nprice (and .rtj i think ? my backlog doesnt go that far) for some reason my laptop was missing `[` but had `test`. I only have to compile world once for my project, so i'll use another, cleaner machine

ty both very much :D

hm

it it like impossible to run a samba domain controller in a jail?

after upgrading 14.2 to 14.3 i will have to install nvidia drivers again, etc.?

new version, new kernel, new drivers yet

last time i upgrade i dont remember if i had to install drivers again

you would

well then. i guess now i see why samba has them separate. samba419 worked just fine creating the dc in the jail

but 420 has some error when provisioning

*why pkg/ports has them separate

normally I go with the default set in bsd.default.versions

you can change it using some pkg maigc but samba is one of those "do I really need it"

now jails are cool but the more you have to enable in the jail the less secure it is and with thing like samba its a lot

on a side note I dont worry much about thing running locally i worry more about internet accesible things and msot of the time you dont have samaba accessible remotely only locally so I personally would not run it in a jail like I would say hiawatha or mysql

but then again people will argue ove that

cpet: yeah.. i'm just working on getting a dc going in a jail

i figured samba420 was rather tested by now but i guess not because it's impossible to provision. that was me testing in a jail but i'm suspecting it may fail on the host as well

i just didn't try

ports arent normally tested in every scenario

its more of a it compiles cool move on

well i know now to not use the latest samba. they have a long lifespan anyways but i've ran into deprecated samba in fbsd

where i had to bump the version

now i just need to sort out how to admin it without rsat :/

so i have to go down the samba-tool rabbit hole.. i need to see if there's an ncurses app i can use in the console for that

samba is pretty easy ive never used it as a DC as I normally just used Windows server for all that ;/

yeah it usually is. but this wasn't really samba's fault so much as some weird freebsd pkg bug related to python maybe

on a fresh network provisioning a domain controller takes 2 minutes :)

i want to use it for centralized auth

so i need to make users, groups, etc on the domain. i also need to use the internal dns so i don't have to maintain bind.

i maintain nsd

yo

o/ <3 :*

cpet: i'd rather stick with the samba internal dns if i can. that has always worked well for me in the past and i'm doing simple things.

i'll have to take a look and see if i can find maybe something that is better than using samba-tool

otherwise i'm going to wind up making a thousand scripts

that is cute

so i've been wanting to contribute to freebsd and saw that the package go-fuse needs porting so i installed freebsd in qemu and cloned the repo

and tried running the tests which shows the following errors such as

- fio needed from linux tools

- missing Allocate method

- syscall.Fallocate undefined

- unix.FALLOC_FL_KEEP_SIZE undefined

- Unimplemented opcode BMAP

- Unimplemented opcode BMAP

and more so i wanted to know how do others solve thes

do i remove/replace methods and reduce the functionalities or fork it or just create a new lib using libfuse?

so i've been wanting to contribute to freebsd and saw that the package go-fuse needs porting so i installed freebsd in qemu and cloned the repo

and tried running the tests which shows the following errors such as

- fio needed from linux tools

- missing Allocate method

- syscall.Fallocate undefined

- unix.FALLOC_FL_KEEP_SIZE undefined

- Unimplemented opcode BMAP

and more so i wanted to know how do others solve these

do i remove/replace methods and reduce the functionalities or fork it or just create a new lib using libfuse?

speaking of go: for me the kbfs-fuse module is broken in a very particular way (it's because of go-fuse's misbehaviour upon receiving a certain message)

fio is ported

/usr/ports/benchmarks/fio

well. i finally feel like i'm making progress with this

managed to get a dc jail and a 'shell box' jail going

mzar: lots of people seem to be noticing lol

pressure is building :/

im terrified, I have only planned it, not gathered some statistics I will need, and no slides are done yet

wow. i managed to get rclone to mount INSIDE the jail.. and have no idea how i did it lol

can i upgrade from 14.3 to 15.0

?

warsoul: yes

polarian i change 14.2 to 14.3 but was a mission i lost my desktop and to get it back i struggle a little bit

if i get "[zone: pf states] PF states limit reached" then i increase the limit options, for those to take effect do i only need to service pf reload pls?

is their anyway to upgrade without loosing nvidia drivers?

