00:43:25 if you make it possible to download a self-signed root cert, the browsers and mail applications should let you install it in the cert store. I did that for my IMAP when on-site
00:43:53 use a droid slab to read IMAP mail stored at home
00:45:14 since then "letsencrypt" happened so I should take the time to update it to use letsencrypt
03:08:31 i use LE for my internal sites too
08:55:24 In case of Linux the ACPI "power button" press is captured by the button driver and if there is an ACPI signals listener like acpid or systemd-logind, then the system acts accordingly, e.g. initiates a shutdown. How does this work on FreeBSD? I mean what daemon is (usually) used to handle ACPI signals?
09:08:22 mrtnt: devd(8)
09:09:22 mzar: ok, thanks. I'll look into this.
10:36:31 hello everyone, anybody using pkgsrc on top of freebsd here?
12:48:35 Not me.
13:03:02 hello
13:03:19 any idea for this: https://gist.github.com/silenius/867e1bea986bec511d5b640ac31e7601 ? (NFS issue)
13:03:52 from what I can read in the manpage -mask should be supported... ?
13:06:39 (this is on a 13.2-RELEASE)
13:17:59 i agree that the manpage seems to say that your config is correct. i would try using an equals sign. if that doesn't work, using /24 instead of the mask
13:25:18 also when I'm modifying /etc/exports on the NFS server is it enough to reload mountd ?
13:26:18 yeah
13:28:51 for some reason it doesn't seem to work
13:30:35 you tried using mask=, and then using /24
13:32:03 let me try
13:32:48 mage: look for the exports(5), check examples
13:33:08 s/for/at/
13:37:42 looks like he's consulted the manpage
13:38:30 mzar: I did
13:39:34 I'm getting "nfsv4 no file handle: usually means the file system is not exported on the NFSv4 server"
13:39:44 although I reloaded mountd on the NFS server
13:40:04 mage: have you tried something like `-network=10.209.1.0/24` ?
13:40:06 this is with: chimay.prod.lan:/ipt /jails/ipt/filer/ipt nfs nfsv4,rw,bg,late 0 0
13:40:38 for this FS I have a single /data/ipt orval.prod.lan lambic.prod.lan duvel.prod.lan
13:40:47 and the mount occurs on duvel.prod.lan
13:41:16 server is 13.2, client is 14.1
13:45:33 I've changed to -network=x.x.x.x/24, no more warning.. but the mount doesn't work
13:45:47 for the data/ipt mount, not sure. try removing everything on your exports except for that one. maybe try restarting the server
13:47:15 normally reloading mountd should be enough, no?
13:47:32 this is a production server, I can't do random testing :(
13:47:43 OK
13:50:09 for your data/ipt line, my next guess would be that you need a component after /data/ipt, such as -rw, or something like -maproot
13:50:48 I don't think so, it works for other machines
13:50:49 sorry, not rw. ro if it's readonly
13:51:04 I just added "duvel.prod.lan" to that line and reloaded mountd
13:51:18 ah, i see
13:51:30 should I restart nfsd?
13:51:51 i wouldn't try that now if it's going to be disruptive
13:52:14 this is strange, it worked in the past
13:52:17 is there anything unusual with the IP addresses on those hosts? have they changed since connecting to the server before? any NAT?
13:53:31 if orval and lambic are able to mount that line, that's important to know. so try to isolate what's different about duvel
13:54:43 mage: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263011
13:55:28 yeah, the first thing to know about nfs configuration (on any platform) is that it's broken. so you need to be methodical in debugging it with incomplete information
13:55:37 stevenix: this is solved with -network=x.x.x.x/24
13:56:10 or even swapping the order of -network x.x.x.x -mask x.x.x.x to -mask x.x.x.x -network x.x.x.x
13:56:47 ok it works now
13:57:04 I did service mountd onerestart instead of service mountd onereload
13:57:25 pffff :-)
13:57:44 heh, sorry i read that you did "restart" instead of "reload"
13:58:22 normally a HUP to mountd is enough (from what I read in the manpages)
13:58:33 this is what service mountd onereload does I guess
14:06:02 not sure what the difference is between the HUP and restarting it. it seems like it does some things when it starts. maybe it's related to rpcbind if you have that running
14:18:04 shbrngdo, the problem I'm having is the physical interface is normal, intel Gbit, so the interface is there, but it takes a bit for the interface to get its v6 IP bound, 'cause it's an internal interface being configured via DHCPv6-PD.
16:22:51 i've just tried to install bhyve for the first time and it said that it is deprecated. is there a good alternative?
16:25:42 o_O
16:25:46 Install how?
16:26:47 with pkg install
16:26:54 i've just found out about bhyve
16:27:10 or rather bhyve_
16:27:15 +
16:27:23 is bhyve a standard tool?
