OpenSource AI, virtualization (similar to Virt-Manager) on a desktop that is as much as possible BSD/MIT licensed - so far I see only two that meet this criteria - Lumina and Enlightenment - I have used them both - but it seems that FreeBSD lacks a coherent strategy to get a new generation of programmers, also make it suitable for businesses (other than Sony, Netflix and Apple)...
14:04:35 wdym a strategy? or "make it suitable for businesses"
14:05:15 FreeBSD just offers an operating system, you can use it, contribute to it, fork it whatever
14:05:59 but there's no grand scheme for gaining new contributors
14:06:47 acu: how about using virt-manager if you want to use virt-manager?
14:09:47 levitating: yes - it is obvious - I assume the average contributor for freebsd is 55... which is amazing, seasoned and dedicated people... but not having a strategy beyond core code ? That grand scheme needs a vision, I agree, that was my question... if someone can point me to a strategic plan for freebsd
14:10:29 I am not sure I could point you to any "strategic plan" for any FOSS project
14:15:18 interesting... I would need to look at two immensely successful projects nextcloud and huggingface... but there are others...but it is a good point - I know Debian was totally irrelevant until Ubuntu came about... it is a pity that FreeBSD lost traction - PC-BSD freenas Trueos were some good solid attempts - but they died... that is why I am asking where is the mission and strategy of FreeBSD, who is responsible to generate it... I am sure there is a team... that is why I was asking here...
14:17:16 nextcloud and huggingface don't see nearly as many contributions as FreeBSD, you can't compare a cloud service with an entire operating system...
14:17:26 debian wasn't irrelevant before Ubuntu, not nearly
14:17:35 and FreeBSD never had traction
14:18:27 hm, seems like https://freebsdfoundation.org/blog/technology-roadmap/ didn't get updated for some years now
14:19:15 the website is broken for me, doesn't let me donate
14:22:53 nimaje: thanks, yeah that seems a cool starting point... I will contact a few people from there, I am pretty sure they know more than most...
14:23:20 please don't bother the foundation people
14:25:34 levitating: what's broken?
14:25:45 you can donate with paypal
14:25:59 no the header menu above is stuck and covering the button
14:26:23 I do it every year without problems
14:26:56 https://freebsdfoundation.org/donate/
14:27:00 works for me
14:28:34 oh.. now I can even use credit card instead of paypal, that's even better
14:31:16 I am trying to see if I can have generative ai large language models running on freebsd (both doing inference on CPU or GPU) - I have some servers I can use temporarily (including GPU).. but I have no time (so I can ask perhaps the FreeBSD foundation to fund some AI Master students - for some work that would just make FreeBSD as usable as FreeBSD in AI - both as local install or server based...
14:32:42 It is so difficult... no University is using FreeBSD in their Unix classes... 99% of computer students of hackers do not know FreeBSD exists and has an amazing license and underlying engineering
14:33:46 acu: that's a sad story, what university is that ?
14:34:35 I hired a few people, and delivered FreeBSD based solutions... but it was not sustainable - we needed to spend 10% more time in early phases to deploy anything, and 10% more time to maintain and update them (compared to Debian or Ubuntu - or Redhat)... so I was forced to go back to linux...
14:35:18 mzar: do you know any University or College that uses FreeBSD in their Unix courses ?
14:35:46 yes, if the cost of labour has to be considered, FreeBSD is not the cheapest solution
14:35:52 acu: sure
14:36:16 acu: https://www.cl.cam.ac.uk/teaching/2223/AOS/
14:37:29 hell my cs bachelor barely touched unix
14:37:37 and when it did it was on an RPi
14:38:03 Really they should let you perform your assignments in https://sdf.org :)
14:38:33 levitating: you mean like https://stevens.netmeister.org/631/ ;)
14:38:54 darmstadt where bcr works
14:38:55 sdf.org is suggested if you can't get your own install working
14:39:26 getz that's very cool
14:40:18 hrm, so my new USB DAC sounds great, bitperfect works, but i'm seeing with mpd on song change that the start of the song has a partial second clipped off
14:40:30 wonder if there's a buffer or something that needs to be expanded
14:41:02 the best is for the students to run FreeBSD desktop as a daily driver as they do with Ubuntu... then you become intimately familiar and comfortable .... but there is also the JOB aspect - if you do any search on Indeed, Monster, Dice or alike and put FreeBSD it gives you 0 hits... so if there is no job...it makes it a bit difficult... it's a catch 22 - but that is why I am asking who is responsible for FreeBSD strategy beyond code
14:41:47 can't even really expect students to even use ubuntu
14:41:54 acu: debian irrelevant until ubuntu? what?
