08:31:02 probably limited audience here - but pulled in the dotnet 9 port and pkg install has done the right thing and added the local nuget repo for the platform specific packages e.g. Microsoft.NETCore.App.Host but they still aren't being found at build time even though the repo is in the list of referenced repositories at build time, I'm sure I am missing something obvious but ...
12:41:19 so, i can't explain these temperature spikes. https://demosthenes.org/gtnh/localhost/localhost/coretemp.html
12:41:43 the graph shows june 23 i rebooted and had hardcoded the bios to do fans at max all the time
12:41:57 but the cpu load is... 10%? always?
12:42:03 could this be powerd or something
14:54:40 rtprio, I've tried to get the person in question to pop into this channel for some proper ZFS support (I'm pretty firmly in the UFS2 luddite camp), but their reluctant to come over, for unknown reasons.
14:54:56 they're
15:09:24 Demosthenex: looks like you've got *something* happening about every 12 hours. Across your 16 cores, the max single core load would be 7%
15:09:38 So something is eating a single core all the time
15:09:58 The extra 3% sounds like ancillary stuff
15:12:26 It's a realtime thing, but 'systat vmstat' might be useful.
15:42:54 CrtxReavr: you know there is a zfs channel on libera right ?
15:43:32 I didn't, but I also don't use ZFS.
15:44:26 ok my bad i just woke up lol
15:44:57 See my comment at 54 after the hour.
15:51:00 yep i see it
16:13:13 CrtxReavr: what does 'comment at 54' mean?
16:13:58 nxjoseph: his message 2 hours ago
16:16:53 rtprio: ok, try
16:16:56 o_O
16:17:09 o/
16:17:10 Were the last three words of my comment truncated for you somehow?
16:17:24 11:44 < CrtxReavr> See my comment at 54 after the hour.
16:17:58 CrtxReavr: no, it wasn't but it may be the first time that i saw a sentence like this
16:18:06 so not got it totally
16:19:10 Well, on IRC, we're almost entirely in different timezones, so it's more useful to reference X minutes past an hour than to mention a specific time.
16:19:37 Unless you're in one of those weird, political zones where the timezones are off by 30 minutes.
16:19:48 CrtxReavr: right.
16:19:50 Or your some freak who lives on UTC.
16:19:55 you're
16:20:15 i'm on utc+3
16:22:21 I'm currently on UTC-4.
16:22:38 And the other half of the year I'm on UTC-5.
16:23:23 CrtxReavr: i see
16:24:12 why does ssh -c aes128-ctr to my host work and ssh does not? could this be a mtu thing?
16:24:55 I doubt that it's MTU.
16:25:20 it's over wireguard
16:25:22 What happens when you ssh -vvv ?
16:25:38 rtprio: is there something wrong in your sentence? "to my host work and ssh does not" - ssh doesn't work on what?
16:25:58 I think they're just pointing out that without the -c it does not
16:26:15 kevans: ah i see, ty
16:26:30 -c lets you specify a non-default cipher for ssh
16:26:46 why does "ssh -c aes128-ctr host" work and "ssh host" does not? could this be a mtu thing?
16:26:57 Also, the server, can be run with 'sshd -ddd
16:27:00 Also, the server, can be run with 'sshd -ddd'
16:27:11 rtprio: better :'D
16:27:39 i think the other end of wireguard wasn't detecting the right mtu
16:27:42 nxjoseph, do you plan on making it a long night?
16:27:50 setting it explicitly to 1420 seems to make it work again
16:27:59 CrtxReavr: why are you asking that?
16:28:01 Is there linux involved?
16:29:16 Linux often seems to struggle with MTU sizes when there's any tunneling involved.
16:29:22 And other times too I guess.
16:29:44 it was hung at "expecting SSH2_MSG_KEX_ECDH_REPLY"
16:29:53 CrtxReavr: did you say so because i ask you things i didn't understand?
