Just a bump to see if my bug report can get anymore attention: bugs.freebsd.org/bugzilla/show_bug.cgi?id=289220

SponiX: Hrm. That's pretty strange. I don't have any clue what would be going on. However, I can attest my E5-2690 v4's work perfectly fine. :(

SponiX: the fact you can get it to boot after powering off from linux seems insane

that makes no sense :)

CPU: Intel(R) Xeon(R) CPU X5670 @ 2.93GHz (2933.51-MHz K8-class CPU) <- my xeons totally crush it :) lol

they're from the before time

hi hi hows it hanging

Hello, RosieMonad.

that's a stupid bug eh SponiX

i'll watch it :)

just too strange

it's crazy eh

ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss

ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

ah, computer eh?

excuse me

cat?

no, did something stupid while moving tha laptop

thought it was a snake

That's on vicious looking snake!

s/on /one /

in migrating to a new machine, in theory, I can just zfs send zroot/home | ssh zfs receive -f zroot/home and it will just replicate everything? that's not a real ssh command, but just for illustrative purposes

usually, i rsync to a local drive on source, move drive to target, rsync again

i'm trying to avoid the 8h rsync to portable drive

could compress it between systems

zfs send pool/dataset@snapshot | zstd -3 | ssh remote-host "zstd -d | zfs receive pool/dataset"

if network is the limiting factor

deimosBSD: As long as you're only trying to copy the /home dataset, that'll work.

it's either usb4 or 25gb fiber network

yeah, i only have enough space for one fs at a time

well, the portable drive only has enough space for one at a time

deimosBSD: I thought you were trying to avoid that?

yes, i am

Then a zfs send/recv from local source to remote target would be best.

25Gbps would be way quicker than USB.

my plan was basically: for fs in (zfs list); do zfs send $fs | ssh new-server "zfs receive -f $fs"; end

in theory, usb4 is 40gbps

Yeah. But, it requires manual intervention and additional possible failure points.

Direct with 25Gbps fiber would be quick.

we'll see

thanks for confirming my thoughts

zfs send|recv could be dangerous

Also, be careful what you zfs send/recv. Unless you're mirroring from one system to another (full zpool/dataset) you could overwrite some important stuff.

it's a new server and i'll put a fresh fbsd install, setup the filesystems the same way

If you're just doing zroot/home or whatever, that should be fine.

yeah

i thought about trying to do the whole pool at once, but zfs seems to really like operating at the individual fs level

i still rsync even when both are zfs and even local

that was my backup plan

portable drive was tertiary plan

yeah rsync can help you here

could also tar|tar

deimosBSD: You can do full pool-to-pool with zfs send/recv. Just gotta setup the partitions the same and boot live on the target.

or with cpdup i found

you can do recursive full send too

:p

deimosBSD: Very simple for both BIOS or UEFI: it-notes.dragas.net/2024/09/16/movi…ng-freebsd-installation-new-host-vm

ketas and his rsync! ;P

this is bare metal, but i see the point

deimosBSD: It works for bare metal or VM. Doesn't matter.

To/From either. It's just partition setup and zpool snapshot send/recv. OS doesn't care what it is.

indeed, thanks

i wanted to do a clean install on the new system, since the source is at least 8 years old

daemon: Yep. Totally doable.

Just send/recv or rsync or whatever you want. I'd do it directly before I did USB, though (if possible).

Less steps.

why age matters

it's not windows

:p

registry isn't getting full

Could be a lot of leftovers from upgrades and such, though. Nothing wrong with starting from scratch. I do it from time-to-time.

ek Macer : Yes, it is a very odd issue. The only way I can for sure boot normally is after a clean boot and "poweroff" from Linux. Even a clean shutdown from FreeBSD normally hangs the system on the next boot

SponiX: Yep. Very, very strange. I've never even heard of that before.

ketas: Yeah, it really doesn't make any sense. Why would a FreeBSD boot up fine after a Linux shutdown, but not do the same with a FreeBSD shutdown?

ek: well, you can see there was a similar issue for someone way back on like FreeBSD 10

I liked to that bug report

I have another X99 system up with an ASRock Motherboard instead of this Asus X99 Sabertooth. I'm debating on seeing if it will boot up consistently. And if so, I might swap my machines around OS wise

SponiX: Yeah. I saw that bug report. You can boot no matter or how you shutdown if you disable HT?

ek: at one point I thought that, and then it started to hang that way also

someone thought it could be memory related. But I swapped in a 128G kit and it still did the same thing

I haven't swapped processors between my systems yet. But that is another thing I plan to try when time permits

SponiX: Did you apply Jordan's patch before reporting the acpidump commands?

