that's weird af

Does blocklistd reap its children?

update: why is blocklistd having children?

update: popenve()

I cant for the life of me make release

it just refuses to fucking work

pkg: Both ABI_FILE and OSVERSION are set, ABI_FILE overrides OSVERSION

when make release

well wtf am I meant to do about this

I have tried my best to follow release(7)

where is your /usr/ports/ports-mgmt/pkg ?

polarian: ?

rtprio: oh fuck sake

thanks

ive had a really shit day, I cant believe I missed that

broken port tree, let me reclone

it looks like that fails, but the following command continues

too much computer hacking, sleep is needed

SarahMalik: nah too much backstabbing

classic coup

polarian, eh?

SarahMalik: long story, basically I volunteer for a project, and I was just coup'd

is that all you are in privilege to talk about here

I thought one of the other members of the leadership was busy, turns out they were waiting for the perfect moment to strike to force a resignation

so I have been pissed off all night

so you were resignationed?

unable to concentrated

etc etc

cripes.

so yeah not too much hacking

too much conflict

cant think

ah

missing the fucking obvious

i suppose the cortisol from that would also result in sleepn't eh

SarahMalik: yeah its 3am and I cant sleep

the worst part is that the project, one of the other leadership is my closest friend

SarahMalik: why did you become Sarah? Aren't your an Amy?

hi all, I've got a problem that I hope you can help me with. I did an upgrade from 14.3-RELEASE to 15.0-RELEASE by creating a boot environment and then upgrading using freebsd-update

okay... and then what happened?

but when I boot into the BE, I found that openssl doesn't have the right libssl.so (libssl.so.35) so I can't really do anything

(i suppose you are typing)

oh

any ideas on how to fix this? I tried downloading the openssl packages onto another comp, ferrying them over and installing them offline with pkg, but I couldn't install probably because pkg was looking for dependencies and can't coneenect because ssl is borked

any ideas on how to tackle this?

was that pkgbase or not

not

openssl used by pkg is part of the base system, it would seem freebsd-update isn't behaving properly

werder: there is pkg-static which you can use

i tried pkg-static but it has the same cert errors trying to connect to the repos

when I run the openssl command it says it can't find libssl.so.35

can you show us the actual errors you're getting then

i've seen this before but i don't recall what the problem was

... ok your new bootenv is fully hosed up

sure, just a minute while I boot the server back into that BE

did you get any errors while doing freebsd-update

no, I didn't see any

did you run freebsd-update enough times?

like all three?

on first boot into the 15.0 BE I ran freebsd-update install, but it said there was nothing to do

perhaps another bad sign?

because one of those times sohuld delete the old version of libssl

IIRC

oh yeah more weirdness

the banner says 15.0-RELEASE-p2 but freebsd-verion says 14.3-RELEASE-p8

which freebsd-version

-k, -r or -u

u

probably -u

yeah the other 2 are 15.0

ug

so 15 kernel, 14 userland

yep

redo the upgrade

but like

the new version of libssl should be installed one of the times

man idk this sunds cursed

is there a way to upgrade just the userland?

going through editing all the conf files by hand for the upgrade was really tedious

I'd like to not do that again if I can avoid it

@SarahMalik yeah maybe I'll just reinstall

was etcupdate impossible to make happen

forgive me for ignorance, but what's etcupdate?

I am looking for some math functions: csinl, ccosl, ctanl. I have searched in /usr/src/lib /usr/lib /lib but have not found those functions. they're supposed to be part of base from what I understand from the internet. Anyone have any idea about where I could find them?

werder, to learn more, `man etcupdate`

@SarahMalik after reading the man page I still am not sure how to use it. Would I run that before trying to upgrade with freebsd-update -r? that's where all the file editing I was complaining about was

it looks like it would be for upgrading from source?

never mind, I just came across wiki.freebsd.org/Numerics and have my answer. Those functions aren't implemented yet. I'll have to find a workaround for compiling GCC Modula-2.

exciting developments

I extracted libssl.so.35 and libcrypto.so.35 and copied them over to the freebsd server (in the 15.0 BE)

then freebsd-update fetch and freebsd-update install was able to complete and now the freebsd-version -u shows the userland is 15.0-RELEASE-p2

but pkg is still trying to pull from the Freebsd 14 pkg base and gets an SSL peer certificate error

ah

odd...

copy in /etc/pkg as well ?

sorry what do you mean about /etc/pkg?

aha, pkg -vv shows it is using openssl-3.0.6 but openssl --version is 3.5.4

and pkg -vv shows that the ABI is Freebsd:14:amd64

maybe it is cursed

the config files for pkg are in /etc/pkg

also try pkg-static bootstrap -f

pkg: Attempted to fetch pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/base_release_0/Latest/pkg.pkg

pkg: Error: Not Found

changed pkg config to quarterly and it completely successfully, but said pkg is already installed (2.5.1)

oh.

ok this thing is cursed. thanks for the help SarahMalik

freebsd-version -u says 15.0-p2 but the ABI is still 14.0

I think I just need to reinstall

perhaps

i have a running process using a bunch of cpu shown as "find" in top, `pgrep -laf find` doesn't find anything, the pid shown for that process by top shows this as the command: / /usr /var /var/log /mnt/fastread /mnt/s

like, no actual executable, just the rootfs. anyone know what this is?

(the command part comes from the output of `ps aux`)

phryk, when did `periodic daily` start?

SarahMalik: apparently right when cpu went up. care to explain your hunch?^^

that's part of some of the tasks that periodic daily runs.

specifically permissions check and cleaning (the latter I recommend you turn off if you plan on installing Steel Bank Common Lisp as it removes essential files that are extended .core)

you should also check root's mail every week at the least.

if you don't have a working mail server, you do need to install one.

if you want to disable these tasks (not recommended) check /etc/crontab

you can also reschedule them there; I did this on one of my installations for Reasons™

yeah, i have a mailserver and once upon a time i had the cron mails forwarded to it, but i think that was before the current deployment.

wonder why it's taking so much cpu for so long tho…

like one core has been going at it full-tilt for ~5.5h now.

yep

it'll do that

it is, and I shit you not, scanning *the entire filesystem* for negative group permissions or core files last modified too long ago

That cleaning feature also deletes innodb files from your mysql databases (staring with #). Took a while for me to find out why mysql in a jail got corrupted

SarahMalik: like, every single mounted partition, including my big-ass filesystems in /mnt? o_O

Afterglow: ouch. i consider myself warned, but glad i chose postgres^^

I use both

phryk, All of them.

Afterglow, I'm wondering if I should disable it in my fork.

SarahMalik: that's cray cray. and having a bunch of them nullfs mounted into jails where i guess the same is happening definitely explains things…

Yeah, you're going to want to turn at least the cleaning part off, and reschedule the jails' scans

But yeah. Check root's mail, or figure out how to forward your cron mails to your mailserver again.

I want to build some s3 storage on freebsd/zfs, what alternatives are there to minio?

I don't know minio, but what's wrong with it?

Afterglow: did you write a problem report for the daily task cortupting innodb?

nimaje, no I didn't. The fix is easy, by modifying daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*" from defaults

phryk: setting noexec or nosuid reduces some of those scans

Afterglow: linuxiac.com/minio-ends-active-development

Tykling: okay, that's indeed bummer

Afterglow: but then only you have the fix and whoever encounters that next has really fun debugging that for a while too

nimaje: makes sense

My -current makeworld bails out with

/usr/src/sys/contrib/openzfs/include/sys/spa.h:1282:26: error: a paramete

r list without types is only allowed in a function definition

1282 | int param_set_slop_shift(ZFS_MODULE_PARAM_ARGS);

This is on an older 15-current. Refreshening /usr/include did not help.

I dunno if any of you remember but yesterday I was here going nuts why firefox was taking 30 secs to launch on my freshly installed freebsd

today I just decided to reinstall freebsd, and welp now it launches in 1 second

No idea how that happened I think something must have gotten messed up in firefox determining whats supposed to be my home folder because it complained about missing some paths to certain folders there (?)

I was about to concede that the world had simply gotten so deep in linuxism that not even a FOSS browser could run on freebsd without kicking and screaming about it

seti: probably a DNS problem.

not helpful.

funny, but not helpful.

ant-x, oh no.

On Windows, one must use as much portable (installer-less) software as possible.

Because installation bloats the global database?

