Alexander Bluhm <[email protected]> wrote:
> Hi,
>
> Every time we ship a libcrypto erratum, we have to relink isakmpd.
> I think that isakmpd and iked are in /sbin due to a historic mistake.
> Probably it is for people who mount /usr via NFS over IPsec.

That was the reason originally. Today I am not sure it makes sense.
Looking at the early daemons:

    start_daemon syslogd ldattach pflogd nsd unbound ntpd
    start_daemon iscsid isakmpd iked [...]

Some of these daemons can start up asynchronously, and if they are
configured to speak to the outside world, may end up outside a
configured vpn tunnel until the vpn routes are installed. It is a bit
weird. We could re-order a bit to make this better, maybe. Should
we bother?

It is kind of funny, because syslogd startup (enabled by default) is
obviously broken for nfs diskless with separate /usr, and potentially
separate /var.

I guess no one is doing diskless with separate /usr? A part of me
wishes it kind of worked. Pushing nfs diskless people into single
partition non-shared is a regression, isn't it?

> Moving isakmpd to /usr/sbin is hard, linking dynamically is easy.
> Lines stolen from iked.

If we are going to do this, why not move them? We can install a
symbolic link from /sbin for a year or two, and then later stop
installing it, and basically all our users would be fine.