-
duncan
debdrup: are you saying such MOTDs don't work?
-
» rwp likes the BSOD motd idea, lol!
-
armin
I'm still in love with the BSOD XScreensaver
-
luke_jobless_sb
is there any visualization tool for pf?
-
luke_jobless_sb
what a wall
-
drijen
hello, i have a question about jails - i intend to serve up a number of web apps behind a reverse proxy via jails and will require a bridge network. Is the bridge network created automatically, or will i need to create an interface myself. Additionally, firewall NAT rules will be required as well, correct
-
rwp
drijen, "automatically" depends upon if you are actually doing it yourself or using a utility such as iocage or some such. The utilities will generally do lots of stuff to help you automatically.
-
rwp
I don't like those for jails and so for me, no, I create the jails manually and have to create the bridge manually. I will have cloned_interfaces="bridge0" and ifconfig_bridge0="addm eth1 up" and such in order to "manually" create the bridge that I am using when constructing the jails.
-
rwp
Is doing that manual or automatic? It depends upon your definitions. For me I have to manually put that configuration into /etc/rc.conf so it feels like a manual creation to me. But for others it might be considered automatic since they did not need to run ifconfig bridge create themselves.
-
luke_jobless_sb
on boot? if that's automatic, it is pretty common to use vnet bridge combo
-
luke_jobless_sb
pretty popular
-
drijen
rwp: thank you very much this is exactly the info i was needing to understand
-
drijen
luke_jobless_sb: cheers also
-
rwp
drijen, Also remember there are about 17,432 different ways, approximately, and so whether you need a bridge or not depends upon how you are configuring it.
-
drijen
that's ok; i just haven't used a nix system professionally in a very long time - i'm super rusty and taking forever to map out what i need to do to accomplish X
-
ivy
drijen: there are two different ways of doing jail networking, the old way, and the new vnet way. if you intend for each jail to have its own network interface that you will bridge on the host, you need to use vnet jails
-
ivy
the old way is that you assign a bunch of IP aliases to the host's network interface then bind each jail to one IP address, then there's no bridging involved at all
-
ivy
drijen: as to whether you need NAT, that depends on your network setup. if you have some internal range of addresses you use in your network (say 10.0.0.0/8) you can just take a /24 from that range, assign it to the bridge, and make sure the host is configured as a router; then your existing NAT router (or whatever you use) will handle the traffic as normal
-
ivy
drijen: otoh if this is something like a single colo/vps host with one public IP address, then yes, you probably need to configure the host to do the NAT for the bridge network itself
-
ivy
an alternative would be to simply not give the jails internet access at all, and run something like squid on the host to proxy http for freebsd-update/pkg/whatever
-
ivy
i also strongly recommend setting this up manually at least once (not using iocage/bastille/whatever) so you understand how it works at the OS level
-
systemdlete2
so I'm trying out freebsd. So far, so good. Just one issue having to do with consoles. I launch xfce4 from a console logged in as regular user. If I switch back to a console, the command line sometimes becomes corrupted so I can't type anything into it, or it does "funny things" with my keystrokes.
-
systemdlete2
I tried "stty sane" but that didn't help.
-
systemdlete2
root is using a plain sh in console.
-
systemdlete2
I am running freebsd under virtualbox 7.0.22. The guest additions are installed, and I'm using VBoxSVGA and no 3D for the VM
-
systemdlete2
usually, I log into another console and kill the one that got wonky on me.
-
systemdlete2
and this is freebsd 13.4
-
systemdlete2
the host is devuan daedalus (basically bookworm)
-
systemdlete2
this is not a huge problem, but a bit annoying. If there is a simple way to fix this, I'd appreciate knowing. Thanks.
-
l00py
anybody know vps hosts that got a 30 day free trial?
-
zip
why the switch to vnet jails, anyway?
-
zip
like i guess it lets you put firewall rules on the jail itself, and i bet it's handy for vpn endpoints
-
zip
otherwise it's a little unclear
-
zip
oh, I suppose it also lets you control how jails talk among themselves
-
Alver
Hm. I tried to bootstrap a 15.0-CURRENT jail on my 14.1-RELEASE host. That did not work out well. Expected?