I can't tell by the replies. If so, great! Hopefully, they'll get back to you soon. If not, I would certainly suggest doing so.

yeah you can reinstall

and yes such hw bugs do happen

just very rarely

it's totally ridiculous if hw gets into that state

wait, is it cold boot as well?

or that worked?

that said, i don

Neither work.

don't know any specifics about it

machine gets into weird state even after a cold boot?

ketas: From the looks of the PR, yes.

:/

what battery does i wonder :p

it's weird

but then, nothing new eh in this world

Very strange issue.

tho it would be tempting to do what someone i heard did after he found that flow control was to blame why his usb-rs232 didn't work with that particular factory equipment... told that anvil is still intact

:)

Yessir!

SponiX: you don't see any issues at all running linux on it?

more nonprofessional stuff, some dell optiplex sff machines could drain cmos battery while on battery, and hp machines could just lose their internal nic if their battery runs out... those are things you don't even expect in humble desktop

that sounds like a hardware issue. the whole poweroff from linux then working for a little while then stopping on reboot or not booting on a cold boot. it seems rather apples and oranges

Macer: Nope, Fedora Linux runs perfect on it, and so does FreeBSD inside a virt-manager VM from Linux

i had an avoton board go bad and it would constantly reboot if the ipmi nic was connected to a switch lol

but worked just fine without it connected

were you able to connect it later?

no. once it was plugged in it would start rebooting

but yeah that's shot

it was one of those supermicro avoton boards with teh soldering thing

but i'm not sure if the two issues were related.. but it was well past warranty when i even realized that was a thing

which is a shame because it would make for an awesome router board now if it worked. no i'm using some celeron nuc as my router for opnsense

*now

which i guess nowadays is probably better than the avoton heh

my nas is running fbsd and is an ancient isilon that i yanked the jet engines out of and replaced with human hearing fans

i had to put cpu fans in it too since it used the jet engines and only had cpu heatsinks

reminds me how i was offered 48p switch for free, and i declined partially why he got rid of it, only web ui and to configure vlans you needed to click a matrix of checkboxes

:p

that's most of them nowadays

my ubiquity sfp+ switch does that... but i guess it does have ssh if you don't want to do that

yeat but you needed to click individual checkboxes with mouse

yup lol

can't recall if 48*48

that would be one bingo

i have to be picky on my vlans since my router is only 2x1gbit

vlan switch is godsend even home i quickly realized

SponiX: i wonder if linux added a hack

they do and sometimes they do it even worse than hw would require

i hear

but issue is in hw

with periph, one might not get things all up on boot

hw is fun

and i don't even understand all of it

i had to do some tomfoolery to get my old amd A10 5800K using debian .. where it would work find with ubuntu

i guess some amdgpu kernel flags

somehow ubuntu would just boot fine though.. but with debian i HAD to add the flags

Disk IO: 2359.9% read: 1.58GiB/s write: 172MiB/s

well.. i guess i should probably set up a cron job to scrub pools once a month... wonder how necessary that even is

i mean zfs does on the fly chksum checking doesn't it?

Macer, Turn on zfs scrubs in periodic.conf file: sysrc -f /etc/periodic.conf daily_scrub_zfs_enable=YES

It's a builtin capability in FreeBSD base but it does need to be enabled.

rwp: ah ok. thanks.

although making it daily seems a bit overzealous .. especially for the larger pools.. i'm scrubbing one now and it's taking 15 hours

maybe weekly?

gpt/R02-04_Seagate_BarraCuda_Zxxxxxx ONLINE 0 0 1 (repairing)

it did find that though

i want to pin a jail to only using 1 and only 1 core. anyone done that before? i read man.freebsd.org/cgi/man.cgi?query=c…ion=1&manpath=freebsd-release-ports but i still don't get it

i found cpuset.id on man.freebsd.org/cgi/man.cgi?query=j…path=FreeBSD+14.3-RELEASE+and+Ports but that's readonly

kerneldove: you need to set it from the parent / host, and it needs to be enabled first in loader.conf

klarasystems.com/articles/controlli…esource-limits-with-rctl-in-freebsd has a good overview

cpuset isn't on that page dch?

aah ok

so try this `exec.created = "cpuset -l 1 -j ${name}";` in the appropriate jail.conf

or just from the parent with `cpuset -l 1 -j <jid>`

ohhhh putting it in the jail.conf exec.created hook! is that documented anywhere or just expected ppl know that?

erm "just know" ?

most of the jail.conf things like rctl etc would go there

so all processes in the jail inherit it

buuut if you feel like adding an example to jail.conf and/or cpuset pages that would be an awesome contribution

omg that worked dch! i restarted jail then ssh into it, run sudo top, and i see every "C" is 1 now!

so then for next jail if i want to give it only 1 core too, i'd make its exec.created command be cpuset -l 2 -j ${name} ?

