06:50:45 smartos should be using a neural network to tell me the commands i should be using...haha
06:51:03 all the chatGPT goodness
06:53:08 nn trained on smartos/ora/sunw sunsolve data
06:53:50 usenet sunfaq
06:55:04 chatGPT give me a cover letter in charles bukowski style...focus in on the sun sparc...haha
11:35:15 Hi everybody, I’m looking for a way to disable IPv6 in a LX branded zone…was not lucky so far. Has anybody a solution?
12:08:26 EasyNT: what do you mean with disable ipv6?
12:24:26 I have a IPv6 address on the nic which in my case should not be
12:24:39 link-local one?
12:25:06 inet6 fe80::d0c1:ffff:fe2f:ab1b prefixlen 10 scopeid 0x20
12:25:08 yeah
12:25:12 why is that a problem?
12:26:44 I have no IPv6 on my network, I’m trying to setup Mastodon and the setup script calls some yarn stuff which tries to reach hosts with IPv6 addresses which fails
12:27:37 red herring
12:27:54 I bet this is the npm is too stupid to do multiple dns records crap all over again
12:28:11 possible
12:28:30 but I guess if I could disable IPv6 on the system, the problem would be obsolete
12:28:51 no, it doesn't
12:29:30 the problem is literally that npm gets multiple entries from getaddrinfo and craps out with the fallback to the next entry
12:29:43 hmm…so then I should make it clear to npm/yarn to not use IPv6
12:30:01 it has nothing to do with ipv6
12:30:12 so what should I do?
12:30:16 but unreachable addresses returned via DNS
12:30:55 I read somewhere that yarn has hardcoded IPv6 addresses…not sure though
12:31:12 for an lx zone, you can try gai.conf
12:31:53 looks interesting
12:32:50 uncomment this?
12:32:51 52 # For sites which prefer IPv4 connections change the last line to
12:32:51 53 #
12:32:52 54 #precedence ::ffff:0:0/96 100
12:32:57 yeah
12:33:05 and then reboot I guess
12:34:10 nbjoerg: you are my personal hero of the day :D
12:34:13 thanks so much!!
12:34:42 someone without ipv6 should beat the shit out of npm :)
12:34:46 I mean fix the problem
12:35:53 :D
13:27:47 hi guys, i hope you can help me, i have a very big security problem with all my LX branded systems (it doesn't happen with native zones), my system users seem to be limited to 16 system groups when the GZ, and NGZ have NGROUPS_MAX set to 1024 not to 16
13:28:03 i tried to use the binaries of /native when possible in order to avoid this problem but without success, honestly i don't know what to do to solve this
13:29:08 I would appreciate any help
14:03:10 danmcd: any clue? https://smartos.topicbox.com/groups/smartos-discuss/T6c7ef5e11d05f9c7/nfs-server-failing-after-updating-from-20220127t011500z-to-20230209t001143z
14:48:03 I just read this now. Having the vmcore.0 might be nice.
14:48:11 hello, how do I use mount -F smbfs -o noprompt=true? I get login failed: syserr = authentication failed with sharemgr set -P smb -s /public -p guestok=true smb
14:50:04 This is an SMB/CIFS authentication problem.
14:57:38 Indeed, do I need to use idmap?
14:58:47 idmap is more for serving smb
14:58:57 if you're trying to mount an SMB share
15:00:29 you might need a .nsmbrc (IIRC) file for credentials if you don't want to supply them in the mount arguments
15:00:44 (and whatever is sharing the filesystem requires a login)
15:02:42 I'm trying to make a public share accessible to anyone without authentication and to mount it from a native zone, maybe I'm missing some steps
15:03:19 ^^ from another zone
15:19:14 is it being served from an LX zone or a VM?
15:20:02 native zone
15:22:11 i think you can add 'guestok=true' to the sharesmb options to allow anonymous access
15:22:52 if you want to share a dataset between multiple zones on the same box, you can also loopback mount the dataset in all the zones as another possibility
15:23:00 (just need to be sure uid/gids match)
15:23:02 that's what I did, and I get login failed: syserr = authentication failed
15:23:44 I want to use the share with the outside world too
15:44:47 https://twitter.com/jperkin/status/1371780238586351616 is what I needed to do to get guestok working
15:48:34 any chance you tooted that too?
15:48:47 oh, from 2021. haha
15:49:28 yeh not really sure what to do about that, retooting them seems wrong, but I also want to kill my twitter for obvious reasons
15:49:43 fair.
15:50:56 https://hachyderm.io/@nahumshalman/109841235576501866
15:51:01 saving it for later. :)
15:51:41 nice, thanks
15:53:28 psarria_: Do you mean that users are members of multiple groups? And that tops out at 16 groups?
15:53:51 random thing I noticed, jperkin: in a trunk zone I was able to install wireguard-go but it didn't see a wireguard-tools package.
15:54:15 oh, lemme look
15:56:07 ah ok, so there's already a wireguard-tools package which ends up being chosen instead of the version in pkgsrc-extra, in 2021Q4 I disabled that package but I didn't do that in trunk
15:57:18 2022Q4 even
15:59:27 psarria_: I can reproduce this behavior...I'll look into it.