-
Alver
mount_nullfs: Resource deadlock avoided
-
yuripv_
not this exact issue, but otherwise it's pretty much expected, you can't run newer userland on older kernel
-
ivy
Alver: yes, this is expected. you can't run a jail userland which is newer than the host.
-
Alver
Gotcha. Figured it was worth a try. :)
-
Alver
Anyone here played with podman on freebsd yet?
-
Alver
I'm trying it inside a jail and it's misbehaving (and I'm not that familiar with the codebase to know where to look)
-
ivy
having 10+ minutes of downtime every time you restart a jail due to it being stuck in 'dying' state is getting really annoying
-
rtprio
Alver: just enough to build a very basic container
-
rtprio
l00py: oracle has free tiny vms or one not-bad arm64 one
-
rtprio
that run freebsd
-
rtprio
ivy: any hint on what process is causing the fuss?
-
ivy
rtprio: there are no processes, the jail is dead. it's some timeout in the kernel, maybe related to vnet
-
rtprio
oh
-
ivy
(by 'dead' i mean it doesn't show in 'jls' but it does show in 'jls -d', which prevents it from restarting)
-
ivy
i mostly solved this by moving to bhyve but unfortunately arm64 on rpi4 doesn't support vmm(4) as it only has GICv2
-
aquamo4k
fyi : starting in about two hours:
youtube.com/live/jZ3mjJZEqs0
-
ivy
aquamo4k: might be worth mentioning exactly what it is that starts in two hours
-
aquamo4k
ivy: tyvm ; fyi November 2024 FreeBSD Summit starting in about 2 hours, live stream is supposed to be here:
youtube.com/live/jZ3mjJZEqs0
-
Alver
rtprio: on bare metal, I suppose?
-
rtprio
Alver: right, not in a jail
-
rtprio
you might test not-in-a-jail to see if that's what the problem is
-
ibs
aquamo4k: Thanks for the heads up.
-
ivy
i haven't used nushell (and have no idea what it is) but i did use fish as my login shell for a while, which is also not posix compliant, and that worked fine
-
ivy
wc
-
dch
ivy: maybe you can elaborate on this slow jail shutdown issue on #freebsd-jails channel?
-
ivy
dch: i suppose i could but literally the issue is "jails are stuck in dying state for 10 minutes". and this is a known issue, i've mentioned it to kevans before
-
dch
ivy: thanks. I don't see this locally and I use jails every day. Is there a PR (bugzilla) with more info?
-
dch
I'm interested in getting this fixed, first stage is a reproduction.
-
ivy
no, but if you're seriously interested in investigating this issue, i could create one
-
dch
ivy: yes please. I assume it's either vnet, or filesystem related
-
ivy
dch: what's your bugzilla account so i can cc you (or assign to you if you prefer)?
-
dch
just drop the PR# here and that's sufficient. or dch⊙Fo
-
ivy
ok, will do that when i get some free time
-
dch
^5
-
stdout
hi, is there a freebsd alternative to gcs-fuse to mount google cloud storage buckets?
-
dch
stdout: rclone probably does this for you. I don't use it for GCS but it looks like that works -
rclone.org/googlecloudstorage
-
stdout
thanks dch, i think that'll work.
-
Alver
rtprio: I only have one FreeBSD machine at the moment, and I can't afford to let podman stick its fingers in the various OS orifices :°)
-
dch
stdout: also
freshports.org/devel/py-gcsfs is worth a look. but rclone should be faster and in go.
-
dch
stdout: I have an encrypted password in ~/.config/rclone/rclone.conf
-
dch
and then run this as required
-
dch
`rclone mount -v --cache-dir (mktemp -d -t dropbox) --progress --password-command 'secret password command' --vfs-cache-mode full --debug-fuse dropbox: ~/Dropbox`
-
dch
most of that will be useful
-
drijen
ivy: you are spot on, it's a colo'd server
-
rtprio
well you can uninstall it once you determine it's a jail problem
-
foxxx0
where do I begin debugging if my freebsd 14.1 VM gets stuck at "lo0: link state changed to UP"?