14:42:08 I study at a decent university but few of our CS students use linux
14:43:01 i think the issue for both of those is: desktop
14:43:18 strategy
14:43:18 what?
14:43:23 debian blazed a trail and set standards across the linux world for ages before ubuntu came along
14:43:32 ubuntu made a spit and shiny desktop on modded debian
14:44:17 and yep, the desktop monopoly of windows products is a problem. we are literally crippling the next generation of programmers and admins
14:44:50 am back
14:44:56 laptop did a weird lil reboot
14:45:16 what was that about desktop?
14:45:18 my laptop was last up 180 days :P
14:45:30 you have 180 day uptime?
14:45:32 stable machine
14:45:41 dude, i work on servers with years of uptime.
14:45:42 this laptop does weird stuff from time to time
14:46:02 those servers have to be patched while running, no downtime is ok
14:46:07 this uptime is irrelevant nowadays - any OS can stay on for years...
14:46:10 I can believe that, but servers are made to be stable
14:46:19 I have donate a few bucks to FreeBSD Foundation, thanks for the reminder levitating
14:46:31 *donated
14:46:39 mzar you're welcome, and thank you for supporting one of my fav os's :)
14:47:19 I know, FreeBSD is like a woman you love all, but you marry someone else for convenience :)
14:47:35 I hate that
14:47:44 Demosthenex So is it running an old kernel by now or is there some way to patch/hotswap the kernel?
14:48:35 levitating: aix has fewer kernel CVE's, and IBM has made a new feature to allow you to live migrate running applications across hosts, basically moving processes and memory to a box where the updates live
14:48:39 this is not freebsd.
14:48:40 but I have no choice - I ran 2 years almost 100% FreeBSD - desktop and servers (of course with a few exceptions) but it was not sustainable, people started a "mutiny" against me forcing them to use FreeBSD
14:48:59 acu: why would what you use matter to them?
14:49:13 freebsd is the best free open source unix.
14:49:25 AIX is the best commercial unix.
14:49:29 i do both.
14:50:00 Cognitive overload... a lot more work, and lack of future perspective... if they need to do Redhat or Ubuntu or Suse - so they can pay rent and tuition for their kids...
14:51:32 Everybody runs from AIX...even IBM Z servers are slowly switching to Linux
14:51:43 there are no experts
14:51:53 you need to know details
14:53:11 We needed someone to train others for IBM Z14 and Z15 - and a few months later, we are still looking :)
14:59:39 is there a fairly well performaing way to have an encrypted folder / file system on SSHFS?
14:59:58 I'm renting a hetzner storage box, i'm using that as a storage extension to a hetzner VPS
15:00:06 but ideally I'd want the data to be encrypted at rest there
15:00:23 *well performing
15:00:31 the vps runs freebsd 14.1
15:35:50 Does anyone know if bhyve in FreeBSD 14.x (which runs as root of course) uses Capsicum to lock down the VMs it is running to help prevent escaping by default?
15:44:25 Ah nevermind, I was able to find my answer via a phrack issue: http://www.phrack.org/issues/70/11.html#article
15:44:44 acu: pfft. workloads that can run on windoze are moving to linux. small loads. IBM's still the backbone of every largest anything :P
15:45:05 I guess an interesting question I have is: Is there a sane and easy way to tell if a specific running process is making use of Capsicum?
15:45:15 linux is just the new windows, i can't even trust it with small workloads like i can freebsd.
15:45:31 and desktop computing platform != data center computing platform
15:46:06 commodity OS and HW don't belong in data centers, or you get the full windoze experience. ransomware, crowdstrike cascading outages. professional IT should expect more.
