Hello all,
I use rdomains to split routing domains per company and also to separate
administration interfaces from routing interfaces on my routers (sshd,
bacula, postfix and puppetd run on a dedicated rdomain).

Currently there is a problem with rdomains: we need to modify the /etc/rc.d
scripts to add the rdomain execution environment for the specified service.
If rc.subr had support for rdomains, we could keep the rc.d scripts clean.

To resolve those rdomain issues, I created a patch that adds a new
variable we can use in rc.conf(.local), ${_name}_rdomain. (This
variable must be a signed integer and refer to an existing rdomain; both
are checked by rc.subr.)

I want to contribute to OpenBSD, so I am offering you this patch. If you have
any suggestions to improve it, please tell me.

--- /etc/rc.d/rc.subr.orig      Thu Jul 10 17:34:18 2014
+++ /etc/rc.d/rc.subr   Thu Jul 10 18:36:19 2014
@@ -54,7 +54,7 @@
 }
 
 rc_start() {
-       ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
+       ${rcexec} "${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg}"
 }
 
 rc_check() {
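Review bot: With `daemon_rdomain` defaulting to 0 (last hunk) and `_rdomain_cmd` unconditionally assigned in rc_cmd (third hunk), every daemon's start command is now prefixed with `/sbin/route -T0 exec`, which adds a /sbin/route dependency and an extra exec to services that never configured an rdomain. Set the prefix only when a non-zero rdomain is requested, e.g. `_rdomain_cmd=` followed by `[ "${daemon_rdomain}" -ne 0 ] && _rdomain_cmd="/sbin/route -T${daemon_rdomain} exec"`, so the default path stays byte-identical to today's behaviour. `_rdomain_cmd` is declared `local` in rc_cmd but consumed here in rc_start; this appears to rely on rc_do calling rc_start in the same shell, and rc.d scripts that define their own rc_start will not pick up the rdomain at all, which deserves a sentence in the rc.subr(8) documentation for the new variable.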
@@ -105,7 +105,7 @@
 }
 
 rc_cmd() {
-       local _bg _n
+       local _bg _n _rdomain_cmd
 
        [ "$(id -u)" -eq 0 ] || \
                [ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] || \
@@ -134,6 +134,21 @@
                        rc_err "$0: need -f to force $1 since
${_name}_flags=NO"
                        exit 1
                fi
+
+               printf '%d' ${daemon_rdomain} 1>/dev/null 2>&1
+               if [ ! "$?" -eq "0" ] || [ "${daemon_rdomain}" -lt "0"
]; then
+                       rc_err "$0: ${_name}_rdomain must be numeric and
signed. Found ${_name}_rdomain=${daemon_rdomain}"
+                       exit 1
+               fi
+
+               /sbin/route -T${daemon_rdomain} exec printf ''
1>/dev/null 2>&1
+               if [ ! "$?" -eq "0" ]; then
+                       rc_err "$0: rdomain ${daemon_rdomain} doesn't
exists."
+                       exit 1
+               fi
+
+               _rdomain_cmd="$(printf '/sbin/route -T%d exec'
${daemon_rdomain})"
+
                [ -z "${INRC}" ] && rc_do rc_check && exit 0
                echo $_n "${INRC:+ }${_name}"
                while true; do  # no real loop, only needed to break
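Review bot: The error text on the first rc_err line, `must be numeric and signed`, contradicts the check just above it, which rejects negative values with `-lt "0"`; make the message match what is enforced: `rc_err "$0: ${_name}_rdomain must be a non-negative integer. Found ${_name}_rdomain=${daemon_rdomain}"`. The second message has a typo, `doesn't exists` should read `does not exist`. Style-wise, testing `$?` after the fact reads awkwardly next to the rest of rc.subr; `if ! printf '%d' "${daemon_rdomain}" >/dev/null 2>&1 || [ "${daemon_rdomain}" -lt 0 ]; then` folds the check into the condition and quotes the expansion so a value containing whitespace cannot be split into several printf arguments before it is embedded in the su -c command string. Since this validation only runs on the start path, a malformed `${_name}_rdomain` is silently accepted by check and stop; if that is intended, say so in a comment. rc_cmd's body continues outside this hunk.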
@@ -203,22 +218,25 @@
 
 eval _rcflags=\${${_name}_flags}
 eval _rcuser=\${${_name}_user}
+eval _rcrdomain=\${${_name}_rdomain}
 
 getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
        daemon_class=${_name}
 
 [ -z "${daemon_class}" ] && daemon_class=daemon
 [ -z "${daemon_user}"  ] && daemon_user=root
+[ -z "${daemon_rdomain}"  ] && daemon_rdomain=0
 
 [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags
 [ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
 [ -n "${_rcuser}"  ] && daemon_user=${_rcuser}
+[ -n "${_rcrdomain}"  ] && daemon_rdomain=${_rcrdomain}
 
 # sanitize
 daemon_flags=$(printf ' %s' ${daemon_flags})
 daemon_flags=${daemon_flags## }
 readonly daemon_class
-unset _rcflags _rcuser
+unset _rcflags _rcuser _rcrdomain
 
 pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr




