-
grahamperrin
I lost track of who maintains the service, we might reasonably assume that it's no longer maintained. It's also in at least one other topic.
-
grahamperrin
I'll ping koobs in Discord.
-
grahamperrin
(About the topics.)
-
jauntyd
shoot me an e-mail when that is done and i'll take us for hot chocolate
-
jauntyd
;)
-
johnjaye
what did bsd.to do? google just gives me results about bahamian dollars
-
deimosBSD
looks like a pastebin and etherpad
-
kpel
so, looks like I've hit upon a bug specific to Alder Lake. Pretty low-level, causes panics for various reasons, mainly page faults. It looks similar to bugs.freebsd.org/bugzilla/show_bug.cgi?id=261169
-
kpel
the thing is, the latest ufs corruption happened when I was deleting a backup copy of /usr/ports. And now I am stuck with a /usr/ports.old that appears empty or non-empty (2 files) depending on which ls options I'll use. rmdir and rm -rf both think the directory is not empty. Any ideas on how to fix this?
-
ek
johnjaye: You didn't find "Bungo Stray Dogs" :D
-
johnjaye
nope. just bahamian dollars. and bitsend
-
mns
what is vtnet0 interface? Is that just another interface like bge0 or em0 ?
-
mns
I see it in a lot of jail related documentation
-
ek
mns: Yes. It's the Virtual Network interface. It will act just like any other physical interface as far as configuration is concerned.
-
mns
ek: is that something I need to have for vnet based jails?
-
ivy
mns: vtnet is virtio interface created by KVM/qemu jails
-
ivy
mns: nothing to do for vnet, for vnet you use epair interfaces
-
ivy
er, i mean "KVM/qemu virtual machines" - not jails
-
ek
mns: Not necessarily. Your jails can be configured many different ways. I generally use something different and "vnet" naming tends to be for VirtIO interfaces.
-
ek
Whoopsie-doodle!
-
ek
ivy beat me to it. ;)
-
johnjaye
do you need the book on jails. or does the handbook cover it enough?
-
johnjaye
michael lucas book that is
-
ivy
you can technically put a vtnet interface in a vnet jail, i actually do that on one VM here, but that's no different from putting em0 or ix0 or whatever in a jail
-
mns
johnjaye: the handbook does a good job, barring networking when using vnets. I followed the handbook, but I can't ping either from the inside or the outside of the jail.
-
ek
The handbook covers it just fine (FreeBSD's documentation is seriously second-to-none.) However, supporting authors that do write FBSD books is always appreciated!
-
johnjaye
ok. my braingpt interprets that as i'll be fine with the free resources until I need serious networking tasks
-
ek
mns: You likely either need to re-route some stuff on the host side using a firewall for the jails, or just toss the jails on the same network/bridge.
-
ek
johnjaye: You'll be fine. For very simple, everyday jails, the handbook is plenty informative.
-
ek
If you're going to do some really crazy stuff, a book with details would certainly benefit.
-
mns
ek: I did put the jail on the same network/bridge. But I'm sure I've screwed up something somewhere.
-
mns
most likely in how I translated interface names in the documentation to what I have on my system
-
ek
mns: Are you using VNET?
-
mns
ek: yes. I'm not doing anything crazy. Just simple web server on https. no other jails or anything.
-
ivy
mns: paste somewhere, 'ifconfig' from host and from vm, 'netstat -rn' from host and from vm
-
ivy
this is the minimum information required to debug vnet routing issues
-
ivy
and by 'vm' i mean 'jail' obviously
-
mns
obviously :-)
-
ek
OBVIOUSLY!
-
mns
yeah let me do that. need to find a good paste place.
-
ek
There are a lot of different configs you can use.
-
ivy
distinguishing related but distinct semantics concepts is hard, let's go shopping
-
ek
paste.purplehat.org
-
ek
I've always found vnet with bridge and epair to be the easiest if I want literally nothing between my jails and physical systems.
-
ek
And, completely off-topic, I'm going to tune in to (hopefully) watch Tyson knock Jake's block off.
-
ek
Nearly 60-year-old Tyson... Crazy.
-
johnjaye
when dealing with these mysql clones like postgres or mariadb, how faithful are they?