15:46:20 and yes, i just called every purchasing manager and developer pushing windows servers in production an idiot.
15:47:09 i have for 30 years, and only been proven right over time
15:51:34 Cyrus: ps has a capability mode bit for the state field
15:58:52 kevans: Ah nice, so it does. 'C'. Thank you.
16:14:21 what is the doas equivalent to `sudoedit`/`sudo -e`?
16:17:11 doas editorgoeshere?
16:17:34 but that runs the editor as root
16:19:17 i see
16:19:34 i was hoping doas had something similar to sudoedit where it creates a temporary file for you to work on :/
16:19:49 and how would that abort if the editor returns some non-zero exit code?
16:19:56 i had been using doas $EDITOR, but coming from a system with sudo, it felt odd
16:20:19 i'm guessing the temp file wouldn't be written
16:21:35 If you want the features of sudo then you must use sudo.
16:23:09 that is true
16:23:58 I found two shell scripts that try to be a sudoedit replacement using doas (but both don't abort on a non-zero exit code of the editor, not sure what else they do differently to sudoedit), not sure how well they keep the rights on the files
16:26:37 i guess it wouldn't hurt to try making a shell script for this myself :)
16:29:55 There's doasedit.
16:30:55 i just found it too :O
16:33:30 oh, but that seems to lose original file permissions
16:36:35 yeah i'm a bit disappointed that doas doesn't do that by itself
16:36:57 although...
16:37:14 emacs + tramp + |doas::
16:39:05 i've never seen anyone actually follow the directions that iirc are written right in the sudo manpage to mitigate the risk of unlogged sudo activity via shell escapes
16:39:35 i did once, and i had to write a cheatsheet for my fellow admins, teaching them how to use sudoedit
16:41:48 ... and sudo find, and sudo tee, because you can't sudo cd or > sudo.
16:43:50 actually -- https://github.com/jaredjennings/puppet-cmits-sudo/blob/master/sudo-boldface.tex
16:50:44 I'm using "doas", it's an openbsd replacement to avoid sudo
16:51:23 i'm in favor of using less code to do mostly the same thing
16:52:47 and i can appreciate that many openbsd users may not be subject to the same kind of audit requirements that caused sudo to grow so much
16:53:54 nimaje: another bug to file ;)
16:54:53 doas not implementing this probably has to do with minimalism as you've inferred, however, an official implementation would probably be better than the shell scripts we've seen hacked together.
16:59:58 i am concerned, with reimplementations in general, that there may be wisdom lost. some of the constraints under which the original was made don't exist anymore, and don't need to be catered for. the original has hacks that paper over problems faced at layers of abstraction above or below it, and maybe those layers have real fixes now.
17:01:28 but some of the warts probably belong there, and an attempt to make a new smooth thing is doomed to relearn a painful old lesson
17:06:32 hm, does doas have some "caching" to avoid making you type the password over and over if you run a series of commands with elevated privileges? the scripts I saw had nothing to deactivate something like that for the editor, so if doas has something like that a shell escape could run doas to run without a password from the unprivileged editor
17:08:13 (no idea if sudoedit does something against that)
17:21:54 whaaaat
17:22:02 > doas - dedicated openbsd application subexecutor
17:22:06 that is totally a backronym
17:29:56 I'll just note that sudoedit runs the editor UNprivileged to avoid editor escape vulnerabilities.
17:31:16 sudo's overblown. just use ssh keys locked to localhost and specific commands.
17:32:25 good point Demosthenex
17:32:44 oh yeah, that doesn't need root privs to allow users to establish cross user jobs.
17:32:50 whereas with sudo only root can edit sudoers
17:34:28 nimaje, http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/doas.c?rev=1.99&content-type=text/x-cvsweb-markup
17:34:44 in the authuser function, the persist flag is dealt with
17:35:20 it ... sets a VERAUTH ioctl on the tty for 5 minutes (hardcoded)?
