-
polarian
Folks, two SAs have been released, a list of openssl vulnerabilities which seem to allude to an RCE
-
polarian
I haven't looked into it yet, take it with a pinch of salt
-
polarian
errr...
-
polarian
anyways also security patch to jail
-
polarian
please update! This affects all supported releases :)
-
polarian
i'm going to leave my buildworld going overnight :)
-
jack-sparrow
i can't get redmine working with nginx passenger and postgresql
radio.yapyap.life
-
jack-sparrow
could someone help me?
-
jack-sparrow
by /usr/local/etc/nginx/nginx.conf and nginx/config.d/redmine.conf
-
jack-sparrow
my*
-
rtprio
what's the problem?
-
jack-sparrow
rtprio: sorry i was trying some commands but it just loops
-
jack-sparrow
no web app availe
-
jack-sparrow
available
-
jack-sparrow
i so boring
-
jack-sparrow
i'd like it to work
-
rtprio
jack-sparrow: looks like you're almost there, is redmine configured correctly?
-
jack-sparrow
what does redmine configured correctly look like?
-
rtprio
redmine_plugins_directory ?
-
rtprio
this really isn't a freebsd problem, can you ask in a redmine channel?
-
rwp
I have used rails with nginx+unicorn and with apache+phusion but not nginx+phusion but the errors say puma errors. And also undefined method `redmine_plugins_directory'. So seems there are multiple configuration errors.
-
rtprio
i just use gitea/forgejo which is a single go binary and a lot easier to plop behind nginx
-
AmyMalik
I invented a script machinery to have git generate dumb repos every time I push to my gitolite, and then use stagit to generate overviews of my smaller repos. It doesn't really scale well but w/e
-
gp5st
random question and not specific to freebsd, but I thought it might be worth asking? Are there any applications (or ssh options) that'd run on the "server" and connect to a remote network endpoint and then expose that via stdio to the "client" where i'd be exposed as a local network port? does that make sense?
-
gp5st
specifically I have a kubernetes cluster and a separate db server not accessible publicly. every now and then i'd like to be able to connect to the database server, but don't want to open it up, and I've been resisting setting up wireguard or openvpn on the cluster and having it run, though I don't have a great reason for not doing so...something about it feels like it has a smell? but I can't put my finger on it. I can't access the
-
gp5st
nodes of the kubernetes cluster directly, I can only run containers on it.
-
mjp
ssh tunnels do exactly this
-
mjp
a package like autossh can ensure the connection stays up
-
gp5st
mjp, I can't ssh into the machine, otherwise that'd be exactly what I need
-
mjp
how do you expect any solution to work if you don't have open ports or connectivity to services available?
-
gp5st
mjp, I can run containers with stdin and stdout access and have just been avoidant of adding firewall exceptions. I was hoping that the proxying could be done via stdin and stdout
-
mjp
not sure i follow :) if you don't allow some kind of network connectivity you won't be able to connect
-
gp5st
mjp well I was hoping i could have something connect from the container running in the cluster to the database, and something on my computer that'd expose a local network port, but that they could talk to each other via stdio instead of directly via networking
-
rwp
That description was pretty confusing to me too. I would always ensure I have ssh access available, possibly through a bastion host. If there isn't any ssh then that's beyond me.
-
rwp
How can stdin not be using networking? Isn't that the same thing?
-
gp5st
rwp, they do use networking, but via whatever the kubectl command is doing. I can't ssh into the hosts directly. I can only run things via the kubernetes control plane.
-
gp5st
I'm not expecting blazing performance or anything, fwiw :)
-
rwp
I am not a k8s person but that just sounds too limiting to me.
-
mjp
i would just open the ports required/expose the services that need to be exposed, use a firewall if required
-
rwp
How is it that you were wanting to "access" the database? For me that would be the command line "mysql" command. But were you thinking myphpadmin or something?
-
black
rwp: hello
-
rwp
Hello black. If you have a question just ask it. If you just want to chat then #freebsd-social is the chatting channel.
