00:04:31 scoobybejesus: if you choose to re-do the partition and re-do the resilver, i think you will want to use `replace`, not `online`
00:04:59 because it is technically a different entity than before from ZFS's perspective
00:05:54 an alternative is to use glabel, which provides one option to label without modifying the device, but i personally would re-do the partition and then re-do resilver like you said
00:07:24 however, i wonder how you are adding space to this pool by adding a drive to a mirror?
00:09:09 i'm replacing the first 1TB drive w/ a 2TB drive, and resilvering, and then replacing the 2nd 1 TB drive with another 2TB drive
00:09:29 probably have to gpart expand or something like that at the end, i guess
00:10:54 gpart resize wouldn't be called for at any time after adding to the pool. if you're adding the full 2TB to your pool each time, i think ZFS is able to intelligently handle this, to calculate the free space on a mirror based on the largest device in the mirror
00:11:40 in fact i think i learned of this intelligent mirror mechanic on this channel a few years ago (i've never personally done it though)
00:12:44 right now, zpool isn't happy that ada1 is already a part of the pool. even with zpool replace -f, it won't work. it says it needs to be manually repaired.. but I will continue digging
00:13:39 if that happens after you re-do the partition, you may need to run `zpool labelclear`
00:14:27 i mean, to run it (on the new device) before trying to replace it into the pool
00:14:43 it's a dangerous command though, so make sure it's run on the correct device
00:16:50 that actually seemed to work, thanks. now I will let it resilver again. and then hopefully I can zpool export tank, zpool import -d /dev/gpt, and it'll show the gpt label instead of one drive showing gpt/ada0-vol0 and the other just showing ada1
00:18:16 new disk ada1 is samsung evo870. old disk is adata SU760. the ada0 is reading at 100%, and the new ada1 is writing at average 45% (according to gstat)
00:18:33 thank you very much for the push and tips
00:19:05 OK great sure
00:56:38 Hello
00:57:46 I want to install gitea inside a freebsd-13.5 jail using this instruction: https://docs.gitea.com/installation/install-from-package
00:58:08 but 'pkg install gitea' doesn't work at all!
00:58:46 Is gitea removed from freebsd 13.5 repo?
01:03:17 What does 'portsnap fetch extract' do?
01:29:55 F... that didn't work
01:30:32 momken: gitea is only available in the latest repo, not quarterly
01:31:32 scoobybejesus As the last step I am trying to make it from source. Is it wrong?
01:32:12 Or should I only change my repo?
01:35:37 it's just a go binary, i think, so source might be easy enough if you already have go installed, but I'd just go with the pkg. I prefer the latest repo, in general
01:38:00 scoobybejesus I downloaded the latest binary and followed these instructions:
01:38:00 https://docs.gitea.com/installation/install-from-binary
01:38:01 Until I reached "1. Creating a service file to start Gitea automatically (recommended)" which doesn't have any manual for creating a freebsd service for it
01:39:47 this should work: https://paste.debian.net/plain/1364491
01:40:17 I'm using that with version 1.22.3
01:42:21 scoobybejesus How did you find that?
01:48:52 there is a way to find it in the ports tree, but I always forget. i took it from my jail
01:50:35 scoobybejesus I hope it works. Compiling in /usr/ports/www/gitea takes a lot of time and is extra work
02:22:17 scoobybejesus The service file didn't work as expected
02:22:33 I will continue with compile process
02:22:45 what's the error?
02:23:09 did you try service gitea onestart? did you do sysrc gitea_enable="YES" ?
02:24:15 root@gitea-manual:~ # service gitea onestart
02:24:16 Command error: stat /usr/local/bin/custom/conf/app.ini: no such file or directory
02:24:42 why does it search for app.ini inside bin directory?
