Dan Langille
@dvl@bsd.network
dvl@FreeBSD.org
I've been contributing to open source since 1998.
(have not read the blog post yet)
I use IP addresses on bridge0 because:
https://dan.langille.org/2025/03/28/why-dont-my-hosts-get-ipv6-routes/
My config is below.
Looking at the repo, for langille.org, the first nsnotify commit was:
Modified Sat Aug 26 17:44:54 2017 UTC (8 years, 5 months ago) by dns-notify
It's something which just runs and runs. It's in the category of software I love: I forget I'm running it because I am rarely reminded that I am.
[17:23 nsnotify dvl ~] % grep nsnotify /etc/rc.conf
nsnotifyd_enable="YES"
nsnotifyd_flags="-l local6 -u nsnotifyd -P /var/run/nsnotifyd.pid -4 -a 10.55.0.20 -p 5353 -s 10.55.0.53 /usr/local/sbin/dns-notify example.net example.org example.com"
Where:
% host nsnotify
nsnotify.int.unixathome.org has address 10.55.0.20
% host 10.55.0.53
53.0.55.10.in-addr.arpa domain name pointer dns-hidden-master.int.unixathome.org.
[17:29 nsnotify dvl ~] % cat /usr/local/sbin/dns-notify
#!/bin/sh
# Called by nsnotifyd as: dns-notify <zone> <serial> <master>
MYNAME="dns-notify"
ZONE="$1"
SERIAL="$2"
MASTER="$3"

# key used by svn for the svn+ssh:// repository
SVN_SSH="/usr/bin/ssh -qi /usr/home/nsnotifyd/.ssh/id_ed25519"
export SVN_SSH
DIG="/usr/local/bin/dig"
LOGGER="/usr/bin/logger"
SVN="/usr/local/bin/svn"
ZONE_FILE_DIR="/usr/home/nsnotifyd/dns-zone-files"

${LOGGER} -t "${MYNAME}" -p local6.info "has been invoked with zone='${ZONE}', serial='${SERIAL}', and master='${MASTER}'."
cd "${ZONE_FILE_DIR}" || exit 1

# AXFR the zone from the hidden master into a temporary file first: a refused
# or failed transfer must not overwrite (and then commit) an empty zone file.
TMP="${ZONE}.db.tmp"
if ! ${DIG} +noall +answer +onesoa +rrcomments "@${MASTER}" "${ZONE}" axfr > "${TMP}" \
   || ! grep -q 'SOA' "${TMP}"; then
    ${LOGGER} -t "${MYNAME}" -p local6.err "AXFR of ${ZONE} from ${MASTER} failed; ${ZONE}.db left unchanged."
    rm -f "${TMP}"
    exit 1
fi
mv "${TMP}" "${ZONE}.db"

${SVN} ci -m "serial ${SERIAL}" "${ZONE}.db"
${LOGGER} -t "${MYNAME}" -p local6.info "${ZONE} with serial ${SERIAL} has been saved."
I did like the service jails when I first read of them, however I have not used one yet.
Even though it's running just a tiny program, the jail puts it all "over there", contained, and easily moved.
What if nsnotifyd was listening on 127.1.0.10, for example? ... No, that's still the same host so it'll do the same thing.
@dch @feld I'm using git-lite in my nsnotify instance.
There are no dependencies with nsnotifyd.
I'm using a custom script which updates a subversion repo: /usr/local/sbin/dns-notify
Looking here, we could add a nsnotifyd@git flavor to install git... (or git-lite?) and bind-tools
Perhaps nsnotifyd@git and nsnotifyd@git-lite
[20:24 nsnotify dvl /usr/local/bin] % grep svn nsnotify*
[20:24 nsnotify dvl /usr/local/bin] % grep git nsnotify*
nsnotify2git: git commit -q -m "$zone IN SOA $serial" $zone
nsnotify2git:logger -p daemon.notice -t nsnotify2git -s
[20:24 nsnotify dvl /usr/local/bin] % grep dig nsnotify*
nsnotify2git: dig +noall +answer +onesoa +multiline $master $zone axfr >$zone
@feld And it's in ports:
I spoke with the author just now.
It is not keychain as in osx keychain.
It is a third party utility. `brew install keychain`
@feld This came up as a fix similar to fixssh().
@feld I'm glad you're reading it. Seems it is.
@feld this came up at work today:
https://gist.github.com/dlangille/48cbb3b31b2ad4d2eba7f34f053c4b4c
if [ "$(uname -o)" = "Darwin" ]; then
    # macOS: let keychain start or reuse ssh-agent and load the keys, unless
    # IntelliJ is only sourcing this file to read the environment.
    if [ -z "$INTELLIJ_ENVIRONMENT_READER" ]; then
        keychain --debug --ssh-allow-forwarded ~/.ssh/id_rsa
        keychain --ssh-allow-forwarded ~/.ssh/id_rsa_vrt_new
    fi
else
    # Elsewhere: keep a stable per-host symlink pointing at whatever agent
    # socket this session was given (e.g. a forwarded one), so that
    # long-running sessions keep a working SSH_AUTH_SOCK after a reconnect.
    AGENT_LINK="$HOME/.ssh/$(hostname)-agent_sock"
    if [ "$SSH_AUTH_SOCK" != "$AGENT_LINK" ]; then
        # only re-point the link if the current agent actually answers
        if ssh-add -l > /dev/null 2>&1; then
            unlink "$AGENT_LINK" 2>/dev/null
            ln -s "$SSH_AUTH_SOCK" "$AGENT_LINK"
            export SSH_AUTH_SOCK="$AGENT_LINK"
        else
            : # bad agent: leave SSH_AUTH_SOCK alone
        fi
    else
        : # already using the symlinked socket
    fi
fi
In my #FreeBSD 15.0 nsnotifyd jail, I found syslogd was not started. Nothing useful in the logs.
I noticed this file:
$ cat /usr/local/etc/syslog.d/nsnotifyd.conf
*.daemon /var/log/messages
I commented that line out.
syslogd started.
I read the man page. I changed the line to:
daemon.* /var/log/messages
syslogd restarted.
So, why was that OK under 14.3 but not 15 ....
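A syslog.conf selector is written facility.level, with the facility on the left of the dot and the level on the right; `daemon` is a facility name, not a level, so `*.daemon` is not a valid selector while `daemon.*` is. As an added example (not from these posts and not FreeBSD's syslogd), here is a small POSIX sh checker that applies that rule to the selector field of each line of a syslog.conf-style file, using the facility and level names from syslog.conf(5). The two one-line files it checks are constructed here to mirror the two variants above.

```shell
#!/bin/sh
# Added example, not part of the original posts and not syslogd's own parser.
# Facility and level names below are those listed in syslog.conf(5).

# Return 0 if "$1" is a valid "facility[,facility].level" selector such as
# "daemon.*", "*.info" or "mail,daemon.notice"; return 1 otherwise.
check_selector() {
    sel=$1
    case $sel in
        *.*) ;;
        *) return 1 ;;            # no dot: not facility.level at all
    esac
    fac=${sel%.*}                 # facility list: everything before the last dot
    lvl=${sel##*.}                # level: everything after the last dot
    # strip the comparison prefixes syslog.conf(5) allows on the level (! = >=)
    lvl=${lvl#!}
    lvl=${lvl#>=}
    lvl=${lvl#=}
    case $lvl in
        '*'|emerg|alert|crit|err|warning|notice|info|debug|none) ;;
        panic|error|warn) ;;      # deprecated synonyms
        *) return 1 ;;            # e.g. "daemon": a facility where a level belongs
    esac
    # facilities may be a comma-separated list; set -f so "*" is not globbed
    ( set -f; IFS=,
      for f in $fac; do
          case $f in
              '*'|kern|user|mail|daemon|auth|syslog|lpr|news|uucp|cron) ;;
              authpriv|ftp|ntp|security|console|mark|local[0-7]) ;;
              *) exit 1 ;;
          esac
      done ) || return 1
    return 0
}

# Check the selector field of every rule line in a syslog.conf-style file.
# Blank lines, comments and the "!prog"/"+host"/"-host" block lines are skipped.
# Prints the first offending line to stderr and returns 1; returns 0 if all pass.
check_conf() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*|'!'*|'+'*|'-'*) continue ;;
        esac
        field=${line%%[[:space:]]*}   # first whitespace-delimited field
        check_selector "$field" || { echo "bad selector: $line" >&2; return 1; }
    done < "$1"
}

# Demonstration with constructed files mirroring the two variants in the post.
bad=$(mktemp); good=$(mktemp)
printf '%s\n' '*.daemon /var/log/messages' > "$bad"
printf '%s\n' 'daemon.* /var/log/messages' > "$good"
for conf in "$bad" "$good"; do
    if check_conf "$conf"; then echo "$conf: ok"; fi
done
rm -f "$bad" "$good"
```

The checker only looks at the selector field; it does not validate actions, program or host blocks, and it says nothing about why syslogd on 14.3 tolerated the bad line while 15.0 did not.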
A while back, I built my packages for each of Python 3.12, 3.13, and 3.14 to see which version I would target as I moved off Python 3.11.
I chose 3.12 as it built everything I needed.
I noticed today that my daily builds against those three versions continue. I'm going to stop my test build against 3.12 (because I'm now using it daily). The builds against 3.13 and 3.14 will help me keep track of what's building and not building.
That information will let me know when it's time to move to a newer version of Python.
I just updated a FreeBSD 14.3 jail to FreeBSD 15.0 using mkjail. This is unformatted. Scroll to the bottom for the actual update.
In short, use the FreeBSD pkg repo until you get your host/poudriere running.
https://dan.langille.org/2026/02/08/updating-pkg01-to-build-15-0-packages/
Not shown, the jail host was updated first.
@feld No, I was waiting for you to do that.
I suspect it does break because each one will clobber the others' diff/etc.
Here's a LibreNMS tip. It's really an snmpd tip
If you have three hosts, and one of them is not acting like the others, check the snmpd settings. In my case, the third host was configured with udp. Swapping to tcp meant the bind application started showing up.
@feld have you tried running mkjail in parallel?