On Thu, Jul 10, 2014 at 06:51:01PM +0200, Loïc BLOT wrote: > Hello all, > I use rdomains to split routing domains per company and also separate > administration interfaces from routing interfaces on my routers (sshd, > bacula, postfix and puppetd running on a dedicated rdomain) > > Currently there is a problem with rdomains: we need to modify /etc/rc.d > scripts to add the rdomain execution environment to the specified service. > If rc.subr had support for rdomains, we could keep the rc.d scripts clean. > > To resolve those rdomain issues, I created a patch and I added a new > variable we could use on rc.conf(.local), ${_name}_rdomain. (This > variable needs a signed integer and must use an existing rdomain; this is > checked by rc.subr.) > > I want to contribute to OpenBSD and I give you this patch. If you have > any suggestions to improve it, tell me.
I don't use rdomain so someone knowledgeable should comment here. But it does look like a nice idea. > --- /etc/rc.d/rc.subr.orig Thu Jul 10 17:34:18 2014 > +++ /etc/rc.d/rc.subr Thu Jul 10 18:36:19 2014 > @@ -54,7 +54,7 @@ > } > > rc_start() { > - ${rcexec} "${daemon} ${daemon_flags} ${_bg}" > + ${rcexec} "${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg}" > } > > rc_check() { > @@ -105,7 +105,7 @@ > } > > rc_cmd() { > - local _bg _n > + local _bg _n _rdomain_cmd > > [ "$(id -u)" -eq 0 ] || \ > [ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] || \ > @@ -134,6 +134,21 @@ > rc_err "$0: need -f to force $1 since > ${_name}_flags=NO" > exit 1 > fi > + > + printf '%d' ${daemon_rdomain} 1>/dev/null 2>&1 > + if [ ! "$?" -eq "0" ] || [ "${daemon_rdomain}" -lt "0" > ]; then > + rc_err "$0: ${_name}_rdomain must be numeric and > signed. Found ${_name}_rdomain=${daemon_rdomain}" > + exit 1 > + fi > + > + /sbin/route -T${daemon_rdomain} exec printf '' > 1>/dev/null 2>&1 > + if [ ! "$?" -eq "0" ]; then > + rc_err "$0: rdomain ${daemon_rdomain} doesn't > exists." > + exit 1 > + fi > + > + _rdomain_cmd="$(printf '/sbin/route -T%d exec' > ${daemon_rdomain})" > + > [ -z "${INRC}" ] && rc_do rc_check && exit 0 > echo $_n "${INRC:+ }${_name}" > while true; do # no real loop, only needed to break 
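Review bot: `${_rdomain_cmd}` is prepended unconditionally in rc_start, and because the later hunk defaults `daemon_rdomain=0`, every daemon — including the ones with no `${_name}_rdomain` configured — is now started through `/sbin/route -T0 exec` inside the `su -c` command string, so the exec path changes for all existing configurations. Building the prefix only for a non-zero rdomain keeps the default path identical, e.g. in rc_cmd: `[ "${daemon_rdomain}" -ne 0 ] && _rdomain_cmd="/sbin/route -T${daemon_rdomain} exec"`. Note also that `_rdomain_cmd` is a `local` of rc_cmd consumed by a different function; that only works while rc_start is invoked from rc_cmd's own shell (not visible in this hunk), which deserves a one-line comment on the new line.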
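Review bot: The new rdomain validation runs for every rc_cmd action, not just start, so once an rdomain has been removed `stop`, `reload` and `check` all exit 1 with the daemon still running, and the existence probe is also executed on the non-root `check` path allowed by rc_usercheck. Moving the `/sbin/route -T${daemon_rdomain} exec printf ''` probe into the start arm of the `case` that follows (rc_cmd continues past the end of this hunk) limits the failure to the action that actually needs the rdomain. The numeric test can drop the subshell, the `$?` comparison and the `-lt 0` pair with a single pattern, which also fixes the misleading "signed" wording: `case ${daemon_rdomain} in ''|*[!0-9]*) rc_err "$0: ${_name}_rdomain must be a non-negative integer, found ${daemon_rdomain}"; exit 1;; esac`. The second error text should read `rdomain ${daemon_rdomain} does not exist.`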
> @@ -203,22 +218,25 @@ > > eval _rcflags=\${${_name}_flags} > eval _rcuser=\${${_name}_user} > +eval _rcrdomain=\${${_name}_rdomain} > > getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \ > daemon_class=${_name} > > [ -z "${daemon_class}" ] && daemon_class=daemon > [ -z "${daemon_user}" ] && daemon_user=root > +[ -z "${daemon_rdomain}" ] && daemon_rdomain=0 > > [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags > [ -n "${_rcflags}" ] && daemon_flags=${_rcflags} > [ -n "${_rcuser}" ] && daemon_user=${_rcuser} > +[ -n "${_rcrdomain}" ] && daemon_rdomain=${_rcrdomain} > > # sanitize > daemon_flags=$(printf ' %s' ${daemon_flags}) > daemon_flags=${daemon_flags## } > readonly daemon_class > -unset _rcflags _rcuser > +unset _rcflags _rcuser _rcrdomain > > pexp="${daemon}${daemon_flags:+ ${daemon_flags}}" > rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" > > -- > Best regards, > Loïc BLOT, > UNIX systems, security and network engineer > http://www.unix-experience.fr > > > > > -- Antoine
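Review bot: The new `${_name}_rdomain` knob is introduced only in rc.subr; the patch touches no man page and adds no comment at the assignment, so an administrator has no way to discover the variable or the meaning of its default. A short comment above the default line, `# ${_name}_rdomain: routing domain the daemon is exec'd in (0 = default rtable)`, plus matching rc.conf(8)/rc.subr(8) entries would cover this. Since the value is later interpolated into the command run by rcexec, the comment should also state that it is validated in rc_cmd before use.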