02:27:22 scoobybejesus I downloaded the binary file from: https://dl.gitea.com/gitea/1.23.5/
02:27:49 mine is in /usr/local/etc/gitea/conf
02:28:23 scoobybejesus I can't change the path
02:31:03 are you sure there is no paste error in creating the rc script? It is adding to the env GITEA_CUSTOM=${gitea_custom} which was set above as /usr/local/etc/${name}
02:32:10 scoobybejesus No I didn't change GITEA_CUSTOM
02:32:17 you created a file called /usr/local/etc/rc.d/gitea, made it executable, and used exactly as I pasted? put gitea_enable="YES" in /etc/rc.conf, and try to do service gitea start, rather than onestart
02:32:37 Yes
02:35:42 I will go with compiling from scratch
02:38:43 it sounds like an environment thing.. a script thing
02:38:54 i'm sorry i haven't been more helpful
02:39:30 you can always put yourself on the latest repo, install gitea, rc script and all, and then take yourself off latest, if you don't want that branch
02:45:57 scoobybejesus Thanks. How can I put the repo on latest?
03:21:01 mkdir -p /usr/local/etc/pkg/repos
03:21:13 echo 'FreeBSD: { url: 'pkg+http://pkg.FreeBSD.org/\$\{ABI\}/latest', enabled: yes }' > /usr/local/etc/pkg/repos/FreeBSD.conf
03:21:31 sorry. having my own tech problems rn
03:22:53 scoobybejesus: you still here?
03:24:19 that seems like a no
03:24:42 scoobybejesus: if you are trying to do pkgbase for -CURRENT. I can help you with that
03:26:39 SponiX: I was trying to help momken with getting gitea going. and i was getting help earlier with an ongoing thing with replacing both disks in a non-boot mirror pool
03:28:58 scoobybejesus: Oh, I just saw you doing something with /usr/local/etc/pkg/repos/ with the URL line, and "assumed" it had something to do with pkgbase at that point
03:29:20 I don't even know what gitea is, so I'm no help at all with that
03:29:47 I do know a slight bit about zfs, and might be able to help with the replace process
03:33:17 I think i finally got it. Of course, figure out the zfs stuff, and then i have physical device issues, but finally fixed that too... sheesh
03:36:35 glad you are getting it all figured out
03:50:16 spoke too soon. zpool status during resilvering said 40000 errors or something like that. tried zpool status -v, and now zfs is toast. in htop, i can't sigkill that zpool status -v command, nor a regular zpool status from another terminal... something is toast... F
03:50:34 pastebin what you have if you can
03:50:59 but if you still have one drive, good then there you go
03:51:39 I would love to pastebin the output of zpool status, but i can't because it won't return
03:52:20 ^C doesn't break out of it.
03:53:03 i'm ssh'd in. the session becomes unusable if I run a zpool command.
03:55:06 zfs list works. it shows the zroot/boot pool. the tank pool isn't there. ada0 and ada1 are in /dev (which are the tank pool). hm.. zpool status zroot will work fine. that's good.
03:56:24 always fun when the house gets crowded in the middle of working on something like this, and then get back to it when it's super late, and then you rush, and then things go wrong
03:56:42 I have to shut it down. need sleep. so annoying. thanks for the help
03:58:06 It is disconcerting that it does not finish. That's not good. I would look for errors logged to /var/log/messages system log file.
04:12:03 I have the ASRock System DESKMINI A300W, which has two nvme slots (my boot drives) and two goofy ssd sata cables/connectors. I have had problems before, and I'm guessing that's the cause. I love the small form factor, but this is a stupid problem. I would love something relatively small that can have four drives like this, so I have my nvme mirror zroot and sata mirror tank
05:04:24 which should one use for a static heavy nginx with clients likely to have high rtt? tcp_bbr.ko or tcp_rack.ko ?
05:04:46 I've read somewhere that tcp_bbr.ko was abandoned by Netflix and is likely to be removed in future, but I am not sure
05:04:58 HTTP/3 isn't an option for these clients, unfortunately
06:01:39 found in sys/netinet6/nd6.c: panic("%s: paths in a dark night can be confusing: %d", __func__, ln->ln_state);
06:12:16 kevans: i have this commit in my local branch and i don't remember why, was this something we were testing regarding INET6-only kernels? https://github.com/llfw/freebsd-src/commit/5098b897bdc110bac0bc46b866e95e6f54f35e4f
06:18:02 ivy: are you working on freebsd wg kmod by any chance?
06:42:24 ei: using cc_cubic isn't good enough for you?
07:50:19 nimaje: not enough to satisfy even 200 mbit continuously for a single client with ~240 ms rtt and 8% packet loss
07:50:38 bbr works fine enough but I am not sure if I am using abandonware or not
08:01:36 > 240
08:01:39 it is 140
08:01:42 fat fingered
09:30:06 ei rack is well supported in general, but 8% packet loss seems rather high
09:30:16 I guess it is, what it is, right?
09:31:22 anybody know what's the thing that disables the FreeBSD tips on login? I thought it was .hushlogin but I am wrong
09:31:34 scoobybejesus Thanks dude. I compiled gitea from freebsd ports, configured app.ini, but gitea service does not start
09:32:14 however 'su - git -c "gitea web &"' works
09:32:18 dch: i don't think you can disable that, it's just run unconditionally from .profile
09:33:04 (i mean, you can disable it, but only by editing .profile)
09:33:37 aaah it's `if [ -x /usr/bin/fortune ] ; then /usr/bin/fortune freebsd-tips ; fi`
09:33:42 thanks ivy yes indeed
09:34:14 I was awake last night until 6:30 am trying to install gitea, still no success
09:34:33 momken: did the provided gitea rc.d script not work?
09:35:47 dch Do you mean this one? https://paste.debian.net/plain/1364491
09:36:07 I mean the one in /usr/local/etc/rc.d/gitea that comes with the port
09:36:14 it looks the same as your pastebin
09:39:17 I completely did 'make install clean' in my jail and it took ~2 hours to build. Now 'gitea doctor check' shows everything ok. 'su - git -c "gitea web &"' also seems ok. But the service doesn't start
09:40:05 momken: unless you're wedded to gitea, I suggest trying forgejo, it comes with a template app.ini, is a fork of gitea, and has a pkg-message telling you how to get started
09:40:25 but if you *are* wedded to gitea, use forgejo as reference
09:40:52 momken: I just tried gitea, and yes you need some serious guess-work to make it run
09:41:59 dch But gitea has more users, more irc channel people online and I guess is more supported (not in FreeBSD though)
09:42:56 I may end up using forgejo if I can't install gitea
09:43:06 forgejo is supported by codeberg, fwiw
09:43:23 momken: it's worth logging a bug at bugs.freebsd.org mentioning that it's hard to get started, and linking the files here https://cgit.freebsd.org/ports/tree/www/forgejo/files
09:43:50 momken: try following the pkg-message.in ^ but for your gitea install
09:43:55 I expect it's 90% the same
09:46:44 ivy: I'm just going to remove /usr/bin/fortune everywhere as a simple fix
09:46:48 *boom*
10:27:20 why not removing .profile instead?
10:29:59 random idea: "user jails". like service jails, but for users: when the user logs in, they get put into a specially created jail similar to a svcj, with optional restrictions
10:48:43 ivy: yes please. Today I do this with some ssh shenanigans and tmux
10:58:56 i think it might be tricky to handle things like cron and at, but not impossible... i might have a look at hacking something together to test
11:03:48 actually, i guess you would just do it in the PAM session in pam_unix
11:03:56 or maybe a new pam module like pam_usrj
11:20:55 At last I became able to run gitea by installing it from "latest" repository and access it from browser. But I had to run it using
11:20:57 su - git -c "gitea web &"
11:21:31 service gitea start still doesn't run
11:26:34 There is an important change to be made in app.ini: HTTP_ADDR = 0.0.0.0 so the server will listen to external requests
11:29:09 I still have issue to fixing gitea service
11:37:03 I can not change gitea to listen on port 80 instead of 3000. It says:
11:37:04 Command error: listen tcp 0.0.0.0:80: bind: permission denied
11:45:05 momken: ports <1024 are privileged and only root may use them - if this software does not allow to shed privileges and you don't want to run it as root (maybe a wise choice) you could map the port in your firewall settings
11:46:41 mzar: I believe they do, but it's not static.
11:49:48 ridcully Thanks. I don't want to run this software as root. How could I map the port in firewall settings?
11:56:53 huh, C doesn't have nullptr? i thought that got added at some point... or is it still a proposal?