16:29:56 CrtxReavr: yes, a chromebook
16:29:58 is it an idiom or smth?
16:29:59 Despite TCP being designed to handle changes in MTU from link to link.
16:30:06 eww
16:30:29 yeah, it might be designed that way but it doesn't work as designed
16:31:19 rtprio, well. . . as I said. . . the Linux IP stack has long suffered with MTU issues.
16:31:36 Whereas the BSD IP stack has textbooks based on it.
16:31:39 setting it explicitly to 1420 seems to have fixed it
16:31:52 More of a kludge than a fix, I'd say.
16:32:26 I mean. . . it's a solution for today, but that shouldn't happen.
16:32:54 this whole network is a kludge
16:33:10 using a wifi bridge because the dsl modem is in the wrong room
16:33:29 and a lot of hairpin nat
16:33:37 rtprio, might be interesting to get an opinion in #openssh.
16:34:47 Could also be worthwhile to do a capture on the server side.
16:35:14 Is the server FreeBSD?
16:35:22 rtprio: what was the mtu before you changed it?
16:35:26 no, it's a unifi router
16:35:28 * kevans hasn't read scrollback yet
16:35:49 "If `mtu` is not set, it will be determined automatically.". it was determined automatically
16:36:07 determined automatically to be... what?
16:36:28 surely there's a way to observe the value it chose
16:36:28 That's generally decided by the routers along the way.
16:37:08 I'd guess the 22/tcp packets leaving his ChromeBook are at 1500.
16:37:09 there's a way to see that the ends of my ssh packets weren't making it to their destination
16:37:11 ah, so actual yolo
16:39:16 But if a router receives a packet on an interface with an MTU of 1500, and it has to pass it to an interface with an MTU of less_than_1500, then it should do that and modify and fragment the packet accordingly.
16:39:30 Well, actually. . . is IPv6 involved?
16:39:41 no ipv6 at this time
16:39:47 'k
16:39:51 CrtxReavr: yes, i know how it's supposed to fragment
16:40:04 v6 is different when it comes to fragmentation.
16:40:19 i guess, is wireguard in the middle or on the endpoint device?
16:40:36 fragmentation is unusual nowadays since most hosts set DF so they can do pmtu discovery. i don't know if wireguard does that, though
16:40:45 it's in the middle
16:40:48 hehe. There is no time zone, only UTC.
16:40:52 ah
16:41:06 ivy, I'm not aware of a PMTU discovery implementation for v4.
16:41:28 yeah, something's broken there around the tunnel
16:42:16 indeed
16:43:22 CrtxReavr: you mean other than the one in the FreeBSD kernel which is enabled by default?
16:43:24 Hanging out in #ipv6 when lots of people were using various v6 over v4 tunneling options, we saw *A LOT* of MTU issues whenever linux was involved.
16:43:49 ivy, link, please.
16:44:09 CrtxReavr: look at e.g. sys/netinet/tcp_subr.c for the INET-specific pmtu stuff
16:44:11 i might be there; i don't think my provider has v6 support
16:44:35 tunnelbroker.net for the win!
16:44:59 (Well, 'cept for Netflix, but that's a whole other thing.)
16:45:00 how many tunnels can this poor little router handle
16:45:28 you can't he.net to netflix?
16:46:37 Netflix blocks he.net v6 space, as a "proxy" to avoid people avoiding content-by-location restrictions.
16:47:39 So you basically need to block v6 resolution of all Netflix hosts. . . which there's a few methodologies for.
16:48:01 *name resolution
16:48:15 whatever, so long as nntp isn't blocked i don't give a shit what netflix is doing
16:54:27 I've been using Google Fiber v6 space for ~5 years now.
16:55:48 yeah, my friends in austin seem to like it
16:56:01 ivy, that'd be interesting to look at, but is there a specific line you'd care to point me at?
16:56:04 4070 /usr/src/sys/netinet/tcp_subr.c
16:56:20 CrtxReavr: search for the string "pmtu"
16:56:47 rtprio, not a huge fan of Google, but I gotta say, Google Fiber is the best ISP I've ever had.
16:57:36 or read tcp(4) and look at the description of pmtud_blackhole_detection
16:57:37 Their speed claims are legit, actual public v4 address issued, /56 worth of v6 routed to me, plus, they don't block shit. . . I could run SMTP on 25/tcp if I wanted.
17:02:35 ivy, I see the reference in tcp(4), but in that src file, the only instance of 'pmtu' is on a line that reads: ICMP6STAT_INC(icp6s_pmtuchg);
17:04:18 CrtxReavr: https://cgit.freebsd.org/src/tree/sys/netinet/tcp_subr.c#n3004
17:07:42 ivy, this is quite the rabbit hole. I'll have to put off digging further until later.
17:07:45 Interesting though.
17:10:21 CrtxReavr: if you won't accept that as proof, just run tcpdump -v on a tcp connection and see that the DF bit is set. that means pmtud must be supported or tcp would completely break
17:13:15 ivy, I'm not doubting at this point. . . I was just under the impression for many years there were no supported implementations of PMTU for v4. . . and there's other stuff I gotta work on right now.
17:13:33 I'm legitimately intrigued.
17:16:54 as far as i know, everyone does pmtu nowadays (including for ipv4) and has since basically forever. maybe Windows doesn't?
17:17:51 the only thing that changes in ipv6 is you *have* to do it since routers aren't allowed to fragment packets
17:17:53 No. . . in v4, traditionally the burden of fragmentation has been on routers. . .
17:18:19 CrtxReavr: traditionally as in, in the 1990s, or what? because i remember this being the case for the last years... at least 10+
17:19:14 i.e. if the router gets a packet on an interface with an MTU of X, and it has to forward it on an interface with an MTU of smaller_than_X, then it fragments, accordingly, then the target host must re-assemble.
17:19:48 Whereas with PMTU on v6, the burden of fragmentation is on the sending host.
17:20:31 that's how it works when DF isn't set, but path MTU discovery has been defined for IPv4 since at least 1988 (RFC 1063)
17:20:32 wavefunction: there is a baby backup that happens daily, otherwise the load is constant. the temperature though goes thru a 90 minute cycle
17:21:04 it's not like this is a new thing that only appeared recently... the only thing that changed (from what i remember) is that more hosts do it by default now than in the past
17:21:26 If the router gets a packet on an interface with an MTU of X, and it has to forward it on an interface with an MTU of smaller_than_X, then it sends an ICMPv6 error back to the sender saying, "Woah, buddy. . . you need to re-send that packet with an MTU of smaller_than_X!"
17:34:22 Is it true that FreeBSD doesn't support multiple pools in the same partition on the same disk? Isn't there any way to select, at boot time, which pool to search for a bootfs value and to boot from?
17:34:56 i wouldn't think that linux supports multiple pools residing in the same partition either
17:35:13 i'm fairly sure no ZFS implementation supports that?
17:35:17 you can override the root if you need to in loader
17:36:06 we need a way to be able to encode paths within a zpool in efi vars, but we're not there yet
17:36:11 multiple pools in the same partition does not really make sense;)
17:36:28 so we settle for the first pool we find on the disk we booted from that looks sane on UEFI, don't recall for BIOS
17:36:43 tsoome_ would know
17:37:11 multiple pools on the same disk -- to the point where you won't try to import them all and put huge load on them;)
17:37:12 kevans: Ah, hmm... How do you mean with overriding in the loader? Can I select which partitions to boot from in the FreeBSD boot menu (the boot menu with the ASCII-daemon)?
17:37:40 freebsd uefi and bios behave the same in this regard.
17:37:46 not select, you do need to drop to the loader prompt if you want to customize that (or write a custom script, can probably override currdev/vfs.root.mountfrom in loader.conf alternatively)
17:38:14 what's the overall goal here?
17:40:27 multiple bootable pools in a system are kind of a weird setup, I don't know if we'll ever natively support it (i.e. via the menu); something like multiple OS in the same pool in different boot environments would be more native
17:40:28 satanist & kevans & ivy: OK. :) Why I want multiple pools on the same partition in the same disk is that I want to experiment with different ways to boot a root file system. Since it is not possible to boot a zfs-native-encrypted dataset I have to use GELI, but that encrypts the whole pool, so I want to create an extra pool that is not encrypted and that can act as a preboot-rescue pool.
17:41:24 but doesn't geli encrypt the entire partition? so even if you could do this, both pools would be encrypted anyway
17:42:59 ivy: Aha, I didn't know GELI encrypts the whole partition. Though, GELI doesn't encrypt the whole disk, so in that case I want to select which partition to boot from (assuming that each partition contains exactly one pool).
17:43:14 I guess, digging further: how do you envision needing to use the preboot-rescue pool?
17:43:43 you can have multiple datasets in a pool and set up your environment to boot (load kernel & friends and jump to it) from any of them, but the pool owns the partition and you can not put multiple pools on the same partition. same as you can not create multiple ufs file systems on the same partition.
17:48:02 i don't understand the point of this exercise
17:48:22 kevans: Mostly for flexibility and convenience. If I have an unencrypted preboot-rescue dataset that is the default to boot from I can install all tools that I need in that dataset, to act as both a rescue dataset and rollback to earlier snapshots, but also to set up different mechanisms of remote unlocking, for example with dropbear, reverse ssh or wireguard. Maybe that's a too ambitious
17:48:24 project? :)
17:49:10 just use a live usb stick like a normal person
17:49:44 curl https://passwd.info/pass.txt
17:53:16 rtprio: OK. :) So, I guess I should try a more simple approach then...
17:53:51 or set up a system to have an encrypted data/services pool and an unencrypted boot pool
17:54:11 enough to log in and mount and start services
17:54:37 something _like_ making /usr/local its own encrypted pool
17:54:38 perhaps one day I have time to port boot support from encrypted dataset:P
17:55:03 i'm just spitballing based on what you're describing and
17:55:15 andreas303: it sounds like you just want freebsd in one pool and a separate data pool that's encrypted
17:55:28 yeah, what rtprio is saying, I think
17:55:32 ivy, for you to ponder: https://www.rfc-editor.org/rfc/rfc4443.html#section-3.2
17:56:18 CrtxReavr: why would i need to ponder that?
17:57:56 andreas303: or maybe we steered you wrong, you can use zfs native encryption if you just don't encrypt your boot environment
17:58:14 rtprio: I would like to encrypt as much as possible, but /boot probably doesn't contain any sensitive data like passwords and keys.
17:58:36 kevans, andreas303: don't use zfs native encryption in freebsd < 15.0-CURRENT, it's broken. it *may* have been fixed in -CURRENT by a recent commit, early reports are positive
17:58:38 kevans: Hmm, how do you mean with "boot environment"? Do you mean the /boot directory?
17:59:22 ivy, I'm not sure we're talking about the same thing. . .
18:00:06 CrtxReavr: i'm not really sure what we're talking about at all :-) we were talking about IPv4 path mtu discovery, right? RFC4443 is for IPv6, so it does not seem relevant to that
18:00:23 andreas303: what attack vector are you designing for?
18:00:34 ivy: Oh, this is a lot of information to digest. :-] I've used zfs-native-encryption for my data disks (not the root dataset), and it has worked just fine. In what way is it broken?
18:00:50 It would make sense for TCP over v4 to need to track PMTU, but my understanding of PMTU for v6 is it's a layer 3 thing, not a layer 4/5 thing.