Anyone has got FreeBSD booting and working from iPXE and a iSCSI volume? Or what's the best way to create a netboot freebsd installation what will work from iPXE?

in my head, cpuset requires rctl, but apparently that is not the case. it took me a while to find a box where its not enabled...

dch ty for reminding me i need rctl because i wanna limit ram too

sakura1312: I haven't done this but have 2 links gist.github.com/dch/9811e8ac2748d4b7bab875c3e6a74543 & antranigv.am/posts/2024/05/freebsd-vultr-ipxe-root-on-zfs should see you right

dch if i want each jail to have only 1 core, there any way to set it in jail.conf so it's only written once per jail?

right now i have to put the exec.created line in each jail's specific conf :/

IIRC you can just put it in /etc/jail.conf and it will apply to all of them

it won't assign core 1 to every jail?

hmm

so if im doing cpu pinning I'm going to have to have a manual map of jail <> cores, to avoid over-subscription

?

kerneldove: lets say you have 4 cores, 3 jails

you restrict jid 1,2,3 to cores 1,2,3

leaving core 0 entirely free for host, and host can also use all cores freely

now you add a 4th jail, what do you do?

i don't know but that won't happen on this box. i have 64 cores and i'm only creating 20 jails. i need each to have its own 1 core

for 20 jails I would use automation and let ansible or whatever do the math to pin jails->cores

dch: thanks :3

my point is, eventually you need to choose between either

- manually assigning cores & jails in your /etc/jail.conf.d/thing.conf

- using a generic policy to allow each jail to use max 1/64 of cpu resources

I'm not an expert in cpusets but look for policies like ft & rr in the manpage

they should allow you to do that

not having done this personally, I'd probably try first to limit *all* jails to 20/64 specific cores with a cpu-list

and then within that, use pcpu from rctl to constrain them, but not have to make a specific per-jail policy

I'll ask this in our next jails call and see if anybody else actually does this

I'd like to have a jailed bhyve for instance doing this

kerneldove: you could use a (ucl) variable in that command and set that variable for each jail instead, but if that is the only use for the variable it wouldn't save you much

dch nice, pls lemme know what they say

nimaje, ya that's what i was thinking

$cpucore = "1"; in jail1.conf, 2 in jail2.conf...

kerneldove: git.sr.ht/~dch/ansible-jails may be of use

(shameless self-promotion)

ty

hi. does the MAC address persist for tap(4) ? if the freebsd host reboots? Asking here if anyone might know because rebooting the server is non-trivial

Hi

f451: it will persist, unless you change hostuuid

I think I broke my Pulseaudio :P

mzar: hostuuid of the server?

sorry if this is a dumb q

np

heh i seem to have got layer2 filtering working in pf :D

and what is going on with AI

crawl bots

Macer: the periodic script runs daily, but it only checks if scrub is needed. I think that by default it scrubs the pool every 35 days. And iirc this period configurable.

My website got attacked by them this month with +1000,000,000 requests

and the phpbb forum got dead now..

*is

There post out there from years, the last month was just 100 view, and now 363789

My hosting gives free 1TB bandwidth every month, and my website size is just under 50KB.. but now I pay them more for extra one :P

main page is just 2Kb

I also read that Freshports website is also under attack, It will be really really sad if it closed :(

mosaid: isnt there an addon thing for the webserver that quenches ai scrapers

It's used JS

Very heavy really on it

anubis it's in the ports

And my website is for non-js and old machines

f451: anubis, I can bypass it easily, but I don't want to post that trick online; those spammers will surly use it

And that trick will no more work

I use it for my non-js browsing

theres others in ports

AI is pushing the web to use js and other bloated more and more

f451: they relay on other modern stuff

dch: possibly relevant to your interests as you know you have something similar for OCI: reviews.freebsd.org/D52412

ivy: this looks like a fantastic feature

I just gave up on having publicly visible servers when I wasn't able to make pf happy with large tables, even having 64GB of RAM.

we'd definitely want to use this instead of maintaining a manual set of lists

I never found out the magic combination of sysctl flags or values to make it stop complaining.

kwak kwak

Is there any world where "pkg: An error occurred while fetching package: No error" does not poison what remains of my week-end?

