00:09:02 debdrup: are you saying such MOTDs don't work?
00:16:41 * rwp likes the BSOD motd idea, lol!
01:50:54 I'm still in love with the BSOD XScreensaver
04:51:26 is there any visualization tool for pf?
05:14:02 I am thinking it would be something like this. https://clipart-library.com/newhp/96-964715_firewall-fire-wall-computer-security-burning-firewall-clipart.png
05:30:36 what a wall
06:17:19 hello, i have a question about jails - i intend to serve up a number of web apps behind a reverse proxy via jails and will require a bridge network. Is the bridge network created automatically, or will i need to create an interface myself? Additionally, firewall NAT rules will be required as well, correct?
06:25:03 drijen, "automatically" depends upon if you are actually doing it yourself or using a utility such as iocage or some such. The utilities will generally do lots of stuff to help you automatically.
06:26:20 I don't like those for jails and so for me, no, I create the jails manually and have to create the bridge manually. I will have cloned_interfaces="bridge0" and ifconfig_bridge0="addm eth1 up" and such in order to "manually" create the bridge that I am using when constructing the jails.
06:27:31 Is doing that manual or automatic? It depends upon your definitions. For me I have to manually put that configuration into /etc/rc.conf so it feels like a manual creation to me. But for others it might be considered automatic since they did not need to run ifconfig bridge create themselves.
06:30:28 on boot? if that's automatic, it is pretty common to use the vnet bridge combo
06:30:40 pretty popular
06:33:18 rwp: thank you very much, this is exactly the info i was needing to understand
06:33:24 luke_jobless_sb: cheers also
06:47:46 drijen, Also remember there are about 17,432 different ways, approximately, and so whether you need a bridge or not depends upon how you are configuring it.
06:49:46 that's ok; i just haven't used a nix system professionally in a very long time - i'm super rusty and taking forever to map out what i need to do to accomplish X
07:21:02 drijen: there are two different ways of doing jail networking, the old way, and the new vnet way. if you intend for each jail to have its own network interface that you will bridge on the host, you need to use vnet jails
07:22:24 the old way is that you assign a bunch of IP aliases to the host's network interface then bind each jail to one IP address, then there's no bridging involved at all
07:25:51 drijen: as to whether you need NAT, that depends on your network setup. if you have some internal range of addresses you use in your network (say 10.0.0.0/8) you can just take a /24 from that range, assign it to the bridge, and make sure the host is configured as a router; then your existing NAT router (or whatever you use) will handle the traffic as normal
07:26:26 drijen: otoh if this is something like a single colo/vps host with one public IP address, then yes, you probably need to configure the host to do the NAT for the bridge network itself
07:28:04 an alternative would be to simply not give the jails internet access at all, and run something like squid on the host to proxy http for freebsd-update/pkg/whatever
07:28:46 i also strongly recommend setting this up manually at least once (not using iocage/bastille/whatever) so you understand how it works at the OS level
08:25:59 so I'm trying out freebsd. So far, so good. Just one issue having to do with consoles. I launch xfce4 from a console logged in as a regular user. If I switch back to a console, the command line sometimes becomes corrupted so I can't type anything into it, or it does "funny things" with my keystrokes.
08:26:11 I tried "stty sane" but that didn't help.
08:26:39 root is using a plain sh in console.
08:27:26 I am running freebsd under virtualbox 7.0.22. The guest additions are installed, and I'm using VBoxSVGA and no 3D for the VM
08:28:12 usually, I log into another console and kill the one that got wonky on me.
08:28:50 and this is freebsd 13.4
08:29:50 the host is devuan daedalus (basically bookworm)
08:30:26 this is not a huge problem, but a bit annoying. If there is a simple way to fix this, I'd appreciate knowing. Thanks.
09:33:54 anybody know vps hosts that have a 30 day free trial?
10:34:40 why the switch to vnet jails, anyway?
10:35:26 like i guess it lets you put firewall rules on the jail itself, and i bet it's handy for vpn endpoints
10:36:03 otherwise it's a little unclear
10:36:12 oh, I suppose it also lets you control how jails talk among themselves
10:49:22 Hm. I tried to bootstrap a 15.0-CURRENT jail on my 14.1-RELEASE host. That did not work out well. Expected?
10:50:33 mount_nullfs: Resource deadlock avoided
10:57:19 not this exact issue, but otherwise it's pretty much expected, you can't run newer userland on an older kernel
10:57:56 Alver: yes, this is expected. you can't run a jail userland which is newer than the host.
11:01:37 Gotcha. Figured it was worth a try. :)
11:04:01 Anyone here played with podman on freebsd yet?
11:04:35 I'm trying it inside a jail and it's misbehaving (and I'm not that familiar with the codebase to know where to look)
13:39:35 having 10+ minutes of downtime every time you restart a jail due to it being stuck in 'dying' state is getting really annoying
13:40:21 Alver: just enough to build a very basic container
13:40:44 l00py: oracle has free tiny vms or one not-bad arm64 one
13:40:49 that run freebsd
13:42:35 ivy: any hint on what process is causing the fuss?
13:43:20 rtprio: there are no processes, the jail is dead. it's some timeout in the kernel, maybe related to vnet
13:44:00 oh
13:44:04 (by 'dead' i mean it doesn't show in 'jls' but it does show in 'jls -d', which prevents it from restarting)
13:45:46 i mostly solved this by moving to bhyve but unfortunately arm64 on rpi4 doesn't support vmm(4) as it only has GICv2
14:05:58 fyi : starting in about two hours: https://www.youtube.com/live/jZ3mjJZEqs0
14:07:12 aquamo4k: might be worth mentioning exactly what it is that starts in two hours
14:08:11 ivy: tyvm ; fyi November 2024 FreeBSD Summit starting in about 2 hours, live stream is supposed to be here: https://www.youtube.com/live/jZ3mjJZEqs0
14:09:56 today's agenda appears to be this: https://x.com/freebsdfndation/status/1853878720789926256/photo/1
14:12:18 rtprio: on bare metal, I suppose?
14:25:12 Alver: right, not in a jail
14:25:32 you might test not-in-a-jail to see if that's what the problem is
14:25:41 aquamo4k: Thanks for the heads up.
14:34:37 i haven't used nushell (and have no idea what it is) but i did use fish as my login shell for a while, which is also not posix compliant, and that worked fine
14:34:40 wc
14:44:30 ivy: maybe you can elaborate on this slow jail shutdown issue on the #freebsd-jails channel?
14:50:47 dch: i suppose i could but literally the issue is "jails are stuck in dying state for 10 minutes". and this is a known issue, i've mentioned it to kevans before
14:57:12 ivy: thanks. I don't see this locally and I use jails every day. Is there a PR (bugzilla) with more info?
14:57:46 I'm interested in getting this fixed, first stage is a reproduction.
14:57:51 no, but if you're seriously interested in investigating this issue, i could create one
15:01:16 ivy: yes please. I assume it's either vnet, or filesystem related
15:02:03 dch: what's your bugzilla account so i can cc you (or assign to you if you prefer)?
15:02:27 just drop the PR# here and that's sufficient. or dch⊙Fo
15:05:26 ok, will do that when i get some free time
15:08:56 ^5
15:12:11 hi, is there a freebsd alternative to gcs-fuse to mount google cloud storage buckets?
15:13:22 stdout: rclone probably does this for you. I don't use it for GCS but it looks like that works - https://rclone.org/googlecloudstorage/
15:20:58 thanks dch, i think that'll work.
15:21:13 rtprio: I only have one FreeBSD machine at the moment, and I can't afford to let podman stick its fingers in the various OS orifices :°)
15:21:39 stdout: also https://www.freshports.org/devel/py-gcsfs is worth a look. but rclone should be faster and in go.
15:22:24 stdout: I have an encrypted password in ~/.config/rclone/rclone.conf
15:22:28 and then run this as required
15:23:24 `rclone mount -v --cache-dir (mktemp -d -t dropbox) --progress --password-command 'secret password command' --vfs-cache-mode full --debug-fuse dropbox: ~/Dropbox`
15:23:31 most of that will be useful
15:26:58 ivy: you are spot on, it's a colo'd server
16:07:34 well you can uninstall it once you determine it's a jail problem
17:00:46 where do I begin debugging if my freebsd 14.1 VM gets stuck at "lo0: link state changed to UP"?
17:01:16 it appears to have configured the network interfaces, as it's responding to pings, but neither on the vga console nor on the serial console does it provide any login prompt and sshd is not running yet either
17:01:57 i suspect there's something else running that hasn't updated the console
17:02:12 Is anyone here running fbsd on GCP? If so, what is the experience like and also are there issues running an unsupported image?
17:05:15 rtprio: here is the full boot log from serial console: https://paste.foxxx0.de/PHJ/
17:06:19 I'm unable to spot anything ot of the ordinary, but I've never had to debug such issues on freebsd
17:06:30 out of the ordinary*
17:06:30 does ^C get you past it?
17:06:40 oh lol
17:06:42 it does
17:06:44 any dhclient?
17:07:15 it's supposed to have static networking, and it was already responding to pings
17:07:42 next line after ^C is immediately: "Starting Network: lo0 iavf0 vlan60."
17:07:54 so probably that networking start was stuck somewhere?
17:08:07 that's what i would suspect
17:08:17 is there a way to add more debug output around network initialization from /etc/rc.conf?
17:08:48 there's rc_debug="YES" but i'm not sure that will help you
17:10:18 let me try the obvious choice and comment-out the vlan60 cloned interface, I have a sneaking suspicion that might be the culprit
17:10:32 i would agree
17:10:43 yup, that's the cause
17:11:01 you can share those lines, i can take a look
17:12:03 https://paste.foxxx0.de/mFOq5/
17:12:31 even when aborting with ^C it hasn't set the mac address, it's still the same as the parent interface
17:12:44 that part looks suspect to me
17:12:46 so likely I'm doing that wrong
17:13:36 ifconfig_vlan60="inet 192.168.60.32 netmask 255.255.255.0 vlan 60 vlandev iavf0 link xx:xx:xx:Xx:xx:xx"
17:13:39 is what i'd try
17:13:46 you don't need _alias unless you want more ip addresses
17:15:00 you can't set family inet and family ether/link in the same ifconfig call
17:15:06 I'm gonna try https://forums.freebsd.org/threads/ether-random.82049/post-531451
17:17:09 foxxx0: why do you want to override the default iavf0 address for the child vlan device?
17:17:35 I'm trying to keep mac-addrs unique, to not have the same mac addr on multiple VLANs
17:18:20 I don't have that many devices here and it really helps when debugging stuff, if you can pinpoint a mac address uniquely to a vlan+interface
17:19:02 bah, that's what lldp is for
17:19:28 hm, that would also be an option
17:20:30 i mean, if you know the mac, you know the machine, i guess i don't see how it needs to be unique
17:21:14 oh, now I know where it actually gets stuck
17:21:32 following https://forums.freebsd.org/threads/ether-random.82049/post-531451 worked
17:21:58 as in: https://paste.foxxx0.de/Y5W6/
17:24:31 foxxx0: interesting, but IMHO there are only 2 reasons to change ether address: 1. anonymisation 2. spoofing
17:25:14 yeah, I've removed that part now
17:25:36 now I still need to figure out what kind of magic is silently dropping vlan stuff for the VFs
17:26:13 in theory each VF should be able to fully utilize vlan tagging on its own, unless you restrict the VF to a specific vlan
17:27:26 vf?
17:27:40 virtual function, sr-iov
17:27:53 foxxx0: i am not convinced "restrict the VF to a specific vlan" actually works
17:28:07 i could not get this working on either Intel X520 or Chelsio T540
17:28:21 ah well, I derped and forgot to actually trunk the port on the switch ... add vlan60 tagged and it just starts working
17:28:23 inspecting the source, it might work on a specific variant of the chelsio cards
17:28:50 lol
17:29:20 I've been fighting the weirdest issue over the last two days and that has made my brain into mush
17:29:57 I shut off the system one evening, wouldn't boot the next day. right after grub timeout reached 0 and it would try to load the kernel/initrd, it just started endlessly spewing "error: false." at me
17:30:46 after multiple rounds of resetting to factory defaults, cmos clears, reflashing bmc firmware and bios ... nothing worked. reproduced with a fresh install and after switching from grub to syslinux it immediately started booting again
17:30:47 so? it had no error, what are you complaining about?!
