srk has quit [Read error: Connection reset by peer]
srk has joined #nixos-chat
<gchristensen>
aaaaaaaaaaaaaaaa wtf znapzend doesn't even enable compression by default
<gchristensen>
.... and turning it on also turns on large blocks, which used to lose data ...
<samueldr>
.oO( why would you compress small blocks? they're already small )
<aleph->
Well this is fun...
<aleph->
Why is a pool scrub suddenly starting.
<energizer>
man why do urls change direction in the middle
<energizer>
c.b.a/d/e/f
<samueldr>
it _is_ annoying
<andi->
aleph-: first sunday of the month thing?
<andi->
well 2nd but well
<aleph->
andi-: Eyep
<aleph->
Well day 1 of the month.
<aleph->
But seems the 14th counts as day 1?
<eyJhb>
I love this 3/4 in a row of complaints :D
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-chat
<elvishjerricco>
gchristensen: compression makes some sense. Like, my backup server uses gzip compression, so I don't actually want znapzend to use `-c` because then the data would be lz4 on the server.
<gchristensen>
it is rude to not compress it over the wire
<elvishjerricco>
gchristensen: Yea, I suppose compressing the stream itself would have been smart.
<elvishjerricco>
I wonder if there's something like vpn but for auto-compressing instead of encryption.
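A common workaround for this (not something from the channel's setup, just an illustration) is to compress the replication stream in the pipe itself rather than relying on `-c`; the pool names, host, and the choice of zstd here are placeholders:

    zfs send tank/data@snap | zstd | ssh backuphost 'zstd -d | zfs receive backup/data'

Any streaming compressor (gzip, lz4, zstd) works the same way, since it only sees the byte stream and never the ZFS records.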
Dotz0cat has quit [Ping timeout: 258 seconds]
<elvishjerricco>
I guess ip packets are a bit small for compressing...
<gchristensen>
ideally I could ask zfs to send compressed, receive, decompress, recompress
<elvishjerricco>
I don't *think* that's possible
<elvishjerricco>
I wonder what happens to compressed streams when you use like `receive -x compression` or something...
<elvishjerricco>
Let's try it! brb...
<gchristensen>
it is just software :)
cole-h has joined #nixos-chat
<samueldr>
it's just software, so it shouldn't be hard?
rajivr has joined #nixos-chat
<gchristensen>
no, that it is possible :)
<gchristensen>
I'm just a bit grumpy I've wasted so much time transferring uncompressed snapshots. relatedly, I've grumpily discovered my entire backup pool is not compressed by default, so this has been shocking to say the least
<elvishjerricco>
Dammit... I did something really dumb while testing this and got the pool suspended. Now I have to reboot...
<gchristensen>
oh niice what'd you do? :D
<supersandro2000>
compressing the stream on the fly isn't as efficient because you can't compress and match the entire thing
<elvishjerricco>
And now youtube is giving me ads in spanish. wat
<supersandro2000>
compression usually dedups data which can't be done if they are spread over an hour
<gchristensen>
elvishjerricco: what good things did you do to cause it to suspend?
<supersandro2000>
one shopping site has been sending me French notifications for a few weeks
<gchristensen>
ah, ZFS's compression is in ~8kb blocks
<supersandro2000>
if the stream were buffered in such blocks it could work. didn't think about that
<elvishjerricco>
gchristensen: I use sparse files in /run to make pools to test with (in /run because putting those files on zfs can cause deadlocks; unrelated). I wanted to make it bigger so I figured I could `truncate -s BIGGER /run/file` and then `zpool online -e ...` and no... no you cannot do that
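Roughly what that test setup looks like, reconstructed from the description above (file path, pool name, and sizes are made up):

    truncate -s 1G /run/testfile
    zpool create testpool /run/testfile
    # the step that suspended the pool: growing the backing file in place
    truncate -s 2G /run/testfile
    zpool online -e testpool /run/testfile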
<elvishjerricco>
gchristensen: ZFS's compression occurs at the record level
<gchristensen>
oh right
<gchristensen>
elvishjerricco knows better than me
<elvishjerricco>
gchristensen: Ok so after testing `zfs send -c a@a | zfs recv -x compression b/a`, can confirm `b` has the same `compressratio` as `a`, but `compression=off`, so new writes wouldn't be compressed. I.E. compressed records in a stream generated with `-c` will always be written as is, without decompressing/recompressing.
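The test as described, with a `zfs get` call added as one way to inspect the result (the dataset names `a` and `b` come from the message above):

    zfs send -c a@a | zfs recv -x compression b/a
    zfs get compression,compressratio a b/a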
Dotz0cat has joined #nixos-chat
<elvishjerricco>
oh wait a sec
<elvishjerricco>
wtf
<elvishjerricco>
If I do `-o compression=gzip-9` instead of `-x compression`, then it DOES get recompressed
<gchristensen>
hot dog
<elvishjerricco>
But with `-o compression=off`, it still uses the original compression...
<elvishjerricco>
And `-o compression=zle` still uses the original compression...
<elvishjerricco>
I guess it just always prefers the better one?
<gchristensen>
(tries to avoid spelunking through the code to find out)
<elvishjerricco>
Ok but if I just copy the same files to `b` manually with `compression=gzip-9` set, I get a much better compressratio than `receive -o compression=gzip-9`
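A sketch of that comparison, assuming default mountpoints and made-up dataset names:

    # receive path: ask for recompression on the receiving side
    zfs send -c a@a | zfs recv -o compression=gzip-9 b/recv
    # manual path: copy the same files onto a gzip-9 dataset
    zfs create -o compression=gzip-9 b/manual
    cp -a /a/. /b/manual/
    zfs get compressratio b/recv b/manual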
<elvishjerricco>
wtf is going on
<gchristensen>
time to `zdb` it?
<elvishjerricco>
I do not know the dark incantations that make up the zdb command line, unfortunately
<gchristensen>
me either
<elvishjerricco>
I've often wished I understood zdb. Maybe I should spend some time on that..
<gchristensen>
my impression is there are 2-3 flags for mortals, and the rest are for "a zfs dev asked me to"
<elvishjerricco>
That's probably a safe bet
<aleph->
Haha
patagonicus4 has joined #nixos-chat
patagonicus has quit [Ping timeout: 240 seconds]
patagonicus4 is now known as patagonicus
tokudan has quit [Remote host closed the connection]
<samueldr>
I'm not even sure what I'm looking at... other than I guess it's a command to delete a lot of ... snapshots?
<gchristensen>
yeah
<gchristensen>
and apparently it doesn't break it up if it would exceed the cmdline length
<elvishjerricco>
wtf
<gchristensen>
also doing it in one massive command like that appears to lock all operations on the dataset until it completes, and it isn't ... fast ...
<elvishjerricco>
Didn't realize you could comma separate snapshot names to delete multiple...
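The comma-separated form being referred to, with hypothetical snapshot names (per the discussion above, one huge destroy like this runs as a single operation and blocks the dataset, so smaller batches may be kinder):

    zfs destroy tank/data@snap1,snap2,snap3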
<gchristensen>
(~1 delete/sec it seems)
<elvishjerricco>
One day I'll set up zrepl instead of znapzend...
<elvishjerricco>
one day...
<supersandro2000>
more like 1 second per delete
<supersandro2000>
is it a bad idea to have my branch based on master and staging when doing a more core update? I don't want to rebuild stdenv.
<supersandro2000>
*more python core package
<samueldr>
OH, it's a ps output!
<gchristensen>
ah, yea :)
<gchristensen>
znapzend seems perfectly optimized to make me wait as long as possible before it reclaims space on the database server, which is currently at 98% full
<elvishjerricco>
gchristensen: It's probably going slow because it's 98% full, not because of znapzend
<elvishjerricco>
ZFS starts preferring way slower allocation algorithms when the pool gets full
<gchristensen>
no, this is not the database server, which is the slow one
<elvishjerricco>
oh
<gchristensen>
but znapzend won't reclaim space on the sending side until everything else is completely done without errors
<elvishjerricco>
Well that's annoying
<gchristensen>
yes
<gchristensen>
I've been manually shuffling stuff around all day keeping the disk happy "enough" while znapzend catches up
<gchristensen>
aaaand it finished pruning, and it went from 98% full to 40%
<danderson>
I haven't added that to the nixos module because I don't know how it interacts with the many ways you can configure DNS on nixos (e.g. systemd-resolved, networkmanager, ...)
<danderson>
and there's no obvious way that I could see to switch based on "how did the operator decide to configure their DNS"
<gchristensen>
yeah I don't know myself :x
<danderson>
But adding openresolv is enough to make tailscaled go "oh, I can use resolvconf to override DNS" and it works on my system
<__monty__>
Oh, you can use magic DNS with a local DNS server/proxy?
<__monty__>
And is magic DNS the only way to get zeroconf-like names for tailscale nodes?
<flokli>
for resolved it should just try to invoke systemctl is-active systemd-resolved
<flokli>
and then configure search domains through dbus
<flokli>
similarly for the networkmanager stuff
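A minimal shell sketch of the check flokli describes; the interface name and search domain are placeholders, and resolvectl stands in here for the D-Bus call:

    if systemctl is-active --quiet systemd-resolved; then
        # hand the tailnet search domain to resolved for the tailscale interface
        resolvectl domain tailscale0 '~example.ts.net'
    fi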
<danderson>
__monty__: MagicDNS is zeroconf names, yes. It's implemented as a local in-process resolver inside tailscaled
<flokli>
openresolv seems to be the last resort thing
<danderson>
flokli: we try to support many different DNS config methods, but yeah if resolved or networkmanager are reachable we default to those
<flokli>
not sure if systemctl and other stuff is in path
<danderson>
if not, then resolvconf, and if that's also unavailable, we try to just replace /etc/resolv.conf ourselves (as a last resort for embedded systems)
slack1256 has quit [Ping timeout: 246 seconds]
<danderson>
ooh yeah, that's probably why we fail to detect some stuff. Good call.
<flokli>
just look at manager_linux.go, and then at the individual impls
<danderson>
I've been meaning to figure out why tailscale falls all the way back to openresolv on nixos even though I run networkmanager...
<__monty__>
And this doesn't require setting up the DNS host in the web interface?
<flokli>
danderson: because NetworkManager is not in path, or your /etc/resolv.conf doesn't contain it
<__monty__>
Would something like bind or pdnsd serve?
<aleph->
Howdy folks
<aleph->
Oh heya danderson o/
<danderson>
flokli: yup, the nixos module needs some tweaks to make our detection work (or our detection needs some tweaks ;) )
<flokli>
danderson: I'd be curious to know why the detection logic is implemented the way it is
<danderson>
__monty__: right now, you do need to set a CorpDNS in the admin panel, and all your machines will use that as their "upstream" resolver. It's a limitation of our current implementation.
<gchristensen>
if you don't use the text spew from yubikeys you can turn it off :)
<danderson>
later on, we'll teach tailscale how to use the "local" resolver for non-tailscale names
<aleph->
gchristensen: Oh really how?
<aleph->
Through yubikey manager?
<gchristensen>
the yubikey personalization tool can disable that slot iirc
<gchristensen>
(IIRC that is the term. it can definitely disable it.)
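One way to do that today, assuming `ykman` (the newer YubiKey Manager CLI) rather than the older personalization tool; slot 1 is the short-touch slot that produces the text spew:

    ykman otp info      # see what is configured in each slot
    ykman otp delete 1  # clear slot 1 if that's the offender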
<flokli>
danderson: you could easily detect if networkmanager is running by also looking at whether the unit is enabled
<danderson>
flokli: how do you mean? Basically it's trying to do "find the most modern resolver method on this machine, that supports all the features we need"
<__monty__>
danderson: Upstream resolver for non-tailscale domains?
<flokli>
like you do for systemd-resolved
<aleph->
gchristensen: Neat, thanks
<danderson>
__monty__: yes - so something like 8.8.8.8 or whatever
<__monty__>
Or my ISP's resolver? Thank you, had definitely misunderstood this.
<flokli>
also, shipping a nss module like avahi does, and documenting the config necessary to make use of it might be better in the long run
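What that documented config might look like, with "tailscale" as a purely hypothetical module name:

    # /etc/nsswitch.conf
    hosts: files tailscale dns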
<danderson>
flokli: oh, hmm, yeah, I wonder why we use the existence of the binary as the check.
<danderson>
ugh, nss
<flokli>
heh
<danderson>
yeah, maybe, that could be a nice way to integrate
<flokli>
it's not too hard
<danderson>
I'll file a bug for that
<flokli>
look at nss-mymachines
<danderson>
yeah I know, I've implemented one before. It's just horrible C shared libraries and I hate that :)
<danderson>
and it's hard to build a universal .so, which means it messes with our binary distribution
<flokli>
well, it's just an interface. I didn't write a golang nss module (yet), but :shrug:
<aleph->
Hmm wonder if that nss module might fsck with the tweaks to nss SmallStep does... probably not, just a separate module.
<aleph->
danderson: Incidentally if still looking for sec tweaks for ssh we went with SmallStep at work over Teleport.
<aleph->
Can whole heartedly recommend it.
<flokli>
I just wonder, configuring an additional nss module might be less obtrusive compared to switching global dns resolver settings
<flokli>
you can easily check if you know that hostname, and then let the rest of the pipeline take over.
<danderson>
it might, yeah. Although it also raises some questions, like in some modes we do actually want to replace the entire config (mostly enterprise users want this - force everything through their DNS servers)
<danderson>
and also how to compile it such that we can build it once and ship it everywhere, rather than be forced to build the .so once on every single distro we support
<danderson>
flokli: right, I mean altering /etc/nsswitch.conf
<danderson>
on some distros, that's the admin's problem. On others, I _think_ we're supposed to insert ourselves?...
<flokli>
yeah, would need to look at how debian and friends do that
<flokli>
probably some scary shellscript
<danderson>
yeah, probably
<aleph->
ashkitten: Boooh
<danderson>
aleph-: interesting re: smallstep, why did you pick that over teleport, out of curiosity?
<aleph->
danderson: Just hooks into standard unix tools.
<aleph->
So for example incremental rollouts are a cinch
<danderson>
ah, neat
<aleph->
Just a deb/rpm/binary install
<danderson>
browsing their site, I see no mention of pricing. How is this company planning to survive?
<aleph->
danderson: We also just had the module I did a good amount of work on merged into master for this too. :) They have a guide on DIY'ing this as well.
<aleph->
danderson: But yeah, all they do is a few tweaks to sshd (modifying the conf to use a host cert), tweaks to sssd and nss for user account management, and run some services to modify the host cert and update perms from their ACL system.
<aleph->
And you have a client util to login (or trigger when trying to ssh) and check if a host belongs to the system, refresh a cert, and then log you in
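The kind of sshd_config changes being described, sketched with placeholder paths (not SmallStep's actual installer output):

    # sshd_config
    HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
    TrustedUserCAKeys /etc/ssh/smallstep_user_ca.pub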
<danderson>
nice
<__monty__>
Hmm, since I don't have a tailscale module on a mac. How do I enable magic DNS there?
<aleph->
Yep, all in all a good choice. And their support team is very, very helpful.
<danderson>
__monty__: it's enabled by default in the mac app, should just work
<danderson>
(assuming you enabled it in the admin panel)
<danderson>
(sorry, this is turning into #tailscale now, I can shut up any time :) )
<danderson>
omg what Perseverance is arriving in 3 days?!
<danderson>
somehow my brain had it down as "July"
<infinisil>
Yup!
<infinisil>
That's the time that the main stream starts btw, landing is a bit after that
<infinisil>
Idea: What if we get rid of timezones by making heavy use of time differences
<infinisil>
So instead of a meeting being at a specific time, it's at a specific difference from now
<infinisil>
Underneath we'll just use UTC though
<infinisil>
I guess this would be a bit problematic when talking about specific times
<infinisil>
Because the difference to it changes all the time
<infinisil>
You can say "The meeting is in 16 minutes and 45 seconds", and you could infer its exact time by looking at the time the message is received
<infinisil>
But a second later you couldn't just repeat the same message
<infinisil>
But I like the idea of at least using time differences for all interfaces
<aleph->
... I don't like this
<infinisil>
What if we didn't even have a clock showing on the computer
<infinisil>
Instead it's always just "how long until something of relevance happens"
<infinisil>
Like, 1 hour until sunset
<infinisil>
Or 16 hours until your meeting next morning
<infinisil>
I think this might be kind of nice, because time is really only needed because we have events at certain moments
<infinisil>
By only knowing how long until stuff happens, we aren't as concerned with the absolute value of time anymore
<infinisil>
Instead of staying up late being "Oh it's midnight and I'm still awake", it's more like "Oh damn, I can only sleep 6 hours now"
<infinisil>
Anyways, </rant>
<__monty__>
infinisil: You type 'in 15 min', the program parses that, fetches current UTC, sends the modified UTC, and the other end fetches its current UTC and displays the delta. Now you can look at the message whenever and it'll always say exactly how long to/since the event.
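A minimal sketch of that scheme in shell, assuming GNU date; the 15-minute offset is just the example from the message:

    # sender: "in 15 min" becomes an absolute UTC timestamp
    target=$(date -u -d '+15 minutes' +%s)
    # receiver, whenever the message is read: show the remaining delta
    now=$(date -u +%s)
    echo "event in $(( (target - now) / 60 )) minutes"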
<infinisil>
Yess
<__monty__>
I actually think constantly being reminded how long it is to events would be more stressful, not less. But I could be wrong.
<infinisil>
Hmm
<infinisil>
We do like countdowns
<infinisil>
Usually
<infinisil>
__monty__: Also, imagine a visualization that actually shows a timeline of events, and your current position slowly moving towards them