16:00:43 this will all be much better if I just get my act together and get everything upstreamed, huh...
16:02:09 bahamat, yes, 16 is the maximum number of groups that a system user can belong to
16:04:45 bahamat, afaik NGROUPS_MAX is by default 16 but you can override that in /etc/system, even doing so, system users in LX branded zones are unable to do anything beyond the 16th group
16:17:30 bahamat, i can reproduce in bash: https://pastebin.com/7RiJhNr6
16:27:50 if i use strace, i can see a getgroups syscall with 16 as array size: https://pastebin.com/RRcEgU78
16:37:34 how are LX processes determining the max?
16:38:46 there is a sysconf parameter -- i don't know if LX returns a hard coded value or not (or if that's what that program is using to determine the max)
16:52:33 jbk, there is a sysctl parameter that inherits GZ's NGROUPS_MAX value correctly but it's like getgroups syscall takes a value (16) as maximum, you can see that here: https://pastebin.com/E8Xd7uRW
16:57:17 psarria: And you mean system users vs...what other kind of user?
17:05:01 ok, sorry, i wrote "system user" because as root i can see the groups the user belongs to, i mean users, perhaps it wasn't the best way to call them, sorry
17:06:17 Yeah, doing `groups ` will show all the groups they're assigned to. But as any user, just `groups` will top out at 16.
17:06:46 right!
17:07:46 psarria: So, how many groups are we talking about here?
17:08:26 273
17:10:52 !!
17:11:30 i know, it's a high number but in this environment it should be normal i think, it's the relation between websites groups and webserver apache group
17:14:13 There have historically, iirc, been several places where a limit of 16 has existed. You're definitely out in poorly explored territory with that scale of group assignments.
17:15:04 So, the limit of 16 on illumos is for NFS. NFS breaks badly when it's more than 16. But I think there's a hard coded cap at 32, even increasing it via /etc/system.
17:15:27 And LX just uses whatever the illumos value is.
17:16:15 Oracle documentation says it can go up to 1024, but I'm not sure which versions that applies to.
17:16:44 however, it works correctly under native zones
17:17:03 How do you normally set it for native zones?
17:18:35 ok, i've tested under native zones only in lab, i mean it works when a user belongs to 20 groups, but i'm going to test with 300 right now
17:38:19 bahamat, yes, it works inside a native zone, i've attached a user to 300 groups, https://pastebin.com/raw/Ch4RUarv
17:39:01 That's not a valid test.
17:39:12 You need to *be* the user and run just `groups`.
17:39:43 Running `groups ` will look up the user database.
17:40:22 But running `groups` will check the groups on the process itself.
17:41:47 yes, it works too: https://pastebin.com/07sytz5F
17:44:12 And to increase groups, how is it you're doing that? Are you just setting it in /etc/system in the ngz?
17:50:31 yes, i used this guide: https://wiki.smartos.org/modifying-boot-files/ the part related to root pool because i don't use USB
17:50:45 in GZ
17:50:59 Do you *also* set that in the ngz, or just for the gz?
17:53:49 only in GZ, this is the only line i've added: https://pastebin.com/RYUZruYD
17:55:14 i set 1024 because it is the maximum
18:08:57 OK, well there's probably no short term answer.
18:16:36 @bahamat I already have a disk that spare took over spare-2 DEGRADED 0 0 0\n c3t5000CCA27077CE29d0 OFFLINE 0 0 0\n c3t5000CCA270ADF839d0 ONLINE 0 0 0
18:17:09 how do I just make the spare the new member, 29d0 was already taken out
18:17:12 Smithx10: Ok, I'm missing context on this...I don't remember this conversation :-)
18:17:54 ahhh, disk went bad, spare took over, we powered down, found the serialnumber in slot 6 replaced it with new disk, powered back up
18:17:57 Ok, so to promote the spare, IIRC it's `zpool replace zones `
18:18:19 then your replacement device, you just add as a spare.
18:18:32 cannot replace c3t5000CCA27077CE29d0 with c3t5000CCA270ADF839d0: c3t5000CCA270ADF839d0 is busy, or device removal is in progress
18:19:25 Guessing because it is already online as the spare and resilvered?
18:19:44 https://gist.github.com/Smithx10/8ec2791745ae692f2104ee369ffb8c89
18:28:08 reading https://serverfault.com/questions/838880/zfs-hotspare-replace-detach-ressource-is-busy
18:28:10 bahamat, ok thanks for all, i'm going to migrate these systems to bhyve in order to avoid more security problems, although i would like to investigate a bit more, any advice with that?
18:29:27 so.... do I just detach the offline disk at this point?
18:29:45 Smithx10: Yeah, that looks like the right thing.
18:30:02 Smithx10: Let me give you a gist...
18:30:17 nice that worked
18:30:22 now just add the new disk as a spare
18:30:51 Here's a test I did: https://gist.github.com/bahamat/af25c60c9dff964ac4c261a79aac8f74
18:34:43 bahamat: all good now