00:01:20 nprice (and .rtj i think? my backlog doesn't go that far) for some reason my laptop was missing `[` but had `test`. I only have to compile world once for my project, so i'll use another, cleaner machine
00:01:28 ty both very much :D
00:01:49 hm
00:01:59 is it like impossible to run a samba domain controller in a jail?
00:12:50 after upgrading 14.2 to 14.3 i will have to install nvidia drivers again, etc.?
00:18:18 new version, new kernel, new drivers yet
00:19:52 last time i upgraded i don't remember if i had to install drivers again
00:33:10 you would
05:29:59 well then. i guess now i see why samba has them separate. samba419 worked just fine creating the dc in the jail
05:30:05 but 420 has some error when provisioning
05:30:25 *why pkg/ports has them separate
05:46:48 normally I go with the default set in bsd.default.versions
05:48:35 you can change it using some pkg magic but samba is one of those "do I really need it"
05:49:15 now jails are cool but the more you have to enable in the jail the less secure it is, and with things like samba it's a lot
05:51:58 on a side note I don't worry much about things running locally, i worry more about internet accessible things, and most of the time you don't have samba accessible remotely, only locally, so I personally would not run it in a jail like I would say hiawatha or mysql
05:52:22 but then again people will argue over that
05:55:03 cpet: yeah.. i'm just working on getting a dc going in a jail
05:55:37 i figured samba420 was rather tested by now but i guess not because it's impossible to provision. that was me testing in a jail but i'm suspecting it may fail on the host as well
05:55:44 i just didn't try
05:55:57 ports aren't normally tested in every scenario
05:56:11 it's more of a "it compiles, cool, move on"
05:56:52 well i know now to not use the latest samba. they have a long lifespan anyways but i've run into deprecated samba in fbsd
05:56:57 where i had to bump the version
05:57:29 now i just need to sort out how to admin it without rsat :/
05:57:51 so i have to go down the samba-tool rabbit hole.. i need to see if there's an ncurses app i can use in the console for that
05:58:50 samba is pretty easy, i've never used it as a DC as I normally just used Windows server for all that ;/
05:59:24 yeah it usually is. but this wasn't really samba's fault so much as some weird freebsd pkg bug related to python maybe
05:59:50 on a fresh network provisioning a domain controller takes 2 minutes :)
06:00:10 i want to use it for centralized auth
06:00:56 so i need to make users, groups, etc on the domain. i also need to use the internal dns so i don't have to maintain bind.
06:01:23 i maintain nsd
06:17:34 yo
06:17:47 o/ <3 :*
06:26:21 cpet: i'd rather stick with the samba internal dns if i can. that has always worked well for me in the past and i'm doing simple things.
06:27:02 i'll have to take a look and see if i can find maybe something that is better than using samba-tool
06:27:21 otherwise i'm going to wind up making a thousand scripts
08:22:00 that is cute
09:47:32 so i've been wanting to contribute to freebsd and saw that the package go-fuse needs porting so i installed freebsd in qemu and cloned the repo
09:47:32 and tried running the tests which shows the following errors such as
09:47:33 - fio needed from linux tools
09:47:33 - missing Allocate method
09:47:34 - syscall.Fallocate undefined
09:47:34 - unix.FALLOC_FL_KEEP_SIZE undefined
09:47:35 - Unimplemented opcode BMAP
09:47:35 - Unimplemented opcode BMAP
09:47:36 and more so i wanted to know how do others solve these
09:47:36 do i remove/replace methods and reduce the functionalities or fork it or just create a new lib using libfuse?
10:09:43 speaking of go: for me the kbfs-fuse module is broken in a very particular way (it's because of go-fuse's misbehaviour upon receiving a certain message)
12:03:07 fio is ported
12:03:35 /usr/ports/benchmarks/fio
13:12:40 well. i finally feel like i'm making progress with this
13:12:48 managed to get a dc jail and a 'shell box' jail going
14:17:55 mzar: lots of people seem to be noticing lol
14:18:03 pressure is building :/
14:18:38 i'm terrified, I have only planned it, not gathered some statistics I will need, and no slides are done yet
14:50:27 wow. i managed to get rclone to mount INSIDE the jail.. and have no idea how i did it lol
15:14:23 can i upgrade from 14.3 to 15.0
15:14:24 ?
