The home directory of the ftp user is /var/spool/ftp according to
hier(7). Update the manual page of ftpd(8) to reflect that.
MFC after: 2 weeks
(cherry picked from commit bad2f716f4)
The mountd script in rc.d sets vfs.nfsd.server_max_nfsvers correctly
when it is run at system startup, relying on the kernel default.
However, if NFSv4 was enabled in /etc/rc.conf later, and the script
was re-run to restart mountd, the sysctl was still set to 3.
Set the sysctl to the right value in all cases.
Reviewed by: rmacklem
(cherry picked from commit 1cf8e6339e)
This is a more reliable method that accounts for existing pidfiles,
procname and interpreter settings.
Current method of obtaining the pid for oomprotect="YES"|"ALL" processes
in certain cases fails to find a unique pid.
One such case are rc.d scripts defining command as:
command="daemon"
which results in all processes started via daemon being selected and
passed to protect(1) which fails and prints usage:
$ /etc/rc.d/exampled restart
Stopping exampled.
Starting exampled.
usage: protect [-i] command
protect [-cdi] -g pgrp | -p pid
Running the same with -x reveals what happens:
+ pid='3051 4268 4390 4421 4427 4470 4588 4733 4740 4870 4949 4954 4979
5835 5866 55487 55583 56525 57643 57789 57882 58072 58167 99419'
+ /usr/bin/protect -p 3051 4268 4390 4421 4427 4470 4588 4733 4740 4870
4949 4954 4979 5835 5866 55487 55583 56525 57643 57789 57882 58072 58167
99419
usage: protect [-i] command
protect [-cdi] -g pgrp | -p pid
We have a more reliable way of obtaining pid already defined in rc.subr
and available when protect(1) needs it. We can simply `eval $_pidcmd`
which also invokes `check_process` but properly accounts for existing
pidfile, procname and interpreter settings.
With the change the pidfile is properly obtained.
Submitted by: Adam Wolk <a.wolk at fudosecurity.com>
Sponsored by: Fudo Security
Differential Revision: https://reviews.freebsd.org/D30367
Approved by: oshogbo
(cherry picked from commit 6ba108e52d)
To allow for a dynamic page size on arm64 have the runtime linker
query the kernel for the currentl page size.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34765
(cherry picked from commit e85eaa9308)
- Include <machine/tls.h> in MD rtld_machdep.h headers.
- Remove local definitions of TLS_* constants from rtld_machdep.h
headers and libc using the values from <machine/tls.h> instead.
- Use _tcb_set() instead of inlined versions in MD
allocate_initial_tls() routines in rtld. The one exception is amd64
whose _tcb_set() invokes the amd64_set_fsbase ifunc. rtld cannot
use ifuncs, so amd64 inlines the logic to optionally write to fsbase
directly.
- Use _tcb_set() instead of _set_tp() in libc.
- Use '&_tcb_get()->tcb_dtv' instead of _get_tp() in both rtld and libc.
This permits removing _get_tp.c from rtld.
- Use TLS_TCB_SIZE and TLS_TCB_ALIGN with allocate_tls() in MD
allocate_initial_tls() routines in rtld.
Reviewed by: kib, jrtc27 (earlier version)
Differential Revision: https://reviews.freebsd.org/D33353
(cherry picked from commit 8bcdb144eb)
This matches the TLS_TCB_ALIGN definition in libc.
Reviewed by: kib, jrtc27
Sponsored by: The University of Cambridge, Google Inc.
Differential Revision: https://reviews.freebsd.org/D33349
(cherry picked from commit 299617496c)
Previously TLS_DTV_OFFSET was added to the offset passed to
tls_get_addr_common; however, this approach matches powerpc and RISC-V
and better matches the intention.
Reviewed by: kib, jrtc27
Sponsored by: The University of Cambridge, Google Inc.
Differential Revision: https://reviews.freebsd.org/D33347
(cherry picked from commit 23e0c0e9a3)
This is the more standard name for the bias of dtv pointers used on
other platforms. This also fixes a few other places that were using
the wrong bias previously on MIPS such as dlpi_tls_data in struct
dl_phdr_info and the recently added __libc_tls_get_addr().
Reviewed by: kib, jrtc27
Sponsored by: The University of Cambridge, Google Inc.
Differential Revision: https://reviews.freebsd.org/D33346
(cherry picked from commit 03f6b14106)
When no interface is specified results in a syntax error in the rc
script. Only execute poststart when an interface has been specified.
PR: 263358
Submitted by: markj
Reported by: Joshua Kinard <freebsd@kumba.dev>
Fixes: 0da2c91e64
(cherry picked from commit 1452bfcd9b)
PR#254282 reports a problem where nullfs mounts cannot be
exported via mountd for FreeBSD 13.0.