-
johnjaye
is it like if you learn one you can mostly use the others?
-
jmnbtsls1E
i recommend asking about that in the postgres channel. let us know what happens
-
jmnbtsls1E
(be sure to phrase your question exactly as you have here)
-
jgh
popcorn time
-
johnjaye
lol i lost my nerve...
-
ek
johnjaye: To give a generic answer for here (because I've run (and still run) all of the mentioned DB's,) yes. They're all very similar. Slight syntax differences, but mostly very relatable between them.
-
ek
It would be like script simple bourne sheel and Bash. Similar.
-
ek
Wow. I butchered that!
-
ek
Stupid alcohol.
-
mns
apologies for the bad formatting in places. not sure why that happened
-
ek
mns: The configuration doesn't look wrong. But, if you're trying to accomplish what I think you are, maybe take a look at forums.freebsd.org/threads/jail-networking.91341 ?
-
mns
to build on ek's analogy, mysql and mariadb would be like /bin/sh and bash; postgres would be like t/csh
-
ek
You're attempting jails on the same subnet/VLAN, correct? Just like adding a physical machine without firewall on the host?
-
mns
ek, yes
-
ek
mns: Kinda, yes. Postgres seems to care a little less about certain things (syntax-wise,) but commands are very similar from the user point of view.
-
jmnbtsls1E
mns: for some reason, jail0 is not keeping the address you give it, that's probably the issue with the pings you showed
-
jmnbtsls1E
so try ifconfig jail0 inet 192.168.70.150/24
-
mns
jmnbtsls1E: do that on the host side?
-
jmnbtsls1E
yeah
-
johnjaye
ek: thanks. bingAI just told me that they were not clones at all and in fact focus on optimizing very different areas. a very weaselly answer of the type i've come to expect from AI
-
LXGHTNXNG
never ever trust AI machines
-
ek
johnjaye: They are certainly not "clones." Maria is a fork of MySQL and Postgres is an entirely different beast.
-
johnjaye
well i would have to interrogate chatgpt and google for a few minutes to come to the same conclusion that ek just told me because he knows the answer.
-
ek
They are definitely all different. but they respond the same... if that makes sense.
-
johnjaye
right
-
ek
... from a user command-side.
-
mns
jmnbtsls1E: I can ping .150 from the host now. From inside the jail I still get the same results, which is nothing
-
johnjaye
the API is a common standard
-
LXGHTNXNG
they do the same job very very different ways
-
jmnbtsls1E
mns: if you get no response from 70.150, maybe it's a firewall issue. no response from 70.1, maybe it's net.inet.ip.forwarding needs to be 1
-
johnjaye
in my defense i'm not writing large blocks of code with chatbots, then when finding it's wrong instead of fixing it trying to just redefine the chat prompt. this is a thing that actually happens
-
jmnbtsls1E
mns: for debugging jail ping to 70.150, check tcpdump on the relevant interfaces
-
mns
let me check on ip.forwarding
-
ek
It certainly seems like an issue with routing. Especially if you can ping from the host. So, the host needs to allow the route out and in.
-
ek
If keeping it as simple as possible, there should be no firewall issue (unless it's exposed with an external IP?)
-
ek
So, IP forwarding allowance may fix it.
-
jmnbtsls1E
but ip forwarding won't fix inability to get 70.150 from the jail
-
mns
so I enabled ip.forwarding on the host.
-
mns
but the jail can't ping 70.1
-
mns
I'm guessing I don't need to restart the jail
-
jmnbtsls1E
ah, they're all on the same subnet, so if you want that, you have to bridge it. you might want to put your jail subnet on a different subnet then add a route on 70.1 for that subnet
-
jmnbtsls1E
70.1 has no way of knowing where 70.151 is
-
ek
jmnbtsls1E: Nope. It won't. I was hoping, if it wasn't already set, that it would allow any routing on the subnet to just continue going.
-
ek
mns: No need for a jail restart. That has nothing to do with the network allowance/routing.
-
ek
Something on the host is limiting it.
-
jmnbtsls1E
yeah so, mns, one solution is to do ifconfig bridge0 addm bge0...that should work
-
jmnbtsls1E
another solution depending on what you want to do is to use a different jail subnet and add a static route on 70.1 for your new jail subnet via 70.4
-
mns
ok so adding bge0 to bridge0 allows for pinging 70.150 from inside the jail, but I can't ping 70.1 from inside the jail
-
jmnbtsls1E
ensure firewall is disabled and check tcpdump on bge0
-
mns
yeah firewall is disabled
-
mns
guess this is a good time to re-learn tcpdump
-
jmnbtsls1E
tcpdump -ni bge0 icmp and host 192.168.70.1
-
jmnbtsls1E
then probably tcpdump -ni bge0 arp
-
mns
nothing happened when pinging from inside the jail to 70.1
-
jmnbtsls1E
check icmp again on jail0
-
mns
tcpdump (running on the host) didn't see anything
-
mns
same, nothing
-
jmnbtsls1E
weird. that doesn't seem consistent with the output you pasted
-
jmnbtsls1E
ah well, check arp also on jail0
-
mns
with arp on bge0 I do see some output
-
mns
let me try jail0 as well
-
jmnbtsls1E
you see a who-has with no reply?
-
jmnbtsls1E
i haven't done this setup much so i think i'm getting something wrong about how it should be setup. i recommend using a different subnet and adding a route on 70.1
-
mns
jmnbtsls1E: correct. on bge0 and jail0 ARP who-has does not get a reply when 70.151 is asking
-
jmnbtsls1E
i think the big problem i didn't realise is you need to take the address off of bge0 and put it elsewhere
-
jmnbtsls1E
(so you would need to put bge0's address on some other bridge and connect the two bridges together)
-
mns
bge0 is the physical interface on the host.
-
jmnbtsls1E
yeah, you would need to take the address off bge0, put it on a bridge1, and do ifconfig bridge0 addm bridge1
-
mns
ahh ok
-
jmnbtsls1E
so that might complicate other things
-
mns
hmmm
-
mns
this is why I wanted to do jails without jail managers, to get an understanding of all this. I guess I have some more learning and reading to do.
-
jmnbtsls1E
if this is a small site, i'd just use a different /24 for your jail and add a route to it from any host on 70.0/24 that needs to access it. this becomes bad if you have lots of hosts on 70.0/24 that need to access it.
-
jmnbtsls1E
(nuclear solution is to do nat on bge0 and keep your jail subnet hidden from the outside. outside thinks it's talking to 70.4)
-
jmnbtsls1E
but, nothing that we just did should have changed anything about the jail's ability to get to 70.150
-
mns
it's a small site, just static personal pages being served. As I had mentioned before, nothing fancy. There are no other usable hosts on 70.0/24, except for phones, tables, etc.
-
jmnbtsls1E
if you have a gateway modem device, there is probably a setting there to add a static route for a separate subnet, via 70.4. now, whether it will allow you to port forward and such, to that new subnet, not sure.
-
mns
I'll have to take a step back. I'm sure I'm missing something. This all worked when I was using Bastille, and I had it working after I stopped using bastille as well. But it stopped around end of October. Will have to see what my upgrading to 14.1Rp6 might have done
-
mns
I'll have to check the gateway modem, but I doubt Comcast will let me do that
-
jmnbtsls1E
OK. in theory this current "addm bge0" should work without taking the address off bge0, but that's what occurred to me to try to fix it
-
mns
I'll have to pick this up tomorrow. Thank you for the help, jmnbtsls1E, ek
-
jmnbtsls1E
it shouldn't matter for your ISP, it's really internal to your network
-
jmnbtsls1E
OK
-
jmnbtsls1E
it seems that your jail manager did some setup, since the way it was when we started, it could not have worked
-
mns
yeah I am sure it did. I'll have to see if I have notes from then to see what exactly I did.
-
cloudowind
has anyone compiled grub 2.12 recently?
-
zip
I have freebsd on this raspberry pi 2b and every time i try to make a bridge and add an epair to it it kernel panics
-
jnth
i'm installing freebsd 14.1 on a laptop with no ethernet, in the dmesg, it shows rtw880 failed to download firmware but i need to connect to the wifi to download it. how do i do it?
-
l00py
im starting to use public key encryption for ssh access instead of passwords. question is, on a box that i can't transfer the private key to, but i still want to ssh from, can i recreate the private key on the box using the pw i used to create the pub/priv key originally?
-
vkarlsen
If by recreate you mean generate a new one, yes. You'll get a new and different key pair that way, so you'll need to transfer that public key too to the places you wish to authenticate to
-
l00py
no i want to recreate the priv key on a box that i can't transfer it to
-
l00py
not possible i guess?
-
vkarlsen
I suggest not spreading your private keys around. I have a key pair (in some cases more than one) generated on each of my clients I use to ssh out from. I never share privates.
-
vkarlsen
What is stopping you from transferring the key btw?
-
vkarlsen
ssh key generation does NOT use the same type of mechanism as hashing a password, thus supplying the same passphrase will not give you an identical key. That would make the whole idea useless.
-
l00py
that's a good idea. i can just generate a new keypair on the troublesome box then add the public key to the box i wanna ssh to
-
l00py
i don't wanna make any usb connections to it to keep it kinda isolated
-
vkarlsen
You can also allow agent forwarding on that host if you deem it safe
-
l00py
what's that?
-
vkarlsen
Familiar with ssh-agent?
-
l00py
not other than you preserve a key in it after unlocking with pw so it can be reused during the session
-
vkarlsen
Exactly
-
l00py
ah ok
-
l00py
tyvm
-
vkarlsen
Allowing agent forwarding lets you ssh from, say, hostA to hostB to host C, using that loaded-in-memory-key on hostA to authenticate all the way to host C
-
vkarlsen
I am assuming that you ssh into that host you can't transfer your privkey to. Is that a wrong assumption?
-
l00py
no i only intend to ssh out
-
l00py
so i'll sneakernet its pub key over to the destination box
-
vkarlsen
Ok, I see. In that case I'd generate its own set of keys and sneakernet the pub key out. Or ssh-using-password it out once.
-
l00py
awesome ty!
-
vkarlsen
Or curl it to a pastebin or whatever. The pubkey doesn't need to be secret
-
jnth
how do i enable touchpad in the console?
-
rtprio
jnth: was there a psm0 in the dmesg?
-
rtprio
iirc you just start moused
-
rtprio
volumes:
-
rtprio
- name: cache
-
rtprio
path: /cache
-
martinrame
Hi, I'm getting errors while trying to run an application using Linux compatibility layer, but I wonder if the system is actually running it as FreeBSD. How can I know if it is picking up compatibility layer instead of trying to run as FreeBSD?
-
rtprio
what's the error?
-
mns
jmnbtsls1E: ek: thanks for the help last night with jails and vnet. Turns out what we did, was good enough apparently. This morning everything is working as expected. Now just have to go over those steps and see which ones did what.
-
zip
ooh, someone else playing around with vnet jails today
-
zip
I'm the sort of weirdo who likes to run things from the ground up so I worked out how to create a bridge and add an epair to it and then use the `jail` command in the raw to get that sucker up and running
-
zip
tremendous fun :)
-
rwp
markmcb, If your home desktop is solid for your NAS disks then there is no reason not to do it.
-
polarian
rtprio: so there is no alternative than to split your DNS for this issue?
-
polarian
I thought so but I wanted to make sure :/
-
mns
jmnbtsls1E: ek: ivy: so it seems that the solution was to add the bge0 to the bridge0. I was already doing that in my /etc/rc.conf (as per the Handbook). The problem was with this line in my /etc/rc.conf: ifconfig_bridge0_name="jail0" If I comment that line out, everything works as expected. bge0 becomes a member of bridge0, bridge0 has the 70.150 ip address, etc. If I keep that line in there, then
-
mns
bge0 is not a member of bridge0 (even though I have that in the line prior).
-
mns
for reference you can look at paste.debian.net/1335685 just commenting out line 14, and changing line 51, fixes everything.
-
rwp
mns, I think (not sure) that if you rename a bridge that you should do the addm using the renamed bridge name. I think. I would need to test it to verify as I don't rename my bridges.
