Unplanned maintenance: today


Shawn Webb

Nov 19, 2023, 4:15:11 PM
to HardenedBSD Users
Hey all,

Sorry for the outage earlier. I deployed the newer version of hbsdfw
and I'm finding a few bugs. :-)

git.hardenedbsd.org should be back up, along with our other services
like vaultwarden.hardenedbsd.org.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Ulaş Saygın

Nov 19, 2023, 4:54:57 PM
to HardenedBSD Users, Shawn Webb
For this week I got network connection issues. I guessed that it seems a firewall issue, like more hardening.

Now I am getting this error. Just in case, I am sending it for any help to understand the situation.
Before that I struggled with the SSL of git.hardenedbsd.org when I used the git clone command.
It was getting all the history of commits, but after 1GB of getting files it gave an error about the connection.
The connection seems reset by the firewall or something else on git.hardenedbsd.org, in my opinion.
In order to get ports, I used the depth 1 command to get ports. With fewer files it gets quicker.


root@s:/usr/ports # git pull -vv
POST git-upload-pack (486 bytes)
want f7ed21a3058293de09d65486e1b4a95bd0ce95ae (refs/heads/hardenedbsd/main)
POST git-upload-pack (260 bytes)
error: RPC failed; HTTP 504 curl 22 The requested URL returned error: 504
fatal: expected 'acknowledgments'

On Monday, November 20, 2023 at 00:15:11 UTC+3, Shawn Webb wrote:

Ulaş Saygın

Nov 19, 2023, 4:58:51 PM
to HardenedBSD Users, Ulaş Saygın, Shawn Webb
Another thing: in order to get the SSL of git.hardenedbsd.org verified, I have to install cacert.pem from https://curl.se/docs/caextract.html
and then the SSL certificate of ZeroSSL is validated.

I don't know why I needed cacert.pem. If you know why, let me know please, thank you.

On Monday, November 20, 2023 at 00:54:57 UTC+3, Ulaş Saygın wrote:

Shawn Webb

Nov 19, 2023, 4:59:16 PM
to Ulaş Saygın, HardenedBSD Users
Cloning large repos (src and ports) over HTTPS has been broken for
some time. Use of SSH for cloning is preferred.

I've tried many, many different "fixes" for the HTTPS cloning issue.
nginx just doesn't seem to want to support clients cloning large repos
in our environment. I'm unsure why.

We would like to provide read-only anonymous ssh cloning support, like
what FreeBSD offers. But it seems GitLab doesn't support that.

Ulaş Saygın

Nov 19, 2023, 5:06:12 PM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, Ulaş Saygın
Thank you for the information. I didn't do that ("Use of SSH for cloning is preferred") before.
I will look at why nginx causes the problem, or GitLab support.

For "Use of SSH for cloning is preferred", I think I need to log in to your SSH server, so it does not seem possible.
Maybe a GitLab alternative can be found in Go.

On Monday, November 20, 2023 at 00:59:16 UTC+3, Shawn Webb wrote:

Shawn Webb

Nov 19, 2023, 5:20:36 PM
to Ulaş Saygın, HardenedBSD Users
You just need to sign up for an account on our GitLab instance and
upload your SSH public key. Accounts are free and widely available,
but due to spam, require manual activation by the HardenedBSD
Foundation Network Operations team (who actively monitor new account
signups).

A little bit of history: when we first decided to self-host our
repositories, we initially went with Gitea. It has a much smaller
footprint and is overall easier to maintain than self-hosted GitLab.

However, Gitea proved to not perform well with larger repos. The
performance issues were serious enough that it impacted all services,
even automated processes internal to the project.

Additionally, the ports framework has integration for GitLab and
GitHub, but not for Gitea-hosted projects. This is still the case.

We eventually decided "enough is enough" with the performance issue
and switched to GitLab Enterprise.

Right now, there are two nginx instances: the publicly-facing one that
everyone interacts with and the one embedded in the GitLab Omnibus
package for Debian-based systems. (Yes, unfortunately, this is the ONE
place we run Linux (but in a VM!))

There's something going wrong with the interactions between the two
nginx instances. The publicly-facing one thinks that the GitLab
Omnibus one closed the connection too early and in turn closes the
connection to the git client.

I have not had any success in figuring out a workaround or a solution.
I can provide a sanitized nginx.conf for the public nginx instance if
desired.
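To make the two-proxy layout concrete, here is an added, illustrative nginx fragment for an outer public-facing instance proxying to a GitLab Omnibus VM; it is not the HardenedBSD configuration (which is not on this page), and the upstream address, hostname, certificate paths and timeout values are assumptions. It shows the default timeout and buffering settings beside ones suited to long, streamed git-upload-pack responses, which is where large clones over HTTPS typically die.

```nginx
# Illustrative public-facing nginx in front of a GitLab Omnibus VM.
# Added example, not the HardenedBSD config; upstream address, hostname,
# certificate paths and timeout values are assumptions.
upstream gitlab_omnibus {
    server 10.0.0.5:80;   # assumed: the Omnibus-bundled nginx inside the VM
    keepalive 16;
}

server {
    listen 443 ssl;
    server_name git.example.org;   # placeholder hostname
    # The served chain must include the intermediate CA certificate, or clients
    # whose trust store lacks the issuer fail verification.
    ssl_certificate     /etc/ssl/git.example.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/git.example.org.key;

    # Smart-HTTP git endpoints stream packfiles for minutes on a large repo.
    location ~ ^/.+\.git/(info/refs|git-upload-pack|git-receive-pack)$ {
        proxy_pass http://gitlab_omnibus;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Defaults under which the outer proxy gives up on a slow packfile
        # stream and the git client sees a 504 (shown disabled for comparison):
        # proxy_read_timeout 60s;  proxy_buffering on;  client_max_body_size 1m;

        # Settings suited to long-running, streamed git traffic:
        proxy_connect_timeout   60s;
        proxy_read_timeout      3600s;   # idle time allowed while packing/sending
        proxy_send_timeout      3600s;
        proxy_buffering         off;     # stream the pack instead of spooling it
        proxy_request_buffering off;     # forward push bodies as they arrive
        client_max_body_size    0;       # no cap on push payloads
        proxy_redirect          off;
    }

    location / {
        proxy_pass http://gitlab_omnibus;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;
    }
}
```

The inner, Omnibus-bundled nginx applies its own timeouts (set through gitlab.rb), so both layers must allow the same long transfer; the shorter limit decides when the client sees the error.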

Ulaş Saygın

Nov 19, 2023, 5:33:38 PM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, Ulaş Saygın

I see the struggle. Thank you for the information and experience sharing.
Now I have more information.

Maybe we may think of depth 1 or depth 2 git for ports to quickly and efficiently download ports,
because not all people need to save all commits on the server unless they are going to monitor ports and do some development.
It can be beneficial for people, because everyone pulls git with all commits even if they don't need them.

Did you try Gogs? Gitea also comes from Gogs, if I am not wrong.

I found these for nginx large file settings. You may want to take a look.


Another person solves the problem with the same settings, different from Gogs.




On Monday, November 20, 2023 at 01:20:36 UTC+3, Shawn Webb wrote:

Shawn Webb

Nov 19, 2023, 6:42:36 PM
to Ulaş Saygın, HardenedBSD Users
Give it another shot and let me know how it goes. I just made a change
to the nginx config.

Ulaş Saygın

Nov 25, 2023, 3:39:49 PM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, Ulaş Saygın
Firstly, on v14 bad, setenv is not present as a command.
Another thing: it seems a vanilla bad install may sometimes not recognize ZeroSSL.
I will test it again to be sure.

:/etc/ssl # fetch -v https://curl.se/ca/cacert.pem
resolving server address: curl.se:443
SSL options: 82004850
Peer verification enabled
Using OpenSSL default CA cert file and path
Verify hostname
TLSv1.3 connection established using TLS_AES_128_GCM_SHA256
Certificate subject: /CN=curl.se
Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
requesting https://curl.se/ca/cacert.pem
remote size / mtime: 221470 / 1692673924
cacert.pem                                             216 kB 1377 kBps    00s

I looked at Index of /HardenedBSD/pkg/FreeBSD:14:amd64/Latest

There is no txz file, so I cannot install it...

 # pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from https://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:14:amd64, please wait...
pkg: Error fetching https://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:14:amd64/Latest/pkg.txz: Operation timed out
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

 # fetch -v https://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:14:amd64/Latest/pkg.txz
resolving server address: pkg.hardenedbsd.org:443
failed to connect to pkg.hardenedbsd.org:443
fetch: https://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:14:amd64/Latest/pkg.txz: Operation timed out

Vanilla install VM on VirtualBox, HardenedBSD Nov 14 latest version.

Another thing is when I ping the pkg site, it pings, but like this:

# ping pkg.hardenedbsd.org
PING pkg.hardenedbsd.org (199.233.231.2): 56 data bytes
64 bytes from 199.233.231.2: icmp_seq=0 ttl=129 time=328.046 ms
64 bytes from 199.233.231.2: icmp_seq=1 ttl=129 time=239.380 ms
64 bytes from 199.233.231.2: icmp_seq=2 ttl=129 time=174.404 ms
64 bytes from 199.233.231.2: icmp_seq=3 ttl=129 time=644.692 ms
64 bytes from 199.233.231.2: icmp_seq=4 ttl=129 time=200.944 ms
64 bytes from 199.233.231.2: icmp_seq=5 ttl=129 time=180.277 ms
64 bytes from 199.233.231.2: icmp_seq=6 ttl=129 time=201.149 ms
64 bytes from 199.233.231.2: icmp_seq=7 ttl=129 time=167.099 ms
64 bytes from 199.233.231.2: icmp_seq=8 ttl=129 time=184.643 ms
64 bytes from 199.233.231.2: icmp_seq=9 ttl=129 time=165.293 ms
64 bytes from 199.233.231.2: icmp_seq=10 ttl=129 time=196.422 ms
64 bytes from 199.233.231.2: icmp_seq=11 ttl=129 time=179.409 ms
^C
--- pkg.hardenedbsd.org ping statistics ---
13 packets transmitted, 12 packets received, 7.7% packet loss
round-trip min/avg/max/stddev = 165.293/238.480/644.692/129.722 ms


On Monday, November 20, 2023 at 02:42:36 UTC+3, Shawn Webb wrote:

Ulaş Saygın

Nov 25, 2023, 3:45:00 PM
to HardenedBSD Users, Ulaş Saygın, Shawn Webb, HardenedBSD Users
Another thing is on HardenedBSD 14:

powerdns, bootlibs and some ports need llvm 16.0.6, which is the same version as the base llvm, but even if there is a base version,
it installs the whole port and it takes too much time. Is there any way to say there is llvm 16 in the base system?

On Saturday, November 25, 2023 at 23:39:49 UTC+3, Ulaş Saygın wrote:

Ulaş Saygın

Nov 26, 2023, 8:38:32 AM
to HardenedBSD Users, Ulaş Saygın, Shawn Webb, HardenedBSD Users
On mobile internet I have a timeout problem, because of which I can't pkg update,
and fetching is not possible because of that. I changed the pkg timeout value to 999,
but no luck. Is it the internet connection or your settings? I am not sure. I will test another internet connection when I can.

Can you tell me the config file locations for pkg? Because I couldn't find all the config in the default config places.

Thanks in advance.

# fetch -v https://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:14:amd64/meta.conf
resolving server address: pkg.hardenedbsd.org:443
failed to connect to pkg.hardenedbsd.org:443
fetch: https://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:14:amd64/meta.conf: Operation timed out


On Saturday, November 25, 2023 at 23:45:00 UTC+3, Ulaş Saygın wrote:

Shawn Webb

Nov 26, 2023, 9:54:31 AM
to Ulaş Saygın, HardenedBSD Users
I just wanted to drop a little note that I haven't forgotten about
your emails. I've been a bit busy and will provide a better response
when I get enough time to give you the answer(s) you need.