17:31:22 I still have NO idea why it worked for ~2 weeks with grub just fine and then completely bricked suddenly with no way to fix it
17:32:32 usually I'm able to figure out such issues or at least make some sort of progress but this just refused to cooperate and went against all logic (that I could come up with)
17:33:18 at least one friend told me he also has one mainboard that is just not working with grub but works with syslinux just fine, so I'm not totally alone. just still really confused why it worked in the beginning then
17:33:57 I was starting to question my sanity
17:41:05 anyways, thank you rtprio, mzar and ivy!
17:48:55 I had a long, boring meeting so I put freebsd on the hp 705 :D
17:49:29 what's an hp 705
17:49:35 a little mini computer
17:49:36 is that better than an rpi3?
17:50:21 https://www.servethehome.com/wp-content/uploads/2020/09/HP-EliteDesk-705-G4-Mini-Cover.jpg
17:50:31 it's an improvement over an rpi2b for sure
17:50:37 gets kinda warm though
17:51:16 it's winter, put it under your duvet
17:53:27 hah, I've often thought that energy savings on computers were rather a moot point in Scotland
17:53:56 now I have to decide if I can be arsed to set up wpa_supplicant
17:54:12 I suppose it doesn't desperately need to be wired in to the network
18:13:09 wpa_supplicant is in the base, you can use it with wired and wireless interfaces
18:15:37 I have often reasoned that if someone has electric heat in their house then they might as well crank up a server farm turning electricity into heat that way. It's the same thing but at least something useful more than just heat is produced by it.
18:20:02 yes, heating a room in winter with waste heat from a computer makes your computing green
18:22:52 it'd be great if i could host a rack and have a thermostat attached to it
19:00:46 setup seems to let me create a zfs volume for an encrypted home directory but then there's nothing actually configured to make it happen and it's not clear that ssh is equipped for it. that's a shame
19:00:56 I suppose there's TPM nonsense I could be doing
19:02:01 zip: i'm not sure what bsdinstall does, but never, ever use zfs native encryption, it has been broken since the day it was committed
19:02:14 if you need encryption with zfs, use geli
19:03:06 i haven't found that to be true
19:03:22 it doesn't affect all users, it depends how you use the filesystems
19:03:52 if you use non-encrypted zfs send from a zfs encrypted filesystem, it will cause random i/o errors on your disks (but it won't actually corrupt data on disk, reboot fixes it)
19:04:12 this is a well known bug which has been open for months, openzfs position is basically "sorry, we do not understand this code well enough to fix it"
19:04:44 even the folks who wrote it?
19:05:03 those people quit Sun 15 years ago and aren't working on openzfs
19:08:54 I don't need encryption on servers really
19:09:15 for laptops it's mandatory because they're the most stealable and loseable devices and are most likely to have sensitive documents
19:09:27 though it'd be nice to have a machine grab a key from another device on the network
19:10:21 also I love the redneck engineering of getting wifi working by running a copy of alpine linux in a VM and handing it the hardware. Absolutely deranged.
19:10:33 (I did not do this)
19:10:45 as deranged as reading the binary bits of a windows driver?
19:16:13 i would say yes
19:16:35 haha, those were the days
19:17:25 i think that's the time i bought a usb ethernet adapter
19:17:29 that's weird, i rebooted this system, it did not come back up, connected a serial console and it was stuck at loader's 'OK ' prompt. type 'boot', it boots fine, rebooted, it reboots fine
19:21:21 must be a heisenboot
19:30:20 i've only really seen phantom input like that with the serial console already attached
20:18:10 hmm, how do i get nmh's repl to quote the body in the reply? can't work out the right way to do this in replcomps
20:18:52 ah, repl -format
21:39:35 the first talk for the Fall 2024 FreeBSD Summit is pretty cool! https://www.youtube.com/watch?v=jZ3mjJZEqs0