Re: named chroot rcNG devfs
On Sun, 16 Feb 2003 03:09:46 +0100 [EMAIL PROTECTED] wrote:

> > On the other hand shared libraries are needed (or a port that supports
> > linking bind statically...)
> >
> > cd /usr/ports/net/bind[89]
> > make clean
> > make CFLAGS+=-static -DPORT_REPLACES_BASE_BIND8
> > make install
>
> i don't like ports installing to locations of base system binaries, i.e.
> /usr/sbin etc., and in the case of bind i don't see a reason why the port
> should be installed in place of the base bind only to get copied over to
> the chroot. wouldn't it be fine if the bind ports would support
> '-DPORT_INSTALL_CHROOT' or something only installing static binaries
> directly to the chroot? on the other hand

Or something: copy the needed files (named, named-xfer) based upon

    echo $(dirname ${named_program}) | sed -e 's:/sbin::'

> /etc/rc.d/named probably should also support running chrooted with the
> base bind which would either require copying the required libs or a
> statically linked base bind... well, i'm looking forward to your improved
> version.

    # copy every shared object ldd(1) lists for ${program} into the chroot,
    # keeping the same path; the first ldd line only names the program and
    # is skipped. Destination ${named_chrootdir} is assumed here.
    lines=$(($(ldd ${program} | wc -l) - 1))
    for lib in $(ldd ${program} | tail -${lines} | sed -e 's:.*=> ::g;s: (.*::g'); do
        mkdir -p "${named_chrootdir}$(dirname ${lib})"
        cp "${lib}" "${named_chrootdir}${lib}"
    done

I also think we should have a look at the output of rcNG in general and decide which style we want to use. At the moment we have the old style

    Configuring syscons: fontX Y Z foo bar

and also

    Starting sshd.
    Starting lpd.
    ...

and also /usr/local/etc/rc.d with the old style start messages. This is inconsistent.

Bye,
Alexander.

--
It's not a bug, it's tradition!

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: named chroot rcNG devfs
On Fri, 14 Feb 2003 09:31:57 -0800 Gordon Tetlow [EMAIL PROTECTED] wrote:

> On Tue, Feb 11, 2003 at 06:59:31PM +0100, Alexander Leidinger wrote:
> > Hi,
> >
> > /etc/rc.d/named copies /dev with pax to the named chroot directory. This
> > is obviously wrong with devfs, isn't it?
>
> You should read the script a little closer. That code path is only taken
> on NetBSD.

---snip---
case ${OSTYPE} in
FreeBSD)
        ! checkyesno named_rcng && return 0

        # Is the user using a sandbox?
        if [ -z "$named_chrootdir" ]; then
                rc_flags="-u $nuser -g $ngroup $rc_flags"
                return 0
        fi

        # Do the following checks only if the user wants them done
        checkyesno named_chroot_autoupdate && chroot_autoupdate
        ;;
---snip---

I read this as: If there's a non-null named_chrootdir, then check if we want the autoupdate, else just run with user/group.

BTW.: What does a '!' as the first character of a command in a /bin/sh script mean (I know what it means in zsh/tcsh/bash when used interactively, but the above use of it is unknown to me)?

Bye,
Alexander.

--
Yes, I've heard of decaf. What's your point?

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
Re: named chroot rcNG devfs
On Tue, 11 Feb 2003 [EMAIL PROTECTED] wrote:

> /etc/rc.d/named is quite bogus, especially when it comes to running bind
> chrooted.

Correct. I'm working on an improved method of dealing with this.

> E.g. /dev/null isn't needed by bind8 at all

Incorrect. /dev/null is needed for bind 8. /dev/null and /dev/random are needed for bind 9. Depending on what you're doing, /dev/random is probably a good idea for bind 8 as well.

> On the other hand shared libraries are needed (or a port that supports
> linking bind statically...)

    cd /usr/ports/net/bind[89]
    make clean
    make CFLAGS+=-static -DPORT_REPLACES_BASE_BIND8
    make install

Doug

--
The last time France wanted more evidence, it rolled right through Paris with a German flag. - David Letterman
Re: named chroot rcNG devfs
On Sat, Feb 15, 2003 at 05:09:19PM -0800, Doug Barton wrote:
> On Tue, 11 Feb 2003 [EMAIL PROTECTED] wrote:
> > /etc/rc.d/named is quite bogus, especially when it comes to running bind
> > chrooted.
>
> Correct. I'm working on an improved method of dealing with this.

great!

> > E.g. /dev/null isn't needed by bind8 at all
>
> Incorrect. /dev/null is needed for bind 8. /dev/null and /dev/random are
> needed for bind 9. Depending on what you're doing, /dev/random is probably
> a good idea for bind 8 as well.

hrm, i thought to have checked properly when i set up the chroots. may this have changed throughout version 8? anyway, they still run happily without /dev/null.

> > On the other hand shared libraries are needed (or a port that supports
> > linking bind statically...)
>
> cd /usr/ports/net/bind[89]
> make clean
> make CFLAGS+=-static -DPORT_REPLACES_BASE_BIND8
> make install

i don't like ports installing to locations of base system binaries, i.e. /usr/sbin etc., and in the case of bind i don't see a reason why the port should be installed in place of the base bind only to get copied over to the chroot. wouldn't it be fine if the bind ports would support '-DPORT_INSTALL_CHROOT' or something only installing static binaries directly to the chroot? on the other hand /etc/rc.d/named probably should also support running chrooted with the base bind which would either require copying the required libs or a statically linked base bind... well, i'm looking forward to your improved version.
Re: named chroot rcNG devfs
On Tue, Feb 11, 2003 at 06:59:31PM +0100, Alexander Leidinger wrote:
> Hi,
>
> /etc/rc.d/named copies /dev with pax to the named chroot directory. This
> is obviously wrong with devfs, isn't it?

You should read the script a little closer. That code path is only taken on NetBSD.

-gordon
named chroot rcNG devfs
Hi,

/etc/rc.d/named copies /dev with pax to the named chroot directory. This is obviously wrong with devfs, isn't it?

Bye,
Alexander.

--
Where do you think you're going today?

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
Re: named chroot rcNG devfs
On Tue, Feb 11, 2003 at 06:59:31PM +0100, Alexander Leidinger wrote:
> Hi,
>
> /etc/rc.d/named copies /dev with pax to the named chroot directory. This
> is obviously wrong with devfs, isn't it?

/etc/rc.d/named is quite bogus, especially when it comes to running bind chrooted. E.g. /dev/null isn't needed by bind8 at all (also checked with ktrace), not sure about bind9 though as it uses daemon(3) which tries to open it. On the other hand shared libraries are needed (or a port that supports linking bind statically...) and a copy of named itself if `ndc restart` shall work. Moreover, due to the hardcoded path for copying named-xfer it also doesn't work with the bind[8,9] ports; tweaking rc-scripts to run with ports is NetBSD-style but not as FreeBSD used to be... A designated option to make syslogd(8) pick up an additional /etc/namedb/var/run/log would also be nice.

Mike Makonnen is aware of the brokenness, at least I mailed him about it quite some time ago, before rcNG was turned on by default.

FYI, a working bind8-chroot I use on 4-stable boxes looks like this:

    quad# ls -R /etc/namedb/
    PROTO.localhost-v6.rev  PROTO.localhost.rev  etc  localhost-v6.rev
    localhost.rev  make-localhost  master.conf  named.conf  named.conf.orig
    named.root  slave  slave.conf  slave_xws.conf  usr  var

    /etc/namedb/etc:
    localtime

    /etc/namedb/slave:
    ...

    /etc/namedb/usr:
    lib  libexec  local

    /etc/namedb/usr/lib:
    libc.so.4  libm.so.2  libutil.so.3

    /etc/namedb/usr/libexec:
    ld-elf.so.1

    /etc/namedb/usr/local:
    libexec  sbin

    /etc/namedb/usr/local/libexec:
    named-xfer

    /etc/namedb/usr/local/sbin:
    named

    /etc/namedb/var:
    db  run

    /etc/namedb/var/db:
    named_dump.db

    /etc/namedb/var/run:
    log  named.pid  ndc
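The two mechanical parts of this thread, copying the objects ldd(1) lists into the chroot (Alexander's loop above) and giving the sandbox a /dev without pax-copying the host's (the question that opened the thread), as an added example that is neither the list's code nor /etc/rc.d/named. The ldd output formats in the header comment and the devfs(8) rule invocations in chroot_devfs are assumptions; the ldd parsing and the copy step run on any POSIX sh.

```sh
#!/bin/sh
# Added example (not from the thread or from /etc/rc.d/named): populate a
# named chroot with the shared objects a dynamically linked binary needs,
# and expose only /dev/null and /dev/random through devfs(8) instead of a
# pax copy of /dev (FreeBSD 5 and later).
# Assumed ldd(1) output, one object per line, FreeBSD or Linux style:
#   /usr/sbin/named:                              (header line, skipped)
#   libc.so.4 => /usr/lib/libc.so.4 (0x2808a000)  (copy field 3)
#   /libexec/ld-elf.so.1 (0x28060000)             (bare loader line, field 1)
#   linux-vdso.so.1 (0x00007fff)                  (virtual object, skipped)
#   libfoo.so.1 => not found                      (skipped)

# Print the absolute path of every real object named in ldd output on stdin.
ldd_paths() {
    awk '
        /:$/ || /not found/ { next }
        /=>/  { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy each object read from stdin into $1, keeping its absolute path so the
# dynamic linker finds it at the same place inside the sandbox.
install_objects() {
    root=$1
    while read -r obj; do
        [ -f "$obj" ] || { echo "skip: $obj" >&2; continue; }
        mkdir -p "${root}$(dirname "$obj")"
        cp -p "$obj" "${root}${obj}"
    done
}

# Install the daemon itself plus everything ldd lists for it.
# Usage: populate_chroot /etc/namedb /usr/sbin/named
populate_chroot() {
    root=$1; prog=$2
    { printf '%s\n' "$prog"; ldd "$prog" | ldd_paths; } | install_objects "$root"
}

# Assumed devfs(8) rule syntax: mount a devfs in the chroot, hide every node,
# then unhide only the two nodes named(8) needs, so nothing else is reachable.
chroot_devfs() {
    root=$1
    mkdir -p "${root}/dev"
    mount -t devfs devfs "${root}/dev"
    devfs -m "${root}/dev" rule apply hide
    devfs -m "${root}/dev" rule apply path null unhide
    devfs -m "${root}/dev" rule apply path random unhide
}
```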
Re: named chroot rcNG devfs
On 2003-02-11 at 20:29:17 [EMAIL PROTECTED] wrote:

mafd> E.g. /dev/null isn't needed by bind8 at all (also checked with
mafd> ktrace), not sure about bind9 though as it uses daemon(3) which
mafd> tries to open it.

On my 4.7-STABLE box, bind9 uses /dev/null and /dev/random. It probably dups stdin, stdout and stderr to /dev/null at startup, and it obviously uses /dev/random for random data. :) I presume this behaviour will be exactly the same on -CURRENT.

Cheers,
--
Dimitry Andric [EMAIL PROTECTED]
PGP Key: http://www.xs4all.nl/~dim/dim.asc
Fingerprint: 7AB462D2CE35FC6D42394FCDB05EA30A2E2096A3
Lbh whfg ivbyngrq gur QZPN naq jvyy or cebfrphgrq