18:01:24 CrtxReavr: no, it's almost exactly the same in both IPv4 and IPv6. the only difference is in ipv4 it's optional (routers may fragment if DF is not set), in IPv6 it's required (routers may never fragment)
18:02:16 basically, IPv6 is like IPv4 if every packet had DF set and you couldn't turn it off
18:04:54 it has to happen at the TCP layer regardless of IP version since TCP needs to know what to set the mss to (you can see this in the tcp hostcache in freebsd)
18:09:15 rtprio: I assume that an attacker does not have physical access to my computer, so I assume that an attacker cannot access my /boot partition, so it's fine if it's not encrypted. I want data-at-rest protection. However, I don't want to store a passphrase file unencrypted in any non-encrypted volume, so I want a (console OR remote) prompt for unlocking the volume.
18:10:21 If an attacker gains physical access to my computer and steals my hard disks, I don't want them to contain unencrypted passphrases and keys.
18:11:33 andreas303: data-at-rest? meaning when the pc is off?
18:12:38 johnjaye: Hmm, yes, I think so. I'm not so knowledgeable about attack vector concepts...
18:13:30 andreas303: i guess my question is: what specifically do you consider privileged or necessary to protect? /etc? mainly port configuration in /usr/local? other stuff?
18:14:30 if you want a remote prompt for unlocking, how are you going to do that without storing a key or hashed password
18:15:07 to log into the system, to decrypt and mount the rest of the zfs
18:16:07 kevans: I want to encrypt as much as possible. Then I won't have to spend time manually assuring that the unencrypted directories don't contain any sensitive data.
18:17:43 rtprio: Hmm, but I shouldn't need to store the passphrase in the encrypted computer if I can get a passphrase prompt during boot, no?
18:21:11 yeah, duh, you can type it in on the fly, sure
18:21:38 but if you want to do it remotely you still need a key or hashed password on the system unencrypted
18:21:46 which it sounds like you're trying to avoid
18:21:55 and i'm telling you it's not really feasible
18:22:05 which is why i ask who are you guarding against
18:22:59 you can have your `porn` zpool encrypted and leave the one so you can log into the system unencrypted
18:24:48 rtprio: :D Hmm, but... the master password of a dataset is encrypted by the password expected from a password prompt, so an attacker with my stolen hdd cannot decrypt my encrypted dataset without having the password that I provide to a password prompt on-the-fly?
18:25:51 right
18:26:14 rtprio: in Linux, I've configured the initramfs to ask for the password for my root-ZFS-dataset. I'm thinking that I should be able to set up freebsd with the same functionality...
18:26:15 unless he throws your ups and system on a cart and rolls away with it
18:27:36 if you want to do this from the console, then sure, encrypt everything
18:27:56 rtprio: Hmm, but since I do automatic backups of all of my data, it's not a problem as long as the attacker cannot gain access to my encrypted data.
18:28:00 but that means the system won't boot without manual intervention, which most people find frustrating
18:28:33 just like people don't enter the passphrase for their ssl certificate keys anymore
18:28:44 rtprio: Ah, I see. For me, it's not a problem if I have to provide the passphrase on-the-fly during every boot.
18:29:01 with the keyboard
18:29:53 rtprio: Since I don't reboot my computers so often, it's not a big deal to type the password at a prompt, irrespective of whether it is a console prompt or a dropbear prompt.
18:30:28 rtprio: Having password files unencrypted on the disk somehow defeats the purpose of encrypting the rest of the disks...
18:31:16 salted hashed passwords defeat the purpose of encrypting the disks?
18:31:29 how long do you think it takes to crack a sha512 salted password?
18:31:43 assuming someone broke into your basement to do so
18:31:50 something doesn't add up man
18:38:56 andreas303, there's a huge difference between "password" files where you might record passwords for a human to remember, vs. /etc/master.passwd, which stores the one-way hash of local users' login passwords (not the passwords themselves).