11:57:21 you could use mac_portacl instead, afaiu you would load the kernel module and add the rule uid::tcp:80 to security.mac.portacl.rules
11:57:46 I thought nullptr was added to C23, but not sure
11:58:28 maybe our llvm is too old
11:58:30 do keep in mind that on most systems, NULL already is defined as a pointer and not a number
11:58:43 the C standard permits both IIRC
12:02:27 in a pointer context the constant 0 is a null pointer constant, you can add a void* cast in `#define NULL` to make sure it is only useable in a pointer context and gives a type error otherwise (more or less)
12:13:11 How can I map port 80 -> 3000 inside a jail? Configuring PF inside the jail is hard
12:13:48 reverse proxy?
12:14:06 wsky Do you mean nginx?
12:14:16 i use apache but yes
12:14:49 how about using mac_portacl and allow the user to bind that port?
12:15:05 nimaje How?
12:16:05 afaiu you would load the kernel module and add the rule uid::tcp:80 to security.mac.portacl.rules https://docs.freebsd.org/en/books/handbook/mac/#mac-portacl
12:24:13 any ideas on what's needed to direct-connect 2 FreeBSD servers via ethernet?
12:24:23 - I did the cabling ofc
12:24:37 - added a static IP to each NIC, in a separate dedicated subnet
12:24:47 - added a route for that subnet to the NIC
12:24:56 that's insufficient
12:25:09 `arp -i cc0 -a` shows only the local NIC, not the remote one
12:25:28 tried various things to add statically the remote IP : ethernet addr, unsuccessfully
12:25:56 I think the last time I had to do this was a windows NT 4.0 cluster ...
12:27:21 doing `arp -S 10.0.0.5 00:07:43:4a:90:40` yields an error `arp: delete: cannot locate 10.0.0.5`
12:27:33 the NICs think they're UP and ACTIVE
12:28:05 dch: you don't need to add a route, just configure one ip address on each side in the same subnet
12:28:15 if it doesn't work, something else is wrong - look at tcpdump to start with...
12:28:42 (one obvious thing to check: pf/ipfw?)
12:31:38 the only thing I've not checked is (they're dual port nics) is perhaps the ports are wired wrongly
12:31:51 no firewalls atm, just boxes with the nics
12:32:00 and i see nothing on tcpdump at all
12:32:27 show ifconfig output on both sides?
12:32:34 also how are you testing, ping?
12:37:59 I'm going to gist this .. https://gist.skunkwerks.at/dch/156a689 so I can just update/refresh it
12:38:09 for the moment, not even ping, just `arp`
12:39:04 I definitely need the route, otherwise it tries to go via the gateway, I guess /32 should be /24 or something
12:39:29 aand there it is!
12:39:33 use a /24 #facepalm
12:40:23 you definitely do not need the route :-) a route is created automatically when you add the ip address (as i guess you just discovered)
12:40:27 ivy: do you know if LACP can be done over direct connect?
12:40:43 i see no reason why not, but i've never tried it on freebsd
12:40:52 me too, lets see
12:41:24 btw, freebsd supports /31s for this type of link net, i.e. a network with just two addresses
12:43:31 i wish jail_set would return something more informative than EINVAL... is there some sort of debugging mode?
12:44:54 oh, you're meant to pass the parameters as name, value pairs, not a list of "name=value"
13:00:46 ivy: you mean `jail_set(2)` ? the iovec thingy?
13:01:52 yes, although i just found that you're probably meant to use jailparam_set instead - but it still doesn't work :-(
13:02:28 ivy: https://gist.skunkwerks.at/dch/9e85d523bfce4c4999cf5fdc6ed6adb3
13:02:35 https://www.le-fay.org/tmp/7d/jailparam.txt
13:03:47 reasonably sure we recommend `jail_set` these days
13:04:29 wait, what's &persist? i thought that would be a valueless parameter
13:06:39 ivy: see PM. its `int persist=1;`
13:16:33 okay, i tried with just name and path and now i get ENOTTY, which isn't even a documented errno value for jail_set()
13:17:08 ah, "errmsg" looks interesting...
13:17:12 how are you running it?
13:17:27 hang on, let me see what errmsg says then i'll show another example
13:17:44 I am stuck :((
13:18:01 I just want to bind gitea to port 80 in a jail
13:18:44 jail_set failed: Inappropriate ioctl for device (path cannot be changed after creation)
13:18:51 can I decrease
13:18:52 sysctl kern.securelevel
13:18:52 inside a jail?
13:20:26 dch: https://www.le-fay.org/tmp/7d/jailparam.txt - this is what gives the "path cannot be changed after creation" error...
13:20:50 momken: I used this when I set mine up, though I still had to figure a couple things out https://www.ccammack.com/posts/jail-gitea-in-freebsd/
13:21:29 dch: it works if i remove JAIL_UPDATE, which... i sort of understand but that's a bit unhelpful
13:22:01 momken: no, you cannot decrease securelevel ever, that is the point of it, you have to change config file, then reboot.
13:22:17 i guess i need the TOCTOU dance with jail_set(JAIL_CREATE) / EEXIST / jail_set(JAIL_UPDATE)
13:22:56 ivy: I guess `JAIL_CREATE | JAIL_UPDATE | JAIL_ATTACH` is the equivalent of `jail -cm ...` from the terminal
13:23:21 dch Thanks for response. Which config file should I change?
13:23:22 yes, and jail_set(2) says it should work, but if you can't specify the path i'm not sure what good it is!
13:24:51 momken: https://man.freebsd.org/securelevel
13:25:27 scoobybejesus I was able to run gitea on port 3000 using
13:25:28 su - git -c "gitea web"
13:25:28 Not able to run it on port 80 and its service don't work too!
13:26:21 ivy: I like your IOV macro. Not a C programmer myself.
13:26:26 1000x more readable
13:27:11 next problem, setting "ip4" to "inherit" does not work, i guess you need a magic value like 0.0.0.0? is this stuff documented anywhere?
13:28:45 ivy: what happens if you just leave ip4 and ip6 out, doesn't that do what you want?
13:28:58 no, then i don't get any IP addresses at all
13:29:04 or does that give you a jail without net at all
13:29:15 IDK on that
13:29:25 momken I suggest running caddy or another reverse proxy in another jail, and it'll listen on 80/443, and it will connect to gitea on 3000
13:29:26 i'll try a few things :-)
13:29:31 I will look later for you
13:29:32 thanks for the help
13:30:19 ivy: why do you do `JAIL_CREATE | JAIL_UPDATE | JAIL_ATTACH` there?
13:30:31 I'd expect only one of them, not or'd together
13:30:40 scoobybejesus Isn't there any other option to force the jail to allow gitea to listen on port 80?
13:31:00 momken: yep, ummm
13:31:22 dch: jail_set(2) says you can use both to either create a new jail or attach or an existing one if it already exists
13:33:12 ivy: fair enough, it does! I guess if you try to change e.g. the path, this should fail.
13:33:57 https://www.le-fay.org/tmp/7d/userjail.txt
13:34:07 great (partial) success - didn't sort out the networking yet
13:34:37 momken: use either `net.inet.ip.portrange.reservedhigh=0` in /etc/sysctl.conf (on the parent) or look into https://man.freebsd.org/mac_portacl
13:35:17 personally I would go for wot scoobybejesus said, use a reverse proxy, have it do the TLS termination as well
13:35:41 ivy: please let me know when you figure it all out!
13:36:04 dch: i think you follow me on mastodon, i'll post something there once i have a workable PoC
13:36:11 then the bikeshedding can begin :-)
13:36:47 would like to get this into base so it's properly integrated with login.conf, manpages etc
13:37:06 oooh yes
13:37:12 much better than our janky solution
13:37:15 command="/usr/local/bin/sudo /usr/local/bin/jenkins-tmux.sh" ssh-ed25519 AAAAC3N...'
13:37:42 the idea is you'd be able to say stuff like jailed:userjail:userjail.ip4=1.1.1.1:tc=default:
13:37:43 said script being `/usr/sbin/jexec jenkins su -l $USER -c '/usr/local/bin/tmux -u new -DAs jenkins'`
13:37:53 or any other jail parameter, so you could set it for a whole class or a specific user
13:38:09 ivy: please join #freebsd-jails when you have something, I'd love to see this in base
13:38:13 sure
13:39:50 dch Yeah I need to enable https for gitea too. It seems it's not possible with gitea's config file app.ini
13:40:44 god bless gitea api
13:41:27 luke_sb Was it a mocking?
