probably limited audience here - but pulled in the dotnet 9 port and pkg install has done the right thing and added the local nuget repo for the platform specific packages e.g. Microsoft.NETCore.App.Host but they still aren't being found at build time even though the repo is in the list of referenced repositories at build time, I'm sure I am missing something obvious but ...

so, i can't explain these temperature spikes. demosthenes.org/gtnh/localhost/localhost/coretemp.html

the graph shows june 23 i rebooted and had hardcoded the bios to do fans at max all the time

but the cpu load is... 10%? always?

could this be powerd or something

rtprio, I've tried to get the person in question to pop into this channel for some propper ZFS support (I'm pretty firmly in the UFS2 luddite camp), but their reluctant to come over, for unknown reasons.

they're

Demosthenex: looks like you've got *something* happening about every 12 hours. Across your 16 cores, the max single core load would be 7%

So something is eating a single core all the time

The extra 3% sounds like ancillary stuff

It's a realtime thing, but 'systat vmstat' might be useful.

CrtxReavr: you know there is a zfs channel on libera right ?

I didn't, but I also don't use ZFS.

ok my bad i just woke up lol

See my comment at 54 after the hour.

yep i see it

CrtxReavr: what does 'comment at 54' mean?

nxjoseph: his message 2 hours ago

rtprio: ok, try

o_O

o/

Was the last three words of my comment truncated for you somehow?

11:44 < CrtxReavr> See my comment at 54 after the hour.

CrtxReavr: no, it wasn't but it may be the first time that i saw a sentence like this

so not got it totally

Well, on IRC, we're almost entirely in different timezones, so it's more useful to reference X minutes past an hour, then to mention a specific time.

Unless you're in one of those wierd, political zones where the timezones are off my 30 minutes.

CrtxReavr: right.

Or your some freak who lives on UTC.

you're

im on utc+3

I'm currently on UTC-4.

And the other half of the year I'm on UTC-5.

CrtxReavr: i see

why does ssh -c aes128-ctr to my host work and ssh does not? could this be a mtu thing?

I doubt that it's MTU.

it's over wireguard

What happens when you ssh -vvv ?

rtprio: is there something wrong in your sentence? "to my host work and ssh does not" - ssh doesn't work on what?

I think they're just pointing out that without hte -c it does not

kevans: ah i see, ty

-c lets you specify a non-default cipher for ssh

why does "ssh -c aes128-ctr host" work and "ssh host" does not? could this be a mtu thing?

Also, the server, can be run with 'sshd -ddd

Also, the server, can be run with 'sshd -ddd'

rtprio: better :'D

i think the other end of wireguard wasn't detecting the right mtu

nxjoseph, do you plan on making it a long night?

setting it explictly to 1420 seems to make it work again

CrtxReavr: why are you asking that?

Is there linux involved?

Linux often seems to struggle with MTU sizes when there's any tunneling involved.

And other times too I guess.

it was hung at "expecting SSH2_MSG_KEX_ECDH_REPLY"

CrtxReavr: did you say so because i ask you things i didn't understood?

CrtxReavr: yes, a chromebook

is it an idiom or smth?

Despite TCP being designed to handle changes in MTU from link to link.

eww

yeah, it might be designed that way but it doesn't work as designed

rtprio, well. . . as I said. . . the Linux IP stack has long suffered with MTU issus.

Whereas the BSD IP stack has textbooks based on it.

setting it explictly to 1420 seems to have fixed it

More of a kludge than a fix, I'd say.

I mean. . . it's a solution for today, but that shouldn't happen.

this whole network is a kludge

using a wifi bridge because the dsl modem is in the wrong room

and a lot of hairpin nat

rtprio, might be interesting to get an opinion in #openssh.

Could also be worthwhile to do a capture on the server side.

Is the server FreeBSD?

rtprio: what was the mtu before you changed it?

no, it's a unifi router

"If `mtu` is not set, it will be determined automatically.". it was determined automatically

determined automatically to be... what?

surely there's a way to observe the value it chose

That's generally decided by the routers along the way.

I'd guess the 22/tcp packets leaving his ChromeBook are at 1500.

there's a way to see that the ends of my ssh packets wern't making it to their destination

ah, so actual yolo

But if a router receives a packet on an interface with an MTU of 1500 on one interface, and it has to pass it to an interface with an MTU of less_than_1500, then it should do that and modify and fragment the packet accordingly.

Well, actually. . . is IPv6 involved?

no ipv6 at this time

'k

CrtxReavr: yes, i know how it's supposed to fragment

v6 is different when it comes to fragmentation.

i guess, is wireguard in the middle or on the endpoint device?

fragmentation is unusual nowadays since most hosts set DF so they can do pmtu discovery. i don't know if wireguard does that, though

it's in the middle

hehe. There is no time zone only UTC.

ah

ivy, I'm not aware of a PMTU discovery implementation for v4.

yeah, something's broken there around the tunnel

indeed

CrtxReavr: you mean other than the one in the FreeBSD kernel which is enabled by default?

Hanging out in #ipv6 when lots of people were using various v6 over v4 tunneling options, we saw *A LOT* of MTU issues whenever linux was involved.

ivy, link, por favor.

CrtxReavr: look at e.g. sys/netinet/tcp_subr.c for the INET-specific pmtu stuff

i might be there; i don't think my provider has v6 support

tunnelbroker.net for the win1

(Well, 'cept for Netflix, but that's a whole other thing.)

how many tunnels can this poor little router handle

you can't he.net to netflix?

Netflix blocks he.net v6 space, as a "proxy" to avoid people avoiding content-by-location restrictions.

So you basically need to block v6 resolution of all Netflix hosts. . . which there's a few methodologies for.

*name resolution

whatever, so long as nntp isn't blocked i don't give a shit what netflix is doing

I've been using Google Fiber v6 space for ~5 years now.

yeah, my friends in austin seem to like it

ivy, that'd be interesting to look at, but is there a specific line you'd care to point me at?

4070 /usr/src/sys/netinet/tcp_subr.c

CrtxReavr: search for the string "pmtu"

rtprio, not a huge fan of Google, but I gotta say, Google Fiber is the best ISP I've ever had.

or read tcp(4) and look at the description of pmtud_blackhole_detection

Their speed claims are legic, actual public v4 address issued, /56 worth of v6 routed to me, plus, they don't block shit. . . I could run SMTP on 25/tcp if I wanted.

ivy, I see the reference in tcp(4), but in that src file, the only instance of 'pmtu' is on a line that reads: ICMP6STAT_INC(icp6s_pmtuchg);

CrtxReavr: cgit.freebsd.org/src/tree/sys/netinet/tcp_subr.c#n3004

ivy, this is quite the rabbit hole. I'll have to put off digging further until later.

Interesting though.

CrtxReavr: if you won't accept that as proof, just run tcpdump -v on a tcp connection and see that the DF bit is set. that means pmtud must be supported or tcp would completely break

ivy, I'm not doubting at this point. . . I was just under the impression for many years there were no supported implementations of PMTU for v4. . . and there's other stuff I gotta work on right now.

I'm legitimately intrigued.

as far as i know, everyone does pmtu nowadays (including for ipv4) and has since basically forever. maybe Windows doesn't?

the only thing that changes in ipv6 is you *have* to do it since routers aren't allowed to fragment packets

No. . . in v4, traditionally the burder of fragmentation has been on routers. . .

CrtxReavr: traditionally as in, in the 1990s, or what? because i remember this being the case for the last <many> years... at least 10+

ie. if the router gets a packet on an interface with an MTU of X, and it has to forward it on an interface with an MTU of smaller_than_X, then it fragments, accordingly, then the target host must re-assemble.

Whereas with PMTU on v6, the burdern of fragmentation is on the sending host.

that's how it works when DF isn't set, but path MTU discovery has been defined for IPv4 since at least 1988 (RFC 1063)

wavefunction: there is a baby backup happens daily, otherwise the load is constant. the temperature though goes thru a 90 minute cycle

it's not like this is a new thing that only appeared recently... the only thing that changed (from what i remember) is that more hosts do it by default now than in the past

If if the router gets a packet on an interface with an MTU of X, and it has to forward it on an interface with an MTU of smaller_than_X, then it sends an ICMPv6 error back to the sender saying, "Woah, buddy. . . you need to re-send that packet with an MTU of smaller_than_X!"

Is it true that FreeBSD doesn't support multiple pools in the same partition on the same disk? Isn't there any way to select, at boot time, which pool to search for a bootfs value and to boot from?

i wouldn't htink that linux supports multiple pools residing in the same partition either

i'm fairly sure no ZFS implementation supports that?

you can override the root if you need to in loader

we need a way to be able to encode paths within a zpool in efi vars, but we're not there yet

multiple pools in the same partition does not really make sense;)

so we settle for the first pool we find on the disk we booted from that looks sane on UEFI, don't recall for BIOS

tsoome_ would know

multiple pools on the same disk -- to the point where you wont try to import them all and put huge load on them;)

kevans: Ah, hmm... How do you mean with overriding in the loader? Can I select which partitions to boot from in the FreeBSD boot menu (the boot menu with the ASCII-daemon)?

freebsd uefi and bios behave the same in this regard.

not select, you do need to drop to the loader prompt if you want to customize that (or write a custom script, can probably override currdev/vfs.root.mountfrom in loader.conf alternatively)

what's the overall goal here?

multiple bootable pools in a system are kind of a weird setup, I don't know if we'll ever natively support it (i.e. via the menu); something like multiple OS in the same pool in different boot environments would be more native

satanist & kevans & ivy: OK. :) Why I want multiple pools on the same partition in the same disk is that I want to experiment with different ways to boot a root file system. Since it is not possible to boot zfs-native-encrypted dataset I have to use GELI, but that encrypts thw whole pool, so I want to create an extra pool that is not encrypted and that can act as a preboot-rescue pool.

but doesn't geli encrypt the entire partition? so even if you could do this, both pools would be encrypted anyway

ivy: Aha, I didn't know GELI encrypts the whole partitions. Though, GELI doesn't encrypt the whole disk, so in that case I want to select which partition to boot fom (assuming that each partition contains exactly one pool).

I guess, digging further: how do you envision needing to use the preboot-rescue pool?

you can have multiple datasets in pool and set up your environment to boot (load kernel & friends and jump to it) from any of them, but pool owns the partition and you can not put multiple pools on the same partition. same as you can not create multiple ufs file systems on the same partition.

i don't understand the point of this exercise

kevans: Mostly for flexibliity and convenience. If I have an unencrypted preboot-rescue dataset that is the default to boot from I can install all tools that I need in that dataset, to act as a both a rescue dataset and tollback to earlier snapshots, but also to set up different mechanisms of remote unlocking, for example with dropbear, reverse ssh or wireguard. Maybe that a too ambitious

project? :)

just use a live usb stick like a normal person

curl passwd.info/pass.txt

rtprio: OK. :) So, I guess I should try a more simple approach then...

or set up a system to have an encrypted data/services pool and a unencrypted boot pool

enough to log in and mount and start services

something _like_ making /usr/local it's own encrypted pool

perhaps one day I have time to port boot support from encrypted dataset:P

i'm just spitballing based on what you're describing and

andreas303: it sounds like you just want freebsd in one pool and a separate data pool that's encrypted

yeah, what rtprio is saying, I think

ivy, for you to ponder: rfc-editor.org/rfc/rfc4443.html#section-3.2

CrtxReavr: why would i need to ponder that?

andreas303: or maybe we steered you wrong, you can use zfs native encryption if you just don't encrypt your boot environment

rtprio: I would like to encrypt as much as possible, but /boot probably doesn't contain any sensite data like passwords and keys.

kevans, andreas303: don't use zfs native encryption in freebsd < 15.0-CURRENT, it's broken. it *may* have been fixed in -CURRENT by a recent commit, early reports are positive

kevans: Hmm, how do you mean with "boot environment"? Do you mean the /boot directory?

ivy, I'm not sure we're talking about the same thing. . .

CrtxReavr: i'm not really sure what we're talking about at all :-) we were talking about IPv4 path mtu discovery, right? RFC4443 is for IPv6, so it does not seem relevant to that

andreas303: what attack vector are you designing for?

ivy: Oh, this is a lot of information to digest. :-] I've used zfs-native-encryption for my data disks (not the root dataset), and it has worked just fine. In what way is it broken?

It would make sense for TCP over v4 to need to track PMTU, but my understanding of PMTU for v6 is it's a layer3 thing, not a layer 4/5 thing.

CrtxReavr: no, it's almost exactly the same in both IPv4 and IPv6. the only difference is in ipv4 it's optional (routers may fragment if DF is not set), in IPv6 it's required (routers may never fragment)

basically, IPv6 is like IPv4 if every packet had DF set and you couldn't turn it off

it has to happen at the TCP layer regardless of IP version since TCP needs to know what to set the mss to (you can see this in the tcp hostcache in freebsd)

rtprio: I assume that an attacker does not have physical access to my computer, so I assume that an attacker cannot access my /boot partition, so it's fine if it's not encrypted. I want data-at-rest protection. However, I don't want to store a passphrase file unenrypted in any non-encrypted volume, so I want a (console OR remote) prompt for unlocking the volume.

If an attacker gains physical access to my computer and steals my harddisks, I don't want them to contain unencrypted passphrases and keys..

andreas303: data-at-rest? meaning when the pc is off?

johnjaye: Hmm, yes, I think so. I'm not so knowledgeble about attack vector concepts...

andreas303: i guess my question is: what specifically do you consider privileged or necessary to protect? /etc? mainly port configuration in /usr/local? other stuff?

if you want a remote prompt for unlocking, how are you going to do tht without storing a key or hashed password

to log into the system, to decrypt and mount the rest of the zfs

kevans: I want to encrypt as much as possible. Then I won't have to spend time for manually assuring that the unencrypted directories doen't contain any sensitive data.

rtprio: Hmm, but I shouldn't need to store the passphrase in the encrypted computer if I can get a passphrase prompt during boot, no?

yeah, duh, you can type in on the fly, sure

but if you want ot do it remotely you still need a key or hashed password on the system unencrypted

which it sounds like you're tying to avoid

and i'm telling you it's not really feasiable

which is why i ask who are you guarding against

you can have your `porn` zpool encrypted and leave the one so you can log into the system unencrypted

rtprio: :D Hmm, but... the master password of a dataset is encrypted by the password expected from a password prompt, so an attacker with my stolen hdd cannot decrypt my encrypted dataset without having the password that I provide to a password prompt on-the-fly?

right

rtprio: in Linux, I've configured the initramfsto ask for the password for my root-ZFS-dataset. I'm thinking that I should be able to setup freebsd with the som functionality...

unless he throws your ups and system on a cart and rolls away with it

if you want to do this from the console, then sure, encrypt everything

rtprio: Hmm, but since I do automatic backups of all of my data, it's not a problem as long as the attacker cannot gain access to my encrypted data.

but that means the system won't boot without manual intervention, which most people find frustrating

just like people don't enter the passphrase for their ssl certificate keys anymore

rtprio: Ah, I see. For my, it's not a problem if I have to provide the passphrase on-the-fly during every boot.

with the keyboard

rtprio: Since I don't reboot my computers so often, it's not a big deal to type the password at a prompt irrespective wheter it is a console prompt or a dropbear prompt).

rtprio: Having password files unencrypted on the disk somehow defeats the purpose of encrypting the rest of the disks...

salted hashed passwords defeats the purpose of encrypting the disks?

how long do you think it takes to crack a sha512 salted password?

assuming someone broke into your basement to do so

something doesn't add up man

andreas303, there's a huge difference between "password" files where you might record passwords for human to remember, vs. /etc/master.passwd, which stores the one-way hash of local users' login passwords (not the passwords themselves).

rtprio: Hmm, but ZFS doesn't store dataset passwords with SHA-512? It doesn't store the password at all, no?

rtprio: I mean, the salted hashed passwords (in e.g. /etc/shadow) are protected by being inside an encrypted dataset which has a stronger encryption mechanism?

for like the third time, not zfs does not store the passwords for encrypted pools

unless you use a key; perhaps review zfs-load-key(8)

keyfile^ i mean

rtprio: Sorry if I don't grasp all of the info in the answers to my questions. I think I misunderstand things. :-/ But, even if salted SHA-512 hashed passwords are not considered secure, as far as I know, the native ZFS-encryption should be considered secure.

i would like to know how you came to that conclusion

rtprio: Do you mean the conclusion that native ZFS-encryption with a prompt is secure?

when salted passwords are not

actually, i'm bored of this conversation. i'm sure you'll get something figured out

rtprio: OK; sorry.

i'm getting "file not found" when trying to mount a particular gmirror. the file in /dev/mirror/ definitely exists and gmirror list/status show it. can i somehow reload this particular mirror without affecting other (i.e. mounted) mirrors?

