00:35:07 voy4g3r2: The joke is I don't like fonts with ligatures.
00:42:50 You never know when typing in hieroglyphs will be required.
01:59:44 nullfs looks like just a symlink, but i'm sure i'm wrong so how pls?
02:14:07 kerneldove: it is _similar_ to a symlink. There are use cases where a symlink wouldn't work, like creating a jail and sharing a host path into the jail.
02:14:36 so it's like symlink + fs emulation in a way
02:15:25 does it pass through quota stuff? like if i root a nullfs in a dir on the host system and it has a quota limiting it to 1GB, will inside the jail see that as a 1GB disk?
02:15:26 realpath on a symlink'd path will resolve to the full path while a nullfs mount won't, which has uses
02:15:28 disk/fs
02:15:58 a UFS fs?
02:16:08 *shrug*
02:17:04 I expect quotas to still be enforced but I don't know that it could be seen and it probably depends on other things
02:17:04 voy4g3r2, how'd you get sound to work through rdp? using xrdp or?
02:17:15 hm ok
02:31:52 kerneldove: I have sound working with xrdp.
02:32:14 how?
02:39:58 in https://docs.freebsd.org/en/books/handbook/jails/#creating-thin-jail-openzfs-snapshots it says `# tar -xf /usr/local/jails/media/14.2-RELEASE-base.txz -C /usr/local/jails/templates/14.2-RELEASE --unlink` but what's --unlink needed for? i read its doc in man tar but still don't get it
02:41:03 kerneldove: I installed audio/pulseaudio-module-xrdp
02:42:23 on host or vm?
02:46:17 kerneldove: VM
02:46:31 ek any config required or just install pkg?
02:51:45 Just install the package.
02:51:54 man that's cool
02:59:16 Yep. I rarely use it, but last I did it seemed to work pretty solidly.
03:00:23 Apparently, there's a Pipewire xrdp module as well (audio/pipewire-module-xrdp). I haven't used this one, though.
03:01:34 kerneldove: i installed the pulseaudio module
03:01:44 sorry for delay..
was at the black crowes concert
03:01:57 and it just "worked" unlike the linux-browser-installer
03:36:39 im experimenting with the most minimal thin jail i can make to learn how stuff works. i have ip4 set to inherit and now i can resolve domains to ip, but how? i didn't make an /etc/resolv.conf yet
03:59:26 your jail keeps the host's /etc/resolv.conf
04:05:53 that's empty tho
04:06:27 i verify that with sudo jexec -l test vi /etc/resolv.conf
04:08:06 jail conf has host.hostname, path, exec.clean, exec.consolelog, exec.start, exec.stop, ip4 (inherit), mount.devfs (zfs vol)
04:08:39 untar'd base into it. didn't even set timezone because it defaults to host (UTC)
04:09:12 so how tf can the jail resolve domains? sudo jexec -l test host www.freebsd.org
09:25:57 anyone know?
09:40:05 without an /etc/resolv.conf (inside the jail) the stub resolver will attempt to query 127.0.0.1 (the ipv4 loopback)
09:40:31 so dns will only work if you have a local dns resolver bound to the loopback address
09:41:10 ah it 'inherits' the host system, just like tz. ty!
09:41:34 the ip4=inherit setting makes the jail inherit the host network stack
09:41:50 i would recommend adding ip6=inherit as well for IPv6
09:42:20 even if the host system doesn't have ipv6 setup or used?
09:42:46 yes, because it's not really disabled it's just not configured by default
09:43:00 ok i'll add that ty
09:43:30 so a jail can have several different basic networking configuration types
09:45:35 a jail can have its network access disabled, inherit the host network access (minus raw and bpf sockets), or be restricted to a subset of the host ip addresses (called alias networking because the ip addresses given to the jail are normally aliases)
09:46:01 or the jail can have its own network stack, called vnet jails or VIMAGE after the kernel configuration option to enable it
09:47:19 the easiest to use is ip4=inherit and ip6=inherit
09:47:45 then there's also netgraph networking right?