I opened bugs.freebsd.org/bugzilla/show_bug.cgi?id=289357

but really it's just depressing

dch: that's what i was thinking :-) but we should see if my list of sets/packages works for you or what we want to change (for example i'm wonderinging if we want a version of "minimal" that doesn't include hardware/networking stuff not needed in jails/containers...)

i actually would have done that already except i'm not sure what to call it

dch: this should also simplify the installer a lot, but since i don't know anything about that i punted it to isaac :-d

ivy: :-)

ivy: I still can't find a good name for everything-except-the-compiler

dango: in pf, what did you have 'set limit table-entries' set to?

by default it's ISTR 65536 but for a few things thats too small. on a busy firewall with huge tables i had mine set to 400000. in /etc/sysctl.conf theres net.pf.request_maxcount=400000

Hecate: whats pkg version ?

pkg -v

f451: It was a while ago so unfortunately I don't remember what things I tried. I might as well try again and ask here with specific questions and error messages if I run into issues again.

for huge tables, you def deed to increase it. i was using blocklists

s/deed/need/g

mosaid: this is the one i was thinking of: www/iocaine - not installed it/tried it though

doesn't appear to be in the tree yet though

Nice

f451: 2.2.2

Macer, +1 what divlamir said. It enables periodic to run /etc/periodic/daily/800.scrub-zfs daily but the zfs scrub runs every daily_scrub_zfs_default_threshold="35" days. You can read about periodic in the Handbook: docs.freebsd.org/en/books/handbook/config/#cron-periodic

Hecate: hmm. ive seen this in a poudriere context but not youre exact one. hte problem went away after replacing my poudriere-devel with github.com/dsh2dsh/poudriere.git. But poudriere-dsh2dsh is in the ports tree now

rwp: yeah i'll have to look at that.. i haven't ran it in months :)

but again i'm still curious if scrub does things the on the fly chksum doesn't do

so for instance i have a drive with a chksum error using scrub that i didn't see prior to scrub. so if it tried to access the data wouldn't the chksum come up and be corrected?

If you only have ONE device and it fails a checksum then that data is lost. If you have REDUNDANT devices then the redundant storage with correct checksums will be used and the blocks with failing checksums will be "healed".

Macer: normal disk access will repair checksum errors, the purpose of scrub is to detect checksum errors in infrequently-accessed files. that avoids, say, both copies of a data block on a mirror going bad without anyone noticing

yeah. i was disconnected from libera :/ i mean tto say raidz2

is that possible?

well.. i guess for sure it is. heh

well, it also avoids say, a block going bad on one side of a mirror, then the other side of the mirror failing completely, then you replace the disk but you can't recover the data

i guess it makes more sense using it for mirros or maybe even raidz1 but when you have raidz2/3 then don't you already have 2 disks of redundant data to chksum during normal operations?

along with plenty of other bitrot situations which definitely happen in real life

ah ok

ok. that makes a lot more sense. i always just looked at it as zfs will fix everything on the fly. but the mirroring example is probably the best one with regard to scrubbing.

it can also matter for raidz2, let's say you have a failing cable or controller that causes some proportion of newly written data to be corrupted, eventually, you'll corrupt all redundant data of the same block

i guss you want to make sure that data is repaired prior to the 2nd disk dying

and you might not notice that if you aren't reading the data that often after writing it (think archive, logs, backups...)

it's true that the chance of scrub avoid data loss goes down as redundant increases, but it's always still helpful, i would never not scrub zfs pools

s/redundant/redundancy

yeah it sounds like it's the thing to do

i'll set it up when i have a chance today and just let it do its thing once a week or something

the default of every 35 days is probably fine, especially on raidz2. although it doesn't hurt to run it more often if you want

one of my pools takes 12 hours to scrub though

speaking which.. that's about to finish. and it did find 1 bad chksum on a disk

12K repaired, 93.33% done, 00:50:50 to go

smartmontools is your friend ;)

i've been slowly but surely replacing cheap barracudas i bought years ago ... i think i'm down to 6 of 12 of them lol

ah. i guess 7 of them left. 5 died so far. although i think that may have been due to heat which was sort of my fault.

