00:45:47 mns, Jails are running in the same kernel as the host system so both host and jail will always show the same "uname -r" kernel release information.
00:46:59 The FreeBSD userland distributed with the core base part of the system is pulled out of the /bin/freebsd-version script itself. See "grep USERLAND_VERSION /bin/freebsd-version" or browse the script. But that is the official way to get the version of the userland.
00:47:24 The base userland version is separate and quite often very different from the kernel version.
00:47:34 And then everything else is in ports/pkgs.
01:38:51 f451: yes, that too :-)
04:13:15 rwp and debrup: thanks for the explanations.
05:18:21 with jails, is there any sort of jail management utilities (like Bastille) that actually support reproducible jails? from what I saw with Bastille, it looked like the best you can get with a template is just installing the latest version of a package from the repo, so the actual software stack you get in a jail could be quite different depending on *when* you spin one up, even if the template is identical
05:19:07 hi, i have a failing test (kyua test ...) but all that the log file shows me is "/usr/src/contrib/kyua/utils/cmdline/ui.cpp:103: stdout: failed: 2 checks failed; see output for more details". How do I get that output to see details, eg. line numbers, where it failed?
05:20:14 almost seems like the way to go is to just tarball /usr/local or have the jail template check out a specific commit of the ports repo to make builds locally, which does sound kinda clunky
05:21:56 oh "kyua report ..." gives you that
05:24:54 tm512, Either what you suggest, a snapshot of /usr/local, or a private pkg repository that is used for your jails. Usually the private pkg repository is the path taken. Quite often by NFS mounting /var/cache/pkg/ among the systems.
06:24:53 making a template after installing the software would be the reproducible jail.
once you start reaching out to external stuff post spinning it up, that expectation is pretty much out the window
06:29:08 Good point!
07:02:37 llua: you are using a different definition of "template" than Bastille uses
07:03:52 a Bastille template is kind of like a Dockerfile. it contains a series of instructions to build a jail. the sample templates all tend to include pkg commands to install software from the repos
07:13:33 anyway, dunno that it actually matters for me, but having to reach out to a repo for building a jail from a template is like the thing that stood out to me the most while doing research on Bastille so it was something I was wondering about
07:30:11 I think the point was a good one. If you want replicated jails then the template needs to be ready to go and post pkg install.
07:36:17 tm512: that docker like behavior was my assumption without knowing how bastille works. in a docker file if you build a container that installs stuff from an external repo at two different times, you can end up with two different containers due to version bumps. you don't control those external resources.
07:38:39 without the mirroring and such as mentioned
07:44:21 rwp: the template is just a text file with instructions though. it's not "ready to go". seems like the only option to work around that is to trick it into installing from a static source, or sidestep the templates entirely and shuttle around ZFS snapshots of the jail
07:45:58 I am not using bastille and don't know how it works. I would be using zfs snapshots and clones myself. But using a tar.gz tarfilebundle would be pretty good too.
07:50:36 oh, so it doesn't create an image of sorts
07:50:53 sounds more like a shell script than a docker file then
07:51:18 ditto on zfs snapshots
13:23:05 FreeBSD srv 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64
13:23:21 \o/
16:14:12 Hello, what are the commands to install this on my system?
https://github.com/TheGoblinHero/dumptorrent
16:15:12 the source code comes with some Makefile and also cmake file
16:15:56 o/
17:14:45 Hey
17:21:56 I have this dumb question... I am trying to understand alternatives, please indicate if is achievable:
17:25:15 Can I setup traffic shaper to ISP with variable bandwidth? Combining two ISP's with different 'maximum hired and minimum guaranteed' fluctuates quite a bit.
17:27:20 defining rules with hired 'max bandwidth' works fairly ok off-peak. Busy hours and peaks, generates bad user experience compared to 'not traffic shape at all' .
19:03:06 Might also have a dumb question here... How can I list every package/port I've installed without also listing the dependencies that came with them?
19:18:12 mountainman1312: pkg query -a '%o'
19:18:30 ah sorry, i misunderstood
19:18:40 mountainman1312: this should list all non-automatic packages (i.e. packages not automatically installed as dependencies to other packages): pkg query -e '%a = 0' %n
19:18:58 see pkg-query(8) for more details/examples
19:20:48 Anyone using bear on FreeBSD? Any issues with recent updates?
19:20:52 Making to grpc
19:43:15 Hi folks. What's the FreeBSD analogue of Bubblewrap of Linux? Is that jails? I'd like to run my browser in a way that it wouldn't have access to my SSH keys and stuff.
19:44:28 that's probably a chroot. you can think of a jail as (sort of) a docker container
19:49:26 At least in Linux, people keep saying that "chroot is not a security feature". Is it different in FreeBSD?
19:53:01 chroot _isn't_ a security feature (nor is docker, given the amount of escapes)Æ
19:53:12 s/.$//
19:54:03 jails were made to confine the root user, so if you need that kind of isolation, that's the way to go
20:06:15 use capsicum when possible, when the task is suited for it it's better
20:30:23 I hate that we run software that we don't trust. We don't trust the web browser. But we still run the web browser.
There is something that feels wrong in that situation.