09:47:55 netgraph is its own thing
09:48:17 it can be combined with jails but it's not directly tied into jails
09:49:42 if you use inherited networking for jails the network services must be configured not to clash (don't bind tcp port 22 on the any address for ssh)
09:50:44 the traditional way to do sane secure jail deployments is alias jails
09:51:09 you configure the host to explicitly bind only on addresses not exposed to the jails
09:51:29 e.g. don't bind services like ssh and syslog to the any address on the host
09:51:54 then you add alias ips to your network interface (with /32 or /128 prefix length)
09:52:13 and allow the jail to use these alias ips
09:52:43 you need a /etc/resolv.conf inside the jail for dns to work
09:54:13 if you want to you can copy with an exec.created = "cat /etc/resolv.conf | jexec $name dd of=/etc/resolv.conf";
09:55:07 i wouldn't recommend just using cp because in theory the jail could contain a dangerous symlink that the hook running on the host would follow, overwriting a file outside of the jail root
09:57:27 or if your network is static (enough) you can copy the resolv.conf once during jail creation out of trusted sources
10:01:57 ok that's really cool, giving an ip to the host but reserving aliases for jails. iirc that's covered in the chapter on jails but it's not explicit. https://docs.freebsd.org/en/books/handbook/jails/#jails-networking ya it's not. imho that would be a great addition. host network + ip aliases
10:02:25 i'll use inherit host networking when the box only has 1 ip, and ip alias host networking when it has >1 ip
10:02:42 tyvm crest really helpful
10:06:20 with alias jails, can the jail bind to any port even tho it's not using its own net stack, because it has its own ip?
10:29:11 yes
10:30:07 you can bind ports < 1024 as long as you're root inside the jail or if the mac_portacl(4) kernel module has been loaded and configured
10:30:35 e.g.
to allow ntpd to bind port 123 without starting as root
10:30:53 or keeping a process running as root around to bind new sockets
10:55:12 how can i see everything running in a jail? just jexec -l test ps -aux? i know i can't use service -e because that's not necessarily all that's running
11:27:03 do i have thin jail user mgmt right? host system gets user added to it for each jail. then to manage jail, user ssh into host and somehow has access to jail's files?
12:52:39 on my thick jails where jail runs sshd and has its own user that i ssh into and manage files, how do i do that with thin jails? ssh user for jail host, but user ssh in then how manages files? files are in /var/jail/jails/test but how do i bridge the divide?
12:53:52 i guess for thin jails it might be ok to have less jail isolation, and use 1 host ssh user to manage files of all thin jails?
13:11:01 pgrep can filter by jail
13:31:49 ok and what's the right way to create users for thin jails and allow them to manage the jail? (its files mostly but also service(s))
13:47:33 I would think you would use adduser(8) inside the thin jail to add the users you want in the jail
13:49:25 but what good is that? do you ssh into that?
13:49:46 ssh/sftp is how i transfer app files into servers and it's always through a user account
13:52:37 Maybe I'm misunderstanding what you're asking for. You want users inside the thin jail who can then manage the jail? Or you want users on the host that can manage the thin jails from the host?
13:53:25 My needs are different and I don't ssh into the jails at the moment.
13:54:01 that's what i'm asking. like i said, my thick jail model is simple: jails have their own vnet, their own ip, run their own sshd, have their own internal jail user that you ssh into to transfer files into the jail and manage the service. but thin jails, using host networking, i'm not sure how to transfer files into jail
13:55:30 you can use thin jails with vnet and their own ip, run sshd inside and so on.
13:56:21 ah ok i'll say it another way. with inherit networking jails, how to handle transferring files into them and managing them?
13:56:39 inherit networking meaning jail shares host's net stack, ip, and sshd only runs on host
13:56:54 you could also use nullfs mounts inside the thinjail, then you can "transfer" the files by just sftp/scp/ssh to the right location on the host, no need to be inside the jail
13:58:04 ok so i ssh into either 1 user on jail host, or 1 user per jail. regardless, i'm connecting to user on jail host. then what, i have a dir from within that user account that's mapped into the jail or?
13:58:42 with inherited networking, based on my limited knowledge, nullfs mounts seem to be the best way to transfer files to the thinjail. I use that right now for my web service.
14:00:38 do you run zfs on jail host and in the jail?
14:00:40 kerneldove: yes. I have /usr/local/www mounted inside the thinjail as a nullfs mount. All my users on the jail host write to /usr/local/www which is available to the web server running inside the jail. No one needs to ssh into the jail at all. Don't need to do user management or have duplicates of files, etc.
14:00:56 kerneldove: yes, I use ZFS.
14:01:09 I don't have any other filesystem being used on my system.
14:01:40 ok sounds like what i want. do you put jails in /var/jail or what's your jail base dir
14:02:42 I put them in /usr/local/jail but I have /jail and /usr/jail symlinked to /usr/local/jail so if I'm copying and pasting in commands, they'll still work :-)
14:03:04 I followed the Handbook chapter on Jails and set things up accordingly.
14:03:40 mind if i ask what your config is to set up the nullfs map from /usr/local/www into the /usr/local/jail/... dir?
14:06:24 kerneldove: https://docs.freebsd.org/en/books/handbook/jails/#thin-jail section 17.5.2, at the end has the config that I based mine from
14:08:04 that section talks about "skeleton" but wtf is that?
it's not explained
14:08:16 i already have the zfs dirs made like media, templates, jails
14:09:16 What you are interested in is the mount.fstab entry that is there in the config file and the fstab file shown after the jail.conf file at the end of the section.
14:10:43 I haven't done the skeleton setup. I'll get to that at some point, but don't need it at the moment. Right now, just using simple thin jails with nullfs and ZFS
14:13:16 good to know. that skeleton stuff should be broken out into its own section it makes nullfs setup look like a messy pain
14:13:28 should be in a 'best practices' kinda section or smth dunno
14:14:22 Maybe
14:14:36 all the fstab stuff uses /usr/local/jails/ so i can't make out what's what side of the mapping
14:15:37 kerneldove: you should use jailed = on for the dataset and use exec.created = zfs jail ... in jail.conf
14:16:01 then you can manage the dataset in the jail
14:16:38 what's the benefit to that?
14:17:12 well, you asked for "user to manage zfs in the jail ..?"
14:17:24 files
14:17:29 ah
14:17:39 that's the nullfs stuff im trying to figure out
14:17:58 2 pages down from https://docs.freebsd.org/en/books/handbook/jails/#creating-thin-jail-nullfs
14:18:09 yeah, I'm using plenty of nullfs mounts at $work
14:18:15 kerneldove: the first entry is the filepath on the host, the second is the jail path from the perspective of the host
14:19:06 so path = "/usr/local/jails/${name}-nullfs-base"; says that's where the jail fs is based? what's the .fstab file there saying? i can't make it out
14:19:19 I suggest to avoid creating jails with nullfs-based mounts
14:19:44 why?
14:20:05 if you have dozens of jails it's a hell to maintain
14:20:23 ok so then how do i manage the files and services inside each jail?
14:20:26 (just my humble opinion)
14:21:09 I'm managing everything in Saltstack
14:21:28 ok but what's the actual layout of the freebsd system
14:21:33 kerneldove: path says that is where the jail is located.
The mount.fstab entry points to where the fstab file is that will be used to process the nullfs mounts.
14:22:27 the .fstab file is shown right below the jail.conf file
14:22:48 the best way to have something maintainable is to create a separate data partition for each jail and a reproducible installation with a CMS like Ansible or Saltstack
14:23:07 ya, i see it, i just can't decipher it and especially in the context of this infinite sequence of base dir, template dir, skeleton dir, then fstabs referencing all those
14:23:11 fucking convoluted
14:24:06 IMHO thick jails > thin jails, especially with ZFS
14:24:50 why
14:25:15 because of independence and isolation
14:25:46 ya well i got a working thick jail setup. i'm trying now to figure out thin jails
14:25:54 mage: if you have several jails, aren't thin jails easier to manage and maintain than thick jails?
14:25:56 i think they can have a purpose
14:27:11 mns: yes if you don't use a CMS, but with a CMS it's about the same
14:28:23 especially with a separate data-like partition
14:28:33 kerneldove: the handbook has the information you need, you don't have to use the example as given, you can fine tune it the way you want. to keep it simple, all you need is the mount.fstab entry in your jail.conf and then provide the fstab file in the location you specify for the mount.fstab entry.
