With a recent change, nuageinit always creates a "freebsd" user if no
users are specified, which means the rootdir in the testsuite needs to
contain a group file; otherwise pw complains and the tests fail.
The "default" user should only be created when:
- the `users` key is missing
- or the `default` string is present in the `users` list
Since `public_keys` are extracted from the meta-data, this patch has
to slightly adjust the way they are loaded.
The change simplifies the logic around the default user SSH key injection.
Both `ssh_authorized_keys` and `public_keys` are handled at the same time.
MFC After: 1 week
Signed-off-by: Gonéri Le Bouder <goneri@lebouder.net>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1952
Clarify that both `sudo` and `doas` are not part of the base system and
they need to be listed in the `packages` section if the user wants to
enable them.
MFC After: 1 week
Signed-off-by: Gonéri Le Bouder <goneri@lebouder.net>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1944
This change enhances `config2_network()` to honor the DNS
configuration when it's defined through the `services` section.
The `network_data.json` file can hold DNS configuration at two different
places:
- within a network configuration entry
- or a `dns` entry in the `services` section; in this case the configuration is global.
An example of such configuration:
{
  "links": [
    {"id": "interface0", "type": "phy", "ethernet_mac_address": "52:54:00:01:59:03"}
  ],
  "networks": [
    {
      "id": "private-ipv4-0",
      "type": "ipv4",
      "link": "interface0",
      "ip_address": "192.168.123.5",
      "netmask": "255.255.255.0",
      "routes": [{"network": "0.0.0.0", "netmask": "0.0.0.0", "gateway": "192.168.123.1"}],
      "network_id": "9e5b1ed9-f5e6-4941-a90f-2e06bab858de",
      "dns_nameservers": ["192.168.123.1"],
      "services": [{"type": "dns", "address": "192.168.123.1"}]
    }
  ],
  "services": [{"type": "dns", "address": "192.168.123.1"}]
}
See: https://docs.openstack.org/nova/latest/user/metadata.html
MFC After: 1 week
Signed-off-by: Gonéri Le Bouder <goneri@lebouder.net>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1941
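As an added illustration of the two DNS locations described in that commit message (this is not nuageinit's own code, which is written in Lua, and the commit itself is not reproduced here), the following Python reads a constructed `network_data.json` and collects nameservers from a network entry's `dns_nameservers`, that entry's `services`, and the global `services` section. The ordering, the de-duplication and the rejection of malformed addresses are choices of this example, not behaviour taken from nuageinit:

```python
import ipaddress
import json

# Constructed sample (not captured from a real instance): DNS is given both
# inside the network entry and globally under "services", and one bogus
# address is included to show that malformed entries are ignored.
SAMPLE_NETWORK_DATA = json.dumps({
    "links": [{"id": "interface0", "type": "phy",
               "ethernet_mac_address": "52:54:00:01:59:03"}],
    "networks": [{
        "id": "private-ipv4-0", "type": "ipv4", "link": "interface0",
        "ip_address": "192.168.123.5", "netmask": "255.255.255.0",
        "routes": [{"network": "0.0.0.0", "netmask": "0.0.0.0",
                    "gateway": "192.168.123.1"}],
        "dns_nameservers": ["192.168.123.1", "not-an-ip"],
        "services": [{"type": "dns", "address": "192.168.123.1"}],
    }],
    "services": [{"type": "dns", "address": "10.0.0.53"},
                 {"type": "ntp", "address": "10.0.0.123"}],
})

# Constructed sample with DNS only in the global "services" section.
GLOBAL_ONLY_NETWORK_DATA = json.dumps({
    "links": [{"id": "interface0", "type": "phy",
               "ethernet_mac_address": "52:54:00:01:59:03"}],
    "networks": [{"id": "private-ipv4-0", "type": "ipv4",
                  "link": "interface0", "ip_address": "192.168.123.5",
                  "netmask": "255.255.255.0"}],
    "services": [{"type": "dns", "address": "10.0.0.53"}],
})


def _valid_address(addr):
    """Accept only syntactically valid IPv4/IPv6 literals: the metadata
    service is outside the guest's control, so arbitrary strings should not
    be copied into resolv.conf."""
    if not isinstance(addr, str):
        return False
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return True


def collect_dns_nameservers(raw_json):
    """Gather nameservers from every place network_data.json may carry them.

    The order is an assumption of this example, not nuageinit's behaviour:
    per-network "dns_nameservers", then that network's "services" entries of
    type "dns", then the global "services" section. Duplicates and invalid
    addresses are dropped; first-seen order is kept.
    """
    data = json.loads(raw_json)
    found = []

    def add(addr):
        if _valid_address(addr) and addr not in found:
            found.append(addr)

    for net in data.get("networks", []):
        for addr in net.get("dns_nameservers", []):
            add(addr)
        for svc in net.get("services", []):
            if svc.get("type") == "dns":
                add(svc.get("address"))
    for svc in data.get("services", []):
        if svc.get("type") == "dns":
            add(svc.get("address"))
    return found


def render_resolv_conf(nameservers):
    """Render the nameserver lines a resolv.conf would carry."""
    return "".join(f"nameserver {ns}\n" for ns in nameservers)


if __name__ == "__main__":
    print(render_resolv_conf(collect_dns_nameservers(SAMPLE_NETWORK_DATA)),
          end="")
```

Run stand-alone, the script prints two `nameserver` lines for the first sample: the per-network server once (its duplicate under the network's `services` is folded away) and the global one after it; the `ntp` service entry and the malformed address are ignored.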
Since the initializer is used in other places where we can't just
replace it with a char-by-char initializer, this adds a macro for the
nonstring attribute (matching the linuxkpi definition).
Reviewed by: emaste, jhb
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52535
ipfilter options are erased and reset to default when ipfilter is
disabled. This results in nullifying options from rc.conf that were
previously set.
8d6feaaaa2, which added this code, was incorrect as it was for a bug in
ipfilter 4.2.28 and no longer applies to ipfilter 5.1.2.
Fixes: 8d6feaaaa2
MFC after: 1 day
This rc script exists solely to create a file, so have it explicitly
require FILESYSTEMS. In its current form, it was as likely as not to
end up running before cleanvar, which would undo its work.
MFC after: 3 days
Fixes: 384d976725 ("rc.d: Add precious_machine rc.conf knob to create /var/run/noshutdown")
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D54119
Instead of having FILESYSTEMS require cleanvar, which doesn't really
make semantic sense, say that cleanvar needs to run before FILESYSTEMS.
MFC after: 3 days
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D54118
This prevents dumping the memory layout of setugid processes.
MFC after: 3 days
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D54033
As a safety precaution df381bec2d limits ippool hash table size to 1K.
This causes any legitimately large hash table to fail to load. The
htable_size_max ipf tunable adjusts this but the adjustment is made
in the ipfilter rc script, invoked after the ippool script (because it
depends on ippool). Let's load the ipfilter_optionlist in ippool as well.
The ipfilter_optionlist load will also occur in the ipfilter rc script in case
the user uses ipfilter without ippool.
Fixes: df381bec2d
MFC after: 3 days
In arch_fix_auxv(), remove local variable shadowing the argument,
remove write-only variable, and declare the loop variable.
The wrong patch was committed after a series of local reverts and
re-applies.
Fixes: b2b3d2a962
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Add guards against attempting to process a user data file with an empty
first line or contents.
PR: 290395
Reviewed by: bapt (earlier), dtxdf, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53239
When an unprivileged user restarts a service using, e.g., sudo, the
service runs with the audit user ID set to that of the unprivileged
user. This can have surprising effects: for instance, a user that
restarts a jail that is running sshd will end up with their UID attached
to all audit logs associated with users who log in via that sshd
instance. (sshd will set the audit user, but this is disallowed in
jails by default.)
Add support for rc.conf directives which cause rc to override the audit
user. Specifically, make <name>_audit_user=foo cause the audit user to
be set to "foo" for service <name>. A plain audit_user=foo directive
causes all services to be started as foo.
Note, like other similar rc features, this feature is limited to rc
services which are run by executing a command. Shell functions can't be
wrapped this way.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53747
When running an rc command, if the target rc script defines
<command>_cmd, e.g., start_cmd=..., then the run_rc_command() executes
that instead of $command. In general it's a shell function, and
"cpuset -l <n> <shell function>" doesn't work.
Moreover, it doesn't really make sense to run cpuset for anything other
than start_cmd.
Other optional isolation mechanisms (e.g., <name>_fib,
<name>_chroot) are only used when invoking $command directly as part of
the "start" command. Make <name>_cpuset consistent with everything else
by removing these extraneous cpuset invocations.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53746
Specifically, make this code fit in fewer columns:
- deindent cases to conform to the usual style,
- use a local variable to minimize duplication in each case.
No functional change intended.
Reviewed by: 0mp, netchild
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D53754
This periodic script only makes sense if mandoc is installed, so move
it to the mandoc package like other periodic scripts.
/usr/libexec/makewhatis.local only exists for the enjoyment of this
script, and doesn't work without mandoc installed, so move that as
well.
This change moves files between packages so, until we have a proper
policy on how to handle this in release/stable branches, it should
not be MFC'd.
MFC after: never
Reviewed by: ziaee, manu
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53609
Files read by '.' cannot work out for themselves where they are
or what they are called, so set dot_dir and dot_file to pass
this information to them.
Reviewed by: obrien, stevek
Differential Revision: https://reviews.freebsd.org/D53476
Instead of sleeping after pwait returns, use its new -p option to
obtain the list of processes that still have not terminated.
MFC after: 3 days
PR: 290357
Fixes: 5953e7c984 ("rc.subr: Move the sleep in wait_for_pids")
Reviewed by: 0mp, markj
Differential Revision: https://reviews.freebsd.org/D53294
This reverts commit 2347ca21d6.
A fix has been implemented in 99560fe98c ("pfctl: Do not warn if there
is no Ethernet anchor").
Revert this commit to avoid having differences with upstream.
MFC after: 2 days
This reverts commit 67ade69eb6.
A fix has been implemented in a943a96a50 ("libpfctl: Fix displaying
deeply nested anchors").
Revert this commit to avoid having differences with upstream.
The blocklist daemon depends on a packet filter in order to block.
Add all supported packet filters to the REQUIRE line, not just pf, to
indicate to rcorder(8) that it should start after the packet filter service
has started.
While here, change the mode of the rc file to include the executable
bit, just like the rest of the files in the rc.d source directory.
Reviewed by: 0mp
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53364
flua is a standalone third-party component that deserves its own
package. In particular, this means things can use flua without
having to depend on FreeBSD-utilities, which will be useful as
more base utilities use flua.
This saves ~500kB in FreeBSD-utilities for systems which don't
need flua.
MFC after: 3 days
Reviewed by: kevans
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53161
It has been reported as PR 290478. In the meantime, just sweep under
the carpet.
It is worth noting that neither commit:
2347ca21d6 ("blocklist-helper: Silence a bogus pf warning")
nor this one will be upstreamed, as this is a FreeBSD-specific issue.
PR: 290478
MFC after: 2 days
bfb202c455 addresses the CTRL-EVENT-SCAN-FAILED issue. Upstream d807e289d
caused a FreeBSD regression in driver_bsd.c, which this rc.d patch
worked around. As of bfb202c455 this workaround is no longer needed.
052211e08c implemented this change for wpa_supplicant but not for
hostapd.
Reported by: avg
MFC after: 3 days
Allow umask to be configurable.
Being able to set the umask via an rc variable is useful when setting:
security.bsd.unprivileged_read_msgbuf=0
as it allows a user to configure:
dmesg_umask="066"
without modifying the rc script, preventing the contents of the
$dmesg_file (/var/run/dmesg.boot) from being publicly readable.
PR: 272552
Reviewed by: netchild
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53169
This more accurately reflects its purpose, and its contents, since
everything in the package is prefixed with "local-".
While here, add a message on upgrade about regenerating the config.
MFC after: 3 seconds
Requested by: des
Reviewed by: des
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53056
Silence a bogus warning about (an ethernet) anchor not being found.
It has been reported as PR 280516. In the meantime, just sweep under
the carpet.
Approved by: emaste (mentor)
MFC after: 2 days
Follow up the upstream rename from blacklist to blocklist.
- Old names and rc scripts are still valid, but emit an ugly warning
- Old firewall rules and anchor names should work, but emit an ugly
warning
- Old MK_BLACKLIST* knobs are wired to the new ones
Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code. If issues arise, it
will be swiftly reverted.
Reviewed by: ivy (pkgbase)
Approved by: emaste (mentor)
MFC after: 2 days
Relnotes: yes
sndiod is part of audio/sndio, so we should avoid referencing a port
utility from base.
We should also require NETWORKING for the service to start, since
virtual_oss can be configured to send audio through the network.
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: des, markj, emaste
Differential Revision: https://reviews.freebsd.org/D53019
After commit 900bc02063, zpool depends on mountcritlocal. zpoolreguid
and zpoolupgrade depend on zpool and want to run before mountcritcycle,
so we have a pair of cycles.
Update zpoolreguid and zpoolupgrade to avoid this.
Reviewed by: des
MFC after: 3 days
Fixes: 900bc02063 ("rc.d/zpool: change mountcritlocal dep from BEFORE to REQUIRE")
Differential Revision: https://reviews.freebsd.org/D52953
Replace .if statements with CONFGROUPS.${MK_FOO} where possible,
and also sort and re-indent the file for readability.
A couple of more complicated sections don't work with CONFGROUPS.yes
yet, so leave those as they are for now.
MFC after: 1 week
Reviewed by: imp
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D52974
Disable if IPv6 is not supported, and instead of 10 seconds, default to
one more than the value of net.inet6.ip6.dad_count.
Fixes: 5ead817c3b ("rc: Teach netwait to wait for DAD")
Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D52905
Local tree pollution let this escape. *sigh*.
Pointy hat: kevans
Pointy hat: kevans
Pointy hat: kevans
Fixes: 9c7db0931d ("flua: move lposix back into flua for now")
nuageinit largely already did this, but one spot was missed -- add the
necessary require() in to get the module loaded.
Fixes: b11a5709ec ("flua: kick out the remaining builtin modules")