Hello all,
I use rdomains to split routing domains per company and also to separate
administration interfaces from routing interfaces on my routers (sshd,
bacula, postfix and puppetd run on a dedicated rdomain).
Currently there is a problem with rdomains: we need to modify the /etc/rc.d
scripts to add the rdomain execution environment to the specified service.
If rc.subr had support for rdomains, we could keep the rc.d scripts clean.
To resolve those rdomain issues, I created a patch that adds a new
variable we can use in rc.conf(.local), ${_name}_rdomain. (This
variable needs a signed integer and must use an existing rdomain; this is
checked by rc.subr.)
I want to contribute to OpenBSD, so I am sending you this patch. If you have
any suggestions to improve it, please tell me.
--- /etc/rc.d/rc.subr.orig Thu Jul 10 17:34:18 2014
+++ /etc/rc.d/rc.subr Thu Jul 10 18:36:19 2014
@@ -54,7 +54,7 @@
}
rc_start() {
- ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
+ ${rcexec} "${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg}"
}
rc_check() {
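Review bot: Every daemon now starts through `/sbin/route -T0 exec`, because daemon_rdomain defaults to 0 in the last hunk and `_rdomain_cmd` is built unconditionally in the rc_cmd hunk, so the default path no longer runs the pre-patch `${rcexec} "${daemon} ${daemon_flags} ${_bg}"`. Consider leaving `_rdomain_cmd` empty unless an rdomain was actually configured, e.g. `[ "${daemon_rdomain}" -ne 0 ] && _rdomain_cmd="/sbin/route -T${daemon_rdomain} exec"` in rc_cmd, so services that never set the new variable behave exactly as before. rc_start also relies on `_rdomain_cmd` being a local of its caller rc_cmd; an rc.d script that overrides rc_start presumably bypasses the rdomain wrapper silently, which deserves a comment above rc_start. rc_check's body continues outside the hunk.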
@@ -105,7 +105,7 @@
}
rc_cmd() {
- local _bg _n
+ local _bg _n _rdomain_cmd
[ "$(id -u)" -eq 0 ] || \
[ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] || \
@@ -134,6 +134,21 @@
rc_err "$0: need -f to force $1 since
${_name}_flags=NO"
exit 1
fi
+
+ printf '%d' ${daemon_rdomain} 1>/dev/null 2>&1
+ if [ ! "$?" -eq "0" ] || [ "${daemon_rdomain}" -lt "0"
]; then
+ rc_err "$0: ${_name}_rdomain must be numeric and
signed. Found ${_name}_rdomain=${daemon_rdomain}"
+ exit 1
+ fi
+
+ /sbin/route -T${daemon_rdomain} exec printf ''
1>/dev/null 2>&1
+ if [ ! "$?" -eq "0" ]; then
+ rc_err "$0: rdomain ${daemon_rdomain} doesn't
exists."
+ exit 1
+ fi
+
+ _rdomain_cmd="$(printf '/sbin/route -T%d exec'
${daemon_rdomain})"
+
[ -z "${INRC}" ] && rc_do rc_check && exit 0
echo $_n "${INRC:+ }${_name}"
while true; do # no real loop, only needed to break
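Review bot: The numeric check `printf '%d' ${daemon_rdomain}` is unquoted and accepts whatever printf parses (a leading `+`, surrounding whitespace, and a multi-word value such as `1 2` passes printf but then trips the `-lt` test and the route command with a confusing error), so a typo in rc.conf.local reaches the command line built a few lines later. A shell pattern is stricter and needs no extra process: `case "${daemon_rdomain}" in ''|*[!0-9]*) rc_err "$0: ${_name}_rdomain must be a non-negative integer. Found ${_name}_rdomain=${daemon_rdomain}"; exit 1 ;; esac`, which also makes the separate `-lt "0"` test unnecessary. The message should say "non-negative" rather than "signed", since negatives are exactly what is rejected, and `doesn't exists` should read `doesn't exist`. Both checks run on every rc_cmd action, including check and stop, which do not use `_rdomain_cmd`; if that is intended, a one-line comment saying so would help. rc_cmd continues past the end of this hunk.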
@@ -203,22 +218,25 @@
eval _rcflags=\${${_name}_flags}
eval _rcuser=\${${_name}_user}
+eval _rcrdomain=\${${_name}_rdomain}
getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
daemon_class=${_name}
[ -z "${daemon_class}" ] && daemon_class=daemon
[ -z "${daemon_user}" ] && daemon_user=root
+[ -z "${daemon_rdomain}" ] && daemon_rdomain=0
[ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags
[ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
[ -n "${_rcuser}" ] && daemon_user=${_rcuser}
+[ -n "${_rcrdomain}" ] && daemon_rdomain=${_rcrdomain}
# sanitize
daemon_flags=$(printf ' %s' ${daemon_flags})
daemon_flags=${daemon_flags## }
readonly daemon_class
-unset _rcflags _rcuser
+unset _rcflags _rcuser _rcrdomain
pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
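Review bot: The new `${_name}_rdomain` rc.conf variable is introduced without any accompanying documentation; the patch touches only rc.subr, so readers of the rc.conf and rc.subr manual pages will not learn that the value must be a non-negative integer naming an existing rdomain and that it defaults to 0. A short comment next to `eval _rcrdomain=\${${_name}_rdomain}` such as `# ${_name}_rdomain: routing domain the daemon is started in (default 0); validated in rc_cmd` would at least make the contract visible in the script, with the manual pages updated alongside. Note also that, unlike `daemon_flags`, `daemon_rdomain` is not sanitized in this block; it is only checked later in rc_cmd, so any future consumer of daemon_rdomain added here would see the raw value.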
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr