| #
f99f0ee1
|
| 22-May-2024 |
Alexander Leidinger <netchild@FreeBSD.org> |
rc.d: add a service jails config to all base system services
This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail.
The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part.
The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work.
Only a subset of all of the services are fully tested (I have been running this for more than a year with various services started as service jails). The untested parts should be OK most of the time; in some edge cases more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371
|
| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
1459a8eb
|
| 08-Jan-2020 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Run netoptions startup script in vnet jails.
People use rc.conf inside vnet jails to configure networking setups. Presumably because some sysctl were not virtualised up until r356527 the script was not run for vnet jails leaving the rc.conf options without effect for non-obvious reasons. Run the netoptions startup script also for VNET jails now to make the rc.conf options work.
PR: 243193
MFC after: 2 weeks
|
| #
0696600c
|
| 17-Oct-2018 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Move the rc framework out of sbin/init into libexec/rc.
The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with every package update because an rc script was touched. (a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement of the rc framework with alternatives, such as openrc.
Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)
|
| #
1135e97b
|
| 28-Jul-2018 |
Brad Davis <brd@FreeBSD.org> |
Move rc startup scripts from etc/ to sbin/init/
This keeps most startup scripts as CONFS per discussion on src-committers from back during BSDCan.
Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466
|
| #
6c1a5e83
|
| 23-Apr-2016 |
Lars Engels <lme@FreeBSD.org> |
- Add descriptions to most of the rc scripts. Those are mostly taken from their daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".
Approved by: bapt, brueffer
Differential Revision: D452
|
| #
049087a0
|
| 13-Sep-2011 |
Hiroki Sato <hrs@FreeBSD.org> |
Add $ipv6_cpe_wanif to enable functionality required for IPv6 CPE (r225485). When setting an interface name to it, the following configurations will be enabled:
1. "no_radr" is set to all IPv6 interfaces automatically.
2. "-no_radr accept_rtadv" will be set only for $ipv6_cpe_wanif. This is done just before evaluating $ifconfig_IF_ipv6 in the rc.d scripts (this means you can manually supersede this configuration if necessary).
3. The node will add RA-sending routers to the default router list even if net.inet6.ip6.forwarding=1.
This mode is added to conform to RFC 6204 (a router which connects the end-user network to a service provider network). To enable packet forwarding, you still need to set ipv6_gateway_enable=YES.
Note that accepting router entries into the default router list when packet forwarding capability and a routing daemon are enabled can result in messing up the routing table. To minimize such unexpected behaviors, "no_radr" is set on all interfaces but $ipv6_cpe_wanif.
Approved by: re (bz)
|
| #
86fdaae5
|
| 30-Mar-2011 |
Ed Maste <emaste@FreeBSD.org> |
Replace ${SYSCTL_W} with ${SYSCTL} in rc.d scripts, as they are identical. This is a further clean up after r202988.
SYSCTL_W is still initialized in rc.subr as some ports may still use it.
|
| #
abe3ac57
|
| 13-Sep-2010 |
Hiroki Sato <hrs@FreeBSD.org> |
Add $ipv6_privacy to support net.inet6.ip6.use_tempaddr. Note that this will be replaced with a per-IF version later.
Based on: changes in r206408 by dougb
|
| #
c5ad71af
|
| 13-Sep-2010 |
Hiroki Sato <hrs@FreeBSD.org> |
Revert changes in r206408.
Discussed with: dougb, core.5, and core.6
|
| #
8aa4c579
|
| 09-Apr-2010 |
Doug Barton <dougb@FreeBSD.org> |
Improve the handling of IPv6 configuration in rc.d. The ipv6_enable and ipv6_ifconfig_<interface> options have already been deprecated, these changes do not alter that.
With these changes any value set for ipv6_enable will emit a warning. In order to avoid a POLA violation for the deprecation of the option ipv6_enable=NO will still disable configuration for all interfaces other than lo0. ipv6_enable=YES will not have any effect, but will emit an additional warning. Support and warnings for this option will be removed in FreeBSD 10.x.
Consistent with the current code, in order for IPv6 to be configured on an interface (other than lo0) an ifconfig_<interface>_ipv6 option will have to be added to /etc/rc.conf[.local].
1. Clean up and minor optimizations for the following functions:
   ifconfig_up (the ipv6 elements)
   ipv6if
   ipv6_autoconfif
   get_if_var
   _ifconfig_getargs
   The cleanups generally were to move the "easy" tests earlier in the functions, and consolidate duplicate code.
2. Stop overloading ipv6_prefer with the ability to disable IPv6 configuration.
3. Remove noafif() which was only ever called from ipv6_autoconfif. Instead, simplify and integrate the tests into that function, and convert the test to use is_wired_interface() instead of listing wireless interfaces explicitly.
4. Integrate backwards compatibility for ipv6_ifconfig_<interface> into _ifconfig_getargs. This dramatically simplifies the code in all of the callers, and avoids a lot of other code duplication.