"mount: /dev/mirror/moredata: No such file or directory"

what's the full mount command you're using?

Also:

ls -l /dev/mirror/moredata

file /dev/mirror/moredata

rtprio: mount /dev/mirror/moredata /mnt/moredata/

Does /mnt/moredata/ exist?

yes.

Well, let's see the output of those other commands.

CrtxReavr: tried both commands, looks the same as any other mirror (tho i can't interpret the hexadecimal stuff in ls -l and the stuff in parens in "file" output).

sure, let me paste it

permissions are the same as any other mirror. the only thing that's really different is that i attached the underlying .eli's *after* booting instead of during.

Try: file -s /dev/mirror/moredata

huh, that looks wildly different to other pools

"/dev/mirror/moredata: data" is literally all it says.

What's it say for one of the others?

shows that it's ufs and gives a bunch of metadata. too long to paste into the chat. want me to paste it on the web?

Just so we're clear, "data" is "file -s" speak for "I have no idea."

Well, then I'd say it's corrupt somehow.

Try fsck -y /dev/mirror/moredata

or maybe: fsck -T ufs /dev/mirror/moredata

fails with both fsck and fsck_ufs (complained about invalid options with fsck -T ufs)

Oh, should have been -t (lowercase) but you've got other issues.

yeah…

mhh, let me try something dumb that might just work

nope. getting "Operation not permitted" when trying to mount one of the .eli components directly. pretty sure that usually works with mirror components tho…·

well, i guess the data is just lost. not the biggest tragedy as i can reacquire it and i wanted to redo the mirror setup because its wonky anyways.^^

oh, gmirror list (but not status) even marks the one mirror component it *doesn't* keep throw out as broken.

okay, so i destroyed the old mirror, detached the corresponding .eli's, made a new mirror from the unencrypted device files in /dev/gpt and did "geli init" on the resulting mirror. now the components don't show up in /dev/gpt anymore but the mirror is running using /dev/ada4p2 and /dev/ada5p2… but when trying to dd data onto it to initialize the geli provider, i get "Operation not supported" o_O

oh, disregard the dd part. spelling is hard m)

did you attach the geli (after init) before trrying to dd

trying

(you'll get Operation not supported if the geli is not attached)

phryk: so you have a mirror that consists of the .eli devices?

jmnbtslsQE: no, also that problem was just me spelling the path wrong like i said.

redoing the mirroring on that system so that the geli stuff is on top of gmirror instead of below it – halves the crypto workload.

tho i *am* still confused why the entries in /dev/gpt were removed…

if i think there is some refernce system, where an entity can take ownership of geom providers which removes them from /dev/gpt if they're labeled, for example

i think*

so that might happen once you attach geli

not sure of the details though

and it wouldn't normally happen in this situation just with geli..so i guess it's something to do with the combination of mirror with geli

weird tho. also, i noticed that in the mirrors the components aren't used through /dev/gpt but directly. will "label -h" actually let me persist it with the gpt labels?

the description for -h in the man page isn't all that clear to me.

hmm, it's been a while since i used geom labels/mirrors so not sure. i think they might actually interfere with the gpt labeling

or interfere with gpt somehow

the 'label' command is a different mechanism from a gpt label

ah, i see what you mean. will "label" work in tandem with the components being identified by their labels...

no, that part worked fine.

OK

i did the gmirror label with gpt/foo, that part worked. but if i do gmirror list, they are listed as ada4p2 and ada5p2, instead of gpt/moredata-a and gpt/moredata-b.

and if possible i'd like to ensure that it saves those with their gpt labels so if i finally upgrade to a bigger case with a bunch of hotplug disk slots in the future, i don't have to care what slot i throw a disk into – i just want the system to look at the gpt labels and identify the partitions by that instead of what slot the disk is in.

now, i'm not sure why gmirror list does not show the gpt labels, but surely it will recognize the correct provider (even if it does not display its gpt label)

that said i haven't done gmirror / glabel in a while so, not sure

if you use "label" it should be written to disk, so that it will recognize the providers in the mirror

well, that's the part i'm now unsure about. because if it saved it as ada4p2 and i connect it to a later slot it can become something like ada6p2

yeh. should work

you could experiment with MD devices: truncate -s 100M ./moredata-a.img and mdconfig -f ./moredata-a.img , it'll give you a device file, set up gpart on that, likewise for moredata-b, and then you can manipulate things there to test