17:36:09 hum, https://man.openbsd.org/tty.4#TIOCSETVERAUTH
17:36:41 There are really two basic modes people use. su/sudo/doas/ssh mode getting a full root shell with full access. sudo/doas mode with restricted privilege access. Using ssh for the first is easy but the latter is tedious. For the latter it's really easier to use sudo/doas than ssh by a lot.
17:37:56 And, third, "sudo su -"
17:38:18 That's just another way for the former case of full shell access.
17:39:02 yes, it's true. i just wanted to kvetch about it.
17:39:42 yeah, we don't have the tty-associated auth bits
17:39:56 also i was thinking about the meme with the three dragons who are supposed to be menacing, but the third is super derpy
17:39:59 that'd be cool, but I can't help but feel there's a better abstraction somewhere that could be more generally useful
17:40:07 ^
17:40:57 https://github.com/nholstein/OpenDoas appears not to have persist at all?
17:41:26 probably not, I don't think they support persist if you can't do it 'securely'
17:41:35 ... oo, that is not the one that is in freshports
17:42:23 https://github.com/slicer69/doas/blob/23818b138e47e84c0f480203c179bd7e916c6eb4/doas.c#L225
17:42:56 I think in my ideal world, we support something like Linux's keyrings and have one that can be attached to the tty as well as the session and user
17:42:57 and from the man page, "Works on OpenBSD only, persist is not available on Linux or FreeBSD."
17:43:21 so you can do things like this or random key blobs for... other purposes
17:44:07 I also respect that sudo has reacted to many years of people using it and complaining about edge cases and solving them. I know people complain about the extra code of those solutions but that's only because the edge case did not affect them personally yet. As soon as it does they will want that mitigation included in their favored minimal utility tool too.
17:44:31 yes, that, exactly.
17:46:29 some people will not ever want ldap support or terminal recording. but maybe there are things that sudo refuses to do, and spends lines of code checking for and preventing, that any clean reimplementation will have forgotten
17:47:26 honestly i've read more about doas in the past half hour than in the past six months
17:48:00 Is there a newer gpu-firmware-kmod with the firmware files supported by drm-61-kmod?
17:48:11 I got a framework 16 and was hoping the gpu (navi 33) would work
17:48:19 i've installed it here and there, and it has done what it said on the tin, but i didn't look into any more detail than that
17:48:22 Here is an example I ran into some time back. "su -" does not leave the user with a /dev/tty owned by root. This caused me problems. I don't remember the details now. But something was unhappy and did not work correctly that way. "sudo -i" allocates a new pty with expected permissions. It avoids the pitfall.
17:49:12 "doas bash" has the same problem as "su -" has. It does not have the mitigation for the problem.
17:50:25 rwp: su/sudo/doas/ssh for full access, sudo/doas/ssh for restricted.
17:50:40 rwp: these sudo changes came after doas became a thing, no? I believe that healthy competition pushed listening to sudo users' feedback in some way, too. I know a few Linux users who replaced sudo with doas.
17:51:28 Demosthenex, Using ssh for restricted access is tedious. Possible yes. But much more tedious than with either sudo or doas.
17:52:04 regis, I don't really know the timeline of doas development. But sudo has been around since what feels like forever.
17:53:26 I also feel that a lot of people's complaints about sudo being bloated is that sudo uses PAM which enables all of the users who use OATH and tokens and other access methods. That's called bloat by people who don't use those access methods.
17:53:48 rwp: "The doas command first appeared in OpenBSD 5.8" (Released Oct 18, 2015). I however don't know when this reaction to sudo users' complaints you're mentioning took place :)
17:56:04 I live in Colorado and CU Boulder is not that far away. Therefore when CU Boulder was making sudo enhancements in the mid 1990s the culture was to use it. I first used sudo on HP-UX while working for HP in those years.
17:56:25 https://flak.tedunangst.com/post/doas - 20 Jul 2015 - "There were some concerns that sudo was too big, running too much code in a privileged process"
17:57:09 On the surface therefore it seems that sudo was developed into a very similar form to what it is today about 20 years before doas.
17:57:44 https://www.sudo.ws/about/history/ - CU-Boulder implementation ~1986
17:57:49 That's not a bad thing for doas. Having a good working example to learn from first and then make a rewrite can be very helpful. I use tmux for example and it benefited from having screen already in heavy use for years.