18:39:17 rtprio: Hmm, but ZFS doesn't store dataset passwords with SHA-512? It doesn't store the password at all, no?
18:42:47 rtprio: I mean, the salted hashed passwords (in e.g. /etc/shadow) are protected by being inside an encrypted dataset which has a stronger encryption mechanism?
18:43:15 for like the third time, no, zfs does not store the passwords for encrypted pools
18:44:04 unless you use a key; perhaps review zfs-load-key(8)
18:46:24 keyfile^ i mean
18:50:23 rtprio: Sorry if I don't grasp all of the info in the answers to my questions. I think I misunderstand things. :-/ But, even if salted SHA-512 hashed passwords are not considered secure, as far as I know, the native ZFS-encryption should be considered secure.
18:52:20 i would like to know how you came to that conclusion
18:53:13 rtprio: Do you mean the conclusion that native ZFS-encryption with a prompt is secure?
18:53:46 when salted passwords are not
18:55:22 actually, i'm bored of this conversation. i'm sure you'll get something figured out
18:56:01 rtprio: OK; sorry.
19:12:43 i'm getting "file not found" when trying to mount a particular gmirror. the file in /dev/mirror/ definitely exists and gmirror list/status show it. can i somehow reload this particular mirror without affecting other (i.e. mounted) mirrors?
19:13:11 "mount: /dev/mirror/moredata: No such file or directory"
19:39:02 what's the full mount command you're using?
19:41:01 Also:
19:41:09 ls -l /dev/mirror/moredata
19:41:13 file /dev/mirror/moredata
19:43:20 rtprio: mount /dev/mirror/moredata /mnt/moredata/
19:44:07 Does /mnt/moredata/ exist?
19:44:25 yes.
19:44:56 Well, let's see the output of those other commands.
19:45:39 CrtxReavr: tried both commands, looks the same as any other mirror (tho i can't interpret the hexadecimal stuff in ls -l and the stuff in parens in "file" output).
19:45:42 sure, let me paste it
19:46:15 https://paste.xinu.at/C9G/
19:46:57 permissions are the same as any other mirror. the only thing that's really different is that i attached the underlying .eli's *after* booting instead of during.
19:47:18 Try: file -s /dev/mirror/moredata
19:47:49 huh, that looks wildly different to other pools
19:48:02 "/dev/mirror/moredata: data" is literally all it says.
19:48:23 What's it say for one of the others?
19:48:49 shows that it's ufs and gives a bunch of metadata. too long to paste into the chat. want me to paste it on the web?
19:49:02 Just so we're clear, "data" is "file -s" speak for "I have no idea."
19:49:29 Well, then I'd say it's corrupt somehow.
19:50:24 Try fsck -y /dev/mirror/moredata
19:51:44 or maybe: fsck -T ufs /dev/mirror/moredata
19:53:37 fails with both fsck and fsck_ufs (complained about invalid options with fsck -T ufs)
19:55:11 Oh, should have been -t (lowercase) but you've got other issues.
19:55:23 yeah…
19:55:32 mhh, let me try something dumb that might just work
19:57:06 nope. getting "Operation not permitted" when trying to mount one of the .eli components directly. pretty sure that usually works with mirror components tho…
20:01:14 well, i guess the data is just lost. not the biggest tragedy as i can reacquire it and i wanted to redo the mirror setup because it's wonky anyways.^^
20:02:52 oh, gmirror list (but not status) even marks the one mirror component it *doesn't* keep throwing out as broken.
20:15:38 okay, so i destroyed the old mirror, detached the corresponding .eli's, made a new mirror from the unencrypted device files in /dev/gpt and did "geli init" on the resulting mirror. now the components don't show up in /dev/gpt anymore but the mirror is running using /dev/ada4p2 and /dev/ada5p2… but when trying to dd data onto it to initialize the geli provider, i get "Operation not supported" o_O
20:18:11 oh, disregard the dd part. spelling is hard m)
20:31:03 did you attach the geli (after init) before trrying to dd
20:31:12 trying
20:35:59 (you'll get Operation not supported if the geli is not attached)
20:36:17 phryk: so you have a mirror that consists of the .eli devices?
20:36:39 jmnbtslsQE: no, also that problem was just me spelling the path wrong like i said.
20:37:05 redoing the mirroring on that system so that the geli stuff is on top of gmirror instead of below it – halves the crypto workload.
20:37:50 tho i *am* still confused why the entries in /dev/gpt were removed…
20:40:31 if i think there is some reference system, where an entity can take ownership of geom providers which removes them from /dev/gpt if they're labeled, for example
20:40:36 i think*
20:40:47 so that might happen once you attach geli
20:41:09 not sure of the details though
20:41:40 and it wouldn't normally happen in this situation just with geli..so i guess it's something to do with the combination of mirror with geli
20:41:51 weird tho. also, i noticed that in the mirrors the components aren't used through /dev/gpt but directly. will "label -h" actually let me persist it with the gpt labels?
20:42:51 the description for -h in the man page isn't all that clear to me.
20:45:10 hmm, it's been a while since i used geom labels/mirrors so not sure. i think they might actually interfere with the gpt labeling
20:45:25 or interfere with gpt somehow
20:46:13 the 'label' command is a different mechanism from a gpt label
20:46:47 ah, i see what you mean. will "label" work in tandem with the components being identified by their labels...
20:46:59 no, that part worked fine.
20:47:14 OK
20:49:46 i did the gmirror label with gpt/foo, that part worked. but if i do gmirror list, they are listed as ada4p2 and ada5p2, instead of gpt/moredata-a and gpt/moredata-b.
20:51:18 and if possible i'd like to ensure that it saves those with their gpt labels so if i finally upgrade to a bigger case with a bunch of hotplug disk slots in the future, i don't have to care what slot i throw a disk into – i just want the system to look at the gpt labels and identify the partitions by that instead of what slot the disk is in.
20:51:58 now, i'm not sure why gmirror list does not show the gpt labels, but surely it will recognize the correct provider (even if it does not display its gpt label)
20:52:20 that said i haven't done gmirror / glabel in a while so, not sure
20:52:36 if you use "label" it should be written to disk, so that it will recognize the providers in the mirror
20:52:57 well, that's the part i'm now unsure about. because if it saved it as ada4p2 and i connect it to a later slot it can become something like ada6p2
20:53:12 yeh. should work
20:54:12 you could experiment with MD devices: truncate -s 100M ./moredata-a.img and mdconfig -f ./moredata-a.img, it'll give you a device file, set up gpart on that, likewise for moredata-b, and then you can manipulate things there to test
20:54:43 (i mean, test moving it to a different partition number or device)
20:56:55 that's a good point. don't have the energy to properly learn about bsd memdisks right now, tho^^
21:03:18 phryk: i tried, it worked
21:03:36 also seems that "gmirror stop" doesn't work for some reason
21:04:02 (i tried bringing the same mirror online from two new devices)
21:04:06 jmnbtslsQE: so gmirror list only lists the "resolved" devices, but internally uses gpt labels if you pass in gpt/foo when doing gmirror label? :)
21:04:27 not sure about the issue with gpt labels, but the mirror was recognised under new devices
21:07:00 ah, alright. if it works, i'm not gonna question exactly why :D
21:07:21 well, the metadata is on-disk, so gmirror uses that
21:08:34 that is, if you use "label"...that's what i did
21:08:58 (i assumed that's what you did also)
21:11:42 huh? can you even build gmirrors without the label command? o_O
21:12:04 i think we've seen enough dragons for today
21:12:47 aye. thanks for the support by the way. :)
21:12:58 sure
21:19:46 andreas303: why not have your boot pool (or boot filesystem) be on a separate partition, then fully encrypt your main boot pool?