16:27:42 Maybe run pkg-update
16:27:44 OwlWizard: it's the default go-to hypervisor for FreeBSD, so yes
16:27:47 have any of you ever tried to start expressvpnd under Linuxulator?
16:30:06 dstolfa, on the website it says that it only supports pcie passthrough on intel cpu's. is that still true?
16:32:14 I installed expressvpn_3.76.0.4-1_amd64.deb in the ubuntu focal chroot environment, then I started expressvpnd.
16:33:34 However, when I type "expressvpn activate" and enter the activation code, I see the message: "Activating...
16:33:36 Unable to sign in. Please check your connection and try again."
16:35:31 OwlWizard: i'm not sure, i only run bhyve myself on intel CPUs so i can't really say. bhyve gained support for arm64 somewhat recently and riscv64 is in progress (maybe already under review?). i'd hope that PCI passthrough works on AMD chips but i'm the wrong person to ask
16:38:05 In the chroot environment, I ran strace on "expressvpn activate" and got these results: https://pastebin.com/PjpF1tvK
16:39:41 can you please tell me if you see anything in these results that might explain why I am unable to sign in?
16:40:27 OwlWizard, I think maybe the bhyve *port/pkg* is deprecated in favor of the /usr/sbin/bhyve that lives in base.
16:45:25 dstolfa, i meant as in can i pass through a gpu on an amd cpu. i assumed that they meant intel cpu's specifically, i wasn't thinking about x86-64 in general
17:05:46 hi
17:05:52 i opened $ arduino
17:06:01 and it is kinda good, but the top menu doesn't work
17:06:20 File, Edit, Sketch...
17:06:27 ...Tools, Help.
17:29:07 Oleg: how does it work on linux? open a tap/tun?
17:33:35 rtprio: On OpenSuse Tumbleweed (which runs natively on a different PC), I see this when I type "ip addr": tun0: mtu 1350 qdisc pfifo_fast state UNKNOWN group default qlen 500
17:33:37 link/none
17:33:39 inet 100.64.100.6 peer 100.64.100.5/32 scope global tun0
17:33:41 valid_lft forever preferred_lft forever
17:33:57 i would be really surprised if it worked under freebsd, tbh
17:35:06 rtprio: u're saying that an ubuntu jail or chroot environment won't be able to create something like tun0?
17:36:00 i don't know about that, but with no visibility into the application it's going to be exceedingly difficult to diagnose
17:39:40 I think if I were attempting this I would use wifibox to run it in a full Linux kernel bhyve environment. That's a well worn path that works for people. https://jrgsystems.com/posts/2022-04-20-802.11ac-on-freebsd-with-wifibox/
17:40:10 Also https://xyinn.org/md/freebsd/wifibox is good. Upstream: https://github.com/pgj/freebsd-wifibox
17:40:52 or wireguard to a free vps in the country you're vpn'ing to
17:48:24 rwp: bhyve is different from something like virtual box? I mean, whatever is happening in the bhyve environment will cause the same thing to happen in the freebsd host environment? So, if expressvpn is started in bhyve, the freebsd host will utilize expressvpn too?
17:53:54 no, the wifi box creates two interfaces and routes or bridges the data back to the host
17:55:37 rtprio: why would a jail be incapable of creating something like a tun device?
17:56:48 though my limited understanding of the jail concept tells me that whatever is happening inside a jail is not supposed to affect a host environment
17:57:46 a lot to unpack there
17:58:57 Oleg: there are VNET jails and standard jails, in both of them you can utilise tun interfaces, but it gets configured in different ways
17:59:25 jails can create tun/tap, but you've indicated a linux root which probably can't talk to the kernel well enough to create an interface
17:59:51 we have some netlink support, but I don't think we've gone as far as interface creation (and I have no idea how well any of that works under the linuxulator)
18:00:53 Oleg: it's not the jail at fault, it's that you don't exactly know what your vpn software is doing
18:01:22 you could, of course, ask expressvpn why it doesn't work. just pretend you're on linux when you answer their questions
18:02:43 kevans: wait, wait. jails can't affect hosts. doesn't it mean that even if expressvpn is running in a jail, the host still won't be able to access the internet with expressvpn's ip?
18:03:23 I am totally confused at this point.
18:07:08 but by now, you have understood what my goal is: I want the FreeBSD host to access the internet with the ip provided by expressvpn. The FreeBSD native openvpn solution for expressvpn won't work for me because at least one ISP I am familiar with won't let me utilize openvpn because of its firewalling rules. however, the expressvpn linux app would work differently.
18:08:18 I gotta go now. Thanks for your suggestions about wifibox.
