rc: Use check_jail to check values of security.jail MIBs

PR: 282404
Reviewed by: markj, netchild
Approved by: markj (mentor)
MFC after: 2 weeks
Event: Berlin Hackathon 202507
Differential Revision

rc: Use check_jail to check values of security.jail MIBs

PR: 282404
Reviewed by: markj, netchild
Approved by: markj (mentor)
MFC after: 2 weeks
Event: Berlin Hackathon 202507
Differential Revision: https://reviews.freebsd.org/D47329

show more ...

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
servic

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I'm running this
since more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Introduce startmsg and use it in rc scripts

startmsg is a new rc.subr(8) function function to be used instead of
echo(1) when for boot messages. It replaces the often forgotten

check_startmsgs

Introduce startmsg and use it in rc scripts

startmsg is a new rc.subr(8) function function to be used instead of
echo(1) when for boot messages. It replaces the often forgotten

check_startmsgs && echo ...

with

startmsg ...

No functional change intended.

I adjusted the commit message and did some final clean-ups of the patch
before committing.

PR: 255207
Reported by: Jose Luis Duran <jlduran@gmail.com>
Reviewed by: imp, 0mp
Approved by: imp (src)
Differential Revision: https://reviews.freebsd.org/D34514

show more ...

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update bec

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.

Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)

show more ...

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision:

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466

show more ...

Don't warn when the "hostname" rc variable is unset, but the hostname
is already non-empty (common in jails).

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueff

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452

show more ...

etc/rc.d/hostname: permit setting hostname if already set

Approved by: dteske
Differential Revision: https://reviews.freebsd.org/D2577

There is no longer a need to abstract ${rcvar_manpage} as we are not
attempting to maintain compatibility with NetBSD for some years now.

In regards to the "Starting foo:" type messages at boot time, create and
employ a more generic solution, and use it in the individual rc.d scripts
that also have an $rc_quiet test:

1. Add check_star

In regards to the "Starting foo:" type messages at boot time, create and
employ a more generic solution, and use it in the individual rc.d scripts
that also have an $rc_quiet test:

1. Add check_startmsgs() to rc.subr.
2. In the rc.d scripts that use rc_quiet (and rc.subr) substitute
variations of [ -z "$rc_quiet" ] with check_startmsgs
3. In savecore add a trailing '.' to the end of the message to make it
more consistent with other scripts.
4. In newsyslog remove a : before the terminal '.' since we do not expect
there to be anything printed out in between to make it more consistent.
5. In the following scripts change "quotes" to 'quotes' where no variables
exist in the message: savecore pf newsyslog
6. In the following scripts substitute if/then/fi for the simpler (and
more consistent) check_startmsgs &&: faith stf
7. In the following scripts separate the "Starting foo:" from the terminal
'.' to make them more consistent: moused hostname pf
8. In nfsclient move the message to its own line to avoid a style bug
9. In pf rc_quiet does not apply to the _stop method, so remove the
test there.
10. In motd add 'quotes' around the terminal '.' for consistency

show more ...

As previously discussed, add the svn:executable property to all scripts

Move a lot of diagnostic output behind $rc_quiet in scripts that
implement their own start command.

Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to r

Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.

This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.

MFC after: 3 weeks

show more ...

Don't be paranoid about hostname(1) and order the things logically.

Pointed out by: ceri

Don't nag about unset $hostname if DHCP is in use.

Pointed out by: ceri

Handle the case when the admin forgot to set $hostname,
which can happen in new installations: advise to set the
variable and refer to rc.conf(5).

Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days

- Use "/bin/hostname" explicitly instead of "hostname".

Approved by: tobez
MFC after: 1 week

Overhaul the /etc/rc.d/diskless script by splitting it out into
hostname, resolve, tmp, and var scripts. The latter three are new and
were repo copied. These scripts no longer depend on being boote

Overhaul the /etc/rc.d/diskless script by splitting it out into
hostname, resolve, tmp, and var scripts. The latter three are new and
were repo copied. These scripts no longer depend on being booted with
and NFS root instead attempt to automaticly create mfs /tmp and /var
volumes if the they are not writable. This behavior can be overridden
in /etc/rc.conf.

Reviewed by: luigi, pjd

show more ...

One tab too much.

Teach 'hostname' script how to act inside a jail.

No objections from: mtm, arch@

tty whacking should occur early, but not so early that the
required commands are not on a mounted file system.

Noticed by: bde

Make ipfilter, ipnat, ipmon, and ipfs behave more like the old rc.
o group them together so they run one right after another
o use the NetBSD supplied ipfs script instead of tacking
it on to the

Make ipfilter, ipnat, ipmon, and ipfs behave more like the old rc.
o group them together so they run one right after another
o use the NetBSD supplied ipfs script instead of tacking
it on to the end of ipnat
o Load the ipl module in ipnat and ipfilter, if it's not already
loaded
o In ipmon and ipnat show a warning if neither ipfilter nor
ipnat is enabled or the ipl module is not loaded, and exit

Approved by: markm (mentor) (implicit)
Tested by: leafy <leafy@leafy.idv.tw>

show more ...

Break out and rewrite the network setup scripts.
o /etc/network.subr contains common subroutines used for seting
up network interfaces
o rc.d/hostname sets the hostname if not already set
o rc.

Break out and rewrite the network setup scripts.
o /etc/network.subr contains common subroutines used for seting
up network interfaces
o rc.d/hostname sets the hostname if not already set
o rc.d/nisdomain sets the nis domain *after* rpcbind but
before the yp* daemons. This fixes issues with temporary
hangs when looking up informaion in nis before it's ready.
o rc.d/netif brings network interfaces (minus dhcp) up.
o rc.d/network1 has been disabled and will be retired before
RELENG_5. It will be replaced by rc.d/netif

Approved by: markm (mentor)

show more ...