15:17:22 warsoul: yes
15:20:04 polarian i changed 14.2 to 14.3 but it was a mission, i lost my desktop and to get it back i struggled a little bit
15:20:13 if i get "[zone: pf states] PF states limit reached" then i increase the limit options, for those to take effect do i only need to service pf reload pls?
15:20:17 is there any way to upgrade without losing nvidia drivers?
15:29:53 Hello! I'm trying to install Obsidian on FreeBSD using this article https://owlandrews.com/texts/obsidian-on-freebsd-with-google-drive. I already tried this one https://jrgsystems.com/posts/2023-01-03-installing-obsidian-on-freebsd/ but I couldn't get it to work. When I use `poudriere bulk -j 14amd64 -p HEAD -b latest -S textproc/obsidian` I get the following error message:
15:29:53 `[00:00:02] Error: Nonexistent origin listed: textproc/obsidian`
15:29:53 `[00:00:02] Error: Fatal errors encountered gathering initial ports metadata`
15:29:53 and I have no clue what the problem could be. I looked at the /usr/ports in the jail and textproc/obsidian is there, so I don't understand why it can't be found
15:30:09 warsoul: you should be able to freebsd-update to 15.0 without issues
15:30:15 then you can choose to pkgbasify if you want to use pkgbase
15:30:34 polarian could you guide me?
15:30:44 wdym "losing nvidia drivers"?
15:30:52 the drivers are ports, not base
15:30:57 sorry no
15:31:00 the drm stuff is
15:31:12 how can i know if net.pf.request_maxcount needs to be increased pls?
15:31:13 not sure about the cards themselves, but I assume so
15:31:37 kerneldove_: I don't think you ever need to increase this unless you are handling insane amounts of traffic
15:34:50 sorry no I confused it with the max entries
15:35:04 kerneldove_: are you importing rules to block vast numbers of IPs?
15:35:32 warsoul: freebsd-update -r 15.0-RELEASE upgrade
15:35:38 reboot
15:35:45 freebsd-update install
15:35:47 reboot
15:36:08 polarian, no i have 30 or so rules. i just keep hitting the states limit
15:36:10 actually before the second reboot you should run pkg upgrade
15:36:16 which will pull in the drm stuff so shouldn't break desktop
15:36:18 so i'm increasing states, src-nodes, frags, and table-entries
15:36:21 hoping that fixes it
15:36:38 kerneldove_: how are you hitting the states limit with 30 rules?!?!
15:36:47 how many connections are you getting
15:37:14 how can i see how many connections atm? i pass tons of udp packets to/from lots of diff hosts
15:56:07 kerneldove_: pfctl -s info
15:59:16 current entries field or others?
16:04:33 kerneldove_: wait what do you want to see
16:04:52 oh right current entries is the number of entries in the state table
16:05:59 on my router for example, which has servers and clients behind it, I currently have 210 entries in the state table
16:06:23 204 searches per second, 4 inserts and removals a second
16:26:07 Yo
16:31:25 what does the "memory" field of pfctl -s info mean?
16:31:42 i have 175 million
16:36:29 Can vnet jails and bhyve vm's share the same bridge?
16:43:51 polarian: not any lol, but it's good news!
16:52:04 mzar: good how? :p
16:52:53 kerneldove_: not sure, but that doesn't sound good
16:53:37 Afterglow: is the bhyve jail within the vnet jail?
16:53:40 if it is, then no
16:53:43 if it isn't then yes
16:53:53 add the tap interface to the bridge
16:54:16 I believe it should work
16:54:30 the vm will still need its own IP address though afaik
16:54:34 vnets and vms are 'next' to each other, not in
16:55:03 how does the virtual switch fit in here? Or should I skip this?