-
foxxx0
it appears to have configured the network interfaces, as it's responding to pings, but neither on the vga console nor on the serial console does it provide any login prompt and sshd is not running yet either
-
rtprio
i suspect there's something else running that hasn't updated the console
-
stdout
Is anyone here running fbsd on GCP? If so, what is the experience like and also are there issues running an unsupported image?
-
foxxx0
rtprio: here is the full boot log from serial console:
paste.foxxx0.de/PHJ
-
foxxx0
I'm unable to spot anything ot of the ordinary, but I've never had to debug such issues on freebsd
-
foxxx0
out of the ordinary*
-
rtprio
does ^C get you past it?
-
foxxx0
oh lol
-
foxxx0
it does
-
rtprio
any dhclient?
-
foxxx0
it's supposed to have static networking, and it was already responding to pings
-
foxxx0
next line after ^C is immediately: "Starting Network: lo0 iavf0 vlan60."
-
foxxx0
so probably that networking start was stuck somewhere?
-
rtprio
that's what i would suspect
-
foxxx0
is there a way to add more debug output around network initialization from /etc/rc.conf?
-
rtprio
there's rc_debug="YES" but i'm not sure that will help you
-
foxxx0
let me try the obvious choice and comment-out the vlan60 cloned interface, I have a sneaking suspicion that might be the culprit
-
rtprio
i would agree
-
foxxx0
yup, that's the cause
-
rtprio
you can share those lines, i can take a look
-
foxxx0
even when aborting with ^C it hasn't set the mac address, it's still the same as the parent interface
-
rtprio
that part looks suspect to me
-
foxxx0
so likely I'm doing that wrong
-
rtprio
ifconfig_vlan60="inet 192.168.60.32 netmask 255.255.255.0 vlan 60 vlandev iavf0 link xx:xx:xx:Xx:xx:xx"
-
rtprio
is what i'd try
-
rtprio
you don't need _alias unless you want more ip addresses
-
foxxx0
you can't set family inet and family ether/link in the same ifconfig call
-
mzar
foxxx0: why do you want to override the default iavf0 address for the child vlan device?
-
foxxx0
I'm trying to keep mac-addrs unique, to not have the same mac addr on multiple VLANs
-
foxxx0
I don't have that many devices here and it really helps when debugging stuff, if you can pinpoint a mac address uniquely to a vlan+interface
-
rtprio
bah, that's what lldp is for
-
foxxx0
hm, that would also be an option
-
rtprio
i mean, if you know the mac, you know the machine, i guess i don't see how it needs to be unique
-
foxxx0
oh, now I know where it actually gets stuck
-
mzar
foxxx0: interesting, but IMHO there are only 2 reasons to change ether address: 1. anonymisation 2. spoofing
-
foxxx0
yeah, I've removed that part now
-
foxxx0
now I still need to figure out what kind of magic is silently dropping vlan stuff for the VFs
-
foxxx0
in theory each VF should be able to fully utilize vlan tagging on its own, unless you restrict the VF to a specific vlan
-
rtprio
vf?
-
foxxx0
virtual function, sr-iov
-
ivy
foxxx0: i am not convinced "restrict the VF to a specific vlan" actually works
-
ivy
i could not get this working on either Intel X520 or Chelsio T540
-
foxxx0
ah well, I derped and forgot to actually trunk the port on the switch ... add vlan60 tagged and it just starts working
-
ivy
inspecting the source, it might work on a specific variant of the chelsio cards
-
rtprio
lol
-
foxxx0
I've been fighting the weirdest issue over the last two days and that has made my brain into mush
-
foxxx0
I shutoff the system one evening, wouldn't boot the next day. right after grub timeout reached 0 and it would try to load the kernel/initrd, it just started endlessly spewing "error: false." at me
-
foxxx0
after multiple rounds of resetting to factory defaults, cmos clears, reflashing bmc firmware and bios ... nothing worked. reproduced with a fresh install and after switching from grub to syslinux it immediately started booting again
-
ivy
so? it had no error, what are you complaining about?!