5. In rc.d/netoptions, add code for an ipv6_privacy option to use RFC 4193 style pseudo-random addresses (this is what windows does by default, FYI).
6. Add support for the [NO]RTADV options in ifconfig_getargs() and ipv6_autoconfif(). In the latter, include support for the explicit addition of [-]accept_rtadv in ifconfig_<interface>_ipv6 as is done in the current code.
7. In rc.d/netif add a warning if $ipv6_enable is set, and remove the set_rcvar_obsolete for it. Also remove the latter from rc.d/ip6addrctl.
8. In /etc/defaults/rc.conf:
Add an example for RTADV configuration.
Set ipv6_network_interfaces to AUTO.
Switch ipv6_prefer to YES. If ipv6_enable is not set this will have no effect.
Add a default for ipv6_privacy (NO).
9. Document all of this in rc.conf.5.
|
| #
da5f0a6f
|
| 23-Oct-2009 |
Hiroki Sato <hrs@FreeBSD.org> |
Use double-quotation marks to fix the unexpanded variable issue.
Spotted by: swell.k
|
| #
b5a70c98
|
| 02-Oct-2009 |
Hiroki Sato <hrs@FreeBSD.org> |
The net.inet.tcp.log_in_vain accepts 0, 1 or 2, not Y/N.
|
| #
01ce5591
|
| 02-Oct-2009 |
Hiroki Sato <hrs@FreeBSD.org> |
- Fix logic inversion bug of net.inet.tcp.rfc1323[*].
- Split netoptions_start() to netoptions_AF() and add afexists() check for each address family.
- Display a message only if the user sets a non-default value, and set a sysctl explicitly even if it is the default value.
Spotted by: Pegasus Mc Cleaft[*]
|
| #
db4abd60
|
| 30-Sep-2009 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Don't do an IPv6 operation when the kernel doesn't have IPv6 support.
Reported by: Alexander Best <alexbestms__at__math.uni-muenster.de>
Confirmed by: Paul B. Mahol <onemda__at__gmail.com>, Alexander Best <alexbestms__at__math.uni-muenster.de>
|
| #
40e0d27f
|
| 12-Sep-2009 |
Hiroki Sato <hrs@FreeBSD.org> |
Use RCng coding convention.
MFC after: 3 days
|
| #
2b985169
|
| 16-Jul-2008 |
Doug Barton <dougb@FreeBSD.org> |
As previously discussed, add the svn:executable property to all scripts
|
| #
e2a76fa7
|
| 23-Jun-2008 |
Mike Makonnen <mtm@FreeBSD.org> |
Set the sysctl(8) value in the same shell, not a subshell. This was causing calls to netoptions_init() to not properly set a global variable, which ended up being in the parent shell.
|
| #
8b5adf2f
|
| 23-Jun-2008 |
Mike Makonnen <mtm@FreeBSD.org> |
Do not print anything unless one of the net/routing options is set.
|
| #
e11cc001
|
| 02-May-2007 |
Mike Makonnen <mtm@FreeBSD.org> |
Move options that do not have anything to do with routing out of rc.d/routing and in to rc.d/netoptions. Also instead of saying "TCP options" say "IP options".
|
| #
47ba326a
|
| 02-May-2007 |
Mike Makonnen <mtm@FreeBSD.org> |
When rc.d/NETWORKING included this script in its REQUIRE line, a circular dependency was introduced because this script had rc.d/localpkg (which is *after* rc.d/NETWORKING) in its REQUIRE line.
From an examination of its contents it seems that only the availability of a local filesystem is necessary for this script to function properly.
|
| #
680aa4e3
|
| 09-Apr-2007 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply "additional TCP options" earlier.
Requested by: andre@
MFC after: 1 week
|
| #
337338ee
|
| 07-Oct-2004 |
Mike Makonnen <mtm@FreeBSD.org> |
Remove the requirement for the FreeBSD keyword as it no longer makes any sense.
Discussed with: dougb, brooks
MFC after: 3 days
|
| #
bd57d5b0
|
| 08-Mar-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Mark scripts as not usable inside a jail by adding keyword 'nojail'.
Some suggestions from: rwatson, Ruben de Groot <mail25@bzerk.org>
|
| #
41f0e9d3
|
| 06-Aug-2003 |
Mike Makonnen <mtm@FreeBSD.org> |
Rename localdaemons to localpkg. The original name was really a mistake since /usr/local/etc/rc.d scripts can (and usually do) start more than just daemons. Even the output in the script uses 'local packages.' Also, the term 'local daemons' is used by rc.d/local, which was etc/rc.local of rcOG fame. No repo-copy because there isn't much history to save. I will remove localdaemons shortly with all the other files that don't belong in rc.d anymore.
Discussed with: dougb, freebsd-rc@yahoogroups.com
|