auditdistd (distributed audit daemon) to the build:
- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entrie
- New group and user for auditdistd; associated aliases, etc.
The audit trail distribution daemon provides reliable,
cryptographically protected (and sandboxed) delivery of audit tails
from live clients to audit server hosts in order to both allow
centralised analysis, and improve resilience in the event of client
compromises: clients are not permitted to change trail contents
after submission.
Submitted by: pjd
Sponsored by: The FreeBSD Foundation (auditdistd)
This has the following advantages:
- During boot, the BOOT_TIME record is now written right after the file
systems become writable, but before users are allowed to log in. This
means that they can't cause `hidden logins' by logging in right before
init(8) kicks in.
- The pututxline(3) function may potentially block on file locking,
though this is very rare to occur. By placing it in an rc script, the
user can still kill it with ^C if needed.
- Most importantly: jails don't use init(8). This means that a force
reboot of a system running jails will leave stale entries in the
accounting database of the jails individually.
with FreeBSD easier for vendors.
- For optional files use variables starting with underscore.
Both changes make rc.d/Makefile look similar to sys/modules/Makefile.
Reviewed by: dim
Make sure that static ARP and NDP bindings are set before NETWORKING.
As static_ndp is based on static_arp, pass copyright to the project with
permission of the original author (delphij@).
Reviewed by: delphij@FreeBSD.org
MFC after: 3 days
longer used by /etc/rc.d/nfsd and it is no longer necessary
to load the old nfs server by default, when nfs_server_enable="YES".
Tested by: sgk at troutmask.apl.washington.edu
Reviewed by: rc (Andrzej Tobola)
- looking for partition with 'bootonce' attribute alone (without 'bootme'
attribute), removing it and logging that we successfully booted from this
partition.
- looking for partitions with 'bootfailed' attribute, removing it and
logging that we failed to boot from this partition.
Reviewed by: arch (Message-ID: <20100917234542.GE1902@garage.freebsd.pl>)
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com
MFC after: 2 weeks
HAST allows to transparently store data on two physically separated machines
connected over the TCP/IP network. HAST works in Primary-Secondary
(Master-Backup, Master-Slave) configuration, which means that only one of the
cluster nodes can be active at any given time. Only Primary node is able to
handle I/O requests to HAST-managed devices. Currently HAST is limited to two
cluster nodes in total.
HAST operates on block level - it provides disk-like devices in /dev/hast/
directory for use by file systems and/or applications. Working on block level
makes it transparent for file systems and applications. There in no difference
between using HAST-provided device and raw disk, partition, etc. All of them
are just regular GEOM providers in FreeBSD.
For more information please consult hastd(8), hastctl(8) and hast.conf(5)
manual pages, as well as http://wiki.FreeBSD.org/HAST.
Sponsored by: FreeBSD Foundation
Sponsored by: OMCnet Internet Service GmbH
Sponsored by: TransIP BV
The rtsol(8) handles just one RA then exit. So, the OtherConfig flag
may not be handled well by rtsol(8) in the environment where there are
multiple RA servers on the segment. In such case, rtsold(8) will be
your friend.
Reviewed by: hrs
MFC after: 2 weeks
- Add rc.d/stf and rc.d/faith for stf(4) and faith(4).
- Remove rc.d/auto_linklocal and rc.d/network_ipv6.
- Move rc.d/sysctl to just before FILESYSTEMS because rc.d/netif
depends on some sysctl variables.
Reviewed by: brooks
MFC after: 3 days
statically bind IPv4 <-> MAC address at boot time.
In order to use this, the administrator needs to configure the following
rc.conf(5) variable:
- static_arp_pairs: A list of names for static bind pairs, and,
- a series of static_arp_(name): the arguments that is being passed to
``arp -S'' operation.
Example:
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
See the rc.conf(5) manual page for more details.
Reviewed by: -rc@
MFC after: 2 weeks
top of ZVOLs. The problem is that rc.d/fsck runs before rc.d/zfs. The
latter makes ZVOLs to appear in /dev/. In such case rc.d/fsck cannot
find devfs entry and aborts. We cannot simply move rc.d/zfs before
rc.d/fsck, because we first want kern.hostid to be configured (by
rc.d/hostid). If we won't wait (hostid will be 0) we can reuse disks
which are in use by different systems (eg. in SAN/NAS environment).
We also cannot move rc.d/hostid before rc.d/fsck, because rc.d/hostid on
first system start stores generated kern.hostuuid in /etc/hostid file,
so it needs root file system to be mounted read-write.
The fix is to split rc.d/hostid so that rc.d/hostid (which will now run
before rc.d/fsck) only generates hostid and sets up sysctls, but doesn't
touch root file system and rc.d/hostid_save (which is run after
rc.d/root) and only creates /etc/hostid file.
With that in place, we can move ZVOL initialization to dedicated
rc.d/zvol script which runs before rc.d/fsck.
PR: conf/120194
Reported by: James Snow <snow@teardrop.org>
Reviewed by: brooks
Approved by: re (kib)
MFC after: 2 weeks
/etc/rc.d. They use the following new rc variables:
nfsv4_server_enable - set to "YES" to run the experimental server
nfsuserd_enable - set to "YES" to run nfsuserd for NFSv4 client and
server
nfsuserd_flags - command line flags for nfsuserd
nfscbd_enable - set to "YES" to run the experimental nfs client's
NFSv4 callback daemon
nfscbd_flags - command line flags for nfscbd
Reviewed by: dougb
Approved by: kib (mentor)
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
parts relied on the now removed NET_NEEDS_GIANT.
Most of I4B has been disconnected from the build
since July 2007 in HEAD/RELENG_7.
This is what was removed:
- configuration in /etc/isdn
- examples
- man pages
- kernel configuration
- sys/i4b (drivers, layers, include files)
- user space tools
- i4b support from ppp
- further documentation
Discussed with: rwatson, re
mode at boot time. Multiple profiles can be started at the same time.
The whole idea is very similar to the ppp rc script.
Document Bluetooth knobs in rc.conf(5)
MFC after: 1 week
scripts at boot. This is currently disabled by default. /etc/ddb.conf
contains some potentially reasonable default scripts.
PR: conf/119995
Submitted by: Scot Hetzel <swhetzel at gmail dot com> (Earlier version)
X-MFC after: textdumps
This commit includes the following core components:
* sample configuration file for sensorsd
* rc(8) script and glue code for sensorsd(8)
* sysctl(3) doc fixes for CTL_HW tree
* sysctl(3) documentation for hardware sensors
* sysctl(8) documentation for hardware sensors
* support for the sensor structure for sysctl(8)
* rc.conf(5) documentation for starting sensorsd(8)
* sensor_attach(9) et al documentation
* /sys/kern/kern_sensors.c
o sensor_attach(9) API for drivers to register ksensors
o sensor_task_register(9) API for the update task
o sysctl(3) glue code
o hw.sensors shadow tree for sysctl(8) internal magic
* <sys/sensors.h>
* HW_SENSORS definition for <sys/sysctl.h>
* sensors display for systat(1), including documentation
* sensorsd(8) and all applicable documentation
The userland part of the framework is entirely source-code
compatible with OpenBSD 4.1, 4.2 and -current as of today.
All sensor readings can be viewed with `sysctl hw.sensors`,
monitored in semi-realtime with `systat -sensors` and also
logged with `sensorsd`.
Submitted by: Constantine A. Murenin <cnst@FreeBSD.org>
Sponsored by: Google Summer of Code 2007 (GSoC2007/cnst-sensors)
Mentored by: syrinx
Tested by: many
OKed by: kensmith
Obtained from: OpenBSD (parts)
in most cases, except one. The 'restart' case was not working as expected. Specifically,
it would stop both lockd and statd, but it would restart only statd (which appears first
in the script). This is because rc.subr(8) contains code to guard against infinite
recursion in the 'restart' casae.
To fix this use the traditional approach of controlling only one server from one script by
breaking out rc.d/nfslocking into its contituent parts: rc.d/lockd and rc.d/statd. Keep
rc.d/nfslocking around but don't include it in the boot rcorder(8)ing.
PR: conf/107316
Approved by: re (bmah)
MFC after: 2 weeks
UUID and stores it in /etc/hostid ($hostid_file) as well as sets kern.hostuuid
and kern.hostid sysctls on every boot.
Hostid can be reset using '/etc/rc.d/hostid reset' command.
Hostid generation and setting can be turned off by setting variable
hostid_enable to "NO" in /etc/rc.conf.
Reviewed by: mlaier, rink, brooks, rwatson
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.
This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.
MFC after: 3 weeks
automaticly add it to an Ethernet bridge. This is intended for applications
such as qemu, vmware, openvpn, ... which open tap interfaces and need them
bridged with the hosts network adapter, the user can set up a glob for
interfaces to be automatically added (eg tap*).
scripts. These scripts handle vnode backed md(4) devices.
Old ramdisk{,-own} scripts will stay a bit in CVS to allow some time for
migration since variable names have changed (ramdisk_* -> mdconfig_*).
Two new variables have been introduced to be able to populate the md(4)
device once it has been mounted (mdconfig_*_files and mdconfig_*_cmd).
Use should be as easy as:
mdconfig_md0="-t malloc -s 10m"
mdconfig_md1="-t vnode -f /var/foo.img"
See rc.conf(5) for more information and description of the additional
variables.
Approved by: cperciva