-
rwp
cloned_interfaces="bridge0"
ifconfig_bridge0_name="jail0"
ifconfig_jail0="inet 192.168.70.150/24 addm bge0 up"
-
rwp
But I think that is the problem you are hitting.
-
mns
rwp I'll try that out. I realised that I hadn't tested that scenario before posting my message earlier.
-
rwp
The best way to think of yet another possible solution is to post something and then it is inevitable! :-)
-
mns
that happens to me far more than it should. I'll be half-way writing through the scenario and then the solution will hit me!
-
mns
In /etc/rc.conf, does the order of the settings matter? I'm guessing not.
-
rwp
It's the method of the stuffed monkey. We are all like that.
-
rwp
Order does not matter in /etc/rc.conf file as it is all just setting variables and variables can be set in any order.
-
rwp
Assuming one is not using a variable to set another variable.
-
mns
bbiab, going to try rebooting and seeing what happens
-
mns
rwp: that worked! thanks.
-
rwp
mns, \o/
-
CrtxReavr
mns, in general, no. .. unless you're doing stuff like giving interfaces aliases, like rwp.
-
CrtxReavr
rc.conf just sets a bunch of environment variables for the /etc/rc script.
-
rwp
The strategy used in the rc scripts which includes rc.conf is that string names are used to name variables which are expanded to perform the configuration.
-
rwp
For example cloned_interfaces="bridge0 bridge1" and so on is going to be used in a for int in $cloned_interfaces; do ifconfig create $int; done loop to create each of those named things.
-
rwp
And ifconfig itself has a naming strategy. If you look at the ifconfig man page things named bridge become a bridge (obviously) but other named things become other named things. I think the "clone" part of the cloned_interfaces is a poor naming. It really should be something like created_interfaces or something.
-
rwp
And then the rc scripts know what interfaces it creates and so will know it created bridge0 and then will look to see if [ -n "$ifconfig_bridge0_name" ]; then ...do rename...; fi
-
rwp
And it knows the new name of the interface and so then will perform more actions on the interface. eval ifconfig \$ifconfig_bridge0_name \${ifconfig_${ifconfig_bridge0_name}}
-
rwp
And it just keeps going like that until it has worked through all of the specified configuration.
-
rwp
This strategy of scripting created a declarative rc.conf interface where everything is just variables and all of the procedural action is done based upon it.
-
rwp
I'm just typing this in off the top of my head so please forgive me leaving "rename" out of the above rename syntax! It's the idea that counts here. :-)
-
rtprio
polarian: that's how i solve it. it wouldn't be a problem if wireguard was on the router rather than behind it
-
mns
rwp: thanks for the explanation, that helps out a lot.
-
mns
next step will be to learn pf, then combine that with the knowledge about bridges and vnets to create logical data centers. Each bridge would have its own subnet/s to handle, etc. Have pf do the routing, or maybe something like haproxy. Just thinking out loud here.
-
mns
but that's for some other time.
-
luke_jobless_sb
14.0 bsdinstall got fancy?
-
luke_jobless_sb
looks cooler I don't remember how cli was before exactly but something looks different
-
zip
I need to figure out how to get my home network to properly route to VMs and jails on the freebsd box tbh
-
zip
just adding a route on the router seems to do the trick but with a lot of IGMP "hey, wrong gateway dipshit" messages
-
zip
perhaps that's fine
-
jmnbtsls1E
interestingly enough someone else recently had a similar situation. ICMP Redirect is acceptable. the alternative is to bridge your internal network to the outer (home) network
-
polarian
rtprio: wireguard IS on the router
-
polarian
you are missing the point
-
polarian
the server is behind the router, the wireguard server is on the router, if I connect to my email it goes through the same router as my wireguard tunnel
-
polarian
<wireguard Server IP> <Private IP> UGHS wlan0
-
polarian
is what's in the routing table
-
polarian
now wireguard adds a route for 0.0.0.0/1 to go via wg0
-
polarian
anything not in the routing table, should go via wg0
-
polarian
but the wireguard server IP *IS* In the routing table... so my email server, which is behind the same IP as the IP the wireguard daemon is bound to (but the email server is port forwarded) the packet goes via wlan0 first, not wg0
-
mns
jmnbtsls1E: lol that someone was me.