-
rwp
mns, Jails are running in the same kernel as the host system so both host and jail will always show the same "uname -r" kernel release information.
-
rwp
The FreeBSD userland distributed with the core base part of the system is pulled out of the /bin/freebsd-version script itself. See "grep USERLAND_VERSION /bin/freebsd-version" or browse the script. But that is the official way to get the version of the userland.
-
rwp
The base userland version is separate and quite often very different from the kernel version.
-
rwp
And then everything else is in ports/pkgs.
-
kevans
f451: yes, that too :-)
-
mns
rwp and debdrup: thanks for the explanations.
-
tm512
with jails, is there any sort of jail management utilities (like Bastille) that actually support reproducible jails? from what I saw with Bastille, it looked like the best you can get with a template is just installing the latest version of a package from the repo, so the actual software stack you get in a jail could be quite different depending on *when* you spin one up, even if the template is identical
-
dacha
hi, i have a failing test (kyua test ...) but all that the log file shows me is "/usr/src/contrib/kyua/utils/cmdline/ui.cpp:103: stdout: failed: 2 checks failed; see output for more details". How do I get that output to see details, e.g. line numbers, where it failed?
-
tm512
almost seems like the way to go is to just tarball /usr/local or have the jail template check out a specific commit of the ports repo to make builds locally, which does sound kinda clunky
-
dacha
oh "kyua report ..." gives you that
-
rwp
tm512, Either what you suggest, a snapshot of /usr/local, or a private pkg repository that is used for your jails. Usually the private pkg repository is the path taken. Quite often by NFS mounting /var/cache/pkg/ among the systems.
-
llua
making a template after installing the software would be the reproducible jail. once you start reaching out to external stuff post spinning it up, that expectation is pretty much out the window
-
rwp
Good point!
-
tm512
llua: you are using a different definition of "template" than Bastille uses
-
tm512
a Bastille template is kind of like a Dockerfile. it contains a series of instructions to build a jail. the sample templates all tend to include pkg commands to install software from the repos
-
tm512
anyway, dunno that it actually matters for me, but having to reach out to a repo for building a jail from a template is like the thing that stood out to me the most while doing research on Bastille so it was something I was wondering about
-
rwp
I think the point was a good one. If you want replicated jails then the template needs to be ready to go and post pkg install.
-
llua
tm512: that docker like behavior was my assumption without knowing how bastille works. in a docker file if you build a container that installs stuff from an external repo at two different times, you can end up with two different containers due to version bumps. you don't control those external resources.
-
llua
without the mirroring and such as mentioned
-
tm512
rwp: the template is just a text file with instructions though. it's not "ready to go". seems like the only option to work around that is to trick it into installing from a static source, or sidestep the templates entirely and shuttle around ZFS snapshots of the jail
-
rwp
I am not using bastille and don't know how it works. I would be using zfs snapshots and clones myself. But using a tar.gz tarfile bundle would be pretty good too.
-
llua
oh, so it doesn't create an image of sorts
-
llua
sounds more like a shell script than a docker file then
-
llua
ditto on zfs snapshots
-
radhitya
FreeBSD srv 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64
-
radhitya
\o/
-
Pionat
Hello, what are the commands to install this on my system?
github.com/TheGoblinHero/dumptorrent
-
Pionat
the source code comes with some Makefile and also cmake file
-
hexabit
o/
-
cybercrypto
Hey
-
cybercrypto
I have this dumb question... I am trying to understand alternatives, please indicate if it is achievable:
-
cybercrypto
Can I setup traffic shaper to ISP with variable bandwidth? Combining two ISP's with different 'maximum hired and minimum guaranteed' fluctuates quite a bit.
-
cybercrypto
defining rules with hired 'max bandwidth' works fairly ok off-peak. Busy hours and peaks, generates bad user experience compared to 'not traffic shape at all' .
-
mountainman1312
Might also have a dumb question here... How can I list every package/port I've installed without also listing the dependencies that came with them?
-
jmnbtsls1E
mountainman1312: pkg query -a '%o'
-
jmnbtsls1E
ah sorry, i misunderstood
-
oprs
mountainman1312: this should list all non-automatic packages (i.e. packages not automatically installed as dependencies of other packages): pkg query -e '%a = 0' %n
-
oprs
see pkg-query(8) for more details/examples
-
skered
Anyone using bear on FreeBSD? Any issues with recent updates?
-
skered
Making to grpc
-
cizra
Hi folks. What's the FreeBSD analogue of Bubblewrap of Linux? Is that jails? I'd like to run my browser in a way that it wouldn't have access to my SSH keys and stuff.
-
hjf
that's probably a chroot. you can think of a jail as (sort of) a docker container
-
cizra
At least in Linux, people keep saying that "chroot is not a security feature". Is it different in FreeBSD?
-
debdrup
chroot _isn't_ a security feature (nor is docker, given the amount of escapes)Æ
-
debdrup
s/.$//
-
debdrup
jails were made to confine the root user, so if you need that kind of isolation, that's the way to go
-
zwr
use capsicum when possible, when the task is suited for it it's better
-
rwp
I hate that we run software that we don't trust. We don't trust the web browser. But we still run the web browser. There is something that feels wrong in that situation.
