Commit Graph

4930 Commits

Author SHA1 Message Date
keramida
f3b33ac21f Add defaults for /etc/rc.d/gssd
Approved by:	dfr
2008-11-05 10:20:33 +00:00
delphij
e07ee09f61 Correct a typo that prevented my laptop from starting
devd.
2008-11-04 23:03:36 +00:00
rpaulo
85b1030aa8 Add support for Asus A8Sr notebooks.
PR:		128553
Submitted by:	Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Reviewed by:	philip
MFC after:	2 months
2008-11-04 11:52:50 +00:00
dfr
2fb03513fc Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
pjd
1893f5dd32 ifconfig(8) can take only one interface at a time. 2008-10-30 20:24:25 +00:00
mp
d76979f7aa Explicitly set the shell to /bin/sh when MK_TCSH == no.
Not objected to by:	sam
2008-10-29 18:46:47 +00:00
thompsa
cfd906dfd7 Add ucomX shortcuts just like its uart sibling. 2008-10-27 17:19:14 +00:00
thompsa
306c95be6d Make a note about the notify codes for the four special function keys above the
keyboard on the EeePC.
2008-10-27 16:20:40 +00:00
sam
4c8cff4868 o fix MK_TCSH == no: the default master.passwd sets up root to use /bin/csh
but there won't be one so root won't be able to login; edit the installed
  file to use /bin/sh in this case.
o while here split csh-related files apart from sh and only install them
  when requested
2008-10-27 16:13:28 +00:00
thompsa
ecabe5a4df Show which rc script is running since the default ^T just shows 'sh' as the
process.
2008-10-27 01:05:09 +00:00
ed
4405dea5ac Sort `mount -p' output by name before checking for any differences.
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.

If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
2008-10-25 18:45:40 +00:00
imp
b4339512ce Add entries for uart based serial ports. All the serial ports on mips
so far are uart subclasses.  Also, turn uart0 on by default.
2008-10-12 06:58:03 +00:00
des
af5b3ad794 Create separate cat directories for en.UTF-8. This, together with r183697,
allows users in en.UTF-8 locales to see non-ascii characters in man pages.

MFC after:	1 week
2008-10-08 13:28:02 +00:00
brooks
ab1e647ba6 Remove compat support for vaps_<ifn> and vap_create_<ifn> variables as
promised in r178527.  These variables were never in a release version.

Reminded by:	sam
2008-10-01 18:46:46 +00:00
ru
821d9baa1c Allow a jail's IP alias to be created with an arbitrary netmask.
MFC after:	3 days
2008-09-24 15:18:27 +00:00
sam
ddf12ae897 add back regdomain.xml
Noticed by:	jhay
2008-09-22 15:37:47 +00:00
sam
9c3d2ffcdf add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by:	various (posted to arch)
MFC after:	1 month
2008-09-21 22:02:26 +00:00
thompsa
09662c68f9 Allow a jail to be started with a specific route fib.
Reviewed by:	secteam (simon)
Reviewed by:	brooks, bz
2008-09-16 20:18:25 +00:00
bms
67bb59274c Add support to rc.initdiskless for /conf/T/M/remount_subdir.
This allows the location of the configuration data to be relocated
within the filesystem containing it. A nullfs mount is used in order
to achieve this.

Obtained from:	XORP, Inc.
2008-09-09 18:40:50 +00:00
gshapiro
1d76251369 A no-op commit to simulate the effect of a forced commit so the file
has a new timestamp as needed for mergemaster.  A more long term
solution to this is needed since svn doesn't support forced commits.
2008-08-31 18:21:15 +00:00
jhb
ff9581861d Add the ability to run /usr/sbin/crashinfo on a new core dump automatically
during boot.  Right now this is disabled by default, but it can be enabled
by setting 'crashinfo_enable=YES' in rc.conf.

MFC after:	2 weeks
2008-08-29 20:30:30 +00:00
gshapiro
76e027f22f Google changed the location of the blacklists again.
Submitted by:	Tim Pozar
2008-08-28 07:03:13 +00:00
des
01bdd42de6 Make obrien happy #2 2008-08-25 16:31:53 +00:00
des
4da9acb2ce Make obrien happy 2008-08-25 16:28:54 +00:00
ed
6224eb8ee1 Restore 256 pty(4) entries.
As discussed with Robert Watson on the src-committers list, it is safer
to keep at least some pty(4) entries in /etc/ttys, for applications that
roll their own PTY allocation routine and only search for BSD-style
PTY's.

This means we've now just toggled the amount of entries for pts(4) and
pty(4).

Requested by:	rwatson
2008-08-24 08:41:29 +00:00
ed
4cc510ad6a Remove old BSD-style entries from /etc/ttys and increase pts(4) to 512.
Because we now use pts(4)-style PTY's exclusively, there is no use for
these entries in /etc/ttys. Right now the pts(4) entries only go from 0
to 255. Because we're going to touch these files anyway, increase the
number to 511.

Discussed with:	philip (ex-mentor)
2008-08-23 14:36:39 +00:00
rpaulo
4bfcd9ff65 Cope with the file rename by changing rc variables. 2008-08-21 00:04:19 +00:00
ed
cc3116a938 Integrate the new MPSAFE TTY layer to the FreeBSD operating system.
The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:

- Improved driver model:

  The old TTY layer has a driver model that is not abstract enough to
  make it friendly to use. A good example is the output path, where the
  device drivers directly access the output buffers. This means that an
  in-kernel PPP implementation must always convert network buffers into
  TTY buffers.

  If a PPP implementation would be built on top of the new TTY layer
  (still needs a hooks layer, though), it would allow the PPP
  implementation to directly hand the data to the TTY driver.