14:09:10 scoobybejesus I found out why gitea service didn't work. It immediately receive a sigterm signal.
14:09:10 I don't know from where?
14:10:07 I am going to try forgejo on another jail. Maybe its service work fine.
14:11:59 dch: found how to do networking, you need to set "ip4" or "ip6" to the binary value JAIL_SYS_INHERIT
14:13:20 ivy: wtf how did you divine that? in `jail.h` its `L107:#define JAIL_SYS_INHERIT 2`
14:13:35 dch: spent 15 minutes reading sys/kern/kern_jail.c :-)
14:13:42 I guessed
14:13:49 "it must be around here ... somewhere"
14:14:51 where would you have expected to find this? in jail(2) or jail(3) ?
14:15:15 i think jail(2) or something Xreffed from there
14:16:07 momken: did you already try mac-portacl? what problems did you have?
14:16:14 i feel like it's (somehow) possible to get this information out of sysctl, which is how jail(3) does it, but the mechanism is unclear
14:18:50 nimaje I couldn't use mac-portal. Because I don't know how to configure it?
14:18:50 p.s. I am running gitea inside a jail over TrueNAS Core
14:19:30 momken: ok that would be something worth mentioning earlier
14:20:27 dch Running on TrueNAS core? Is it very different from FreeBSD?
14:20:42 in the same way you can have a car with an engine made by porsche
14:20:55 but you can put it in a truck or a car or a train
14:21:08 the config files are different, and in different places
14:21:17 the ease of tweaking stuff is different
14:22:34 dch I thought TrueNAS Core is only a FreeBSD using ZFS and iocage and having a decent web console
14:22:39 truenas is not really expecting you to change securelevels, or load kernel modules in general
14:22:57 momken: true in a very general sense, its a completely custom distribution of freebsd
14:22:59 no worries
14:23:36 so your best bet is to look on https://www.truenas.com/community for carry or haproxy. These days caddy is easier to get started with, but there might not be many posts for it
14:23:54 hm, not sure how well mac-portacl works with jails, you would need to load the kernel module on the host, but no idea if you can configure it to allow that bind and if so, if you would need to configure it on the host or if you have an additional sysctl namespace in the jail where you can configure it
14:24:12 nimaje: its a kernel module, you load & config it on the host
14:24:18 ideal for a jail :-)
14:25:18 momken: I skimmed the forums, https://www.truenas.com/community/threads/reverse-proxy-using-caddy-with-optional-automatic-tls.75978/ looks like a good place to start for you
14:25:27 dch Sorry for not telling that.
14:25:28 However TrueNAS (previous FreeNAS) is a very stable professional storage OS "out of the box"
14:25:40 momken: no worries :-)
14:26:55 ivy: oh, yeah, I forgot about that one
14:27:50 wg(8) is trivially broken with INET6-only by that, so we were going to switch it to just do what ifconfig(8) does since the exact family doesn't really matter for control operations
14:28:07 dch: this is only very basic and probably doesn't do what you want exactly, but: https://github.com/freebsd/freebsd-src/compare/main...llfw:freebsd-src:lf/dev/usrj
14:28:20 dch Whether using Gitea or ForgeJo, I guess I have to setup a reverseproxy anyway, because:
14:28:21 dch: as you are my #1 actual potential user, any feedback would be welcome :-)
14:28:21 1- I need to forward the traffic 80 -> 3000
14:28:21 2- I need to setup TLS (https)
14:41:15 ivy: seems nice, does the JAIL_ATTACH move the process into the created jail or how it the user session moved into it? what about ordering with other pam modules?
