r204076:
Please welcome HAST - Highly Avalable Storage.
HAST allows to transparently store data on two physically separated machines
connected over the TCP/IP network. HAST works in Primary-Secondary
(Master-Backup, Master-Slave) configuration, which means that only one of the
cluster nodes can be active at any given time. Only Primary node is able to
handle I/O requests to HAST-managed devices. Currently HAST is limited to two
cluster nodes in total.
HAST operates on block level - it provides disk-like devices in /dev/hast/
directory for use by file systems and/or applications. Working on block level
makes it transparent for file systems and applications. There in no difference
between using HAST-provided device and raw disk, partition, etc. All of them
are just regular GEOM providers in FreeBSD.
For more information please consult hastd(8), hastctl(8) and hast.conf(5)
manual pages, as well as http://wiki.FreeBSD.org/HAST.
Sponsored by: FreeBSD Foundation
Sponsored by: OMCnet Internet Service GmbH
Sponsored by: TransIP BV
r204077:
Remove some lines left over by accident.
r204083:
Add missing KEYWORD line.
Pointed out by: dougb
r205279 sys:
Simplify loops.
Use an unique directory name instead of hardcoded /tmp/.diskless.
A malicious user could create a file named /tmp/.diskless and cause
the script to misbehave.
PR: conf/141258
Add rc.d script for the rtsold(8) daemon.
The rtsol(8) handles just one RA then exit. So, the OtherConfig flag
may not be handled well by rtsol(8) in the environment where there are
multiple RA servers on the segment. In such case, rtsold(8) will be
your friend.
Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.
Submitted by: Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by: rhodes, rc@
Don't complain when we encounter the "cache" source, it's valid. Also fix
the error message to include a line feed and not include a stray comma.
Submitted by: Artis Caune artis.caune gmail.com
While here, change "> /dev/stderr" for more usual ">&2"
Submitted by: jilles
PR: bin/121671
Approved by: ed (mentor, implicit)
Since the change to rc.subr in r198162 it's not necessary to specify
command in the rc.d script if we have a corresponding ${name}_program
entry, which we do for named.
Rename named_precmd to named_prestart to make it more clear and match
convention.
Move the command_args definition related to -u up into _prestart().
It (and the associated $named_uid value) are only used there, and
unlike required_* and pidfile don't need to be used until this stage.
Fix a silly bug that would only have affected people who were using
the new named_wait or named_auto_forward features, AND had set up an
rndc.conf file instead of using the automatically generated rndc.key.
For named_conf:
Add "-c $named_conf" to command_args if it's not set to the
default. If it is set to the default and we're using the base
BIND it's not necessary. If we're using BIND from the ports
the user is likely to have included it in _flags (due to long
necessity for doing so) so don't duplicate that if it's set.
Add $named_conf to required_files
MFC r200563:
The named process needs to have a "working directory" that it can
write to. This is specified in "options { directory }" in named.conf.
So, create /etc/namedb/working with appropriate permissions, and
update the entry in named.conf to match.
In addition to specifying the working directory, file and path names
in named.conf can be specified relative to the directory listed.
However, since that directory is now different from /etc/namedb
(where the configuration, zone, rndc.*, and other files are located)
further update named.conf to specify all file names with fully
qualified paths. Also update the comment about file and path names
so users know this should be done for all file/path names in the file.
This change will eliminate the 'working directory is not writable'
messages at boot time without sacrificing security. It will also
allow for features in newer versions of BIND (9.7+) to work as
designed.
Add a new rc.d script, static_arp, which enables the administrator to
statically bind IPv4 <-> MAC address at boot time.
In order to use this, the administrator needs to configure the following
rc.conf(5) variable:
- static_arp_pairs: A list of names for static bind pairs, and,
- a series of static_arp_(name): the arguments that is being passed to
``arp -S'' operation.
Example:
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
See the rc.conf(5) manual page for more details.
In regards to the "Starting foo:" type messages at boot time, create
and employ a more generic solution, and use it in the individual rc.d
scripts that also have an $rc_quiet test:
1. Add check_startmsgs() to rc.subr.
2. In the rc.d scripts that use rc_quiet (and rc.subr) substitute
variations of [ -z "$rc_quiet" ] with check_startmsgs
3. In savecore add a trailing '.' to the end of the message to make it
more consistent with other scripts.
4. In newsyslog remove a : before the terminal '.' since we do not
expect there to be anything printed out in between to make it more
consistent.
5. In the following scripts change "quotes" to 'quotes' where no
variables exist in the message: savecore pf newsyslog
6. [Does not apply in RELENG_8]
7. In the following scripts separate the "Starting foo:" from the
terminal '.' to make them more consistent: moused hostname pf
8. In nfsclient move the message to its own line to avoid a style bug
9. In pf rc_quiet does not apply to the _stop method, so remove the
test there.
10. In motd add 'quotes' around the terminal '.' for consistency
Approved by: re (kib)
Fix the typo mentioned in the PR, and one additional.
Fix caps while I'm here.
PR: conf/138087
Submitted by: Chris Petrik <c.petrik.sosa@gmail.com>
Approved by: re (kib)
Move is_wired_interface() from rc.d/wpa_supplicant into network.subr,
simplify it a bit, and make use of that method to determine if an
interface is a candidate for IPv6 rtsol rather than listing all of the
possible wireless interfaces that should _not_ get rtsol'ed.
This change is only relevant for 8.0+ unless the "wlan mandatory" code
gets ported back to RELENG_7.
Approved by: re (kib)
top of ZVOLs. The problem is that rc.d/fsck runs before rc.d/zfs. The
latter makes ZVOLs to appear in /dev/. In such case rc.d/fsck cannot
find devfs entry and aborts. We cannot simply move rc.d/zfs before
rc.d/fsck, because we first want kern.hostid to be configured (by
rc.d/hostid). If we won't wait (hostid will be 0) we can reuse disks
which are in use by different systems (eg. in SAN/NAS environment).
We also cannot move rc.d/hostid before rc.d/fsck, because rc.d/hostid on
first system start stores generated kern.hostuuid in /etc/hostid file,
so it needs root file system to be mounted read-write.
The fix is to split rc.d/hostid so that rc.d/hostid (which will now run
before rc.d/fsck) only generates hostid and sets up sysctls, but doesn't
touch root file system and rc.d/hostid_save (which is run after
rc.d/root) and only creates /etc/hostid file.
With that in place, we can move ZVOL initialization to dedicated
rc.d/zvol script which runs before rc.d/fsck.
PR: conf/120194
Reported by: James Snow <snow@teardrop.org>
Reviewed by: brooks
Approved by: re (kib)
MFC after: 2 weeks
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.
IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.
This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.
- Remove redundant debugging of consolelog.
- Use `while :', instead of `while [ true ]'. This is done in other
places as well.
Submitted by: Jille Timmermans <jille quis cx> (not jilles)
Reviewed by: jilles
/etc/rc.d. They use the following new rc variables:
nfsv4_server_enable - set to "YES" to run the experimental server
nfsuserd_enable - set to "YES" to run nfsuserd for NFSv4 client and
server
nfsuserd_flags - command line flags for nfsuserd
nfscbd_enable - set to "YES" to run the experimental nfs client's
NFSv4 callback daemon
nfscbd_flags - command line flags for nfscbd
Reviewed by: dougb
Approved by: kib (mentor)
happen right after ypbind, and before anything that uses NIS. The only
change in rcorder accomplished by this patch is make that happen.
PR: conf/117555
Submitted by: John Marshall <john@rwsrv05.mby.riverwillow.net.au>
(localhost by default) can be successfully looked up. Off by default.
2. New feature: option to create a forwarder configuration file based on
the contents of /etc/resolv.conf. This allows you to utilize a local
resolver for better performance, less network traffic, custom zones, etc.
while still relying on the benefits of your local network resolver.
Off by default.
3. Add named-checkconf into the startup routine. This will prevent named
from trying to start in a situation where it would not be possible to do
so.
arbitrary commands (outside the jail) associated with said events,
e.g. to bring up/down CARP interfaces representing services run in
jails.
Reviewed by: simon
is set and "natd_enable" is NOT set;
- Accept and pass firewall type to the external firewall script.
Submitted by: Yuri Kurenkov < y -dot- kurenkov -at- init -dot- ru >
MFC after: 3 days
No response from: freebsd-rc
the jail case specifically. In case we find a proper pre-seeded
devfs in the chroot path (mounted from the base system) permit
starting chrooted else give proper warn/error messages.
PR: conf/103489
Reviewed by: dougb
MFC after: 5 days
time to boot an unplugged system 30 sec. longer for no good reason. Therefore,
add a check to make sure that any DHCP interfaces are plugged in before
waiting.
the -g and -q options. They do a slightly different thing and
both are necessary when the time difference is large.
Noticed by: danger, in the forums
Approved by: roberto
MFC after: 1 week
Note: this is only really necessary because of the ifconfig
logic to add/remove the jail IPs upon start/stop.
Consensus among simon and I is that the logic should
really be factored out from the startup script and put
into a proper management solution.
- We now support starting of no-IP jails.
- Remove the global jail_<jname>_netmask option as it is only
helpful to set netmasks/prefixes for the right address
family and per address.
- Implement jail_<jname>_ip options to support both
address familes with regard to ifconfig logic.
- Implement _multi<n> support suffix to the jail_<jname>_ip
option to configure additional addresses to avoid overlong,
unreadbale jail_<jname>_ip lines with lots of addresses.
Submitted by: initial work from Ruben van Staveren
Discussed on: freebsd-jail in Nov 2008.
Reviewed by: simon, ru (partial, older version)
MFC after: 1 week
newline when it fails to obtain an address via DHCP. This made the next
rc script begin its output on the same line.
PR: conf
Submitted by: Bruce Cran <bruce at cran dot org dot uk>
MFC after: 3 days
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month