16:55:07 then yes I see no reason you can't, but I don't see why you would do this
16:55:19 the whole idea of a vnet jail is to route it for additional security
16:55:31 if you simply bridge them with one another, then the vnet jails can talk to one another
16:56:00 my vnets _must_ talk to each other
16:56:58 * Afterglow is confused now
16:57:20 so you're saying that I should create a bridge for each and every jail?
17:00:23 I wouldn't bridge it, I would route it
17:00:46 but if you don't want vnets talking to one another (as vnet jails aren't meant to crosstalk) then yes you would need a bridge per vnet
17:01:11 if you want the jails to talk to one another then why did you vnet them in the first place?
17:02:09 > A FreeBSD VNET jail is a virtualized environment that allows for the isolation and control of network resources for processes running within it. It provides a high level of network segmentation and security by creating a separate network stack for processes within the jail, ensuring that network traffic within the jail is isolated from the host system and other jails.
17:02:11 https://docs.freebsd.org/en/books/handbook/jails/
17:04:26 I don't see how a bridge (layer 2?) brings any change in that: it's just a layer between the jail (epaira/b) and the physical interface of the host. All IPs are on the same LAN anyway
17:05:13 Afterglow: switching happens on layer 2
17:05:22 what happens when you have devices all on the same switch?
17:05:48 the switch can switch packets between them
17:06:14 which is why vlans exist
17:06:32 the switch then knows not to pass packets to other devices which are not on the same vlan
17:07:44 Afterglow: if you want to bridge you should have one bridge per vnet jail
17:08:02 but this gets messy at scale
17:08:05 so I would always route them
17:08:08 I have different bridge devices for different vlans. Still not sure how a bridge would make a vnet jail more insecure
17:08:39 it allows vnet jails to pass packets between each one
17:08:44 vnet jails are meant to be isolated
17:09:01 if they all share one bridge, they all are able to pass packets
17:09:11 if you use one bridge per vnet jail then sure
17:09:15 you still have isolation
17:09:25 but I find this all really messy and I would rather handle it within pf
17:09:59 only pass the packets from these jails to the internet, not to the host, and not to other jails
17:10:30 and if you did need communication, for say an email server needing a postgresql db within another jail, you could explicitly pass from one vnet jail to another on a specific port
17:10:39 neater, and more secure.
17:12:58 still not sure why sharing one bridge (= layer 2!) would make that more insecure than having one bridge per vnet, which is more of an administrative hassle. The only thing that happens is that inter-VNET traffic doesn't leave the machine
17:13:31 Afterglow: I just explained
17:13:38 imagine you have many devices all connected to the same switch
17:13:49 there's no isolation between devices
17:13:59 a switch is able to pass packets between them without passing back to the router
17:14:24 switching is layer 2
17:14:29 therefore there's no concept of IP addresses
17:14:38 it's done purely on mac address
17:15:47 So? Each vnet has its own ip stack/ipfw. That isn't any different than having multiple physical machines on the same network (on a switch)
17:17:14 Afterglow: does that mean you should leave your gateway firewall open because devices behind it have their own firewall? security in layers.
17:17:23 you want them separated
17:17:31 and separate IP stacks mean nothing, it's like having separate devices
17:19:21 Afterglow: if you want to see this, bridge as you said, ping one container from the other while tcpdumping that container
17:19:23 What exactly is your point here? the only thing my vnets share is the physical NIC on the host. They're completely 'stand alone' hosts.
17:19:32 you should see an arp packet
17:19:53 if you see that arp packet, that means the two vnets can talk to one another
17:20:21 sure you have a firewall but the whole idea of vnet jails is to be separated
17:20:42 AGAIN: they should be able to talk to each other. That would be the same if they're physical machines. Please stop this nonsense discussion
17:21:05 they can't if you set it up properly
17:21:24 it's like saying two devices on completely different switches could talk to each other without a router
17:21:26 they should because I set it up this way!
17:21:34 then go ahead...
17:21:41 you asked why it's less secure, I told you
17:21:45 I don't see what you want here
17:21:51 You can link switches to each other on the same lan.
17:21:58 You are missing the point
17:22:12 you asked me why it's less secure, I told you
17:22:17 you then complain that this is nonsense
17:22:20 My original question was: can bhyve vm's and vnet jails share the same bridge device.
17:22:25 do not ask for answers, and then criticise them because you don't like the answer
17:23:08 And then you started a preach about how vnets should not share the same bridge device.
17:23:25 Afterglow: yes there is no reason you can't add a tap to a bridge with what I assume is epairs within it
17:23:32 I already answered that question
17:23:45 a bridge is nothing more than a virtual dumb switch
17:24:31 duh, there we are. I was already telling you that from the beginning. VNETs on a bridge = physical machines on a switch. Exactly the same
17:25:00 I don't need any routing between my vnets, except for the ones on a different vlan
17:25:13 Afterglow: and I have been telling you that vnets are meant to be isolated, thus not on the same bridge
17:25:19 if you want to do it that way, be my guest
17:26:45 now I am going out to buy some beer.
17:26:48 cya
17:28:07 enjoy
17:41:04 polarian, i increased limits then reset counters, i'll watch the memory field now
20:31:41 Hello, all. After upgrading from 14.1 to 14.3, the geeqie package has stopped working. I have upgraded all I could, yet it fails because of broken dependencies: . Can anyone on 14.3p5 test whether they are having the same error (so that I know if it is my own problem).
21:12:10 ant-x: Looks like you might just need to re-install the dependencies as well. Just an old lib mix-up.
21:12:29 Are you using packages?
21:13:16 ek, I installed everything with pkg. Reinstall everything? Ought not `pkg upgrade' have done it?
21:14:18 * /to/ have done it (that is, fixed the dependencies).
21:15:27 ek, `pkg check' and `pkg check -d -a' do not report any problems.
21:15:29 ant-x: It kind of depends on the update process. It's pretty rare, but old .so version dependencies can lie around after a base upgrade.
21:16:56 ant-x: What if you do a 'pkg upgrade -f libavformat libffmpegtnailer geeqie' ?
21:17:24 Obviously, after a 'pkg update' just to make sure repo data is up-to-date.
21:17:25 * ant-x was looking for a way to uninstall a package with dependencies.
21:17:30 Waity-minty.
21:17:40 ant-x: Also, which repo(s) are used?
21:18:08 ant-x: 'pkg delete pkg-name' will delete any dependencies that are no longer needed.
21:18:19 ek, repos -- the standard out-of-the-box ones: //pkg.FreeBSD.org/${ABI}/quarterly
21:18:19 Also, a 'pkg autoremove' will help with that as well.
21:18:26 Okay.
21:18:51 I will try pkg upgrade without removing anything, first.
21:20:58 ek, `pkg upgrade' says neither of the lib packages is installed, probably because they are part of other packages.
21:21:23 i.e. there is no package named libavformat or libffmpegtnailer .
21:23:16 I need somehow to find out which packages install those libs, first.
21:26:00 pkg which to the rescue.
21:26:33 ant-x: What about just a 'pkg upgrade -f geeqie' ?
21:26:43 That *SHOULD* pull in all dependencies.
21:27:35 ek, I have found it: `pkg upgrade ffmpegthumbnailer ffmpeg' -- says all is up to date. Will try -f
21:29:14 ek, `pkg upgrade -f geeqie' did not help, but `pkg upgrade -f ffmpegthumbnailer ffmpeg' has! Thanks.
21:29:39 ant-x: Excellent!
21:30:36 Indeed.
21:32:28 Can you tell me about the effect of `pkg upgrade'? A couple of weeks ago it broke my 14.1 system, so I /had/ to upgrade to 14.3 to fix it. I thought it would either refuse to upgrade, or do it successfully, but not break it.