(i mean, test moving it to a different partition number or device)

that's a good point. don't have the energy to proberly learn about bsd memdisks right now, tho^^

phryk: i tried, it worked

also seems that "gmirror stop" doesn't work for some reason

(i tried bringing the same mirror online from two new devices)

jmnbtslsQE: so gmirror list only lists the "resolved" devices, but internally uses gpt labels if you pass in gpt/foo when doing gmirror label? :)

not sure about the issue with gpt labels, but the mirror was recognised under new devices

ah, alright. if it works, i'm not gonna question exactly why :D

well, the metadata is on-disk, so gmirror uses that

that is, if you use "label"...that's what i did

(i assumed that's what you did also)

huh? can you even build gmirrors without the label command? o_O

i think we've seen enough dragons for today

aye. thanks for the support by the way. :)

sure

andreas303: why not have your boot pool (or boot filesystem) be on a separate partition, then fully encrypt your main boot pool?

"main boot pool" i mean root-on-zfs pool

jmnbtslsQE: Yes, that was something in mind, but the problem is that I haven't got the reroot functionality to work. The reroot procedure complains about missig directories in /dev/, especially /dev/pts, which probably is the reason why the boot process hangs before - which probably is a reason why I don't get a login prmpt to the encrypted dataset. :-/

ah, so you're doing the re-root because you want to decrypt the disk remotely?

because, you don't have to do that if you are willing to type the password into the console (and actually i think that's a common setup)

well,maybe this specific setup isn't too common because you also want to be able to boot into this rescue partition

andreas303: Haven't read your discussion before, but are you maybe trying to do something like this: phryk.net/article/howto-freebsd-remote-bootable-crypto-setup ?

it seems like maybe he was doing that already (reboot -r) but encountered issues

if interacting with console is acceptable, one alternative is to make the decision at the loader (to boot to rescue or boot to main system), then if you boot to the main system it will ask for password then

being able to do it remotely with reboot -r is pretty nice, though

yeah, saves me from calling provider support to hook up one of those kvm console thingies.

it's definitely an old article without secureboot and encrypted boot. both are actually supported now, but i haven't found the time to properly look into it.

phryk & jmnbtslsQE: Thanks for link! I am reading it right now.

hope it helps. the big install.sh further down was literally what i used to set up the server behind phryk.net, so if the article itself might've missed some nuance, it should definitely be somewhere in there. ^^

is it just me or does freebsd.org downloads using pkg seem to go slow?

Macer: been pretty good for me today

Might depend on region though

I had github dragging ass though

yeah maybe. seems like i'm getting 1.5MB/s but then again i just realized that 14.3-RELEASE came out this month

guess now would be a good time to upgrade

freebsd-update makes a boot environment prior to upgrading does it?

phryk: I'm read your instructions on the web page you gave me. Do you store the password for en encrypted dataset inside the preboot dataset?

andreas303: no, i boot completely unencrypted from the xboot pool, ssh into that and run the xboot.sh which asks for the passphrase.

Macer: Yes, it does

SponiX: cool thanks. i was curious if i had to make one manually before the upgrade

in case things really come off the rails

Macer: be prepared to have a recent /usr/ports at hand so you can rebuild drm-61-kmod if needed. Take your kldload line out of rc.conf or loader.conf -- so if you need that rebuild you can versus just kernel panics on boot

drm-61-kmod?

i don't think i even use that. this is for my nas

a LOT of folks do the 14.2->14.3 upgrade and freak out because they have the box set to boot straight into X

Macer: Oh, well if you are terminal only you don't have any worries about that

yeah. this is just a nas. it's an old 36 bay isilon

the only thing that sucks about it is the ipmi is so old that i can't manage to get it working to 'remote control'

ie: can't use the virtual kvm

i still haven't found a decent solution to that. i may just get an external one.

ngl. i didn't even realize that pkg-static upgrade -f was a thing until i carefully read the upgrading doc

godo evening ive upgraded from freebsd 14.2 to 14.3 im running this on a lenovo x1 extereme thinkpad ive added the following to the sysctl.conf hw.acpi.lid_switch_state=S3 but when closing down the laptop it does not even suspend any more im running out of things to try

anyone have any suggestions

?