neat, found a kernel panic in mac_do :-)

brb

ivy: quick fix it before anyone notices

kevans: this code looks surprisingly in depth so i am just going to make a pr :-p

trigged by this fwiw: sysctl security.max.do.rules='gid=5>uid=*'

triggered

so i made a fbsd jail to use as a "shell box" and it seems like sssd can't run because root is not root in the jail

Macer: that is not normal, sshd works fine in jails unless you've configured something oddly

sssd

i'm trying to join it to AD

oh, sssd. but still, that should also work in a jail

SSSD couldn't load the configuration database [1432158324]: File ownership and permissions check failed

although i have found sssd on freebsd rather... unreliable in the past

yeah i typically use samba and winbind

(for freebsd)

but i figured i'd give sssd a go.. but it seems to not agree with a jail. i wonder if there is an option for sssd.conf to turn that check off

i assume you checked the file permissions on sssd.conf etc.? does anything look strange there? root is still uid 0 in a jail, so it shouldn't be able to tell the difference

oh ok. that's my fault

i forgot to change nsswitch.conf

i guess that's kind of important lol

hm. ok.

so auth is telling me that the authorization was successful... but it's not letting me login still heh

authentication success... then pam error. wth

that didn't seem to work. let me try with samba/winbind

if i can unearth a blog on how to do that

worked

i think i know where i went wrong with sssd too

but i already have samba+winbindd working for it

belated: my sssd experience is entirely with Linux but over there it's kind of a pain if sssd isn't packaged right, you have to explicitly import sssd's pam modules or else absolutely no authentication will work no matter how many times the AD controller gives you the green

Looking at the issues you had here, Macer, it looks like that might have been the case

i've never actually got sssd working on freebsd, last time i tried it either wouldn't load a valid configuration or would randomly SEGV

but that was a while ago, maybe it's improved since then

yeah. i typically take the krb5/samba/winbind approach with fbsd.

now to find out why bastille won't bootstrap bookworm

i wanted to try out a linux jail

do people actually like sssd?

i still have nightmares from having to administer it in a past life

Last time we tested it at work it was two commands to setup.

kevans: on RHEL it works great, i have nothing against it

I heard people talking about sssd and I didn't think twice but ran away immediately. Not screaming but whimpering quietly.

rwp: you prefer winbind?

skered: yeah it's usually fairly simple in linux .. not so sure about fbsd.

although i think my last attempt i was just messing up the pam files

i think the sss.so should have been placed above unix.so

which i noticed when doing winbind

ivy, I prefer not dealing with ActiveDirectory. (shudder)

yo

wut is this traditional distribution sets vs packages in freebsd 15?

('^' )?

unwrapped_monad: Sets are part of the FreeBSD system, some of which are mandatory, others are optional. And packages are 3rd party (as in not maintained directly by the FreeBSD core dev team) software.

Different from Linux, where every piece of software is essencially a package.

ooh i see

Actually, in the case of FreeBSD, only "base" is mandatory, the rest is optional.

You can enable "ports" to also have a Gentoo-like experience in addition to a package manager, enable "kernel" and "src" if you want to have the full FreeBSD source code locally (for customization and tweaking if you really have to), "lib32" if you need 32-bit libraries, and "tests" for...I don't know.

unwrapped_monad, You are asking and so I will say that most likely you will install the FreeBSD base system in the /usr tree and then will use pkg to install precompiled binary pkgs to the /usr/local tree. Packages aka pkgs are precompiled "ports" and ports are source code for self compiled packages.

The base system (at this time) is upgraded with freebsd-update to upgrade the base system. Packages aka pkgs are upgraded using pkg upgrade. These are managed separately. This is good because the base system is a consistent thing and your system is almost always reliably able to boot. And then everything not in base is a port and installed on top of the reliable base system.

does anybody know how i create a helper for rclone for fbsd?

in linux you just ln clone to mount.rclone

linking it to mount_rclone doesn't seem to work in fbsd

Never heard of rclone before.

well then

got it. the md at the bottom of that did the trick

it has to be rclonefs linked in /usr/local/bin

i can mount it on the host just not in a jail. fuse still can't be used inside jails?

oh i guess you can.. not sure where to put this though

2/ws 11

so i managed to get mostly everything going. the only thing i'm hung up on is getting a jail to mount a smb share with rclone because it doesn't seem to want to listen to its own fstab

so when the jail starts it doesn't seem to want to auto mount it. even though i can just mount /mnt/dir as root for it

and i can't pass the user flag to rclone mounts because the jail requires that root mount fuse

native jails or using a helper? I've a love/hate relationship with bastille. have a rclone jail that does my backups via mounted dirs. works nicely

use a crypt ontop of b2

native jails

*jail

oh wait. i think i just realized why it's not working

ok. i guess not. i thought i didn't have auto as an option

i'm about to get filthy with this and use a root at boot cronjob for it

:/

what happens when you mount -a ? still doesn't mount this fstab entry?

it does mount it when i use mount after boot

it just wont auto mount it when the jail starts from fstab

any error in your jail console log?

i'm trying to find something

possibly related to network config not yet present if it's a remote filesystem?

if so you might see no route to host or similar in your console log

got it!

there are some things there that aren't really intuitive with rclone mounting

i had to put that on my soon to be abandoned for years blog crazy.macer.life/freebsd-jails-rclone-mounting

i know 5 years from now i'll be doing it all over again. talk about frustrating :)

hah, know the feeling all too well. even 6 months later and i have almost no idea how i did a thing

well i finally got it and that was one of those dealbreaker ones

i needed to be able to automount smb into a jail with a particular gid/uid

quite the learning curve coming form proxmox to jails on fbsd.. i still need to figure out a lot of things but i think by this point i'm going to wind up editing jail.conf files more than anything. i guess you have to do the same to lxc conatainer configs too even on proxmox

Macer: Are you not using anything like iocage or ezjail?

Macer actually jails are easier than proxmox, coming from someone who's been using jails for 10 years

Macer have a look at jailer.dev, it's a small tool I built, which generates the jail.conf for you

Yep. Jails with a little management help are super easy.

I just hate that most jail managers run as a service, which I just needed helper scripts, so I've been super happy with jailer

doing something like `jailer init bridge` will setup a bridge, or `jailer init dhcp` will setup OpenBSD's dhcpd in a second, etc.

I agree. I like the simplest solutions.

Sounds a little like the vm-bhyve helper (which I also like.) I'll have to check it out. Thanks!

very much inspired by it!

(even the ZFS code is a copy-paste from their code)

Perfect!

ek: i'm using bastille

antranigv: No interest in getting this added to the ports tree?

Macer: Ah, okay.

iocage doesn't get developed anymore does it? it also uses zfs settings?

ek not yet. there are some bugs that affect me personally (I run a very large jails fleet), polish and then submit to ports

iocage is still being developed, as far as I know. At least, there have been recent changes.

bastille is pretty decent as far as making using jails a little easier. i tried cbsd but that porridge was too hot

antranigv: Sounds good.

and clonos is not far along

Macer yeah if I have to recommend, I can only see jailer and bastille staying around for long, everything else seems to complex :(

or too... investing?

bastille isn't bad at all

i was just hoping to find something for fbsd that is like promxmox with the weeb ui. i think there are a couple but i haven't looked at them too hard. i decided to stick with bastille just as a test bed to make sure jails can do what i need.

mounting smb is a big one

yeah, when I first started developing jailer, bastille wasn't around, but the design is very similar. I think a major difference is that Jailer forces you to use ZFS.

oh the web UI thing...

i don't think that fbsd mount_smbfs even does > smb1 still

I developed one couple of years ago

so you HAVE to use rclone

well.. either that or allow the older smb protocol

for jailer + vm-bhyve + zfs + DTrace, all in a nice GUI. but I haven't open sourced it yet.

ah. that would be nice to have

cbsd has a lot of stuff that i don't need like the xen and virtualbox stuff. and i didn't try hard enough to get rid of it from the help menu

the help menu winds up being too long and you wind up scrolling up and down nonstop to find what you're looking for

i'm about to test what happens when i try to backup this jail live with the smb mount in it

in proxmox i use fusefs for a couple unprivileged containers and found that snapshot backups while they're live freeze the host .. i haven't checked to see if that's been fixed

i'm feeling pretty ballsy doing a live export of the jail while in the jail.

Just snapshot the jail and do whatever you want.

that's what it does with bastille export

snapshot to tgz

in $bastille/backups

Yeah. Completely normal to do live snaps to .tgz with a jail. Shouldn't be a problem at all.

i doubt i'll be coming off of proxmox any time soon but i really wanted to see what i can do with fbsd with jails and vms so i dusted off my old supermicro dual xeon x5660 and spun it up

yeah i was just curious how well it handles the fuse mount inside the jail .. i'm sure it just ignores it. proxmox on the other hand... freezes the host. lol. they probably fixed that by now. that was over a year ago.

same method. using rclone... i may try to do a live backup to see what happens.

I can't speak for the fuse mounts since I don't use them. But, I haven't seen or heard of anything like that happening with FBSD.

i'm about to test it out in a minute just to see what happens with proxmox

fuse requires loading fusefs kld module, you can do it from the host, not from the jail

allowing jail mounts should be sufficient for jail, if the device is exposed to jail

kernel: pid 49921 (smbd), jid 0, uid 0, was killed: failed to reclaim memory

hm

i didn't have any swap turned on so maybe that. but that caused the proxmox backup to fail

i'll wait for it to finish and try it again. i'm only doing it to test the backups. guess i'll probably go back to using nfs for it

kind of weird too because most of the memory was being used by arc so that should have let off the pedal and freed something up so that wouldn't happen?

i wound up setting an arc max in sysctl.conf

I: Checking component main on deb.debian.org/debian...

E: Couldn't find these debs: usr-is-merged

hm