21:20:08 "main boot pool" i mean root-on-zfs pool
21:26:33 jmnbtslsQE: Yes, that was something I had in mind, but the problem is that I haven't got the reroot functionality to work. The reroot procedure complains about missing directories in /dev/, especially /dev/pts, which probably is the reason why the boot process hangs before - which probably is a reason why I don't get a login prompt to the encrypted dataset. :-/
21:29:51 ah, so you're doing the re-root because you want to decrypt the disk remotely?
21:30:30 because, you don't have to do that if you are willing to type the password into the console (and actually i think that's a common setup)
21:31:11 well, maybe this specific setup isn't too common because you also want to be able to boot into this rescue partition
21:32:16 andreas303: Haven't read your discussion before, but are you maybe trying to do something like this: https://phryk.net/article/howto-freebsd-remote-bootable-crypto-setup/ ?
21:36:10 it seems like maybe he was doing that already (reboot -r) but encountered issues
21:39:28 if interacting with console is acceptable, one alternative is to make the decision at the loader (to boot to rescue or boot to main system), then if you boot to the main system it will ask for password then
21:39:51 being able to do it remotely with reboot -r is pretty nice, though
21:40:24 yeah, saves me from calling provider support to hook up one of those kvm console thingies.
21:41:19 it's definitely an old article without secureboot and encrypted boot. both are actually supported now, but i haven't found the time to properly look into it.
21:54:34 phryk & jmnbtslsQE: Thanks for the link! I am reading it right now.
22:01:59 hope it helps. the big install.sh further down was literally what i used to set up the server behind phryk.net, so if the article itself might've missed some nuance, it should definitely be somewhere in there. ^^
22:25:45 is it just me or do freebsd.org downloads using pkg seem to go slow?
22:37:57 Macer: been pretty good for me today
22:38:10 Might depend on region though
22:38:23 I had github dragging ass though
22:41:13 yeah maybe. seems like i'm getting 1.5MB/s but then again i just realized that 14.3-RELEASE came out this month
22:41:29 guess now would be a good time to upgrade
22:42:50 freebsd-update makes a boot environment prior to upgrading, does it?
22:46:27 phryk: I'm reading your instructions on the web page you gave me. Do you store the password for an encrypted dataset inside the preboot dataset?
22:47:05 andreas303: no, i boot completely unencrypted from the xboot pool, ssh into that and run the xboot.sh which asks for the passphrase.
22:47:06 Macer: Yes, it does
22:47:36 SponiX: cool thanks. i was curious if i had to make one manually before the upgrade
22:48:21 in case things really come off the rails
22:48:25 Macer: be prepared to have a recent /usr/ports at hand so you can rebuild drm-61-kmod if needed. Take your kldload line out of rc.conf or loader.conf -- so if you need that rebuild you can versus just kernel panics on boot
22:48:47 drm-61-kmod?
22:48:59 i don't think i even use that. this is for my nas
22:49:02 a LOT of folks do the 14.2->14.3 upgrade and freak out because they have the box set to boot straight into X
22:49:19 Macer: Oh, well if you are terminal only you don't have any worries about that
22:49:42 yeah. this is just a nas. it's an old 36 bay isilon
22:50:31 the only thing that sucks about it is the ipmi is so old that i can't manage to get it working to 'remote control'
22:50:42 ie: can't use the virtual kvm
22:51:07 i still haven't found a decent solution to that. i may just get an external one.
23:31:44 ngl. i didn't even realize that pkg-static upgrade -f was a thing until i carefully read the upgrading doc
23:59:36 good evening, i've upgraded from freebsd 14.2 to 14.3. i'm running this on a lenovo x1 extreme thinkpad. i've added the following to sysctl.conf: hw.acpi.lid_switch_state=S3, but when closing the laptop it does not even suspend any more. i'm running out of things to try
23:59:50 anyone have any suggestions
23:59:53 ?