-
shbrngdo
If you make it possible to download a self-signed root cert, the browsers and mail applications should let you install it in the cert store. I did that for my IMAP when on-site
-
shbrngdo
use a droid slab to read IMAP mail stored at home
-
shbrngdo
since then "letsencrypt" happened so I should take the time to update it to use letsencrypt
-
rtprio
i use LE for my internal sites too
-
mrtnt
In case of Linux the ACPI "power button" press is captured by the button driver and if there is an ACPI signals listener like acpid or systemd-logind, then the system acts accordingly, e.g. initiates a shutdown. How does this work on FreeBSD? I mean what daemon is (usually) used to handle ACPI signals?
-
mzar
mrtnt: devd(8)
-
mrtnt
mzar: ok, thanks. I'll look into this.
-
skeemer
hello everyone, anybody using pkgsrc on top of freebsd here?
-
remiliascarlet
Not me.
-
mage
hello
-
mage
from what I can read in the manpage -mask should be supported... ?
-
mage
(this is on a 13.2-RELEASE)
-
jmnbtslsQE
i agree that the manpage seems to say that your config is correct. i would try using an equals sign. if that doesn't work, using /24 instead of the mask
-
mage
also when I'm modifying /etc/exports on the NFS server, is it enough to reload mountd?
-
jmnbtslsQE
yeah
-
mage
for some reason it doesn't seem to work
-
jmnbtslsQE
you tried using mask=, and then using /24
-
mage
let me try
-
mzar
mage: look for the exports(5), check examples
-
mzar
s/for/at/
-
jmnbtslsQE
looks like he's consulted the manpage
-
mage
mzar: I did
-
mage
I'm getting "nfsv4 no file handle: usually means the file system is not exported on the NFSv4 server"
-
mage
although I reloaded mountd on the NFS server
-
stevenix
mage: have you tried something like `-network=10.209.1.0/24` ?
-
mage
this is with: chimay.prod.lan:/ipt /jails/ipt/filer/ipt nfs nfsv4,rw,bg,late 0 0
-
mage
for this FS I have a single /data/ipt orval.prod.lan lambic.prod.lan duvel.prod.lan
-
mage
and the mount occurs on duvel.prod.lan
-
mage
server is 13.2, client is 14.1
-
mage
I've changed to -network=x.x.x.x/24, no more warning.. but the mount doesn't work
-
jmnbtslsQE
for the data/ipt mount, not sure. try removing everything on your exports except for that one. maybe try restarting the server
-
mage
normally reloading mountd should be enough, no?
-
mage
this is a production server, I can't do random testings :(
-
jmnbtslsQE
OK
-
jmnbtslsQE
for your data/ipt line, my next guess would be that you need a component after /data/ipt, such as -rw, or something like -maproot
-
mage
I don't think so, it works for other machines
-
jmnbtslsQE
sorry, not rw. ro if it's readonly
-
mage
I just added "duvel.prod.lan" to that line and reloaded mountd
-
jmnbtslsQE
ah, i see
-
mage
should I restart nfsd?
-
jmnbtslsQE
i wouldn't try that now if it's going to be disruptive
-
mage
this is strange, it worked in the past
-
jmnbtslsQE
is there anything unusual with the IP addresses on those hosts? have they changed since connecting to the server before? any NAT?
-
jmnbtslsQE
if orval and lambic are able to mount that line, that's important to know. so try to isolate what's different about duvel
-
jmnbtslsQE
yeah, the first thing to know about nfs configuration (on any platform) is that it's broken. so you need to be methodical in debugging it with incomplete information
-
mage
stevenix: this is solved with -network=x.x.x.x/24
-
stevenix
or even swapping the order of -network x.x.x.x -mask x.x.x.x to -mask x.x.x.x -network x.x.x.x
-
mage
ok it works now
-
mage
I did service mountd onerestart instead of service mountd onereload
-
mage
pffff :-)
-
jmnbtslsQE
heh, sorry i read that you did "restart" instead of "reload"
-
mage
normally a HUP to mountd is enough (from what I read in the manpages)
-
mage
this is what service mountd onereload does I guess
-
jmnbtslsQE
not sure what the difference is between the HUP and restarting it. it seems like it does some things when it starts. maybe it is related to rpcbind if you have that running
-
CrtxReavr
shbrngdo, the problem I'm having is the physical interface is normal, intel Gbit, so the interface is there, but it takes a bit for the interface to get its v6 IP bound, 'cause it's an internal interface being configured via DHCPv6-PD.
-
OwlWizard
I've just tried to install bhyve for the first time and it said that it is deprecated. is there a good alternative?
-
CrtxReavr
o_O
-
CrtxReavr
Install how?
-
OwlWizard
with pkg install
-
OwlWizard
I've just found out about bhyve
-
OwlWizard
or rather bhyve_
-
OwlWizard
+
-
OwlWizard
is bhyve a standard tool?
-
CrtxReavr
Maybe run pkg-update
-
dstolfa
OwlWizard: it's the default go-to hypervisor for FreeBSD, so yes
-
Oleg
have any of you ever tried to start expressvpnd under Linuxulator?
-
OwlWizard
dstolfa, on the website it says that it only supports PCIe passthrough on intel CPUs. is that still true?
-
Oleg
I installed expressvpn_3.76.0.4-1_amd64.deb in the ubuntu focal chroot environment, then I started expressvpnd.
-
Oleg
However, when I type "expressvpn activate" and enter the activation code, I see the message: "Activating...
-
Oleg
Unable to sign in. Please check your connection and try again."
-
dstolfa
OwlWizard: i'm not sure, i only run bhyve myself on intel CPUs so i can't really say. bhyve gained support for arm64 somewhat recently and riscv64 is in progress (maybe already under review?). i'd hope that PCI passthrough works on AMD chips but i'm the wrong person to ask
-
Oleg
In the chroot environment, I ran strace on "expressvpn activate" and got these results:
pastebin.com/PjpF1tvK
-
Oleg
can you please tell me if you see anything in these results that might explain why I am unable to sign in?
-
rwp
OwlWizard, I think maybe the bhyve *port/pkg* is deprecated in favor of the /usr/sbin/bhyve that lives in base.
-
OwlWizard
dstolfa, i meant as in can i pass through a gpu on an amd cpu. i assumed that they meant intel CPUs specifically, i wasn't thinking about x86-64 in general
-
V-T60
hi
-
V-T60
i opened $ arduino
-
V-T60
and it is kinda good, but the top menu doesn't work
-
V-T60
File, Edit, Sketch...
-
V-T60
...Tools, Help.
-
rtprio
Oleg: how does it work on linux? open a tap/tun?
-
Oleg
rtprio: On OpenSuse Tumbleweed (which runs natively on a different PC), I see this when I type "ip addr": tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1350 qdisc pfifo_fast state UNKNOWN group default qlen 500
-
Oleg
link/none
-
Oleg
inet 100.64.100.6 peer 100.64.100.5/32 scope global tun0
-
Oleg
valid_lft forever preferred_lft forever
-
rtprio
i would be really surprised if it worked under freebsd, tbh
-
Oleg
rtprio: you're saying that an ubuntu jail or chroot environment won't be able to create something like tun0?
-
rtprio
i don't know about that, but with no visibility into the application it's going to be exceedingly difficult to diagnose
-
rwp
I think if I were attempting this I would use wifibox to run it in a full Linux kernel bhyve environment. That's a well worn path that works for people.
jrgsystems.com/posts/2022-04-20-802.11ac-on-freebsd-with-wifibox
-
rtprio
or wireguard to a free vps in the country you're vpn'ing to
-
Oleg
rwp: bhyve is different from something like virtual box? I mean, whatever is happening in the bhyve environment will cause the same thing to happen in the freebsd host environment? So, if expressvpn is started in bhyve, the freebsd host will utilize expressvpn too?
-
rtprio
no, the wifi box creates two interfaces and routes or bridges the data back to the host
-
Oleg
rtprio: why would a jail be incapable of creating something like a tun device?
-
Oleg
though my limited understanding of the jail concept tells me that whatever is happening inside a jail is not supposed to affect a host environment
-
kevans
a lot to unpack there
-
mzar
Oleg: there are VNET jails and standard jails, in both of them you can utilise tun interfaces, but it gets configured in different ways
-
kevans
jails can create tun/tap, but you've indicated a linux root which probably can't talk to the kernel well enough to create an interface
-
kevans
we have some netlink support, but I don't think we've gone as far as interface creation (and I have no idea how well any of that works under the Linuxulator)
-
rtprio
Oleg: it's not the jail at fault, it's you don't exactly know what your vpn software is doing
-
rtprio
you could, of course, ask expressvpn why it doesn't work. just pretend you're on linux when you answer their questions
-
Oleg
kevans: wait, wait. jails can't affect hosts. doesn't it mean that even if expressvpn is running in a jail, the host still won't be able to access the internet with expressvpn's ip?
-
Oleg
I am totally confused at this point.
-
Oleg
but by now, you have understood what my goal is: I want the FreeBSD host to access the internet with the ip provided by expressvpn. The FreeBSD native openvpn solution for expressvpn won't work for me because at least one ISP I am familiar with won't let me utilize openvpn because of its firewalling rules. however, the expressvpn linux app would work differently.
-
Oleg
I gotta go now. Thanks for your suggestions about wifibox.
-
debdrup
accessvector.net/2024/freebsd-umtx-privesc been waiting for this writeup for a while
-
Oleg
kevans: so, I said that jails can't affect hosts. does it mean it would be a useless idea to try to set up a vpn connection inside a jail if my goal is to access the vpn connection in the host environment?
-
rtprio
Oleg: does your vpn allow network traffic routed to it?
-
rtprio
Oleg: do you have vnet enabled in your jail config?
-
rwp
A jail is not a completely separate virtual machine. It truly is "just a fancy chroot" at a lot of levels. But there are levels. The simplest SHARES the network stack with the host. The VNET jail namespaces into a separate network stack. And a VM is completely separate. It depends so much upon exactly what implementation is chosen.
-
rwp
Also the kernel implements layers of security through the state control through sysctl control of the "sysctl security.jail" which has many parameters. I understand only a very few of those.
-
ivy
Oleg: you can run a VPN in a jail and access it in the host (at least with VNET) but it would be like running the VPN on a different machine: you need a way to route traffic from the host via the jail so it reaches the VPN
-
ivy
that could be e.g. a static route over the epair interface, or whatever, depends on what exactly you're trying to do
-
rwp
Seems to me that if one shared the network with the jail that the vpn could run in the jail and the host could use it.
-
rwp
But the problem I read was that this was expressvpn_3.76.0.4-1_amd64.deb requiring a Linux compatible ABI via Linuxulator and that's where things broke down.
-
rwp
If it were simply OpenVPN or Wireguard or some such then it would probably Just Work. And also not sure that a jail would be needed in that case.
-
rwp
Also as I understand it Linuxulator is like The Highlander, there can be only one. So doesn't that mean dedicating it to this task in the jail would block it from any other use? And it might already be in use already?
-
ivy
maybe it would be easier to switch to a vpn service that uses Wireguard...
-
Oleg
a chroot environment running under linuxulator can never create the tun device? an actual jail is needed for that?
-
rtprio
no, a jail is not required
-
rtprio
this might be simplified if you didn't run it in a jail
-
rwp
+1 for avoiding the jail. Usually it is better to get something working first. Then jail it if that is desired afterward.
-
Oleg
oh, so, something like tun0 can be created in simple chroot environments? okay.
-
rwp
I suggest avoiding the chroot too. Just Do It.
-
rwp
Though I guess Linuxulator itself is a chroot. So that was a silly thing for me to say.
-
rtprio
i wouldn't even do it in a chroot first
-
rtprio
get it running first
-
rtprio
then chroot and/or jail it
-
Oleg
what do you mean "get it running first"? it's a linux app which requires either a chroot or jail on FreeBSD.
-
rtprio
but to be honest, i would use something universal like ivy/rwp suggests
-
rtprio
linux chroot, then
-
ivy
the linux emulator doesn't inherently require a chroot, although it's often used that way
-
rtprio
yeah, that's what i thought
-
rwp
I have so far avoided using Linuxulator at all. Simple and native is better for me. So I myself would need to work through
wiki.freebsd.org/Linuxulator and
wiki.freebsd.org/LinuxJails but I think it will be tricky because a Jail is not an independent virtual machine. That's why I would probably set it up using wifibox.
-
kevans
Oleg: it's that your linux ip or whatever binary may not be able to kernel-speak its way into creating an interface
-
kevans
iirc it's all netlink these days, which we support, but I don't know if we actually support the interface creation bits of netlink
-
Oleg
kevans: but according to this post
forums.freebsd.org/threads/cant-create-tun-interface-in-jail.74847 , a tun interface can be created
-
kevans
yes.
-
kevans
it is not a jail vs non-jail thing
-
kevans
it's a linux binary vs native binary thing
-
jmnbtslsQE
maybe your vpn service supports some other ports for openvpn that aren't blocked by the ISP
-
Oleg
okay, guys, thanks for the info. ttyl.
-
CrtxReavr
This an IPsec IPv4 thing?
-
CrtxReavr
Maybe with a sprinkle of cgNAT?
-
ivy
no, they're using a privacy VPN that has some proprietary protocol with a client that only works on linux
-
oprs
I got curious about it and decided to take a look; they actually published a fair amount of code
-
oprs
can't speak to the quality of it (nor do I find it particularly interesting), but at least it's out there:
github.com/expressvpn/lightway-core
-
ivy
is it actually their own protocol or just an authentication frontend to wireguard or something?
-
oprs
my understanding is that this is the actual protocol implementation, and the authentication frontend is another thingy (written in Go it seems, couldn't find the source for that one though)
-
Oleg
so, now that wifibox is running, what command should I type to access its linux environment?