14:29:06 (that's my point of view and years of experience with FreeBSD and many jails at $work)
14:29:10 mage: even when you have a single host at home with a few jails?
14:29:33 of course not :)
14:29:47 mns well ya but i'm wondering, why even both using the nullfs map instead of managing files directly through the jail's dir?
14:29:49 mine is more limited experience and at $home.
14:30:13 kerneldove: both?
14:30:22 like why bother with /usr/local/jails/thinjail-nullfs-base/skeleton when it just maps directly to /usr/local/jails/containers/thinjail ?
14:30:28 bother*
14:30:59 Why is freebsd "Free" if it has built-in "jails"?
14:31:42 the nullfs mounts are for you to "transfer" files into your jail. skeleton is more about how to setup the jail
14:31:55 having jails does not make anyone closed;)
14:31:58 like are you saying change fstab to "/usr/local/jails/containers/thinjail /home/jailadmin/jailroot nullfs rw 0 0"? then use jailadmin user to sftp files into the jail?
14:33:11 also, now that PKGBASE will soon be the default upgrade path (I hope) it would be even faster to update thick jails and not bother with freebsd-update
14:33:49 as freebsd-update is painfully slow with many jails
14:36:05 kerneldove: "/usr/local/fubar /usr/local/jails/webserver/opt/fubar nullfs rw 0 0" will mount the host's /usr/local/fubar directory inside the jail called "webserver" at its /opt/fubar directory. Users can put files in /usr/local/fubar and they will show up in /opt/fubar inside the jail. No one has to ssh/scp/sftp into the jail.
14:37:39 the mount.fstab entry uses a standard fstab file format, nothing specialised about it.
14:37:57 even if the jail is running, as soon as user on host makes file changes at /usr/local/fubar, from within the jail's perspective the changes at /opt/fubar reflect that?
14:38:09 yes
14:38:32 has anybody been able to escape from a "jail"?
14:38:45 <[tj]> yes
14:38:55 so why not have host users directly modify files via /usr/local/jails/webserver/ ?
14:38:58 scottpedia: there are CVEs for jails, so that would count as escaping, yes?
14:39:15 okay yes I think that counts
14:39:18 kerneldove: that would mean giving them root access, which I'm sure you don't want to do
14:39:50 ahh ok so the nullfs mapping gives you an entity that limited privs can be bound to
14:39:55 that makes sense
14:40:38 it's a permissions pinhole
14:40:46 has anybody here ever spent time in a "jail"?
14:40:51 /usr/local/jails/webserver also has etc/ usr/ var/ boot/ dev/ lib/ libexec/ etc. underneath it, and you wouldn't want anyone modifying those files.
14:42:16 mage: how do you find saltstack compared to ansible, since you've used both
14:42:36 I've not used Ansible, only Saltstack
14:45:52 and I think that if I had to do it again I would probably have chosen Ansible
14:46:36 oh, why?
14:46:54 ya why lol
14:48:15 Saltstack has bugs and the code of some modules/states is really dirty
14:49:00 same with ansible
14:49:06 and, when you have many jails, running a salt-minion in each of them consumes some CPU
14:50:01 kerneldove: really?
14:50:14 ya i've run into a few over the years
14:50:56 The problem with Saltstack is that they've been bought by VMware, now owned by Broadcom
14:51:14 ouch
14:51:42 development stalled for several months
14:52:39 broadcom is the more serious bug
14:53:37 haahaa I still have broadcom shudders from 20+ years ago....
14:54:10 and if we know anything about a configuration management company getting bought out... it's not great
14:54:28 hmm so seems like the package to install is py311-ansible to get ansible running. Will be a good learning experience, even if everything is on the same host :-)
14:55:38 rtprio: that depends on the company doing the buying. Ansible -> RedHat -> IBM vs Saltstack -> VMware -> Broadcom vs Puppet -> Perforce
14:57:54 I'll have to look at how to use Ansible to manage jails, will be a good way to learn ansible which we're moving to at work.
14:59:02 I've written a formula for Saltstack if you are interested https://github.com/silenius/jails-formula
15:01:58 Nice, I'll take a look at it
15:02:02 Thanks mage
15:04:02 mns: If you get into Ansible, you can also think about running your own git instance of some sort (Gitea here) and then driving Ansible with Gitea Actions, or the equivalent for whichever you choose.
15:05:41 "Your own git" to .... run post-receive hooks?
15:06:36 wavefunction: Specifically Actions, but essentially.
15:07:08 I haven't done enough with commit hooks in git to know just what the difference would be.
I was a Subversion user up until a couple years ago.
15:08:56 But an example... I want to change something in my local DNS, so I make the change in my local check-out, commit, push, and my Gitea server then communicates with the appropriate Action Runner which pulls the appropriate repo(s) and runs ansible-playbook as needed, updating zone or config files and running the appropriate commands.
15:20:52 mns: well perforce totally pissed on the puppet community
15:22:50 I feel like Red Hat has done okay with Ansible. There's stuff that's been open-sourced that wasn't previously.
15:23:34 Like, https://github.com/ansible/awx for instance. That was proprietary before the acquisition, if I'm not mistaken.
15:32:02 mason: https://git-scm.com/docs/githooks the post-receive hook runs server-side after receiving a push
15:32:43 wavefunction: Cool, thank you.
15:33:30 (I get worried when complicated, third-party solutions are promoted when the native solution does the job, especially at smaller scales) :)
15:33:41 wavefunction: Understood and agreed.
15:37:05 wavefunction: On the other end, lately I've been managing some web stuff with bare denyCurrentBranch = updateInstead
15:39:51 mason: That is one of the goals, to set up a local git instance and use that. But that will be later, since I just have a single mini-pc running FreeBSD. I'll need to get some network storage first, then can work on setting up a few services I want.
15:40:36 rtprio: I totally agree, perforce messed up a bunch of their acquisitions.
15:40:46 damn the heimdal to mit kerberos migration causes a lot of fallout right now *sigh*
15:40:59 (only relevant if you're following -current)
15:41:23 crest: What's happening?
15:41:55 well libcurl doesn't work because the kerberos libs in base changed their name
15:42:11 Ooh, that's a bit more dramatic than canonicalization issues.
15:42:21 But more easily fixed.
15:42:23 which means a lot of stuff is unhappy unless you go over the flag date in one step
15:42:55 but the package base repos haven't been updated since 2025-07-21
15:43:21 so ports and base packages for current are right now incompatible
15:43:42 I wonder what the legal situation is that allows this change now.
15:44:00 Is MIT Kerberos no longer export controlled or something?
15:44:06 mason: hasn't been for years
15:44:10 beacuse the crypto wars of the 1990s are over
15:44:13 *because
15:44:32 our base system heimdal has been very out of date
15:44:48 also it's still broken in main because of the libgss thing, D51601 is supposed to fix that
15:44:55 the real mess is that kerberos and openssl have to either both be from base or from ports
15:44:58 D51661 i mean
15:45:11 is that the story where some dude took a plane to sweden just to re-write the code so it's not export controlled and then flew back home?
15:45:16 because kerberos (doesn't matter if MIT or Heimdal) uses ciphers from openssl
15:45:34 which is an unholy mess because PAM and NSS load modules via dlopen
15:46:23 so you can end up with a process that attempts to combine openssl from base and ports in a single process -> processes explode unless the versions happen to be compatible at the moment (by pure chance)
15:48:16 oh and for some reason libutils latest bump wasn't correctly tracked by make update-packages?!?
15:48:59 i'll run make packages and pkg upgrade -yf FreeBSD-base from my own packages
16:04:17 dumbbell: sorry to ping you directly, but is drm-kmod doing okay? far as i can tell on gh, you're the only one who worked on it in the last two months. my current gpu seems to be dying so i'm thinking of getting a 9070 and i'm trying to figure out how long it'd take for drm-kmod>=6.11 to happen.
19:26:47 mzar: possibly relevant to you: https://cgit.freebsd.org/src/commit/?id=7d99569d40510b627f0790c2b9630b5903e926b9
20:18:16 ivy: thank you!