19:00:12 https://accessvector.net/2024/freebsd-umtx-privesc been waiting for this writeup for a while
19:53:40 kevans: so, I said that jails can't affect hosts. does it mean it would be a useless idea to try to set up a vpn connection inside a jail if my goal is to access the vpn connection in the host environment?
19:54:23 Oleg: does your vpn allow network traffic routed to it?
19:55:35 Oleg: do you have vnet enabled in your jail config?
19:55:36 https://forums.freebsd.org/threads/cant-create-tun-interface-in-jail.74847/
19:58:02 A jail is not a completely separate virtual machine. It truly is "just a fancy chroot" at a lot of levels. But there are levels. The simplest SHARES the network stack with the host. The VNET jail namespaces into a separate network stack. And a VM is completely separate. It depends so much upon exactly what implementation is chosen.
19:59:19 Also the kernel implements layers of security through state control via sysctl, the "sysctl security.jail" tree, which has many parameters. I understand only a very few of those.
19:59:31 Oleg: you can run a VPN in a jail and access it in the host (at least with VNET) but it would be like running the VPN on a different machine: you need a way to route traffic from the host via the jail so it reaches the VPN
19:59:52 that could be e.g. a static route over the epair interface, or whatever, depends on what exactly you're trying to do
20:02:25 Seems to me that if one shared the network with the jail then the vpn could run in the jail and the host could use it.
20:02:30 But the problem I read was that this was expressvpn_3.76.0.4-1_amd64.deb requiring a Linux compatible ABI via Linuxulator and that's where things broke down.
20:03:15 If it were simply OpenVPN or Wireguard or some such then it would probably Just Work. And also not sure that a jail would be needed in that case.
20:03:54 Also as I understand it Linuxulator is like The Highlander, there can be only one. So doesn't that mean dedicating it to this task in the jail would block it from any other use? And it might already be in use?
20:04:50 maybe it would be easier to switch to a vpn service that uses Wireguard...
20:05:26 a chroot environment running under linuxulator can never create the tun device? an actual jail is needed for that?
20:06:58 no, a jail is not required
20:07:09 this might be simplified if you didn't run it in a jail
20:07:49 +1 for avoiding the jail. Usually it is better to get something working first. Then jail it if that is desired afterward.
20:09:50 oh, so, something like tun0 can be created in simple chroot environments? okay.
20:11:01 I suggest avoiding the chroot too. Just Do It.
20:11:47 Though I guess Linuxulator itself is a chroot. So that was a silly thing for me to say.
20:11:57 i wouldn't even do it in a chroot first
20:12:02 get it running first
20:12:08 then chroot and/or jail it
20:13:07 what do you mean "get it running first"? it's a linux app which requires either a chroot or jail on FreeBSD.
20:13:12 but to be honest, i would use something universal like ivy/rwp suggests
20:13:29 linux chroot, then
20:13:32 the linux emulator doesn't inherently require a chroot, although it's often used that way
20:14:35 yeah, that's what i thought
20:15:15 I have so far avoided using Linuxulator at all. Simple and native is better for me. So I myself would need to work through https://wiki.freebsd.org/Linuxulator and https://wiki.freebsd.org/LinuxJails but I think it will be tricky because a Jail is not an independent virtual machine. That's why I would probably set it up using wifibox.
20:44:33 Oleg: it's that your linux ip or whatever binary may not be able to kernel-speak its way into creating an interface
20:46:07 iirc it's all netlink these days, which we support, but I don't know if we actually support the interface creation bits of netlink
20:46:25 kevans: but according to this post https://forums.freebsd.org/threads/cant-create-tun-interface-in-jail.74847 , a tun interface can be created
20:46:59 yes.
20:47:13 it is not a jail vs non-jail thing
20:47:30 it's a linux binary vs native binary thing
20:49:32 maybe your vpn service supports some other ports for openvpn that aren't blocked by the ISP
21:33:28 okay, guys, thanks for the info. ttyl.
21:44:28 Is this an IPsec IPv4 thing?
21:44:44 Maybe with a sprinkle of cgNAT?
21:50:15 no, they're using a privacy VPN that has some proprietary protocol with a client that only works on linux
23:18:55 I got curious about it and decided to take a look; they actually published a fair amount of code
23:19:29 can't speak to the quality of it (nor do I find it particularly interesting), but at least it's out there: https://github.com/expressvpn/lightway-core/
23:19:48 is it actually their own protocol or just an authentication frontend to wireguard or something?
23:21:12 my understanding is that this is the actual protocol implementation, and the authentication frontend is another thingy (written in Go it seems, couldn't find the source for that one though)
23:26:36 so, now that wifibox is running, what command should I type to access its linux environment?