21:35:51 I was following the upgrade procedure described in the Handbook, which did not mention the -f option. Something must have gone wrong.
21:50:04 ant-x: It's difficult to say exactly what went wrong. But, it looks like a dependency was either upgraded or not upgraded while the primary application was not.
21:50:54 If you're using packages, it's usually a good idea to do a "pkg upgrade -f" to force all packages to upgrade after a FBSD version upgrade (although, generally not needed with minor version upgrades).
21:52:15 It also may have just been a glitch in the repos where a package dependency was upgraded before the primary package (in this case, geeqie) and you just happened upon it with unfortunate luck.
21:53:32 After reading the man page, I don't understand why `pkg upgrade -f geeqie' did not update the dependencies.
21:56:19 ant-x: I'm guessing because the dependencies were already up-to-date with their version, but something happened during the previous 'pkg upgrade' where a library was lost or skipped somehow. Maybe something errored out and was resumed and it caused a problem?
21:56:23 It's hard to say.
21:56:50 * ant-x is doing pkg -f upgrade, but feels uneasy about it...
21:57:10 707 packages will be upgraded
21:58:01 It'll be fine. It'll just re-install all your currently up-to-date packages. But, it will, in all likelihood, repair any other missing or out-of-date libs that may remain.
21:58:44 I hope so!
21:59:43 You can always run a "pkg prime-origins" and save that output in case something goes wrong.
22:01:41 prime-origins? Not listed in PKG(8) .
22:02:44 It's an alias to "pkg query -e '%a = 0' '%o'". You can check your aliases in /usr/local/etc/pkg.conf
22:03:22 or with `pkg alias`
22:03:51 Thanks. Will have to learn the syntax of ``pkg query'' first.
22:06:06 I see: `%a = 0' for root packages (not installed as dependencies), and %o for origin.
22:06:53 angry_vincent: Yeah. I probably should've worded that better. More along the lines of: Aliases are configured in the /usr/local/etc/pkg.conf file.
22:07:51 ...and listed by `pkg alias'
22:08:31 ant-x: Yep. It'll give you a list of root packages that are installed. So, if you need to re-install your root packages for some reason (like a fresh start), you can use that list to get back to where you were.
22:09:21 Shall I have to process the output with SED or AWK, before feeding it to pkg via xargs?
22:11:38 Nope. You don't even need that.
22:12:34 Can be fed directly to pkg?
22:12:41 'pkg prime-origins > ~/root-pkgs.txt' and then to use it 'pkg install $(cat ~/root-pkgs.txt)' (or however you'd like to parse the pkg data to "pkg")
22:13:05 parse -> pass (I hope)
22:13:28 Yes. Sorry. I'm doing like 4 things at once. :)
22:15:27 Remember: you have but two hemispheres.
22:15:45 Thanks for the help!
22:23:20 I think I have less than that. You're very welcome.
22:29:11 <_0xdd> Hi all! Had a quick question. Finally got around to upgrading to 15.0. I have two encrypted ZFS datasets, one that uses keyfiles and the other that requires a prompt. Since the upgrade, the entire boot sequence is held up by the passphrase prompt for that ZFS dataset. I do have zfskeys_enable=YES in my rc.conf, but I only want the keys loaded for the dataset that uses a keyfile. Any help would be appreciated!
22:29:15 ant-x: having two is nice, I only have one functioning hahaha
22:34:08 Remilia, one is functioning, the other is for appreciation of all things beautiful.
22:34:24 ...In the meantime, `pkg -f upgrade' has completed.
22:34:44 And I do not see any regressions.
22:36:14 Unfortunately, it has not fixed a Subversion bug whereby it hangs forever: .
22:42:12 * ant-x keeps his .dot files in a Subversion repository, so a broken svn is a nuisance!
22:42:27 .dot files? That's a tautology.
22:52:17 ant-x: Does "git svn clone" work?
22:52:56 I haven't used subversion in a long, long while. But, I have cloned using "git svn" a few times in the somewhat recent past.