14:41:46 nimaje: yes, JAIL_ATTACH moves the calling process (the PAM user, e.g. sshd-session) into the jail. ordering i'm not sure, for testing i put it after pam_unix
14:44:20 as long as path=/, the attach operation is fairly benign (i think), using a different path will probably make it more complicated, but that's future work
14:44:23 especially if you want to allow restricting the filesystem it could be a problem if other pam modules assume to run in the context of the host or user
14:45:58 (i'm not convinced there's a huge benefit to using a non-root path compared to just running sshd in a jail, but perhaps someone has a reason to do that)
14:46:38 or maybe you would want to restrict the network for some user, but first do networked auth, but well auth would need to come before jailing anyway
14:47:06 yeah, this is a session module, so everything else should be done by then (... i think, i am far from an expert on pam)
15:34:21 kevans: ah yes. well, i've been running this in production for almost a year, so i guess it's safe to commit :-) although now i remember we had a problem where putting IPv4 addresses in AllowedIPs would crash on a non-INET kernel
15:35:21 yeah, that one I had a hackaround for and we were trying to convince someone to port OpenBSD's solution instead
15:35:37 https://reviews.freebsd.org/D46670
15:36:07 I didn't commit it because I had hoped someone else would find the time since it didn't look like a complicated exercise, but no bites
15:46:56 dch I tried installing "forgejo" in another TrueNAS jail and it also can not be started with 'service forgejo start'
15:47:17 It receives SIGINT like gitea
15:51:51 Because Forgejo is just a soft fork of Gitea, because the far leftists controlling Codeberg didn't like that Gitea wanted to make money.
15:52:53 If you're the owner of a project, the ability to make money is a right.
15:58:18 momken, did you look around /var/log ? i seem to remember something similar happening, and I found the error in the logs
16:00:38 this comment in a bug thread helped me too: Try running gitea in the foreground:
16:00:39 `/usr/bin/env -i 'GITEA_WORK_DIR=/usr/local/share/gitea' 'GITEA_CUSTOM=/usr/local/etc/gitea' 'HOME=/usr/local/git' 'PATH=/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin' 'USER=git' /usr/local/sbin/gitea web`
16:03:00 scoobybejesus Here is output of cat /var/log/gitea/gitea.log
16:03:01 https://paste.debian.net/1364585/
16:09:57 scoobybejesus Actually gitea was not run as service recently. Because now is 19:39 in Tehran and the last log line was for 17:03:43
16:18:29 is anything in /var/log/messages? i found there why it was panicking for me, which happened to be because it couldn't create a sublogger
16:23:45 There are some log lines in /var/log/messages but not related to gitea
16:46:25 I couldn't run gitea as a service. I must sleep a little. I will continue debugging when I am awake
17:53:40 momken: here's my app.ini (chowned to git user) with secrets removed https://paste.debian.net/1364608/, and you already have my rc script, and this is a caddyfile snippet if you choose that route https://paste.debian.net/1364610/
18:03:05 My home lab in the basement has some IPv6 network problems. hosts can ping each other. hosts can't ping the gateway. gateway can't ping the hosts. When pinging the gateway, I can see the incoming "neighbor solicitation" requests on the gateway, I don't see any replies. Getting lost there.
18:10:03 dvl: show ifconfig from the gateway and one of the affected hosts?
18:10:37 also show the tcpdump output with the NS queries, there's one particular non-obvious behaviour here that depends on a sysctl i'd have to look up the name of
18:14:05 ivy: see https://dpaste.com/7A9D8SLKA for the first request
18:14:38 ivy: for the tcpdump https://dpaste.com/3BR3CNGUA
18:17:52 ivy: Some of the IPv6 addresses are prefixlen 64, some 128 I see. Many of those are jails.
18:18:02 dvl: because your hosts are sending NS from a GUA, try setting net.inet6.icmp6.nd6_onlink_ns_rfc4861=1 on the gateway and see if it makes a difference. i don't remember what exactly triggers that behaviour; might be related to the fact that you're using the subnet all-routers anycast address as the gateway address
18:18:20 A GUA?
18:18:37 global unicast address, i.e. not a link local address
18:19:19 the IPv6 spec says you're allowed to send such packets but FreeBSD drops them by default because they can be a security risk (since you now have routable NS/ND packets which is a bit weird)
18:20:22 ivy: done, seems to have no effect.