18:00:15 With sudo having been developed on BSD systems I have never understood people thinking that it was a linux tool.
18:03:43 rwp: it's 2 lines of script. it also works on systems without sudo
18:04:35 No data to back up this statement but I think that doas gained a lot of users after sudo's CVE-2021-3156. And it wasn't a tool coming from some noname GitHub account, but from the trustworthy OpenBSD team, so it secured adoption in corporate environments, not just on private workstations.
18:07:23 good point regis
18:16:02 regis: i agree completely. doas came about because sudo is too big. complex things are hard to secure.
18:16:14 i just suggest SSH because... you use it anyway
18:17:58 ssh is a proven-to-work solution, the same is true of su(1)
18:18:45 so how can i prevent my USB audio from clipping the start of songs.
18:19:46 Demosthenex, For ssh I assumed we were talking about either command="command" in the authorized_keys file or ForceCommand configuration. No?
18:21:36 rwp: from="127.0.0.1",command="" ssh-rsa .........
18:21:41 Working with ssh's authorized_keys file command= works and so does ForceCommand but I think limiting to something more than backup only is very tedious. I wrote a helper utility for me.
18:22:14 Demosthenex, So... How do you use it to limit access to something like rsync for backup only? What you showed only limits access from the localhost.
18:22:16 always always lock the host from ip if it's an unencrypted key disk
18:22:32 rwp: from="backupserver",command="rsync ..." ssh-rsa .........
18:22:56 s/disk/on disk/
18:23:16 So that's one command. Add twenty more commands that are all needed, acquired over time, and that's where I say trying to make that mechanism work is very tedious. Better to use something more like sudo or doas in that case.
18:23:51 Certainly using ssh for full root shell access is no problem. That's the first case I categorized above.
18:24:55 rwp: itemizing commands is the nature of security, not the fault of ssh
18:25:01 It's the latter case of trying to limit access where I think using ssh's command= access is tedious. I wrote a helper utility to address this for the case I needed. Basically bolting on an external solution to it.
18:25:15 rbash
18:25:47 I wasn't faulting ssh for it.
18:26:08 i'd trust a restricted shell over an extra wrapper
18:26:26 It is very difficult to set up a restricted shell in a secure way. Many people have tried. And when I find myself in one I can usually cut them one and escape in seconds.
18:26:32 if you have their path set to the only binaries they can run, and restrict (no user env), it's better
18:27:06 my argument is that i don't trust myself not to have a hole in my shell script, vs the many experts working on restricted shells
18:27:12 I have escaped from many a restricted shell when people have tried to limit me using one. Just saying... They are hard to get right.
18:27:38 they are. don't give people interpreters ;]
18:27:48 Of course that was back at $JOB and the people setting them up were not necessarily experienced doing so.
18:28:08 i still escape on ibm hmc's often
18:28:49 Having exhausted the topic of using ssh for limiting actions let's return to complaining about su/sudo/doas instead. :-)
18:29:35 Are there versions of vi and ed that lock "!"?
18:30:16 I recall there being a restricted mode for vi.
18:30:34 rwp: i'm not saying you're wrong ;] please continue
18:31:26 I am probably remembering a restricted vi incorrectly. Or maybe it was a local hack by someone. But definitely if vi is allowed then it's an escape path.
18:32:35 Sidebar: I see that ee is in FreeBSD base. ee was written by Hugh Mahon. I used to work near-ish Hugh. He worked in the next building over.
18:33:36 Demosthenex, I think people often configure ssh incoming limited by authorized_keys command= and from= and such to limit backup and for other limited things. It's pretty easy to set up one thing for one user.
18:33:59 rwp: i do it all the time for complicated backups.
18:34:38 in particular, i have keys which trigger db freeze/thaw, mount/unmount, and flashcopies
18:34:41 And I think people often use ssh to jump to a full root shell. That's a good use. And emacs tramp has ssh for root level access it can use from the selection of protocols too.
18:35:34 Demosthenex, So it sounds like you have a map of multiple keys with different keys doing different access? Is that what I might glean from that comment?
