-
aftergluhwine
dogg0, that has nothing to do with your shell or term, I can reproduce exactly this behaviour by pressing ': <alt>-a' in vi (not sure why I press this, but sometimes happens). You can simply exit this state with ':q'
-
aftergluhwine
this doesn't happen in vim though; must be another key combo there
-
aftergluhwine
<ctrl>-w, s actually splits the screen in vim, vi probably has similar functionality. Anyhow, ':q' solves your 'problem' dogg0
-
Macer
so i'm trying to work out getting my nvidia P400 into a jail and i'm working on seeing if it works at all on the host and got this...
his.macer.life/@macer/115785009424595380
-
Macer
fatal trap
-
ant-x
vkarlsen, Stuck in the middle with you -- got it.
-
nimaje
Macer: you already tried to use it directly and it works like that? I have no idea what a jail should make different there so that it leads to a trap in kernel
-
Macer
nimaje: i didn't even get to the jail part yet. i was just seeing if nvidia-smi worked on the host
-
Macer
i'm not sure how important it is to do nowadays but i vaguely remember having to put it in persistent mode to get it working with plex or jellyfin. but maybe i'm wrong. i just finished getting jellyfin running in a jail so i'll have to test it out
-
nimaje
ok, yeah no idea about nvidia, you writing jail in that message made it seem like it was jail-specific and I wanted to confirm that
-
Liaf
I'm currently testing FreeBSD 15.0 and I tried the auto-installer with ZFS. According to the handbook I should use twice the size of RAM for swap. So since my vm has 4G RAM I expect swap to be 8G but the installer suggested 2G. Is that just the installer default or did something change here?
-
nimaje
that is the installer default, but well, you don't need as much swap anymore, for kernel crash dumps it would be good to have the same amount of swap as ram, but else you need less and less swap as you increase ram, not sure where the 1:1 ram:swap suggestion lies, I think it was with 1G ram and with 16G I think the suggestion was 2:1, but not sure about those numbers
-
Liaf
Okay, I guess for my 8G machine I will just use 8G of swap then.
-
Remilia
Liaf: if you plan to use poudriere (you probably don't) and you have less than 64 GB RAM with 8+ cores, you might want 32 GB of swap space just in case
-
Liaf
Remilia: I won't use it. I currently just test 15.0 a bit on my local hypervisor to get a feeling for what I want when I migrate my mail and nextcloud server :-D
-
polarian
I was thinking today about freebsd supply chain attacks, if I remember correctly the port mirrors are not signed by anything...
-
Liaf
My two largest struggles at the moment are a) switching from UFS to ZFS which I haven't used since 12.x I think and b) if I want geli encryption on a remote server or if the hassle isn't worth it :-D
-
polarian
would be cool if we could embed signify into pkg and the releases
-
Liaf
polarian: isn't there a checksum on the ports git? I thought that gets verified but I never checked
-
polarian
Liaf: a checksum isn't the same as cryptographic verification, and I don't know anything about this
-
ant-x
GNU Privacy Guard supports cryptographic signatures, but it has the wrong license...
-
Liaf
polarian: what do you mean by cryptographic verification?
-
ant-x
Liaf, IMHO, is the process whereby the author signs a file with his public key, so that the receiver can verify its authenticity.
-
BarnabasDK
ant-x: you sign it with your private key. the receiver can then verify the signature using your public key
-
BarnabasDK
or decrypt if needed
-
BarnabasDK
of course you then need the receiver's public key to encrypt
-
Liaf
ant-x: ah, got it.
-
ant-x
BarnabasDK, yes, but there's also clearsigning, where the payload is not encrypted, if I am not in error.
-
BarnabasDK
ant-x: yes.
-
» ant-x nods.
-
BarnabasDK
the receiver still needs your public key to verify
-
ant-x
Yes, I never said he did not. But this is /exactly/ the same as with checksums: you need the checksum to verify.
-
nimaje
Liaf: I don't know any published checksums of the ports tree, the individual ports contain checksums for most stuff that gets downloaded, to ensure that it is exactly what was expected, but that doesn't mean the sources the ports maintainer writes into the port are what was released by the upstream maintainer and that also doesn't mean anything for the resulting pkg, but the resulting pkg repo
-
nimaje
should be signed by the builder (see signature_type in the repo config, but not sure what guarantees the default of fingerprints gives)
-
BarnabasDK
well a checksum has not got anything to do with authentication, just verification of the file contents imho
-
BarnabasDK
which may be all you need
-
Liaf
nimaje: yea, I was thinking the threat model was that someone takes over a mirror. Then the checksum would be enough to verify that it differs from the original file. If we talk about someone compromising the whole "update" of a port then yes, the checksum is not enough.
-
Macer
hm. i managed to get the nvidia driver installed but it doesn't seem to want to work for a jail
-
Liaf
On my test system I've added a user and set the home directory to be encrypted with ZFS. I set a passphrase and rebooted the system. However, the system decrypts the home directory during boot but I cannot find where it stores the key. Any idea where to look?
-
nimaje
hm, the pam module responsible for unlocking is named pam_zfs_key, but it seems like it is missing documentation, iiuc it uses the password of your user in some way for unlocking
-
nxjoseph
latest firefox-esr-140.6.0_1,2, youtube can play anything but live streams
-
linXea
I have to say that v15.0 is really nice. Also first interaction with packages instead of distribution sets.
-
Liaf
I didn't try the packages yet but I guess I'll reinstall it later anyway :-)
-
Macer
hm
-
Macer
./nv-freebsd.h:17:2: error: This driver does not support FreeBSD-CURRENT!
-
Macer
and i'm running RELEASE
-
Macer
kind of odd
-
Macer
blah. i'm at a loss here. i really don't know where to even look
-
cndghm
Hello everyone, I would like to talk about (kinda ask for advice) setting FreeBSD. I have been running freebsd 15 stable, no problem with the system. Everything works fine, I wonder, how do you guys manage to upgrade systems... Let me explain, I'm thinking to switch to freebsd current, but I would need to save my gpg keys and all config files. Do you guys keep one system with a stable release and another
-
cndghm
one to run test (like current, or openBSD, netBSD, etc...)?
-
nimaje
you know that current and stable are development branches? But you should be able to just upgrade without losing what you have saved on the system as long as there is no bug that deletes random user data. So you should keep backups anyway, as bugs happen
-
cndghm
I didn't know that both are dev branches. I will do some research about how to upgrade. I'm still learning more about FreeBSD
-
cndghm
But yeah, I will do backups before trying to update
-
rtprio
if you're a new user, i don't know why you would want to use current
-
ivy
if you use zfs, you can use bectl(8) to make a copy of the current system before upgrading
-
nimaje
"stable" in the freebsd version means the ABI (and KBI I think) stays stable and is the branch to develop the next minor release, stuff from current can get merged in there as long as it doesn't change ABI
-
Macer
ok. i'm at a loss with this :/
-
Macer
i guess maybe native fbsd nvidia driver doesn't come with cuda?
-
rtprio
I don't know but I wouldn't count on it
-
Macer
and the actual nvidia one thinks i'm running CURRENT heh
-
Macer
sigh
-
Macer
otherwise jellyfin seems to run great
-
rtprio
hrm, my jellyfin does fine with software
-
rtprio
are you doing much transcoding for your media?
-
ivy
if it's for jellyfin, don't you only need NVENC, not CUDA?
-
cndghm
rtprio: I'm trying to learn to contribute to FreeBSD, so using current seemed to me like a good option.
-
cndghm
nimaje: What do ABI and KBI stand for?
-
rtprio
uh
-
cndghm
Never mind, just googled it. Silly question
-
Macer
ivy: not sure heh
-
Macer
either way i can't get ffmpeg to use it on the host either
-
Macer
guess i'll have to do it the ugly way and use a VM and pass the gpu through
-
Macer
that kind of sucks. i sure wish i could sort out how to get this nvidia P400 working in a jail properly
-
Macer
crap. i really should have used beadm for this
-
Macer
i totally forgot to snapshot the boot env so now i'm sure i have proprietary nvidia module stuff everywhere and that didn't work anyways
-
Macer
think i'll just go ahead and start over and start with the gpu
-
afterglow
Sounds like my way of working, Macer, I always think of taking snapshots after the harm has been done
-
Macer
yeah
-
Macer
because now i'd have to hunt down wherever it put them
-
Macer
let me look at the install script and hunt it all down manually
-
rtprio
Macer: can the host not keep up without acceleration?
-
Macer
rtprio: probably.. but why do that when i can use the lower powered P400
-
Macer
it's a ryzen 3700x so i'm not sure where that would top out at
-
Macer
i had nvidia-smi working .. .other than it causing a reboot when trying to put it in persistent mode
-
Macer
but i couldn't get it working on the host with ffmpeg or in a jail with either ffmpeg or jellyfin
-
Macer
so i tried the proprietary drivers and those didn't even work with nvidia-smi
-
rtprio
my jellyfin is a vm on a E5620 and it does fine for less than 4k
-
Macer
ok.. i managed to get it back to the state it was in prior to using the stuff FROM nvidia
-
afterglow
pfew
-
Macer
although i think i'm at the point where i'm about to just pass it through to a vm
-
Macer
this seems impossible. i can't really find much information on how to do it either
-
afterglow
you're a pioneer, our Columbus
-
ivy
Macer: at some point this was just broken, not sure if/when it was fixed, you might want to search bugzilla
-
Macer
ivy: what was?
-
ivy
Macer: nvidia passthrough
-
Macer
oh. for bhyve?
-
ivy
yes
-
Macer
well.. it seems broken altogether for me right now :)
-
Macer
like i don't understand how you're supposed to get it working
-
Macer
i almost feel like tossing my arc in it but the arc probably has worse support than the nvidia
-
rtprio
what is arc
-
dkeav
intel discrete gpu
-
rtprio
i've thought about slapping a gpu in my r710 bhyve host
-
Macer
[hevc_nvenc @ 0x32774cc1b500] Cannot load libcuda.so.1
-
rtprio
but without gpu passthru what's the point
-
Macer
blah
-
Macer
yeah heh.. using proxmox all you have to do is ckick and add render128 to a container and it "just works" (tm) ... the arc at least
-
Macer
*click
-
Macer
this is more of a personal project to see if i can find parity between proxmox and freebsd ... i sort of figured i'd have a huge hangup with this part
-
rtprio
i don't need/want the clicky proxmox; just need to wait until some patches land for bhyve
-
rtprio
saw a usb passthru is in the phabricator
-
Macer
i sort of expected it to work in a jail fairly easily .. but i can't even get the transcoding working properly on the host .. let alone a jail
-
Macer
i guess the nvidia stuff is only meant for using a desktop maybe and just isn't built for this stuff for fbsd?
-
rtprio
it should still transcode, without the video card
-
Macer
oh. sure. i can do it on the cpu.. but.... :/
-
Macer
that just isn't efficient nowadays
-
Macer
and i mean... my P400 absolutely crushes the cpu transcoding .. and that thing is ancient.. my arc absolutely crushes the P400 :)
-
Macer
those intel arc cards are something special
-
Macer
(for this use case)
-
ivy
i mean, the P400 is almost 10 years old :-) but yes, Intel does provide quite decent encoding hardware, i think those even have AV1 support
-
Macer
they do
-
Macer
my ryzen 3700x that i'm doing this on is rather old too.
-
ivy
i thought about putting one in here, but i already have 2 x8 cards (nic, hba) so i'd have to file off one of the x4 slots to fit the gpu in
-
Macer
i actually replaced it with a 1u supermicro that has an arc in it for proxmox just for this
-
Macer
yeah i had the same problem. i was going to use an arc in an ancient 1u i had but it doesn't have pcie notches
-
Macer
notches should be standard :/
-
ivy
they probably omit them deliberately for market segmentation
-
Macer
yeah but the 1u is a server board lol
-
Macer
it's kind of rare to see the notches though. i guess maybe some boards have them.. like back in the day i'm sure there were plenty of boards with 8 pcie x1 slots with notches
-
Macer
i think then people were actually cabling them into cages or something. blame matt damon.
-
nimaje
why do you want to transcode those videos? isn't the result of that mostly quality loss?
-
ivy
nimaje: imagine you have a library of high quality (4K) HEVC/AV1/whatever movies, and you want to play them on some old streaming stick that only does AVC, or only can decode 1080p, so you have to transcode it
-
ivy
yes, it reduces quality, but it's not really noticeable for casual viewing
-
ivy
most people prefer to transcode on the fly rather than keep 2+ encodes of everything around permanently
-
ivy
also tonemapping HDR movies for SDR playback, although i'm not sure if hardware encoding actually helps with that...
-
Liaf
I am still confused about my encrypted test home dir.
-
Liaf
I have checked that zroot/home/test is encrypted with a passphrase and the keylocation is "prompt".
-
Liaf
I found that in /etc/rc.d/zfskeys somehow the keys are loaded but somehow the system manages to decrypt the dataset without me entering a passphrase.
-
nimaje
iiuc the password is the same as for your user and pam_zfs_key supplies it when you login for the first time (but currently misses unmounting the dataset when you log out of all your sessions, so it will remain readable until reboot)
-
Liaf
I mean it's readable after reboot as well. I rebooted the system. Logged in as root via console and accessed the home dir.
-
Liaf
No password or passphrase of user 'test' required
-
Liaf
I mean it's pretty convenient but I would like to understand what happens :-D
-
nimaje
ah, wait, did you add that user with encrypted home in the installer or manually after the fact? What I wrote should apply to the first case, but I only read a bit about it, I didn't play around with it yet; if you do it manually you can many things
-
nimaje
rc.d/zfskeys should only apply if you have zfskeys_datasets in rc.conf (and maybe zfskeys_enable)
-
Liaf
I added the user with the adduser command afterwards
-
Liaf
I also checked and zfskeys is disabled so that wasn't doing the trick anyway
-
Liaf
The key is also unavailable the whole time.
-
mzar
Liaf: maybe it's not encrypted ?
-
Liaf
zroot/home/test encryption aes-256-gcm -
-
Liaf
It should be but I just saw that if I execute mount the dataset does not show up. Only zroot/home shows up
-
mzar
OK
-
mzar
so you have to decrypt it on login
-
mzar
do you have the password aka key set ?
-
Liaf
A passphrase, yes
-
mzar
does it match user password ?
-
Liaf
No
-
Liaf
But I think adduser created the directory and uses it though there is an unmounted dataset
-
mzar
if it doesn't match user's password, you will not be able to unlock it with pam module
-
mzar
can you load the key ?
-
mzar
zfs load-key -a
-
Liaf
I can
-
Liaf
And I just figured it out
-
Liaf
It's like I said. adduser creates the directory and afterwards it creates the dataset
-
mzar
do you want to unlock it by hand from root's account ?
-
mzar
OK
-
Liaf
So after reboot there's an empty "home" that is accessible but the real "home" is unmounted
-
Liaf
I deleted /home/test loaded the key and zfs mount zroot/home/test
-
Liaf
Now it's not only there but all the .files are also in the directory.
-
mzar
do you want to poke it with each reboot ?
-
Liaf
Well I would like for it to be encrypted and get decrypted at login (gonna test this now with a new testuser and passphrase == password as you mentioned).
-
Liaf
I'm just happy I figured out that I had "two" directories and one wasn't the dataset
-
mzar
Liaf: when dataset name will match username and dataset password will match userpassword, and user needs password for logging in, you can use pam module for automation
-
mzar
but if for example your user logs in via ssh it will not work
-
mzar
but you can still add extra, encrypted dataset for this user and use pam module
-
Liaf
Okay, for now I am very happy I figured out what I did wrong :-D
-
Liaf
Now the next step is to figure out if I want full disc encryption with geli and if I want ZFS encrypted home on a remote server. Both I have to decrypt every time first :-D
-
Macer
boom.. ffmpeg works.. now to sort out how to get jellyfin to use it lol
-
Macer
i wonder if i can just use an alias for it somehow.. is there a way to make global aliases?
-
cyric
Macer: just create a wrapper?
-
Macer
cyric: hm
-
Macer
is that something that can be done in jail.conf?
-
Macer
i just need the jail to use nv-sglrun ffmpeg instead of just ffmpeg
-
Macer
unfortunately jellyfin for fbsd doesn't let you change this
-
Macer
i wonder if the linux ver does
-
Macer
guess not. it only has the path
-
trillerd
experience*
-
Macer
is there some universal way to force ffmpeg to run as 'nv-sglrun ffmpeg' in freebsd?
-
Macer
this seems pretty hard coded in jellyfin
-
Macer
so using gpu passthrough to bhyve doesn't work. using an ubuntu jail isn't too practical because you don't get vnet... and i can't sort out how to force ffmpeg to use nv-sglrun. so looks like i hit a brick wall with hw accel for jellyfin. i'll leave it alone for the rest of the day.
-
nimaje
what about the wrapper script suggestion? and what problem did you have with a vnet jail?
-
Macer
nimaje: i don't think linux jails support vnet.. only alias. at least bastille doesn't do it
-
Macer
nimaje: as for a wrapper script. i wouldn't know where to start there .. mostly because even if i did make the script how would i get jellyfin to use it when it seems to only want to use the ffmpeg bin heh
-
Macer
i tried making a basic script and moving ffmpeg to ffmpeg.bin .. that didn't work. i think jellyfin is actually hard coded to check for a ffmpeg bin.. but their matrix bridge is down now because of the earlier tomfoolery
-
nimaje
I don't see why linux jails wouldn't support vnet, but maybe the linux userland doesn't have the tools to configure interfaces on freebsd, then you would need to configure it from the host, most commands have a -j <jail id> option for that
-
LXGHTNXNG
Is lang/erlang broken with ODBC enabled?
-
nimaje
why do you ask? at least it is not marked as such
-
rtprio
Macer: yeah, afaik jellyfin uses its own bundled ffmpeg
-
rtprio
Macer: could you relocate that ffmpeg.bin to a shell script that calls "nv-sglrun ffmpeg.h0h0 $@"
-
wipt
This may be a bit dense, but I'm using "cp -a" and getting a bunch of chflag errors saying that the operation isn't supported. I'm trying to copy from a local pool to a NFS mount. All files are 755 and chown'ed to my current user. I've also set the same permissions on the mount point on both ends.
-
nprice
wipt: my first guess would be that files on your local system have some sort of ACLs enabled that the NFS mount isn't configured to support and so cp fails to set the mode on them
-
nprice
wipt: I might try rsync instead of cp because I believe you can have it do things like drop ACLs when you copy files
-
wipt
nprice: shouldn't be any ACLs set. Pretty simple set up for a family server.
-
nprice
wipt: what happens if you try cp -R instead of cp -a?
-
nprice
wipt: also maybe the NFS service doesn't have the rights to set the permissions on the target files
-
wipt
nprice: -R is clean, it's the -p flag that's doing it. I don't think I have this issue within the same pool.
-
wipt
maybe the uid is different across the systems -_-
-
nprice
wipt: that'd probably do it
-
nprice
wipt: have you tried to chown/chmod things over the NFS mount
-
wipt
same uid...
-
rtprio
which files?
-
dkeav
same group id and groups exist on both?
-
wipt
gid is different across systems, 1001 vs 0, both should have the user in the wheel group.
-
dkeav
right, but cp -a is the same as cp -RpP and -p is trying to preserve the group id which doesn't match
-
dkeav
it's trying to preserve a lot of things, but that's the one that has bit me in the ass before, so maybe a place to look at
-
wipt
dkeav: but the cp man page says that if the uid "and" gid can not be preserved, no error is printed. Is that an inclusive "and"?
-
nprice
see if you can chgrp a file over nfs to 0 (or 1001)
-
dkeav
wipt: i think that may refer to copying within the same filesystem, not to NFS
-
Macer
It looks like Jellyfin for FreeBSD just uses the ffmpeg in pkg / ports
-
Macer
rtprio: I tried that.
-
Macer
It still didn’t work. I tried moving ffmpeg to ffmpeg.bin and making a script called ffmpeg to “trick” jellyfin but it didn’t work.
-
Macer
Does $@ accept everything after as input? Maybe that’s where I went wrong.
-
ant-x
$@ does not accept anything. It expands into the arguments, so that "$@" is reusable in invocations.
-
ant-x
This may be the way subcommands such as "pkg install" may be implemented in shell: analyse the first argument, shift, use "$@" for the handler.
-
Macer
ant-x: ah that's what i meant.
-
Macer
essentially takes all the --settings for ffmpeg
-
Macer
rtprio: thank you so much. that did it
-
ant-x
If you passed them.
-
Macer
let me double check that it's using the card
-
ant-x
Macer, you can always debug your scripts, e.g. with echo commands to STDOUT or a log file.
-
Macer
oh wait. no it didn't heh.. i disabled nvenc in jellyfin. let me try again
-
Macer
| 0 N/A N/A 42485 C ffmpeg.bin 54MiB |
-
Macer
SWEET thanks!
-
Macer
probably going to be problematic when ffmpeg gets updated in pkg heh
-
ant-x
Macer, observe that $PATH is searched left-to-right. Put your overrides on the left.
-
nprice
Macer: you can do `chattr schg` to it to prevent pkg from clobbering it lol
-
Macer
lol
-
nprice
pkg will be unhappy but ffmpeg won't
-
Macer
nprice: it's a simple script. i just didn't know there was a $@ option
-
Macer
nprice: yeah :/
-
Macer
it's a terrible way to do it
-
Macer
the only other option would be if there was a different dep with a different pkg for jellyfin on fbsd
-
Macer
that does this for you
-
Macer
#!/bin/sh
-
Macer
nv-sglrun ffmpeg.bin "$@"
-
Macer
just a 2liner heh
-
rtprio
yeah
-
rtprio
Macer: so does that work?
-
rtprio
ill be damned
-
rtprio
you're welcome
-
lockna_
Hello! I just changed my email address on bugzilla and it said I should get a confirmation mail where I can verify the new email address but I haven't received one yet. In the account information tab the new address is displayed as pending. Do I have to wait longer (waiting currently about 10mins) or is this process not automated?
-
Macer
yeah. i tried that but didn't realize i needed a $@ lol
-
Macer
one more thing down i guess. but that's going to be an issue unless i find a better way to do it lol.. i might have to script pkg upgrades
-
Macer
something that moves ffmpeg back and forth
-
dkeav
you're using an external script to call ffmpeg right?
-
Macer
yes
-
Macer
but it has to be called ffmpeg
-
dkeav
why does it need to be in the /usr/local/bin path, just put it in a non conflicting path and adjust your script to its new discrete path
-
dkeav
pkg can update ffmpeg all it wants, your binary is safe over there and the script is still calling it
-
Macer
hm. i can try that out
-
Macer
i'm not sure how jellyfin searches for ffmpeg but hopefully it's from PATH
-
Macer
for now i'm going to work on adding libraries to it now that it's working. i still have to move onto the apache2 jail
-
ant-x
FreeBSD people are moving from jail to jail.