generates a configuration suitable for running unbound as a caching
forwarding resolver, and configures resolvconf(8) to update unbound's
list of forwarders in addition to /etc/resolv.conf. The initial list
is taken from the existing resolv.conf, which is rewritten to point to
localhost. Alternatively, a list of forwarders can be provided on the
command line.
To assist this script, add an rc.subr command called "enabled" which
does nothing except return 0 if the service is enabled and 1 if it is
not, without going through the usual checks. We should consider doing
the same for "status", which is currently pointless.
Add an rc script for unbound, called local_unbound. If there is no
configuration file, the rc script runs local-unbound-setup to generate
one.
Note that these scripts place the unbound configuration files in
/var/unbound rather than /etc/unbound. This is necessary so that
unbound can reload its configuration while chrooted. We should
probably provide symlinks in /etc.
Approved by: re (blanket)
except to document the hardcoded standard library search path for 32-bit
binaries. The third line performs the equivalent substitution for the
private library directory.
Ironically, these entries rely on functionality which is only available
in the COMPAT_32BIT version of rtld-elf.
Approved by: re (blanket)
we don't want to expose but which can't or shouldn't be static.
To mark a library as private, define PRIVATELIB in its Makefile. It
will be installed in LIBPRIVATEDIR, which is normally /usr/lib/private
(or /usr/lib32/private for 32-bit libraries on 64-bit platforms).
To indicate that a program or library depends on a private library,
define USEPRIVATELIB in its Makefile. The correct version of
LIBPRIVATEDIR will be added to its run-time library search path.
Approved by: re (blanket)
headrs.
Lots of third-party code expects to find C++03 headers under tr1 because that's
where GNU decided to hide them. This should fix ports that expect them there.
MFC after: 1 week
independently. There is no reason to leave their options
with the daily ones, so move them to their own section.
Move periodic scripts' options into their own section. Since r254974,
These are included unconditionally for now because bsdconfig
is currently installed unconditionally.
This fixes 'make -j 17 installworld' caused by a race
condition.
MFC candidate.
If we panic again shortly after boot (say, within 30 seconds), any core
dump we wrote out may be lost on reboot. In this situation, we really
want to keep that core file, as it may be the only way to have the issue
resolved. Call sync(8) after writing out the core file and running
crashinfo(8), in the hope that these will not be lost if we panic
again. sync(8) is only called in the case where there is a core dump
to be written out, so won't be called during normal boots.
Discovered by: Trying to debug an IPSEC panic
MFC after: 1 week
There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.
All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitely disabled with a
"NO", either for in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.
Reviewed by: hackers@
"/etc/rc.d/netif stop XXX". The old globbing pattern failed to account for the
possibility of a tab occuring before "inet".
Reviewed by: will
Approved by: ken (mentor, implicit)
MFC after: Never (bug affects head only)
Sponsored by: Spectra Logic
Newly-configured systems should use $cloned_interfaces.
- Call clone_{up,down}() and ifnet_rename() in rc.d/netif {start,stop}.
ifnet_rename() now accepts an interface name list as its argument.
- Add rc.d/netif clear. The "clear" subcommand is basically equivalent to
"stop" but it does not call clone_down().
- Add "ifname:sticky" keyword into $cloned_interfaces. If :sticky is
specified, the interface will not be destroyed in rc.d/netif stop.
- Add cloned_interfaces_sticky={YES,NO}. This variable globally sets
:sticky keyword above for all interfaces. The default value is NO.
When cloned_interfaces_sticky=YES, :nosticky keyword can be used to
override it on per interface basis.
- inet 192.0.2.1-10 netmask 255.255.255.0 (inet range spec + ifconfig options)
- inet6 2001:db8:1::1-f prefixlen 60 (inet6 range spec + ifconfig options)
If prefixlen or netmask option is specified with CIDR notation at
the same time, the option is used.
Tested by: Michael Grimm
MFC after: 3 days
notation like 2001:db8:1:1.
- Use eui64 flag in ifconfig(8) instead of network6_getladdr()[*] for
interface indentifier part.
Suggested by: ume [*]
MFC after: 3 days