Hello! I'm trying to install Obsidian on FreeBSD using this article owlandrews.com/texts/obsidian-on-freebsd-with-google-drive. I already tried this one jrgsystems.com/posts/2023-01-03-installing-obsidian-on-freebsd but I couldn't get it to work. When I use `poudriere bulk -j 14amd64 -p HEAD -b latest -S textproc/obsidian` I get the following error message: `[00:00:02] Error: Nonexistent origin listed:

textproc/obsidian

[00:00:02] Error: Fatal errors encountered gathering initial ports metadata` and I have no clue what the problem could be. I looked at the /usr/ports in the jail and textproc/obsidian is there, so I don't understand why it can't be found

warsoul: you should be able to freebsd-update to 15.0 without issues

then you can choose to pkgbasify if you want to use pkgbase

polarian could you guide me?

wdym "losing nvidia drivers"?

the drivers are ports, not base

sorry no

the drm stuff is

how can i know if net.pf.request_maxcount needs to be increased pls?

not sure about the cards themself, but I assume so

kerneldove_: I dont think you ever need to increase this unless you are handling insane amounts of traffic

sorry no I confused it with the max entries

kerneldove_: are you importing rules to block vast number of IPs?

warsoul: freebsd-update -r 15.0-RELEASE upgrade

reboot

freebsd-update install

reboot

polarian, no i have 30 or so rules. i just keep hitting states limit

actualyl before the second reboot you should run pkg upgrade

which will pull in the drm stuff so shouldnt break desktop

so i'm increasing states, src-nodes, frags, and table0entries

hoping that fixes it

kerneldove_: how are you hitting states limit with 30 rules?!?!

how many connections are you getting

how can i see how many connections atm? i pass tons of udp packets to/from lots of diff hosts

kerneldove_: pfctl -s info

current entries field or others?

kerneldove_: wait what do you want to see

oh right current entries is the number of entries in the state table

on my router for example, which has servers and clients behind it I currently have 210 entries into the state table

204 searches per second, 4 inserts and removals a second

Yo

what does the "memory" field of pfctl -s info mean?

i have 175 million

Can vnet jails and bhyve vm's share the same bridge?

polarian: not any lol, but it's a good news !

mzar: good how? :p

kerneldove_: not sure, but that doesn't sound good

Afterglow: is the bhyve jail within the vnet jail?

if it is, then no

if it isn't then yes

add the tap interface to the bridge

I believe it should work

the vm will still need its own IP address though afaik

vnets and vms are 'next' to eachother, not in

how does the virtual switch fit in here? Or should I skip this?

then yes I see no reason you cant, but I dont see why you would do this

the whole idea of a vnet jail is to route it for additional security

if you simply bridge them with one another, then the vnet jails can talk to one another

my vnets _must_ talk to eachother

so you're saying that I should create a bridge for each and every jail?

I wouldn't bridge it I would route it

but if you dont want vnets talking to one another (as vnet jails arent meant to crosstalk) then yes you would need a bridge per vnet

if you want the jails to talk to one another then why did you vnet them in the first place?

> A FreeBSD VNET jail is a virtualized environment that allows for the isolation and control of network resources for processes running within it. It provides a high level of network segmentation and security by creating a separate network stack for processes within the jail, ensuring that network traffic within the jail is isolated from the host system and other jails.

I don't see how a bridge (layer 2?) brings any change in that: it's just a layer between the jail (epaira/b) and the physical interface of the host. All IP's are on the same LAN anyway

Afterglow: switching happens on layer 2

what happens when you have devices all on the same switch?

the switch can switch packets between them

which is why vlans exist

the switch then knows not to pass packets to other devices which are not on the same vlan

Afterglow: if you want to bridge you should have one bridge per vnet jail

but this gets messy at scale

so I would always route them

I have different bridge devices for different vlans. Still not sure how a bridge would make a vnet jail more insecure

it allows vnet jails to pass packets between each one

vnet jails are meant to be isolated

if they all share one bridge, they all are able to pass packets

if you use one bridge per vnet jail then sure

you still have isolation

but I find this all really messy and I would rather handle it within pf

only pass the packets from these jails to the internet, not to the host, and not to other jails

and if you did need communcation, for say an email server needed a postgresql db within another jail, you could explicitly pass from one vnet jail to another on a specific port

neater, and more secure.

still not sure why share one bridge (= layer 2!) would make that more insecure than having one bridge per vnet, which is more of an administrative hassle. The only thing that happens is that inter-VNET traffic doesn't leave the machine

Afterglow: I just explained

imagine you have many devices all connected to the same switch

theres no isolation between devices

a switch is able to pass packets between them without passing back to the router

switching is layer 2

therefore theres no concept of IP addresses

its done purely on mac address

So? Each vnet has its own ip stack/ipfw. That isn't any different than having multiple physical machines on the same network (on a switch)

Afterglow: does that mean you should leave your gateway firewall open because devices behind it have their own firewall? security in layers.

you want them separated

and separate IP stacks mean nothing, its like having separate devices

Afterglow: if you want to see this, bridge as you said, ping one container from the other while tcpdumping that container

What exactly is your point here? the only thing my vnets share is the physical NIC on the host. There completely 'stand alone' hosts.

you should see an arp packet

if you see that arp packet, that means the two vnets can talk to one another

sure you have a firewall but the whole idea of vnet jails is to be separated

AGAIN: they should be able to talk to each other. That would be the same if they're physical machines. Please stop this nonsense discussion

they cant if you set it up properly

its like saying two devices on completely different switches could talk to each other without a router

they should because I set it up this way!

then go ahead...

you asked why its less secure, I told you

I dont see what you want here

You can link switches to eachother on the same lan.

You are missing the point

you asked me why its less secure, I told you

you then complain that this is nonsense

My original question was: can bhyve vm's and vnet jails share the same bridge device.

do not ask for answers, and then criticise them because you don't like the answer

ANd then you started a preach about how vnet s should not share the same bridge device.

Afterglow: yes there is no reason you can't add a tap to a bridge with what I assume is epairs within it

I already answered that question

a bridge is nothing more than a virtual dumb switch

duh, there we are. I was already telling you that from the beginning. VNETs on a bridge = physical machines on a switch. Exactly tthe same

I don't need any routing between my vnets, except for the ones on a different vlan

Afterglow: and I have been telling you that vnets are meant to be isolated thus not on the same bridge

if you want to do it that way, be my guest

now I am going out to buy some beer.

cya

enjoy

polarian, i increased limits then reset counters ill watch memory field now

Hello, all. After upgrading from 14.1 to 14.3, the geeque packages has stopped working. I have upgraded all I could, yet it fails because of broken dependencies: <paste.c-net.org/BossySeduce> . Can anyone on 14.3p5 test whether they are having the same error (so that I know if is my own problem).

ant-x: Looks like you might just need to re-install the dependencies as well. Just an old lib mix-up.

Are you using packages?

ek, I installed everying with pkg. Reinstall everything? Ought not `pkg upgrade' have done it?

* /to/ have done it (that is, fixed the dependencies).

ek, `pkg check' and `pkg check -d -a' do not report any problems.

ant-x: It kind of depends on the update process. It's pretty rare, but old .so version dependencies can lay around after a base upgrade.

ant-x: What if you do a 'pkg upgrade -f libavformat libffmpegtnailer geeqie' ?

Obviously, after a 'pkg update' just to make sure repo data is up-to-date.

Waity-minty.

ant-x: Also, which repo(s) are used?

ant-x: 'pkg delete pkg-name' will delete any dependencies that are no longer needed.

ek, repos -- the standard out-of-the-box ones: //pkg.FreeBSD.org/${ABI}/quarterly

Also, a 'pkg autoremove' will help with that as well.

Okay.

I will try pkg upgrade without removing anything, first.

ek, `pkg upgrade' sais neither of the lib packages are installed, probably because they are part of other packages.

i.e. there is no package named libavformat or libffmpegtnailer .

