On Thu, Jul 10, 2014 at 06:51:01PM +0200, Loïc BLOT wrote:
> Hello all,
> I use rdomains to split routing domains per company and also separate
> administration interfaces from routing interfaces on my routers (sshd,
> bacula, postfix and puppetd running on a dedicated rdomain)
>
> Currently there is a problem with rdomains: we need to modify /etc/rc.d
> scripts to add the rdomain execution environment to the specified service.
> If rc.subr has support for rdomains, we can keep the rc.d scripts clean.
>
> To resolve those rdomain issues, I created a patch and I added a new
> variable we could use in rc.conf(.local), ${_name}_rdomain. (This
> variable needs a signed integer and must refer to an existing rdomain;
> this is checked by rc.subr.)
>
> I want to contribute to OpenBSD and I give you this patch. If you have
> any suggestions to improve it, tell me.
I don't use rdomain so someone knowledgeable should comment here.
But it does look like a nice idea.
> --- /etc/rc.d/rc.subr.orig Thu Jul 10 17:34:18 2014
> +++ /etc/rc.d/rc.subr Thu Jul 10 18:36:19 2014
> @@ -54,7 +54,7 @@
> }
>
> rc_start() {
> - ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
> + ${rcexec} "${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg}"
> }
>
> rc_check() {
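Review bot: The rdomain wrapper is placed inside the string that `${rcexec}` passes to `su -l ... ${daemon_user} -c`, so `/sbin/route -T<n> exec` runs as the daemon user and not as root; if setrtable(2) refuses the table switch for an unprivileged process, every non-root service with `${_name}_rdomain` set fails to start and the failure only surfaces inside the su'd shell. Switching the table before privileges are dropped avoids that, and it is a one-line change in rc_start: `${_rdomain_cmd} ${rcexec} "${daemon} ${daemon_flags} ${_bg}"`, which expands to the old command when `_rdomain_cmd` is empty. `_rdomain_cmd` is declared `local` in rc_cmd only (second hunk), so rc_start depends on sh dynamic scoping to see it, and rc.d scripts that override rc_start will silently ignore the setting; a comment such as `# _rdomain_cmd is set by rc_cmd; scripts overriding rc_start must honour it` would make that visible.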
> @@ -105,7 +105,7 @@
> }
>
> rc_cmd() {
> - local _bg _n
> + local _bg _n _rdomain_cmd
>
> [ "$(id -u)" -eq 0 ] || \
> [ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] || \
> @@ -134,6 +134,21 @@
> rc_err "$0: need -f to force $1 since
> ${_name}_flags=NO"
> exit 1
> fi
> +
> + printf '%d' ${daemon_rdomain} 1>/dev/null 2>&1
> + if [ ! "$?" -eq "0" ] || [ "${daemon_rdomain}" -lt "0"
> ]; then
> + rc_err "$0: ${_name}_rdomain must be numeric and
> signed. Found ${_name}_rdomain=${daemon_rdomain}"
> + exit 1
> + fi
> +
> + /sbin/route -T${daemon_rdomain} exec printf ''
> 1>/dev/null 2>&1
> + if [ ! "$?" -eq "0" ]; then
> + rc_err "$0: rdomain ${daemon_rdomain} doesn't
> exists."
> + exit 1
> + fi
> +
> + _rdomain_cmd="$(printf '/sbin/route -T%d exec'
> ${daemon_rdomain})"
> +
> [ -z "${INRC}" ] && rc_do rc_check && exit 0
> echo $_n "${INRC:+ }${_name}"
> while true; do # no real loop, only needed to break
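Review bot: `printf '%d' ${daemon_rdomain}` is unquoted, so a value containing whitespace is split into several printf arguments and the format check still succeeds while the following `-lt` test and the `route -T` probe receive the unexpected value; quote it, `printf '%d' "${daemon_rdomain}" >/dev/null 2>&1`. The message says the value must be "signed", yet the test rejects negatives, so it should read `must be a non-negative integer`. Both checks run for every rc_cmd action, including the unprivileged `check` path permitted by the rc_usercheck test in the second hunk, where `/sbin/route -T<n> exec` may not be allowed and would wrongly report a missing rdomain; running the checks only when `$1` is start would be tighter. `_rdomain_cmd` is also assigned unconditionally; guarding it with `[ -n "${daemon_rdomain}" ]` keeps the existing command line for services that do not configure an rdomain.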
> @@ -203,22 +218,25 @@
>
> eval _rcflags=\${${_name}_flags}
> eval _rcuser=\${${_name}_user}
> +eval _rcrdomain=\${${_name}_rdomain}
>
> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
> daemon_class=${_name}
>
> [ -z "${daemon_class}" ] && daemon_class=daemon
> [ -z "${daemon_user}" ] && daemon_user=root
> +[ -z "${daemon_rdomain}" ] && daemon_rdomain=0
>
> [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags
> [ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
> [ -n "${_rcuser}" ] && daemon_user=${_rcuser}
> +[ -n "${_rcrdomain}" ] && daemon_rdomain=${_rcrdomain}
>
> # sanitize
> daemon_flags=$(printf ' %s' ${daemon_flags})
> daemon_flags=${daemon_flags## }
> readonly daemon_class
> -unset _rcflags _rcuser
> +unset _rcflags _rcuser _rcrdomain
>
> pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
> rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
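Review bot: `[ -z "${daemon_rdomain}" ] && daemon_rdomain=0` gives every service a default rdomain of 0, so together with the unconditional `_rdomain_cmd` assignment in the third hunk each start is now wrapped in `/sbin/route -T0 exec` even when `${_name}_rdomain` was never set; that changes the command line of every existing rc.d script and makes all of them depend on /sbin/route being present and usable. Dropping the default line and leaving `daemon_rdomain` empty when unconfigured, with the wrapper only built for a non-empty value, preserves current behaviour for unconfigured services. As written the default also means a typo in the rc.conf variable name is silently ignored rather than reported, since `_rcrdomain` ends up empty and 0 is used.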
>
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network engineer
> http://www.unix-experience.fr
>
>
>
>
>
--
Antoine