18:35:57 yes, different users, different hardcoded commands
18:36:43 That's certainly going to be okay from a security perspective. No complaints.
18:37:20 the rule is simple: a more production/priv system/user may have open remote control of a nonprod/nonpriv user.
18:37:38 but a nonprod/nonpriv can only have locked commands into prod
18:38:17 Ah, there's a restricted ed, but no restricted vi that I can see.
18:41:11 Ah... red, of course. How could we have forgotten? :-)
18:47:59 regis, Regarding your comment "it wasn't a tool coming from some noname GitHub account" ... "from trustworthy OpenBSD team". But OpenBSD is the home of sudo too. sudo is not coming from a noname either. It's coming from a very reputable source.
18:49:15 Also though OpenBSD says they are the secure system they have had their own big problems at times too. They created their own SMTP daemon and then it had a remote code execution flaw in it that was just as large as any from anywhere. (I forget the detail now. I'll search for it.)
18:49:45 https://blog.qualys.com/vulnerabilities-threat-research/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247
18:50:57 How could such a huge vulnerability hole have come from such a reputable source as OpenBSD? (Read with sarcasm.) Because anyone and any group can make a mistake. What matters is how they react to the mistake.
19:08:14 because they didn't write it in rust
19:09:16 * rwp wants to not poke the bear but it's hard because I want to poke the bear
19:09:45 i'm certain that's not the reason
19:10:29 In case people haven't been following the mailing list discussion in real time I will leave this LWN summary of it here. FreeBSD considers Rust in the base system: https://lwn.net/SubscriberLink/985210/f3c3beb9ef9c550e/
19:11:23 sudo is not from openbsd, just the maintainer is also on the openbsd project
19:13:40 rwp, pishposh, it's been "a heck of a long time" since then ;)
19:14:02 Hmm... It's a fine line. Miller is an OpenBSD developer. The home of sudo is on OpenBSD and it is ported to other systems. Leaving the question as to whether OpenBSD considers sudo part of OpenBSD or not, I do not know.
19:14:22 er, wait, is smtpd "in the default install"... hm
19:14:37 considering they use 'doas' now i would be surprised if they consider it part of the project
19:15:58 OpenSMTPD is definitely part of OpenBSD. I clearly remember Theo de Raadt talking about it as being part of OpenBSD.
19:16:57 i am quoting the slogan seen on openbsd.com for humorous effect, "Only two remote holes in the default install for a heck of a long time" iirc
19:17:38 jaredj: for extremely large values of two
19:18:10 I booted up my OpenBSD 6.8 system and it has /usr/sbin/smtpd /usr/bin/doas but /usr/local/bin/sudo
19:18:32 oho hohoho oops!
19:18:38 jaredj: iirc 'in the default install' only includes things that are turned on by default, so the surface area is much lower than 'is it included'
19:18:48 "Only two remote holes in the default install, **in** a heck of a long time"
19:19:40 having two remote holes "**for** a heck of a long time" was a misquotation. i regret the error, etc
19:20:10 kevans: yeyeah, sure, that's what gave me doubts that my initial quote applied
19:20:18 'for' is funnier to think about
19:20:25 :D
19:35:45 oo so here's a question. what does "overlay mount" properly mean in the context of ZFS?