20:34:35 I've got a nextcloud instance installed in a jail. All of a sudden I notice that it can't ping the DNS server via IPv6, but can over IPv4, so DNS resolution times out till it resolves over IPv4. Is there any way to let the jail do the IPv6 traffic outgoing? I can reach it from other machines on the lan with the assigned IPv6 address
20:34:49 (this install has been working for 5+ years)
20:46:41 There are a lot of possible variables making it hard to know exactly what's not working for you. (And I am really not skilled with IPv6 enough to help IPv6 anyway.)
20:47:26 What's in the jail's /etc/resolv.conf file? Seems like if it were an IPv4 address that it would be resolving over IPv4 and not IPv6. But what you say implies that it must be an IPv6 nameserver address.
20:49:55 Could as well be "myjail.ip6", "myjail.ip6.addr", "ipv6_activate_all_interfaces" in /etc/rc.conf on the host or whatever
20:50:02 hard to say, yea
20:51:58 vortexx: fwiw the hostname of my jails host is "vortex"...
20:52:22 rwp: both the IPv6 and IPv4 address of the DNS server, with IPv6 being first. dig nextcloud.my.lan from within the jail times out on v6 then resolves in v4
20:52:34 armin: heh
20:53:11 FreeBSD vortex 14.1-RELEASE FreeBSD 14.1-RELEASE releng/14.1-n267679-10e31f0946d8 GENERIC amd64
20:53:17 I just tested traceroute6, it's not working on the host either actually (to outside the lan). Got to dig further
20:54:16 works from the laptop, so it's a misconfiguration in /etc/rc.conf I reckon
20:56:53 vortexx: I'm terrible in that regard, I still live the "internal LAN" thinking and use IPv4 only on the inside. At least all my public services got IPv6 connectivity, but I'm guilty of not running IPv6 the way it was meant to be.
20:58:31 armin: I suspect I haven't read some upgrade notices when moving to 14.x for rc.conf
20:59:01 Could you swap the order of the two nameserver lines so that the IPv4 line is first?
That would stop the current pain of the IPv6 timeout. Then continue working on the IPv6 connectivity problem.
20:59:09 I'm on 14.1-RELEASE-p5 right now
20:59:19 rwp: yes I could
20:59:47 You said things were working and then stopped working. So something has changed. Have you implemented the standard repair procedure #1 and rebooted it just in case that fixes things?
21:02:40 no I haven't rebooted, I suspect this issue has been ongoing for a while and I never noticed till pkg decided I needed to move to nextcloud 30 AND upgrade to postgresql16
21:03:03 I do remember traceroute6 was working back in June when I moved to my new home
21:03:06 Have you tried forcing an unexpected reboot?
21:03:54 I've got some other things running right now that prevent me from rebooting just this second. I'll do that a bit later
21:04:54 an OpenBSD bhyve VM on the host can traceroute6 fine, it's definitely a host issue, let me read the rc.conf manpage
21:06:51 (IPv6 is manually configured btw, I'm not using RAV or anything like that)
21:09:56 mh I was missing ipv6_defaultrouter for one thing
21:10:34 Let's assume it isn't fixed by a reboot. Then something has changed somewhere which has moved things from working to not working. Any changes you are aware of? Do you have an old snapshot you can "zfs diff zroot/ROOT/default@2024-09-12-18:03:40-0 zroot/ROOT/default | grep /etc" type of research into what's changed?
21:12:33 Also if you are pretty sure it is something in rc.conf then you could diff such as: diff -u /.zfs/snapshot/2024-09-12-18:03:40-0/etc/rc.conf /etc/rc.conf
21:19:40 hey, does anybody know what x87 features the freebsd installer uses on i686+mmx?
i'm the dev of a pc emulator called pcbox, and i'm trying to debug an issue that only occurs when using the softfloat fpu option in my emulator, for full 80-bit precision instead of the 64-bit precision that having that option off gets you
21:20:18 there's also another bug that happens with hardfloat fpu where the "files read" counter goes haywire and reports HUGE positive AND negative numbers
21:20:51 i'm only emulating a cpu with i686+mmx, so it can't be sse
21:22:11 netbsd's installer seems immune to these issues
21:22:21 openbsd's installer at least doesn't have any fpu bugs
21:22:26 on hardfloat i mean
21:22:39 i haven't tested openbsd on softfloat yet :p
21:24:48 but yeah, with softfloat fpu on, the freebsd installer REALLY likes showing empty error boxes and crashing
21:24:57 no idea why, it doesn't do this with softfloat off
21:29:01 rwp: the setup here is a couple of network interfaces tied together as lagg0, with a bridge interface on top with the network configuration on it, the jail has an aliased address of each v4 and v6 on it. I don't have snapshots unfortunately
22:14:39 j/30
22:46:40 Seeing some weirdness after updating to 13.4. has mountd always used port 995? All of a sudden I'm seeing Dovecot complain about it being in use "master: Error: service(pop3-login): listen(*, 995) failed: Address already in use"
22:47:57 hmm, according to the man page, mountd selects a random port
22:48:53 No way that after more than 15 years it happens to collide with dovecot
22:59:06 tuaris, I'll say, no way that mountd has chosen that port. And if it were random then restarting would pick a different one. Use lsof or fuser to deduce what is using that port 995. Likely it is a different copy of dovecot.
23:01:34 It was mountd, that's what sockstat showed
23:02:55 Hmm... Very strange!
23:03:59 That does seem like a random collision then.
23:12:59 I gave a try to pam_zfs_key, but it still looks like work in progress - is anyone using it with graphical login manager ?