- Improved hotplugging:

  With the old TTY layer, it isn't entirely safe to destroy TTY's from
  the system. This implementation has a two-step destructing design,
  where the driver first abandons the TTY. After all threads have left
  the TTY, the TTY layer calls a routine in the driver, which can be
  used to free resources (unit numbers, etc).

  The pts(4) driver also implements this feature, which means
  posix_openpt() will now return PTY's that are created on the fly.

- Improved performance:

  One of the major improvements is the per-TTY mutex, which is expected
  to improve scalability when compared to the old Giant locking.
  Another change is the unbuffered copying to userspace, which is both
  used on TTY device nodes and PTY masters.

Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.

Obtained from:		//depot/projects/mpsafetty/...
Approved by:		philip (ex-mentor)
Discussed:		on the lists, at BSDCan, at the DevSummit
Sponsored by:		Snow B.V., the Netherlands
dcons(4) fixed by:	kan
2008-08-20 08:31:58 +00:00
obrien
19743e2df1 Rename the RCng 'kernel' script to 'kernel_symlink'. 2008-08-20 03:02:06 +00:00
obrien
5c4a4c1479 Rename the RCng 'kernel' script to 'kernel_symlink'.
Requested by: many
2008-08-19 14:23:31 +00:00
jhb
6bfca819a4 Allow the network addresses and interface names for the "client" and
"workstation" firewall types to be set from rc.conf so that rc.firewall
no longer needs local patching to be usable for those types.  For now
I've set the variables in /etc/defaults/rc.conf to the previous defaults
in /etc/rc.firewall.

PR:		bin/65258
Submitted by:	Valentin Nechayev  netch of netch.kiev.ua
Silence from:	net
MFC after:	2 weeks
2008-08-15 19:20:59 +00:00
jhb
879012b8bd For the "client" and "simple" network types, collapse the separate "net"
and "mask" variables into a single "net" variable that contains a full
network address (including either a netmask or prefix length at the user's
choice).  Update the example settings to match.

MFC after:	2 weeks
2008-08-15 19:14:25 +00:00
jhb
358e19cca4 Use 'me' rather than explicit IP addresses for the "simple" and "client"
firewall configurations.

PR:		bin/65258
Silence on:	net@
MFC after:	1 week
2008-08-15 18:58:15 +00:00
jhb
cc5c2abb08 For the firewall_* variables that are specific to the "workstation"
firewall type, note that property in their description.

MFC after:	1 week
2008-08-15 18:48:29 +00:00
antoine
e5067d55c3 Improve periodic/security/550.ipfwlimit a bit:
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")

PR:		conf/126060 [1]
MFC after:	1 month
2008-08-10 18:11:24 +00:00
obrien
0475264d7b Only symlink booted kernel directory to /boot/kernel if user has explicitly
requested it.  This is too dangerous to just do behind the admin's back.
2008-08-09 01:19:00 +00:00
cperciva
606619cde8 Add /usr/share/man/whatis, /var/db/locate.database, and /var/log to the
list of paths which `freebsd-update IDS` should ignore by default.
2008-08-08 10:36:16 +00:00
danger
b6a62e0a11 - back out my last commit as it seems to be wrong.
Spotted by: das
2008-08-03 19:01:07 +00:00
cperciva
3319cd19d3 Make freebsd-update IDS not complain about /usr/share/man/cat* by
default.
2008-08-02 00:11:43 +00:00
dougb
6f04a5d9f3 When using SRV records the protocols and services files need to be in the
chroot /etc directory.

PR:		conf/121101
Submitted by:	Stefan `Sec` Zehl <sec@42.org>
2008-08-01 06:11:33 +00:00
dougb
97559f39b4 Add the -c option for named_flags (still commented out) that is
relevant for ports users, and change the comment to match.

While I'm here fix the capitalization of the named_program comment.
2008-08-01 05:15:54 +00:00
jhb
9c7525b3ac Oops, restore the recent changes to make startup messages quieter. 2008-07-31 22:13:14 +00:00
jhb
4072a30fef Parse sysctl settings from /etc/sysctl.conf.local after /etc/sysctl.conf
if it exists.  This mirrors similar behavior for /boot/loader.conf and
/etc/rc.conf.

Obtained from:	Yahoo!
MFC after:	1 week
2008-07-31 21:57:35 +00:00
antoine
2288482a5b Remove an empty directory that is already in ObsoleteFiles.inc from
mtree/BSD.usr.dist
2008-07-28 17:42:37 +00:00
thompsa
412a8c5e97 Change the module example to kldload since this is the resume side. 2008-07-21 22:55:40 +00:00
marcel
c1cdcb99f3 Remove sioX as an alias for uartX. It is believed to be
more confusing than helpful.

Suggested by: jhb
2008-07-21 22:38:00 +00:00
marcel
daf2fe9d15 With uart(4) default, change sio# to uart# so that
out-of-the-box FreeBSD is consistent.
2008-07-19 20:12:33 +00:00
marcel
be01d3a915 With uart(4) default, change /dev/cuad# to /dev/cuau# and
sio# to uart# so that out-of-the-box FreeBSD is consistent.
2008-07-19 20:12:02 +00:00
marcel
6043671e8a With uart(4) default, change /dev/cuad# to /dev/cuau# and
sio# to uart# so that out-of-the-box FreeBSD is consistent.
2008-07-19 20:11:33 +00:00
marcel
f97f068bca With uart(4) default, change /dev/cuad# to /dev/cuau# so that
out-of-the-box FreeBSD is consistent.
2008-07-19 20:00:18 +00:00