I need somehow to find out which packages install those libs, first.

pkg which to the resque.

ant-x: What about just a 'pkg upgrade -f geeqie' ?

That *SHOULD* pull in all dependencies.

ek, I have found it: `pkg upgrade ffmpegthumbnailer ffmpeg' -- says all is up to date. Will try -f

ek, `pkg upgrade -f geeqie' did not help, but `pkg upgrade -f ffmpegthumbnailer ffmpeg' has! Thanks.

ant-x: Excellent!

Indeed.

Can you tell me about the effect of `pkg upgrade'? A couple of weeks ago it broke my 14.1 system, so I /had/ to upgrade to 14.3 to fix it. I thought it would either refuse to upgrade, or it successfully, but not break it.

I was following the upgrade procedure described in the Handbook, which did not mention the -f option. Something must have gone wrong.

ant-x: It's difficult to say exactly what went wrong. But, it looks like a dependency was either upgraded or not upgraded while the primary application was not.

If you're using packages, it's usually a good idea to do a "pkg upgrade -f" to force all packages to upgrade after a FBSD version upgrade (although, generally not needed with minor version upgrades).

It also may have just been a glitch in the repos where a package dependency was upgraded before the primary package (in this case, geeqie) and you just happened upon it with unfortunate luck.

After reading the man page, I don't understand why `pkg upgrade -f geeqie' did not update the dependencies.

ant-x: I'm guessing because the dependencies were already up-to-date with their version, but something happened during the previous 'pkg upgrade' where a library was lost or skipped somehow. Maybe something errored out and was resumed and it caused a problem?

It's hard to say.

707 packages will be upgraded

It'll be fine. It'll just re-install all your currently up-to-date packages. But, it will, with all likelihood, repair any other missing or out-of-date libs that may remain.

I hope so!

You can always run a "pkg prime-origins" and save that output in case something goes wrong.

prime-origins? Not listed in PKG(8) .

It's an alias to "pkg query -e '%a = 0' '%o'". You can check your aliases in /usr/local/etc/pkg.conf

or with `pkg alias`

Thanks. Will have to learn the syntax of ``pkg query'' first.

I see: `%a = 0' for root packages (not installed as dependencies), and %o for origin.

angry_vincent: Yeah. I probably should've worded that better. More along the lines of: Aliases are configured in the /usr/local/etc/pkg.conf file.

...and listed by `pkg alias'

ant-x: Yep. It'll give you a list of root packages that are installed. So, if you need to re-install your root packages for some reason (like a fresh start), you can use that list to get back to where you were.

Shall I have to process the output with SED or AWK, before feeding it to pkg via xargs?

Nope. You don't even need that.

Can be fed directly to pkg?

'pkg prime-origins > ~/root-pkgs.txt' and then to use it 'pkg install $(cat ~/root-pkgs.txt)' (or however you'd like to parse the pkg data to "pkg")

parse -> pass (I hope)

Yes. Sorry. I'm doing like 4 things at once. :)

Remember: you have but two hemispheres.

Thanks for the help!

I think I have less than that. You're very welcome.

Hi all! Had a quick question. Finally got around to upgrading to 15.0. I have two encrypted ZFS datasets, one that uses keyfiles and the other that requires a prompt. Since upgrade, entire boot sequence is held up by passphrase prompt for that ZFS dataset. I do have zfskeys_enable=YES in my rc.conf, but I only want the keys loaded for the dataset that uses a keyfile. Any help would be appreciated!

ant-x: having two is nice, I only have one functioning hahaha

Remilia, one is functioning, the other is for appreciation of all things beautoful.

...In the meantime, `pkg -f upgrade' has completed.

And I do not see any regessions.

Unfortunately, it has not fixed a Subversion bug whereby it hangs forever: <marc.info/?l=subversion-users&m=176635088823880&w=2> .

.dot files? That's a tautology.

ant-x: Does "git svn clone" work?

I haven't used subversion in a long, long while. But, I have cloned using "git svn" a few times in the somewhat recent past.