-
vortexx
I've got a nextcloud instance installed in a jail. All of a sudden I notice that it can't ping the DNS server via IPv6, but can over IPv4, so DNS resolution times out till it resolves over IPv4. Is there any way to let the jail do the IPv6 traffic outgoing? I can reach it from other machines on the lan with the assigned IPv6 address
-
vortexx
(this install has been working for 5+ years)
-
rwp
There are a lot of possible variables making it hard to know exactly what's not working for you. (And I am really not skilled with IPv6 enough to help IPv6 anyway.)
-
rwp
What's in the jail's /etc/resolv.conf file? Seems like if it were an IPv4 address that it would be resolving over IPv4 and not IPv6. But what you say implies that it must be an IPv6 nameserver address.
-
armin
Could as well be "myjail.ip6", "myjail.ip6.addr", "ipv6_activate_all_interfaces" in /etc/rc.conf on the host or whatever
-
armin
hard to say, yea
-
armin
vortexx: fwiw the hostname of my jails host is "vortex"...
-
vortexx
rwp: both the IPv6 and IPv4 address of the DNS server, with IPv6 being first. dig nextcloud.my.lan from within the jail times out on v6 then resolves in v4
-
vortexx
armin: heh
-
armin
FreeBSD vortex 14.1-RELEASE FreeBSD 14.1-RELEASE releng/14.1-n267679-10e31f0946d8 GENERIC amd64
-
vortexx
I just tested traceroute6, it's not working on the host either actually (to outside the lan). Got to dig further
-
vortexx
works from the laptop, so it's a misconfiguration in /etc/rc.conf I reckon
-
armin
vortexx: I'm terrible in that regard, I still live the "internal LAN" thinking and use IPv4 only on the inside. At least all my public services got IPv6 connectivity, but I'm guilty of not running IPv6 the way it was meant to be.
-
vortexx
armin: I suspect I haven't read some upgrade notices when moving to 14.x for rc.conf
-
rwp
Could you swap the order of the two nameserver lines so that the IPv4 line is first? That would stop the current pain of the IPv6 timeout. Then continue working on the IPv6 connectivity problem.
-
vortexx
I'm on 14.1-RELEASE-p5 right now
-
vortexx
rwp: yes I could
-
rwp
You said things were working and then stopped working. So something has changed. Have you implemented the standard repair procedure #1 and rebooted it just in case that fixes things?
-
vortexx
no I haven't rebooted, I suspect this issue has been ongoing for a while and I never noticed till pkg decided I needed to move to nextcloud 30 AND upgrade to postgresql16
-
vortexx
I do remember traceroute6 was working back in June when I moved to my new home
-
armin
<moss> Have you tried forcing an unexpected reboot? </moss>
-
vortexx
I've got some other things running right now that prevent me from rebooting just this second. I'll do that a bit later
-
vortexx
an OpenBSD bhyve VM on the host can traceroute6 fine, it's definitely a host issue, let me read the rc.conf manpage
-
vortexx
(IPv6 is manually configured btw, I'm not using RAV or anything like that)
-
vortexx
mh I was missing ipv6_defaultrouter for one thing
-
rwp
Let's assume it isn't fixed by a reboot. Then something has changed somewhere which has moved things from working to not working. Any changes you are aware of? Do you have an old snapshot you can "zfs diff zroot/ROOT/default@2024-09-12-18:03:40-0 zroot/ROOT/default | grep /etc" type of research into what's changed?
-
rwp
Also if you are pretty sure it is something in rc.conf then you could diff such as: diff -u /.zfs/snapshot/2024-09-12-18:03:40-0/etc/rc.conf /etc/rc.conf
-
fuel
hey, does anybody know what x87 features the freebsd installer uses on i686+mmx? i'm the dev of a pc emulator called pcbox, and i'm trying to debug an issue that only occurs when using the softfloat fpu option in my emulator, for full 80-bit precision instead of the 64-bit precision that having that option off gets you
-
fuel
there's also another bug that happens with hardfloat fpu where the "files read" counter goes haywire and reports HUGE positive AND negative numbers
-
fuel
i'm only emulating a cpu with i686+mmx, so it can't be sse
-
fuel
netbsd's installer seems immune to these issues
-
fuel
openbsd's installer at least doesn't have any fpu bugs
-
fuel
on hardfloat i mean
-
fuel
i haven't tested openbsd on softfloat yet :p
-
fuel
but yeah, with softfloat fpu on, the freebsd installer REALLY likes showing empty error boxes and crashing
-
fuel
no idea why, it doesn't do this with softfloat off
-
vortexx
rwp: the setup here is a couple of network interfaces tied together as lagg0, with a bridge interface on top with the network configuration on it, the jail has an aliased address of each v4 and v6 on it. I don't have snapshots unfortunately
-
mewt
j/30
-
tuaris
Seeing some weirdness after updating to 13.4. has mountd always used port 995? All of a sudden I'm seeing Dovecot complain about it being in use "master: Error: service(pop3-login): listen(*, 995) failed: Address already in use"
-
tuaris
hmm, according to the man page, mountd selects a random port
-
tuaris
No way that after more than 15 years it happens to collide with dovecot
-
rwp
tuaris, I'll say, no way that mountd has chosen that port. And if it were random then restarting would pick a different one. Use lsof or fuser to deduce what is using that port 995. Likely it is a different copy of dovecot.
-
tuaris
It was mountd, that's what sockstat showed
-
rwp
Hmm... Very strange!
-
rwp
That does seem like a random collision then.
-
mzar
I gave a try to pam_zfs_key, but it still looks like work in progress - is anyone using it with graphical login manager ?