19:36:06 in the zfsprops man page it seems to be about whether you can mount something somewhere even if that somewhere is in use
19:37:10 basically whether zfs will allow you to shadow another mount
19:37:25 it's not an overlayfs type overlay, the lower contents are just hidden and zfs mounted on top
19:37:28 i expected it to mean that if i have filesystem a mounted on /x, a has overlay=on, and i mount b on /x, i see a's files, and b's files
19:37:29 (afaict)
19:37:40 it does not, apparently, do that
19:37:51 and also of course i want a to be read-only, and all the writes to go to b
19:38:22 so if overlay=off, b will be prevented from being mounted on /x when a is already mounted there
19:38:57 and if overlay=on, the mount will be allowed, but b will shadow a
19:39:03 right, you want something more like unionfs(4)
19:40:14 maybe that is how they do it. i thought somebody was making container images ... OCI, is it? ... available using ZFS means
19:40:45 AllanJude has talked about wanting to do a zfs-native overlayfs type thing, but I don't think that's been made a reality yet
19:41:06 mmm. maybe that's it
19:58:05 https://vanlug.ca/2024/05/05/oci-containers-for-freebsd/ mm i think this was the latest i saw about it, and i forgot whatever it said. rewatching the talk
22:38:48 hi there. i had opensmtpd running on 13.2, but when i upgraded to 13.3 (including packages), it's stopped working. i'm pretty sure because /etc/mail/mailer.conf now references sendmail. uninstalling and reinstalling the opensmtpd package does not fix mailer.conf, though the install script in the package purports to do so. the handbook says take up ports issues with the maintainer; are ports and packages sufficiently synonymous that i should bring this up with the port maintainer? (i couldn't find any guidance in the handbook on what to do about problems with packages)
22:40:24 Hello all
22:40:39 thorongil: yes, everything a package does is defined in the port, so if package scripts misbehave you can contact the port maintainer
22:41:14 yuripv: thanks!
22:41:46 thorongil: though I think using bugzilla (with a proper problem description) would be better than contacting the maintainer directly
22:41:53 I think, too
22:42:59 In a service script, how can I force a process to run in the background - specifically a server on a port? Thanks
22:43:15 I've tried /usr/sbin/daemon /usr/local/bin/python3 /opt/uredis/uredis-server.pyz --daemon
22:43:20 but it doesn't work :/
22:43:49 doesn't work how?
22:44:54 yuripv: understood
22:47:45 https://pastebin.com/M9AN5GMz - It will print the message but not actually start the server
22:51:58 thorongil, Does "pkg info -D opensmtpd" say that you need to install a /usr/local/etc/mail/mailer.conf file with the opensmtpd configuration? The postfix package does for when installing postfix.
22:52:33 samjiman, please use dpaste.org just to cut down the spam
22:52:42 thorongil, https://paste.debian.net/plain/1327363 is what the postfix package description instructions say.
22:53:47 @daemon: Okay: https://dpaste.org/BEZwi
22:53:55 ;)
22:54:01 And here is my /usr/local/etc/mail/mailer.conf file customized for postfix, which is probably identical for opensmtpd too. https://paste.debian.net/plain/1327364
22:54:14 samjiman, if you run that command from the console does it work?
22:54:49 with service uredis onestart it works, but it won't put the process into the background - I have to kill it
22:54:59 which isn't what I want
22:55:47 https://dpaste.org/rytGu
22:56:45 Do I maybe need it to run after user log in?
22:57:12 I don't understand why you need the daemon(8) if it seems to have the --daemon option?
22:57:40 or maybe don't specify the option?
22:57:41 The --daemon flag is just to make it daemon safe - it isn't actually a daemon
22:57:47 oh ok, sorry
22:57:50 I've got it working with systemd
22:58:02 No need to apologize, that is ambiguous
22:58:04 /usr/sbin/daemon should make it background
22:59:11 I wonder if it's something to do with how Python runs ports
22:59:15 I'm not sure
22:59:25 I should maybe look at the service file for nginx
23:00:51 mhmm it's more likely the python script is hooking stin
23:00:54 stdin
23:01:11 Ah it is :)
23:01:15 Thanks
23:01:23 Can I just redirect stdin then?
23:01:28 to like /dev/null?
23:02:22 Wait, I mean i'm writing to stdout
23:02:28 Not stdin
23:21:45 Got it to work: /usr/sbin/daemon -P /var/run/${name}.pid /usr/local/bin/python3 /opt/uredis/uredis-server.pyz --daemon > /dev/null
23:22:08 Thanks for the help
23:56:47 kevans, wohohoho, https://github.com/oci-playground/freebsd-podman-testing
23:57:18 > and also come and find us on the OCI Slack
23:57:22 bah! humbug.
23:58:51 rwp: sorry, was afk. no, the package message for opensmtpd does not mention tweaking /etc/mail/mailer.conf. and the install script (seen in pkg info -R opensmtpd) clearly contains code that is intended to fix mailer.conf.