Log in New API Help About

Evilham - Couple Questions

3.7 KB of Plain text
Created 10 months ago — expires in 65 days
http://dpaste.com/2JC85WV
SOFT WRAP RAW TEXT DUPLICATE
Hello ALLan and BenediCt (and everyone else who makes this
happen)!

You asked for feedback/questions, so feedback and questions you
shall have:

Thank you for your show, I specially enjoy how you both sound like
super understanding, well-meaning people; keep that up.


About 15 years ago, I was talked into trying Linux and it became
my main OS for some time and I never stopped using it on servers

About 2 years ago I was using Windows as my day to day OS (work
stuff) but found myself doing more and more work on a Linux VM to
control servers and stuff, it was then that I met a wonderful
BSD-Mensch.
So it's been nearly 2 years of being pestered with how "BSDs are
awesome, pf is awesome, ZFS is awesome, FreeBSD integrates super
nicely with ZFS, jails and base/ports are a wonderful thing".

At the beginning of this year, I had to set up a new NAS for
${work}[1] and had this BSD-Mensch around, so I used them to
bootstrap me into using FreeBSD in 2 days.
Fast forward 8 months and I run the Windowsy things on IPv6-only
VMs on bhyve, have helped create two ports I was missing
(devel/elm-format and lang/elm) with the wonderful help of arrowd
and BSD-Mensch, I write this from my FreeBSD 13-CURRENT laptop
that is building Firefox on poudriere [2] and when I SSH into my
Linux servers, I suffer from ^T^T^T^T^T^T-syndrome (probably
SIGINFO-Entzugsyndrom in German). I also successfully setup an
OpenBSD router using just the base system [3].


This is a longish introduction to:
[1]: that NAS that started everything required encryption at rest
of the whole OS, but it required remote decryption of the system.
Threat being: someone breaking in and stealing the device, not
someone physically fiddling with things and patiently waiting.

Having the Linux-mentality, it was a bit mind-boggling to realise
that there is no equivalent to initramfs where to run e.g. a
dropbear instance to remotely unlock the disk and move on with the
boot.
Instead, we figured out that we should install a base-system on an
unencrypted zpool, unlock, kenv "vfs.root.mountfrom=zfs:${bootfs}"
and reboot -r into the fully encrypted system.
Kinda elegant and straightforward actually, a beauty of the
base/ports separation.

Unfortunately, setting this up was not as straightforward as we
had liked, while the installer can throw you into a shell and let
you do it yourself, bsdinstall's zfsboot is pretty much an "all or
nothing" script.
What I would have liked, would have been something like a
zfsboot_setup_pool script/step, that takes a
disk/(geli-decrypted)partition and uses the nice defaults on it
and does only that.
I'm a bit unsure if extracting this step would be interesting at
all for the project and am not really sure how to go about that
:-). (<-- implicit question).
I know it'd be mostly a matter of changing stuff in
usr.sbin/bsdinstall/scripts, but don't really think that's worth
the full Developer's Handbook effort ATM :-D.
(I'm also a bit unsure if this kind of setup is something
perfectly obvious to BSD-people or considered utterly useless and
that's why the internet appears to not know about it)


[2]: I've been defaulting to sndio and compiling my media ports
with it, it seems to work much better for me and I really wonder
two things that the internet doesn't appear to know: are there
plans to having it be the default on FreeBSD? Is that even doable?


[3]: pf is indeed awesome, but on FreeBSD it's missing wonderful
things like NAT64 and the syntax is by now not fully compatible
with that in OpenBSD: is there a story behind that? Would it be
crazy difficult to port those features from OpenBSD, or is it more
of a "nobody has done it" thing? :-)