18:20:39 On the ping, checking tcpdump
18:21:27 dvl: next thing i would is using ::1 instead of ::0 for the gateway address (you could add it as an alias just to test), i don't know if that'll make a difference but the ::0 address is special
18:21:35 s/i would is/i would try it/
18:21:58 i assume you checked pf already and it's allowing NS/ND on the gateway :-)
18:22:19 ivy: OK, and for what it's worth, I'm copying this config based on another host, which was working just fine.
18:22:55 ivy: I've been checking pflog0 for blocks, nothing, and I've been dumping other nics too, in case of a mis-route issue. Nothing.
18:23:28 if neither of those things work i'm not sure what else to suggest, it seems weird :-/
18:25:31 ivy: ::1 added and tested: https://dpaste.com/HFAPE7FRC
18:26:01 00:00:00.015219 20:7c:14:f5:8e:53 > 33:33:ff:00:00:00, ethertype IPv6 (0x86dd), length 86: 2001:470:8abf:7055:: > ff02::1:ff00:0: ICMP6, neighbor solicitation, who has 2001:470:8abf:7055::, length 32
18:26:04 what?
18:26:23 oh, maybe that's DAD
18:26:24 Very interesting.
18:26:32 DAD sounds familiar
18:29:39 ivy: dest unreachable on lo0 (first time I bothered to look at that nic): https://dpaste.com/FH4RPYBDF
18:30:15 uhm
18:30:22 dvl: what's in netstat -finet6 -rn ?
18:30:33 on the gateway
18:30:50 ivy: https://dpaste.com/FHD6X8K28
18:31:47 and, FWIW, the gateway can ping6 google.ca, and others.
18:31:48 2001:470:8abf:7055::/64 2001:470:8abf:7055:: UGS vlan7
18:31:53 that doesn't look right
18:32:04 it should be a link route
18:32:08 That might have been my manual attempts
18:32:39 [18:31 gw01 dvl ~] % sudo route -6 delete 2001:470:8abf:7055::/64
18:32:40 delete net 2001:470:8abf:7055::/64
18:33:22 ivy: what is meant by a `link route`?
18:33:29 you may need to remove/re-add the IPs on that interface to get the normal link route back, i'm not sure what the kernel does there
18:33:36 dvl: like this one: 2001:470:8abf:1055::/64 link#4 U igc3
18:33:43 oh
18:34:40 so an [18:34 gw01 dvl ~] % sudo route -6 add 2001:470:8abf:7055::/64 -iface vlan7
18:34:40 add net 2001:470:8abf:7055::/64: gateway vlan7
18:34:56 i strongly suggest letting the kernel add it rather than doing it by hand, just to be sure
18:35:36 [18:35 gw01 dvl ~] % sudo route -6 delete 2001:470:8abf:7055::/64
18:35:36 delete net 2001:470:8abf:7055::/64
18:39:40 I am seeing some "neighbor advertisement, tgt is fe80::" replies.
18:54:52 At one time since the last gateway reboot, this was working for a bit, I think. It may be time to reboot it and start from a known good configuration.
19:24:11 ivy: ironic, these started about 50 minutes ago. Mar 22 18:32:44 gw01 kernel: Limiting ICMPv6 neighbor discovery redirect output from 119 to 105 packets/sec
19:24:58 dvl: i don't even know what a neighbour discovery redirect is, but it does not sound like something normal :-) at this point i'd probably redo from start...
19:25:22 (as in start with one IP address on everything and make sure that works)
19:25:51 ivy: yeah, I'm sure something else I was working on earlier this week has had unintended consequences.
19:29:53 removed: sudo ifconfig vlan7 inet6 2001:470:8abf:7055::1 -alias
19:35:56 you know, one thing i really miss from VAX C is that you could write something like &JAIL_SYS_NEW to take the address of a literal value, which saved creating some temporary variable for it
20:47:20 ifconfig add inet 234.242.243.234/24 doesn't work
22:36:12 yamada: That's supposed to be an interface name, that second word there.
22:41:14 eh freebsd doesn't have electricsheep no more ?
22:41:47 in pkg at least
22:41:50 i wonder why
22:50:21 btw is there a way to restart OSS service ?
22:50:32 or restart audio service completely ?