8x4tb seagate constellations in raidz2 here

scrub can take 6-12 hrs. frequency is 7 days

meanwhile... my hgst drives...

9 Power_On_Hours 0x0012 087 087 000 Old_age Always - 91024

those things are such troopers

yeah? not used those before

too bad WD owns them now :(

it's like when oracle bought sun

ive not had good experiences with wd either

anyone played with the podman work from dch et al? I feel like I'm doing something wrong in my pf.conf, because when I'm trying to use it the jails can't successfully make outbound network calls

josephholsten: heya, try it in a minimal pf.conf, with `block log ..` everywhere, run `service pflog onestart`, and see what `tcp -vvveni pflog0` tells you is blocking it

dch: I'm just using the minimal nat pf from /usr/local/etc/containers/pf.conf.sample and vtnet0, pastebin.com/gWHWkfDP

I'd like to find some time to play with podman on FreeBSD too, this autumn..

Tables should be declared after the macros, non ?

It doesn't have any blocks, so tcpdumping the pflog isn't helping. But I hadn't tried just tcpdumping the whole vtnet, lets see

I thought order of statements matter

Ah, I am wrong: "With the exception of macros and tables: says the man page

f451: in my case I think I'm just shit out of luck because pkg does not want to reveal its secrets

hrm, I'm seeing domain packets, but not what I'd expect. I wonder if the podman jail doesn't have a sane resolver

(and the base image doesn't have host or drill, and needs a shared lib libprivateldns.so.5 if I just mount in the host's /usr/bin)

it's not just using its /etc/resolv.conf like a regular jail?

I was wondering if the /etc/resolv.conf was broken, but no it's fine. And after fixing the /usr/lib volume for the needful .so I got drill working.

but it's now saying it got 0 bytes rcvd, and "error sending query: Could not send or receive, because of network error"

So a NAT issue? Who populates this cni-nat table?

Should it be persistent prolly?

Hecate: what i'd do in your position is to manually build and install pkg from a new ports tree. I dunno if it would fix the problem though. But it's what i'd do. I saw that error in pkg v2.2.0 & 2.2.1. but it's 2.2.2 here and no error

Hecate: what fo you have in /etc/pkg?

pkg repos -le

might be relevant: i'm running 14-stable here

Hecate: also see bugs.freebsd.org/bugzilla/show_bug.cgi?id=286532

divlamir: that's a good question, I'll dig into that

f451: I have FreeBSD

FreeBSD-kmods

f451: that TLS thing is peculiar because `fetch` is more than happy to work on pkg.freebsd.org/FreeBSD:14:amd64/latest/data.pkg

that jail is 14.3-RELEASE

f451: also, pardon my ignorance but I have not used port trees in 10 years. What's the current accepted way to do such a thing?

You can get away with an old school `make install` in the case of pkg. No dependencies to build

josephholsten: heres what I would try

make the container, try the following in it

`fetch -v 1.1.1.1`

given you're using a fresh vm afaict and a vanilla pf it will probably work

then check whats in /etc/resolv.conf and I'm guessing it will either be missing or not appropriate for the container

e.g. on my prod systems, raw dns is only allowed from jail -> locked down local resolver on the jail host

`fetch: 1.1.1.1: Address family for host not supported`

oho thats weird

it's making me want to just run a debugger to see what call is failing.

Nice, those meta-package sets of ivy! I can make use of some very minimal jails

Where can I read more about these upcoming pkg groups? In a mailing list archive maybe, whicj one?

i don't know if that is documented anywhere other than bapt's head :-)

Patience then, the time will come :)

package sets might not be what you want for a minimal jail, the "minimal" is already quite large, you can create minimal jails by just installing some packages by hand

although as i was saying earlier, it would be nice to have some sort of minimal-jail set, i'm just not sure what to call it or how to organise it...