-
gp5st
rwp, I am fine with the mysql and psql command line tools and running those in a container and connecting to the db is how I do anything I need to do. teammates like using fancy guis and stuff though, so... :-\
-
gp5st
mjp, yeah, it's doable, but I'm just trying to avoid exposing stuff
-
mjp
exposing stdin is still exposing stuff btw
-
rwp
I would not expose anything that isn't meant to be exposed, such as ssh which is designed for it.
-
gp5st
mjp, stdio is being proxied via the control plane inside of whatever connections k8s is using for client-server, not a direct connection to the internet
-
rwp
gp5st, Do you have console access? You could then log into the console tty for it.
-
gp5st
rwp, i'm pretty much doing that when I run mysql or psql in a container
-
rwp
So... Then that's available to you? And good enough?
-
rwp
I use the console routinely. So that's generally good enough. Though it is a little tedious that there is no SIGWINCH there and have to manually size terminals.
-
gp5st
rwp, it's fine for me. like I said my coworkers like using guis for stuff. I like being in the terminal personally
-
rwp
I only use the command line but I have set up phpMyAdmin for coworkers before. That can be set up behind an http basic auth proxy to keep it secure. Perhaps you can create a k8s node for it?
-
rwp
Of course my assumption that it is MariaDB will offend sensible people using Postgresql. But statistically speaking it is probably MariaDB so...
-
gp5st
it's both. they like their desktop apps
-
gp5st
i figured it was worth an ask at any rate
-
rwp
Kubernetes environments are pretty specialized-weird environments. Things are done differently there. And it always feels very bizarre to those of us not working in it.
-
gp5st
it's not that bad tbh. we made a conscious choice to use a hosted service to run the cluster (AWS EKS) and to choose that we don't want to be able to ssh into the boxes so that they stay "stock" and can be upgraded without issue via the service
-
rwp
Okay so it is AWS. Then can you set up a (bastion host) node that can access the database and use it to provide whatever access you need? You don't need to actually log into the database host itself.
-
gp5st
we're primarily using it for basic "HA" and as an organization medium for small apps. It works pretty well for us.
-
rwp
There is no problem that can't be solved by adding another layer. Except for the problem of having too many layers.
-
gp5st
I could set up a bastion. I was just hoping to not have an extra thing to manage
-
arch-nemesis
This is a very stupid thing to do, I know, but if I setup 15.0 with pkgbase and `pkg delete -a` it leaves the system un-bootable, even if you remove all the required packages.
-
arch-nemesis
kind of expectable.... but it's a different behavior than what would happen before.
-
arch-nemesis
I mean even if you answer "Y" every time pkg prompts you to remove a required package. Obviously, it doesn't include all the required packages.
-
moviuro
freebsd-update(8) IDS reports that my timezone file is broken (SHA mismatch): how do I fix it?
-
moviuro
exact message: /usr/share/zoneinfo/Europe/Paris has SHA256 hash 963879dc1b49a414519cf17ef85fe7bf314611b52169d7f37aa56d4b79b622b8, but should have SHA256 hash ab77a1488a2dd4667a4f23072236e0d2845fe208405eec1b4834985629ba7af8.
-
vkarlsen
Mine is ab77a1488a2dd4667a4f23072236e0d2845fe208405eec1b4834985629ba7af8 (15.0p1, FreeBSD-zoneinfo-15.0)
-
pertho
hey can anyone tell me if/when wow64 support will be enabled in wine? wine_devel 11.0 has it disabled:
github.com/freebsd/freebsd-ports/bl…ators/wine-devel/Makefile#L157-L160
-
polarian
guess what idiot left make buildworld going overnight but forgot to pass the -j flag
-
polarian
10 hours wasted using only a single core
-
polarian
fuck!
-
pertho
bloody hell.. shoot me now.. one of the other sysadmins at $day_job is using Gemini to update PHP code *facepalm*
-
vkarlsen
polarian: At least the power consumption was low :D
-
nimaje
pertho: well, old wow64 is supported, the hack where you install a 32bit version of wine into your user's $HOME, new wow64 isn't supported yet where wine is built with support for both 64bit and 32bit, sadly neither the commit message nor the problem report updating wine-devel to 11.0 say why it isn't supported or what the current plan is, maybe you just have to enable it when building
-
polarian
vkarlsen: lol
-
pertho
nimaje: yeah it doesn't seem complete, and I can't find any messages on any of the FreeBSD mailing lists from a "monwarez⊙mo" (the maintainer according to the Makefile)
-
pertho
nimaje: ahh didn't think to check bugs.. cheers
-
lucius
I followed everything in rtw89(4), but it still doesn't appear when I run ifconfig, am I missing something?
-
[tj]
what does: sysctl net.wlan.devices
-
[tj]
contain
-
lucius
net.wlan.devices: rtw890
-
[tj]
ifconfig wlan create wlandev rtw890
-
lucius
it works, I thought there was a mistake, but I could have just continued with the handbook instructions, thanks [tj]
-
[tj]
no worries, it is not obvious if you don't come at it from the right angle
-
vortexx
Any iocage users around? I've borked a jail: I interrupted by mistake "iocage update $jail" and then it wouldn't complete, so I tried to restart it. It wouldn't shutdown so I used iocage stop --force . Now when I try to restart it I get: + Executing exec_poststart FAILED
-
vortexx
Script is not executable!
-
vortexx
I've tried reverting to earlier snapshots created by iocage before update and none of them work
-
vortexx
I'm on FreeBSD 14.3
-
CrtxReavr
polarian, if you ^c out of the build and re-run, the already built components should be fine.
-
CrtxReavr
(re-run with -jX I mean)
-
CrtxReavr
(I have the best luck with 1.5 * Cores. . . cores, not hyper-threads.)
-
polarian
CrtxReavr: I am aware :)
-
polarian
it's still annoying
-
polarian
because I woke up to realise it wasn't done compiling... 10 hours wasted
-
polarian
it takes 6-7 hours to compile base and kernel
-
polarian
old laptop :p
-
polarian
but yeah after backing out and doing -j4 it compiled an hour or two later, and that was hours ago now
-
polarian
:)
-
CrtxReavr
For a time (years ago) I was using a 486/66 as a natd box. . . a buildworld would run about 24 hours on that bad boy.
-
polarian
damn
-
lts
I have poudriere running and building only the ports I want to configure with non-default options, and the dependencies are downloaded via pkg. When a patch release happens, but all packages have not yet been built, poudriere detects this and starts to build them itself. At the same time, I want to automate poudriere. Is there a way to automate poudriere so that it doesn't start building if the
-
lts
dependencies are not yet available as packages?
-
polarian
lts: you have pkgbasified? :/
-
lts
I have indeed
-
polarian
:(
-
polarian
death to pkgbase!
-
polarian
:)
-
polarian
Hey is anyone able to update the desc of my talk
-
polarian
I updated it on pretalx, there was a bunch of grammar mistakes which I have fixed :)
-
pertho
does freebsd have a non-github place for the repositories? github seems to just rate limit when you breathe on it.
-
[tj]
git.freebsd.org ?
-
pertho
ah ha cgit.freebsd.org.. perfect
-
AmyMalik
this is gonna sound like a stupid question: is RES in top reflective of a program's actual memory usage, assuming no swap?
-
AmyMalik
i had been assuming it was
-
AmyMalik
massively unhelpful and appears to confirm my initial assumption
-
[tj]
RES is the resident set size, it is the pages a program has allocated and "touched" sans those swapped out
-
[tj]
the wikipedia page is succinct, but correct
-
nimaje
pertho: the repo on github is just a mirror of the official one on git.freebsd.org and cgit.freebsd.org is a web interface to the official repo
-
nimaje
stuff like overcommit, mmapping files and copy-on-write makes measuring memory usage a bit difficult
-
rtprio
dvl: would you be willing to share your nagios pkg-audit script ?
-
rtprio
thank you
-
rwp
dvl, Unsolicited comment from the peanut gallery: "NOTE: This repo is not my go-to-place for these scripts. I've collected them here for public convenience." In this new world where everyone typos that sentence just reads a little funny to me.
-
dvl
rwp: Type, or public convenience == toilet?
-
rwp
I initially read that as "... is /now/ my go-to-place...". And then drew up short and read it again. In the end I don't quite know what to understand about that git repository.
-
dvl
I have those scripts in an ansible repo. That's the real location.
-
rtprio
i need to figure out my nrpe or ssh checks
-
rwp
dvl, Okay. Gotcha. Now I understand. May I unsolicitly suggest more or less saying, hey, I am not actually using the files from here live, I am using other files for real, I just copied them here a while ago to share. I might have changed all of them since throwing them here. :-)
-
rwp
In any case, obviously I was interested in looking. Thanks for sharing them! :-)
-
rwp
moviuro, If I had that problem of having found a modified file from base and wanting to update that file individually I would fetch the base.txz bundle of base files and then extract that one file from it and fix up that one file.
-
rwp
For example for 14.3R "fetch download.freebsd.org/releases/arm64/14.3-RELEASE/base.txz" and then for your example "cd / && tar xvf ~-/base.txz /usr/share/zoneinfo/Europe/Paris"
-
rwp
However how would only ONE file become corrupted? If that part doesn't make sense then I would suspect that where there is one corrupted file that there are probably many corrupted files.
-
rwp
But if I were pretty sure it was just me who broke something then sure I would just fix that one file I created.
-
rwp
And then I would move to zfs and enable automatic snapshots. With zfs auto snaps enabled here I would compare /usr/share/zoneinfo/Europe/Paris against /.zfs/snapshot/zfs-auto-snap_weekly-2026-01-04-00h14/usr/share/zoneinfo/Europe/Paris for example and update from the auto-snap snapshot.
-
rwp
Also if there were some underlying hardware problem that corrupted the data then zfs checksums would prevent that being silent in the future.
-
dvl
NOTE: These scripts were copied here from my actual offline repo.
-
dvl
They worked at the time, but may become out-of-date.
-
rwp
dvl, Nice clarification. I like it! :-)
-
dvl
updated
-
dvl
thanks, working, or would not be so short.
-
mns
How do I see if snapshots are enabled for my ZFS partitions? I thought that was done by default but apparently not. `zfs list` gives me zroot/usr/home which is mounted at /usr/home. Where would the .zfs/snapshot be? in /usr/home ?
-
rtprio
zfs list -t snapshot
-
rtprio
they're "enabled" but have you made any? they don't happen automatically
-
rtprio
the .zfs/snapshot directory would be /usr/home/.zfs/snapshot
-
mns
I see zroot/ROOT/default and zroot/containers in the output for 'zfs list -t snapshot' but nothing for zroot/usr/home.
-
mns
rtprio: I was under the impression that whenever there were changes on the filesystem, like deleting files, etc. that a snapshot was taken. When I worked at the place that destroyed Sun, that used to happen "automagically" and I just thought it was default behaviour. I'll have to learn ZFS a lot more now.
-
rtprio
nope, not automagic. there are tons of scripts which will run `zfs snapshot` for you as often as you like
-
mns
oh
-
mns
I wonder how they did that. Will have to check with coworkers that are still there.
-
rwp
I have been using the older zfstools zfs auto snap but these days most people recommend sanoid.
freebsdfoundation.org/blog/zfs-auto…ic-snapshots-with-sanoid-on-freebsd
-
mns
I wonder how the snapshots for zroot/ROOT/defaults got taken. Must be as part of the upgrades
-
rtprio
mns: bectl
-
rwp
freebsd-update automatically makes a couple of snapshots over its upgrades in conjunction with Boot Environments. See: bectl list
-
rwp
(beadm is the original tool, which is now in ports. bectl is a recreation, resides in base.)
-
rwp
Over time and major upgrades those will consume disk space and it's unlikely needed past a certain point. I review them manually and expire them off after I am sure I won't need them anymore.
-
mns
how do I get more info on a snapshot, like when it was taken, etc.
-
rwp
See "zpool history".
-
mns
thanks
-
rwp
The Boot Environments are just slightly more complicated. I would use bectl (or beadm) to manage them. "bectl list" and if you want to remove one "bectl destroy $theonehere" and it will take care of the snapshot and the clone together. Because Boot Environments are live file system clones based upon a snapshot.
-
rwp
But for the other snapshots feel free to manage them manually as you wish.
-
wavefunction
Just did a pkg upgrade for the FreeBSD OS packages. Went smooth, through a reboot and everything.
-
rwp
Woot!
-
mns
wavefunction: using pkgbase?
-
wavefunction
mns: Yes, sorry -- couldn't remember what it was called