-
foxxx0
I still have NO idea why it worked for ~2 weeks with grub just fine and just completely bricked suddenly with no way to fix it
-
foxxx0
usually I'm able to figure out such issues or at least make some sort of progress but this just refused to cooperate and went against all logic (that I could come up with)
-
foxxx0
at least one friend told me he also has one mainboard that is just not working with grub but works with syslinux just fine, so I'm not totally alone. just still really confused why it worked in the beginning then
-
foxxx0
I was starting to question my sanity <hidethepainharold.jpg>
-
foxxx0
anyways, thank you rtprio , mzar and ivy !
-
zip
I had a long, boring meeting so I put freebsd on the hp 705 :D
-
ivy
what's an hp 705
-
zip
a little mini computer
-
ivy
is that better than an rpi3?
-
zip
it's an improvement over an rpi2b for sure
-
zip
gets kinda warm though
-
ivy
it's winter, put it under your duvet
-
zip
hah, I've often thought that energy savings on computers were rather a moot point in Scotland
-
zip
now I have to decide if I can be arsed to set up wpa_supplicant
-
zip
I suppose it doesn't desperately need to be wired in to the network
-
mzar
wpa_supplicant is in the base, you can use it with wired and wireless interfaces
-
rwp
I have often reasoned that if someone has electric heat in their house that they might as well crank up a server farm turning electricity into heat that way. It's the same thing but at least something useful more than just heat is produced by it.
-
mzar
yes, heating a room in winter with waste heat from a computer makes your computing green
-
zip
it'd be great if i could host a rack and have a thermostat attached to it
-
zip
setup seems to let me create a zfs volume for an encrypted home directory but then there's nothing actually configured to make it happen and it's not clear that ssh is equipped for it. that's a shame
-
zip
I suppose there's TPM nonsense I could be doing
-
ivy
zip: i'm not sure what bsdinstall does, but never, ever use zfs native encryption, it has been broken since the day it was committed
-
ivy
if you need encryption with zfs, use geli
-
rtprio
i haven't found that to be true
-
ivy
it doesn't affect all users, it depends how you use the filesystems
-
ivy
if you use non-encrypted zfs send from a zfs encrypted filesystem, it will cause random i/o errors on your disks (but it won't actually corrupt data on disk, reboot fixes it)
-
ivy
this is a well known bug which has been open for months, openzfs position is basically "sorry, we do not understand this code well enough to fix it"
-
rtprio
even the folks who wrote it?
-
ivy
those people quit Sun 15 years ago and aren't working on openzfs
-
zip
I don't need encryption on servers really
-
zip
for laptops it's mandatory because they're the most stealable and losable devices and are most likely to have sensitive documents
-
zip
though it'd be nice to have a machine grab a key from another device on the network
-
zip
also I love the redneck engineering of getting wifi working by running a copy of alpine linux in a VM and handing it the hardware. Absolutely deranged.
-
zip
(I did not do this)
-
rtprio
as deranged as reading the binary bits of a windows driver?
-
rtprio
i would say yes
-
zip
haha, those were the days
-
rtprio
i think that's the time i bought a usb ethernet adapter
-
ivy
that's weird, i rebooted this system, it did not come back up, connected a serial console and it was stuck at loader's 'OK ' prompt. type 'boot', it boots fine, rebooted, it reboots fine
-
ivy
must be a heisenboot
-
kevans
i've only really seen phantom input like that with the serial console already attached
-
ivy
hmm, how do i get nmh's repl to quote the body in the reply? can't work out the right way to do this in replcomps
-
ivy
ah, repl -format
-
zip
the first talk for the Fall 2024 FreeBSD Summit is pretty cool!
youtube.com/watch?v=jZ3mjJZEqs0