Some "minimal" default is already nice to have. As you said in the review, those who need more, I mean less, can do it pkg by pkg

No default suits everyone, but as long it's a sensible one, it works

so, first pkgbase tests have been completed

that's a nice way

are you switching to pkgbase ketas ?

not yet

OK

i'll do some embedded image generation via that at first

i could run all that via poudriere too after it would actually run like i want

is there no way to set a jail to use 1 core, rather than how cpuset works which requires that i set a jail to use 1 SPECIFIC core? the difference is how cpuset works requires me to add a unique command for each jail cpusetting it a specific core, instead of just telling all jails to take 1 core each

kerneldove: rctl can do that, but don't ask me how, i've never actually used it

ya it seems the rctl method isn't as smooth as handing out dedicated cores

with rctl you set the percentage, so set it to 100% for each jail you want to limit, is exactly what you ask for

ya true but like it said it seems the cpu throttling isn't smooth from what i've read

I noticed 15 aplhpa dropped.

why? it gives you what you ask for

alpha ;/ coffee

it's not throttling, it cuts you off at the limit you give

divlamir, do you know how much drift there is between what it can burst to and the limit set?

how much is it?

ya like could the jail use 125% cpu before the limiter kicks in?

you mean it down't kick in fast enough?

kinda but more how persistent is the limit

idk the implementation details, but it's the closest thing you describe

according to the docs, the system would just deny more cpu time than permitted

interesting discovery: buildah/podman-build jails seem to have no ip address according to `jls -h` and so apparently I don't truly know anything about jails

jail(8) says ips are mandatory, ocijail laughs in my face

kerneldove: see here: github.com/freebsd/freebsd-src/blob…main/sys/kern/kern_rctl.c#L418-L445

"This makes %cpu throttling more aggressive and lets us act sooner than the limits are already exceeded."

There is some sort of heuristic, to act before the limit is actually reached

hahaHAHAhahehe oh. $ ifconfig vnet38718f1c; description: associated with jail: buildah-buildah2100252023 as nic: eth0

oh podman, I don't have an eth0, buddy. This is a vm.

All a jail needs is an ip and a hostname.

hrm, cigarettes too

i don't think a jail actually requires an ip address

although now i think about it, i've never tested that

You can use a "shared" ip from the host. It still counts as one.

i know, but i mean it shouldn't require an IP address at all... perhaps this is enforced for historical reasons though

divlamir, ok i'll try pcpu

what about the new service jails, why would they requier an ip?

svcjs require an ip address because (iirc) there's no way to configure them not to have one

ivy: I was thinking peerhaps the same thing. I'm no expert far from it. I was looking at jail.c.

i forget though, perhaps some combination of svcj_options would provide an svcj without an ip address

kerneldove: my .conf for service jail has ip4 = inherit

I don't have a single jail without some kind of networked service, so I've never asked myself if a jail w/o an ip is a possibility

rj1: i believe kerneldove is talking about the svcj feature in rc(8) which runs a service in a jail automatically (without using jail.conf)

(this is new in 15.0)

ya

Oh ok my bad guys. I have not tested 15 any or kept up. Thanks for info sounds cool!

I was looking at a service jail on 14.3

it's still a little half baked, so the answer to "why can't i do X with svcj?" is probably that no one implemented it yet

aren't we all

oooh, magic service jails sounds fancy.

i got racct enabled in loader.conf and rebooted, and now i see i set limits in /etc/rctl.conf. wish we could set them right in the jail's .conf file no?

oh no. the buildah gives the right interface when I RUN /sbin/route get 1.1.1.1; but it still refuses RUN /usr/bin/fetch 1.1.1.1

or maybe i can? like in exec.created = "rctl -a jail:${name}:pcpu:deny=80"; ?

that shoud work too

ill try it now

and maybe rctl -r ... when you stop it

ya i was wondering that. gonna test and see if it's needed

can we enable racct at runtime like 'sysctl kern.racct.enable=1' ?

wdym? it's enabled in rc.conf, rctl_enable

wtf? klarasystems.com/articles/controlli…esource-limits-with-rctl-in-freebsd says to use the sysctl

ah, you mean loader.conf. you can try, but then you can't enable the service in rc.conf as it won't be available at boot time

what's the point btw? you either want/need it or noe

if you want to unload all rules at runtime: `rctl -r :`

can't use sysctl kern.racct.enabled=1 at runtime it seems

seems to require being in loader.conf so it's there at boot, damn

why is it a problem?

well i like when i can enable stuff at runtime

don't enable the service then, it won't load any rules

no dude what i'm saying is i was hoping i could sysctl kern.racct.enable=1 then service jail start testjail with rctl -a commands in its conf file

you can do just that, no need for the sysctl call

nah i just tested it

try it yourself

with kern.racct.enable=1 in loader.conf, it should work

and is that what i said? no

whatever, i used the handbook when i played it, so loader.conf it is

what i was saying is, it's not doing anything until you load some rules i.e. enable it as you say

where's userlanddove

and other system animals

be the userland dove you want to see in the world