The problem seems to be that, to do the nullfs mounts in
/etc/fstab, they require the "late" mount option, so that the
underlying filesystem is mounted (ZFS for the PR).
Adding "mountlate" to the REQUIRE list in /etc/rc.d/mountd
fixes the problem, but that results in a dependency cycle
because /etc/rc.d/lockd specifies:
REQUIRE: nfsd
BEFORE: DAEMON
--> which forces mountd to preceed DAEMON.
This patch removes "nfsd" from REQUIRE for lockd and statd,
then adds mountlate to REQUIRE for mountd, to fix this
problem. Having lockd REQUIRE nfsd was done in the NetBSD
code when it was pulled into FreeBSD and there does not
seem to be a need for this.
In case this causes problems, a long MFC has been specified.
PR: 254282
(cherry picked from commit f72926eab0)
The zfskeys service script starts before the zfs service script, so that
dataset decryption keys are available when `zfs mount -a` is run. One of
the potential edge cases of this design is that if a key is stored on
ZFS it won't be loaded until `zfs mount -a` is issued.
In order to address that let's try to load the additional keys and mount
related ZFS datasets after the zfs script finishes its standard mounting
procedure.
PR: 262468
Reported by: Graham Perrin <grahamperrin@gmail.com>
Reviewed by: allanjude
Approved by: allanjude (src)
Fixes: 33ff39796f Add zfskeys rc.d script for auto-loading encryption keys
MFC after: 3 days
Sponsored by: Modirum
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D34601
(cherry picked from commit 97aeda2243)
/etc/rc.d/dumpon runs before /etc/rc.d/swap. When encrypted swap is in
use the .eli or .bde device will not exist at the time dumpon runs.
Even if this is addressed it does not make sense to dump core to
encrypted swap, as the encryption key will not be available after
reboot rendering the dump useless. Thus, for the case that dumpdev=AUTO
and encrypted swap is in use, strip the extension and use the underlying
device.
Emit a warning if we are using the underlying device and the user has not
configured dump encryption, so that the user knows that the will not be
encrypted.
PR: 238301
Reported by: Ivan Rozhuk
Reviewed by: jilles
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34474
(cherry picked from commit 67e751f167)
Using /etc/jail.{jailname}.conf is nice, however it makes /etc/ very
messy if you have many jails. This patch allows one to move these
config files out of the way into /etc/jail.conf.d/{jailname}.conf.
Note that the same caveat as /etc/jail.*.conf applies: the jail service
will not autodiscover all of these for starting 'all' jails. This is
considered future work, since the behavior matches.
(cherry picked from commit 7955efd574)
Previously it depended on sysctl, which itself has no dependencies,
so rcorder(8) had a bit too much flexibility when choosing when to run
it. Make sure it runs just between 'fsck' and 'root'.
Reviewed By: jmg, imp
Sponsored By: EPSRC
Differential Revision: https://reviews.freebsd.org/D29748
(cherry picked from commit b68e656922)
Currently, if the linux service is run twice, mount(8) fails with:
mount: linprocfs: Device busy
mount: linsysfs: Device busy
mount: devfs: Device busy
mount: fdescfs: Device busy
mount: tmpfs: Device busy
It is a bit more user-friendly if before running mount(8) the service
checks if there are any file systems left to be mounted. This patch
implements this behavior.
Also, while here, create mount points directories (as suggested by
otis).
Reviewed by: trasz
Approved by: trasz (src)
Differential Revision: https://reviews.freebsd.org/D32463
(cherry picked from commit 5690261858)
Arno Tuber reported via email that he needed to restart the gssd daemon
after booting, to get his Kerberized NFS mount to work.
Without this patch, rcorder shows that the gssd starts before NETWORKING
and kdc. The gssd will need NETWORKING to connect to the KDC and, if
the kdc is running on the same system, it does not make sense to start it
before the kdc. This fixed the problem for Arno.
While here, I also added a "# BEFORE: mountcritremote".
It does not affect ordering at this time, but I felt
it should be added, since the gssd needs to be running
when remote NFS mounts are done.
PR: 261939
(cherry picked from commit 0f5e9425e7)
This addresses the following boot message:
/etc/rc: WARNING: $zfskeys_enable is not set properly - see rc.conf(5).
Reported by: Mark Millard
Sponsored by: Modirum MDPay
Sponsored by: Klara Inc.
Fixes: bfb7a31b6a ("rc: Hook zfskeys to the build")
Fixes: 33ff39796f ("Add zfskeys rc.d script for auto-loading encryption keys")
(cherry picked from commit 6596f19daa)
This removes a minor annoyance with Linux jails, where you often
want linux_mounts_enable="NO", yet you want those filesystems
available for mounting in jails; normally mount(8) would result
in kernel automatically loading the KLD, but this doesn't work
inside jails or chroots.
PR: 242955
Sponsored By: EPSRC
Differential Revision: https://reviews.freebsd.org/D29725
(cherry picked from commit 45aec46246)
Support loading a default pf ruleset in case of invalid pf.conf.
If no pf rules are loaded pf will pass/allow all traffic, assuming the
kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
GENERIC.
In other words: if there's a typo in the main pf_rules we would allow
all traffic. The new default rules minimise the impact of this.
If $pf_program (i.e. pfctl) fails to set $pf_fules and
$pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if
set, or $pf_fallback_rules.
$pf_fallback_rules can include multiple rules, for example to permit
traffic on a management interface.
$pf_fallback_rules_enable defaults to "NO", preserving historic behaviour.
man page changes by ceri@.
PR: 256410
Reviewed by: donner, kp
Sponsored by: semaphor.dk
Differential Revision: https://reviews.freebsd.org/D30791
(cherry picked from commit 28f47a199c)
When a use sets umask in login.conf(5) to 027 or 077 a subsequently
fetched /var/db/ntpd.leap-seconds.list will inherit the permissions
allowed by the umask, resulting in a file that may not be readable
ntpd running under the ntp account. This patch adds a umask command
to preempt the umask in login.conf(5) prior to fetching a new copy
of the leap-seconds file.
PR: 261298
Reported by: Martin Waschbusch <martin@waschbuesch.de>
(cherry picked from commit c6806434e7)
This fixes a problem where ctld(8) would refuse to start on boot
with a specific IP address to listen on configured in ctl.conf(5).
It also fixes a problem where ctld(8) would fail to start with
some network interfaces which require a sysctl.conf(5) tweak
to configure them, eg to switch them from InfiniBand to IP mode.
PR: 232397
(cherry picked from commit 015351de04)
And put ftpd into it.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33453
(cherry picked from commit 20cd6e315e)
And put the tcp-wrapper utilities in it.
Reviewed by: emaste
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33439
(cherry picked from commit 078b764da3)
Move some needed binaries/libs from FreeBSD-utilities to FreeBSD_runtime.
This is everything needed to boot to multiuser with FreeBSD-rc installed.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33435
(cherry picked from commit 93c4369096)
YP is less and less used, split them to users have the choice to not
install them.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33441
(cherry picked from commit 5abb10faa1)
both telnet and telnetd aren't that useful nowadays but some
might want them.
Create a FreeBSD-telnet package so users have a choice to have
them or not.
Differential Revision: https://reviews.freebsd.org/D31791
Reviewed by: emaste
(cherry picked from commit c7fd29f0f2)
In network6_getladdr() we are iterating over inet6 lines and are not
interested in any others. So tell ifconfig to limit output to "inet6"
as much as possible.
This is probably a micro-optimisation but was noticed while looking
at other IPv6-related boot-time improvements.
(cherry picked from commit e448ff6f0e)
Like wpa_supplicant, hostapd does not automatically UP the interface
when configured. The fix is similar to 5fcdc19a81.
Reported by: avg
Tested by: avg
(cherry picked from commit 0da2c91e64)
Parentheses added to HASZERO macro to avoid a GCC warning, and formatted
with clang-format as we have adopted these and don't consider them
'contrib' code.
Obtained from: musl (snapshot at commit 4d0a82170a25)
Reviewed by: kib (libc integration), mjg (both earlier)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17630
(cherry picked from commit 7f72497ef7)
This disables the random (between zero and one seconds) delay before
rtsol and rtsold send a a Router Solicitation packet. This delay is
specified as a SHOULD by RFC 4861 for avoidance of network congestion,
but network speeds have increased enough in the 25 years since this
first appeared (in RFC 1970) that it seems unnecessary as a default
at this point.
This speeds up the FreeBSD boot process by an average of 500 ms.
Reviewed by: kp
Relnotes: yes
Sponsored by: https://www.patreon.com/cperciva
Differential Revision: https://reviews.freebsd.org/D33089
(cherry picked from commit e29711da23)
Variables must be quoted if they contain non-alphanumeric characters.
Warner noted in the review that the lack of quoting causing problems
here is rather an edge case. I believe that it's worth adding the quotes
here anyway because this is what the specification says and there is no
good reason not to follow it.
Reviewed by: imp
Approved by: imp (src)
MFC after: 7 days
(cherry picked from commit 169e06fa78)
Since vfs.nfsd.srvmaxio can only be set when nfsd.ko
is loaded, but nfsd is not running, setting it in
/etc/sysctl.conf is not feasible when "options NFSD"
was not specified for the kernel.
This patch adds a new rc variable nfs_server_maxio,
which sets vfs.nfsd.srvmaxio at the correct time.
rc.conf.5 will be patched separately.
(cherry picked from commit 5509bad74e)
