Hello all, I use rdomains to split routing domains per company and also separate administration interfaces from routing interfaces on my routers (sshd, bacula, postfix and puppetd running on a dedicated rdomain)
Actually there is a problem with rdomains, we need to modify /etc/rc.d scripts to add rdomain execution environment to the specified service. If rc.subr have support to rdomains, we can let the rc.d scripts clean. To resolve those rdomain issues, I created a patch and I added a new variable we could use on rc.conf(.local), ${_name}_rdomain. (This variable needs a signed integer and use an existing rdomain, this is checked by rc.subr. I want to contribute to OpenBSD and I give you this patch. If you have any suggestions to improve it, tell me.
--- /etc/rc.d/rc.subr.orig Thu Jul 10 17:34:18 2014
+++ /etc/rc.d/rc.subr Thu Jul 10 18:36:19 2014
@@ -54,7 +54,7 @@
 }
 rc_start() {
- ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
+ ${rcexec} "${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg}"
 }
 rc_check() {
@@ -105,7 +105,7 @@
 }
 rc_cmd() {
- local _bg _n
+ local _bg _n _rdomain_cmd
 [ "$(id -u)" -eq 0 ] || \
 [ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] || \
@@ -134,6 +134,21 @@
 rc_err "$0: need -f to force $1 since ${_name}_flags=NO"
 exit 1
 fi
+
+ printf '%d' ${daemon_rdomain} 1>/dev/null 2>&1
+ if [ ! "$?" -eq "0" ] || [ "${daemon_rdomain}" -lt "0" ]; then
+ rc_err "$0: ${_name}_rdomain must be numeric and signed. Found ${_name}_rdomain=${daemon_rdomain}"
+ exit 1
+ fi
+
+ /sbin/route -T${daemon_rdomain} exec printf '' 1>/dev/null 2>&1
+ if [ ! "$?" -eq "0" ]; then
+ rc_err "$0: rdomain ${daemon_rdomain} doesn't exists."
+ exit 1
+ fi
+
+ _rdomain_cmd="$(printf '/sbin/route -T%d exec' ${daemon_rdomain})"
+
 [ -z "${INRC}" ] && rc_do rc_check && exit 0
 echo $_n "${INRC:+ }${_name}"
 while true; do # no real loop, only needed to break
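Review bot: `_rdomain_cmd` is assigned unconditionally in the `@@ -134` hunk, so together with the `daemon_rdomain=0` default in the last hunk every service is now launched through `/sbin/route -T0 exec`, and because the block sits ahead of the `rc_do rc_check` shortcut the existence probe also gates `stop` and `check` — a daemon whose rdomain has been removed can no longer be stopped. The `printf '%d'` test is looser than its message suggests: the `-lt "0"` branch rejects negatives, so the message should say non-negative rather than signed, and some shells let hex or other odd input through; a `case` glob is a stricter check without a fork, and `doesn't exists` should read `does not exist`. Note too that the probe runs as root inside rc_cmd whereas the real wrapper is executed under `su` as `${daemon_user}` via `rcexec`, so a passing probe does not by itself show that the unprivileged start will succeed — worth verifying against setrtable(2) before relying on it. The rewrite below leaves the default case untouched; rc_cmd continues outside the hunk.
```sh
	# … unchanged: -f / ${_name}_flags=NO check …
	case ${daemon_rdomain} in
	''|*[!0-9]*)
		rc_err "$0: ${_name}_rdomain must be a non-negative integer. Found ${_name}_rdomain=${daemon_rdomain}"
		exit 1
		;;
	esac
	# only wrap the daemon when a non-default rdomain was requested
	_rdomain_cmd=
	if [ "${daemon_rdomain}" -ne 0 ]; then
		/sbin/route -T${daemon_rdomain} exec printf '' 1>/dev/null 2>&1 || {
			rc_err "$0: rdomain ${daemon_rdomain} does not exist."
			exit 1
		}
		_rdomain_cmd="/sbin/route -T${daemon_rdomain} exec"
	fi
	# … unchanged: rc_check shortcut and action loop …
```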
@@ -203,22 +218,25 @@
 eval _rcflags=\${${_name}_flags}
 eval _rcuser=\${${_name}_user}
+eval _rcrdomain=\${${_name}_rdomain}
 getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
 daemon_class=${_name}
 [ -z "${daemon_class}" ] && daemon_class=daemon
 [ -z "${daemon_user}" ] && daemon_user=root
+[ -z "${daemon_rdomain}" ] && daemon_rdomain=0
 [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags
 [ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
 [ -n "${_rcuser}" ] && daemon_user=${_rcuser}
+[ -n "${_rcrdomain}" ] && daemon_rdomain=${_rcrdomain}
 # sanitize
 daemon_flags=$(printf ' %s' ${daemon_flags})
 daemon_flags=${daemon_flags## }
 readonly daemon_class
-unset _rcflags _rcuser
+unset _rcflags _rcuser _rcrdomain
 pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
-- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr
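Review bot: `daemon_rdomain` is folded in the same way as `daemon_user`, but unlike `daemon_class` it is not made `readonly` before rc_cmd later expands it into the `route -T` command line; if the intent is that the value validated in rc_cmd cannot be altered by a sourcing rc.d script afterwards, extending the existing line to `readonly daemon_class daemon_rdomain` would pin it (hedged — the page does not show whether any rc.d script needs to set it after sourcing). The new `${_name}_rdomain` knob is also undocumented in the hunk; a one-line comment next to the eval such as `# ${_name}_rdomain: routing domain the daemon is started in (default 0)`, plus the matching rc.conf(8)/rc.subr(8) text, would help users and reviewers. The sourcing-time block continues outside the hunk.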