SarahMalik, I think so, yes. And deinstallaions leaves a lot of trash in the registry.

how does one design an OS and DE that badly? (actually, I can imagine how, I'm probably about to do it in the next few years)

iocage has broken a VM again

got logs?

Is anybody using 3proxy <3proxy.ru> ?

SarahMalik: + Starting services OK + Executing exec_poststart FAILED

ERROR:

Script is not executable!

this was a freshly built nextcloud jail

ah

it's pretty non-verbose and /var/log/iocage doesn't contain much

is there a way you can turn up verbosity to try to figure out what iocage is feeding to the jail command or syscall

that's what I'm trying to find out

iocage -9 increases verbosity moderatly, not to the point of telling me which script failed

s/-9/-9

ah

ugh

s/-9/-D

or iocage --debug

[noises of dissatisfaction] #iocage is empty

I use a script to nfs mount dirs into the jail after boot, maybe that's the script not working (or rather stopped working)

just tried to move it out of the scripts dir and iocage start nextcloud but same error

need to unset the variable

ok unsetting (which means using: iocage set exec_poststart='' nextcloud) allows the jail to start normally

would love to know what a series of mount commands is causing issues with

thanks for support SarahMalik

mh still getting http 503 errors when trying to back up over webdav

oh

is nextcloud running?

SarahMalik: it is but there may yet be problems. At least the jail starts cleanly

still having this error when trying to make release

wait lemme make clean and make release again

polarian: what does your release.conf look like?

rtprio: using the default

not specifying a release.conf

besides I am not too sure what a release.conf should look like, I just want to build a damn release before tinkering with it

well, i'll give it a try; wonder if i will have the same results

 

Good day all, i have a question regarding robustness of the filesystem on power loss, using zfs

ask away

does next reboot reconstruct or cleanup automatically ?

I'm not used to zfs

there is no cleanup or reconstruct, writes are atomic

rtprio: 15.0-RELEASE-p2

Ah

but it seems to be working fine now

after make clean, it seems to be doing its magic

will wait and see

Ty

So powerless can't really corrupt the filesystem right ?

powerloss

jfsimon: zfs can recover just fine from powerloss

although I dont recommend it

jfsimon: An interrupted write will not have happened. It will unhappen, in a way.

and because of that there's no fsck

meanwhile on OpenBSD...

:)

; )

got it

is there a way to figure out why a pkg didn't update on arm64 in comparison to amd64? (as in build logs or so)

I noticed now that I dont have the freebsd ports tree downloaded, whats the "canonical" way to download it such that it also tracks various quarterly updates and whatnot

get it from git.freebsd.org/ports

fetch from download.freebsd.org/ports/ports

i don't think there's a canonical way

but how exactly is the ports tree kept updated when one manually downloads it like this?

(I assume) that when its opted-into during install then pkg will help track it to keep it up to date?

no, pkg will not track it or keep it up to date

pkg can keep your packages up to date

i would use git

I see, ok!

but you'd need to manually update it

thanks

rrahl0: yeah, what's that fallout url. portsfallout.com ? there might be another one

rtprio: thanks for the link, but for some reason it doesn't show up, but at the same time the Makefile doesn't exclude arm64. hm

specifically talking about tailscale

alright seems make release finally works

make sure your ports tree is not broken

I assume its required for git port

and can be configured with release.conf

polarian: good to hear

yeah sorry about last night

no worries

rrahl0: you could try building it, i guess?

ill have to look. still very fresh to freebsd. and i am kinda bumped out that you need to build every dependency when you want to build a port

first I wanted to understand why it didn't show up on arm64, but _shrug_ seems like I can't figure that out

rrahl0: that's true.

coming from maintaining packages for a linux distro, it's definitely way different ;)

rrahl0: looking at pkg-status.freebsd.org was the other site that might help you

rrahl0: also it's possible a dependancy failed

rtprio: could be, at the same time I would be shocked (as it's "just" a go application)

still trying to figure out what that site actually wants to tell my besides how many packages failed etc...

hm, seems like it's not in the history anymore, or 143arm64 was never built (for the quarterly)

pkg-status.freebsd.org/ampere3/buil…0arm64-quarterly&build=9c1a2ce37b90 it's queued but there are no active jobs?

rtprio: yeah found finally a way to see the first link myself. now it's only finding the correct build, as it got updated to 1.94.1

so latest build says listed for tailscale/1.94.1, whatever that means :)

in queued

jfsimon: i think ZFS is more likely to be corrupted by power loss. it's unlikely, but quite possible if there is a lot of IO load at the moment when the power loss happens

it happened to me at least once (actually the instance i'm thinking of, it was a kernel panic that halted the system, but the same effect, it seems)

> ZFS is more likely to be corrupted by power loss

over...?

i think zfs maintains many structures of data on disk, so those are not always consistent at every instant of time. i think zfs usually recovers from such things without a problem, but it's possible that it doesn't. that could be a bug rather than an intended failure, though

You think a lot, but do you know for sure? I read two completely different stories about zfs here

ot

(typo)

i'm not an expert on zfs but it surely does maintain quite a bit of on disk state. as a general matter that state can't always be consistent because it's updated with multiple writes

my most recent unrecoverable zpool was a single disk drive that was resilvering and then experienced sudden unexpected disconnection which i think would be comprable to power loss. i don't know why it was resilvering - maybe a faulty cable

Earlier today someone wrote that writes are atomic: either they succeed, or they didn't happen

that would be true of a single write on an underlying device

Ah, okay, so a RAID-1/RAIDz broke, while crashing.

i mean, it depends on what we mean by write. zfs will know how to conclude if the write was successful

yeah, i had a onrecoveraeble snafu when i lost n>2 disk on the bus

but i'm talking about some zfs-related on-disk metadata and state (which is also something that is written to disk)

but that's not the same thing as

Afterglow: actually this was somehow not a raid - i'm not sure why it was resilvering, but it may have been related to previous errors it detected from a bad cable, i think

(ZFS can apparently resilver a one-drive non raid vdev pool)

that's the first time I read this.

i hope i'm not recalling incorrectly. i'm pretty sure that's what it was...

it may be that it was previously a mirror, but then the second drive was removed, leaving only one drive remainign in the mirror vdev

resilvering is restoring the redundancy after replacing a disk. Is it possible to create a mirror on one disk (with two partitions)?

if i'm remembering right, it was previously a mirror on two disks, but i removed the second disk, i think, leaving one disk only. then that disk was resilvering, alone

i think i concluded that "resilvering" was somehow a result of some errors, not related to the mirror status. not sure

i felt it was strange, and i even might have disregarded it, so i think i actually was the one to disconnect it, and that's what made it fail

but there was probably a faulty cable involved, so, that was also a contributing factor

that said...we all have millions of hours of zpools running fine under all sorts of conditions.. so i think the original user shouldn't be too frightened

jmnbtslsQE: zfs doesn't mutate stuff on writes, it adds more nodes to its DAG datastructures and only when that is finished it atomically changes the root of the datastructure, that makes it more resilient to powerloss than traditional filesystems (even in mirrors, as zfs knows which root node is newer, if for some reason the write only happend to one disk) and additionally makes snapshots cheap,

as it only has to make a root node as needed, so that garbage collection doesn't collect what it references

jmnbtslsQE problem is i like perfection too much, if i listen to me, i'll setup an automated on/off to gather statics on how much system corruption would occur

but as you mentionned, the os needs be loaded for any issue to have a chance get made

rtprio: it crashed again, this is not my syncthing jail

i think i need to reinstall

i'm considering replacing my setup with a raspeberri pi 4 or 5

what's the cheaper solution for a san with 250G nvme ?

i want something which does not eat power

eoli3n: you said this was arm64 yes?

yes, but i can reinstall on amd64

on the new device i mean

i'm discovering banana pi

250G nvme?! on a whatever pi?

hodapp: ?

I fully understand hodapp's surprised disgust!

hodapp: Dude, go on though. You're keeping us at youtu.be/PfPdYYsEfAE dude

ah shit

I pissed someone off at FOSDEM

I have been told by someone that I pissed off the wrong guy

because he runs a successful company and I obviously dont

the guy was shilling docker, and saying how secure it is because he has yet to be hacked

I countered, complained about the number of vulnerabilities within the daemon itself, but also the images, because images are often left to fester until the next software update, so in the meantime supply chain vulnerabilities become huge

meanwhile if you just used freebsd with jails, you would have the dependencies and underlying OS kept secure, and the application can only be updated when required.

turns out my security beliefs have caused some... friction and now I have pissed someone "important" off

nimaje: good to know. are you talking about application writes, or is this apply for everything? i'm thinking maybe issues can arise when the writes relate to the zpool structure/metadata?

polarian: probably someone really unimportant, if someone felt the need to say that they were important (if they said it about themself I would drop the "probably")

jmnbtslsQE: should apply to about all writes

nimaje: no its a mutual friend

who basically slapped me on the wrist fo rit

pointing out he runs a successful small business, and has a large following, and I argued with them as a first impression

lessless: virgin media O.O

not sure if I really understand this all, but in my experience docker images are updated more frequently than packages in jails in freebsd.

Afterglow: but they usually dont update the underlying OS

look at say postgresql image

security patches debian released over a month ago are still not pulled in

I move drupal off of FreeBSD to docker because of serious issues, which could only be resolved to making the site unaccassible in FreeBSD

Afterglow: ???

I dont get what you are saying

that a serious vulnerability took too long to resolve with packages

"The wrong guy" is often the right guy to piss off

okay, from the start: running a drupal site on FreeBSD (pkg), drupal has serious vulnerability, waiting for new pkg, but if you don't want to get exploited, make site unaccessible (restricting access)

takes too long, imho. So I moved drupal site to docker, which is updated more frequently

Don't get me wrong, I love FreeBSD, and certainly jails

To me it seems like you should have taken on the updating of the port since you cared about it and then could ensure that it was updated in the manor you wanted it updated.

polarian one day I'll setup bouncer behind vpn :)

lessless: the number of people who tell me this

and never do :p

Afterglow: yeah this happens sometimes, but this is a more of a freebsd issue

Drupal doesn't sound like something that would be complicated to update. Are there breaking changes?

Not sure what your argument is here: running FreeBSD is more than just the OS, it's also about the applications running on top of it. imho port maintainers should be more agile. I'm a user, not a maintainer, so I won;t take that kind of action, rwp

vkarlsen: probably not, but it's just an example. I don't want to install something from source if I don't have to, that's where the whole idea of packages was build around

Afterglow, You blocked access forcing use only of the docker container and that sounds like a developer action to me.

rwp, maybe I didn't explain myself enough: I moved to docker, because it took too long for the pkg maintainer to update drupal to be safe to use again

and that happened more than once

Oh... You switched /yourself/ to docker. You didn't make the site inaccessible from FreeBSD. That was confusing.

apologies for the confusion

I had to make the site _on freebsd_ inaccessable for 'the world' (whoever wanted to access my site) because of a non-resolved vulnerability

Another thing that is confusing is that my web browser is caching (of course they do) the DNS for something I have overridden in /etc/hosts to force it to one host out of a larger RR-DNS pool and it is refusing to let go of the other system it is hitting.

I have been trying to fix one of the hosts and the problem is that host isn't the broken one.

must be brave... Brave is having issues with split-dns

Actually Firefox. But I am sure Brave/Chromium would behave the same.

drives me crazy :-)

from the get go DNS should have been a system service to which you speak via some ipc (probably an uds), instead of the mess of libc doing stuff like reading config files and opening udp sockets and some applications implementing that stuff themself

Afterglow, "that's where the whole idea of packages was build around" -- pun detected.

Why would one need a firewall on one's servere? For example, if serving an HTTP-website, and FTP-server, and a SOCKS5 proxy with authentication, what additional security would a firewall provide?

well, it could make sure that only those services are accessable and other services are not (maybe you start something to test it locally, but by accident binding it on all addresses) and you can enable blocklistd to block whoever tries to bruteforce the auth of your SOCKS5 proxy

nimaje, check.

you can also restrict where to your server can initiate connections

Resrict incoming connection by region/ip/&c ?

well, you only have the information of the connction, so region is a bit of a guess, there is a geoip database, but it will be wrong in some cases

Quite often people will implement blocklists with firewalls as well, to block bad actors, spam, etc.

LLM web-crawlers?

Potentially yeah, if you have a reliable IP range for that. You'll find people maintain all sorts of lists online. More so hostnames, but also IPs.

those sadly seem to use residential proxies, to avoid being blocked, so they have a large number of ip addresses coming from anywhere