Two issues here:
* The 'split-usr' meson option wasn't doing anything, it tried to check
if /bin was a symlink, but nothing acted on this information.
* The actual rootprefix default was decided based on whether /bin was a symlink
which is flaky if e.g. building on a merged-usr system for use on a non-merged-usr
system.
People can set -Drootprefix=/usr if they wish.
There's no real advantage to installing to /usr over / as the compat. symlinks
are really here to stay. If someone really does care about this, they can bring
it back and do it properly, but it doesn't seem worth it to me at all.
Bug: https://bugs.gentoo.org/927776
Fixes: cc0037e9ca
Fixes: f2362cc277
Fixes: #696
Some services, like docker, create and manage /sys/fs/cgroup/<service>
themselves. Avoid conflict with the openrc created cgroup path by adding
an `openrc.` prefix.
Fixes: https://github.com/OpenRC/openrc/issues/680
Fixes the problem described in https://bugs.gentoo.org/916947 -
start-stop-daemon hangs in infinite loop when stopping some daemons on
linux 6.6+
It appears linux 6.6 reworked tmpfs, and since then it triggers this
problem in openrc: when iterating over files via readdir, running rename
on a file could result in reading the same file again with next readdir
call.
The Open Group manual for readdir explicitly states "If a file is
removed from or added to the directory after the most recent call to
opendir() or rewinddir(), whether a subsequent call to readdir() returns
an entry for that file is unspecified.". The Linux man page doesn't seem to
mention that, but doesn't seem to say anything to contradict that either.
So I presume we can't rely on some specific behaviour here.
Bug: https://bugs.gentoo.org/916947
965de92b37 changed the default cgroup mode which
exposes an issue in init.d/cgroups.in.
While mount_cgroups defaults to 'unified' if rc_cgroup_mode is unset, cgroup2_controllers
has no default and therefore has a mismatch with the logic in mount_cgroups. The
two should be consistent so the flow makes sense, as mount_cgroups expects a certain
path to be taken in cgroup2_controllers.
Make cgroup2_controllers default to 'unified' if rc_cgroup_mode is unset, just
like mount_cgroups.
Bug: https://bugs.gentoo.org/916964
Thanks-to: acab@digitalfuture.it
When building on embedded SDKs such as Buildroot or Yocto, if OpenRC has a
previous installation, the package will fail the installation step as the
openrc-init is already a symlink to "${DESTDIR}/${sbindir}"/init. Force
symlinking to prevent errors when reinstalling the package.
With the addition of logger process redirect in supervise-daemon,
pipes.c and pipes.h are now included in both s-s-d and supervise-daemon.
Thus it makes sense to move the source files to the src/shared dir.
Allows redirecting process stdin and stdout to another process,
just like is already possible with start-stop-daemon.
Also added --stdout-logger and --stderr-logger to the man page.
Add fallback for the close_range syscall wrapper. This is needed for
musl libc, which currently does not have a close_range wrapper.
Also set errno on errors.
Set file descriptors to CLOEXEC instead of closing them before exec,
similar to what we do in supervise-daemon.
Use the shared cloexec_fds_from() helper for this.
closefrom() is no longer used so remove the test.
Move logic to set file descriptors to a cloexec_fds_from() function in
misc.c so it can be shared by both supervisor-daemon and
start-stop-daemon, and hide the details behind.
Use HAVE_CLOSE_RANGE to tell if system provides a close_range(2)
wrapper, which better explains the purpose.
Add a compat inline which returns -1 if close_range is unavailable.
It is apparently for a piece of code that no longer exists.
There doesn't seem to be any part of the code referring to this directory (anymore, if there was).
`>=glibc-2.38` implements strlcpy, strlcat, etc so check for those functions
with Meson and don't provide conflicting prototypes.
Technically, it doesn't need _GNU_SOURCE, but it's easier because it's not
clear right now what glibc wants to guard it with. Note that these are in
POSIX next anyway.
Fixes: https://github.com/OpenRC/openrc/issues/643
Signed-off-by: Sam James <sam@gentoo.org>
Commit fc4f15d6cd broke the automatic restart of
services having runlevel-specific conf.d files.
The double dirname() was not a mistake, but the way of getting from the
service script in init.d to the upper directory containing the conf.d
directory. dirname() modifies the argument in-place, so the second call
operated on a modified value. To make it more obvious what is going on,
have the second call operate on the returned value from the first call.
Fixes: fc4f15d ("openrc: fix double-assignment to dir")
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
It breaks bash-completion.
It's not necessary to set extglob as patterns in '[[' after '=='
are always matched as if extglob were set.
Closes: #636
Signed-off-by: Jernej Jakob <jernej.jakob@gmail.com>
This commit removes the secondary mention of the -2/--stderr flag in the
start-stop-daemon man page. The flag's functionality was already
sufficiently described in an earlier section of the text.
Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
This was originally introduced in 14625346c0 with
an example list (just one for rc_parallel) of options. Let's add in rc_interactive
as it's a pretty obvious thing one might want to override.
See https://forums.gentoo.org/viewtopic-p-8694588.html.
svc_exec waits until SIGCHLD comes in to close its input, but in
rc_parallel case the SIGCHLD might be unrelated.
Checking the proper pid is found in signal handler and only signaling
signal_pipe the status code directly avoids this problem.
restarting a service with --no-deps ran into a "hairy workaround", which
had a few problems discussed in [1]:
- it ignores --dry-run, really restarting the requested service
- if the service was stopped, the program is started but the service
status stays stopped. This makes long-lived services impossible to
(re)start again (pid already exists and running), and the service also
won't stop on shutdown.
The kludge had a long comment describing the following situation:
- openvpn needs net and dns
- net restarts dns
- dns needs net
If the restart in net handled deps, openrc would deadlock waiting for
net in dns' restart, as net won't be started until that is done.
Restarting with --nodeps works around the deadlock, but can display
errors without the kludge (note that the services did start properly
anyway, the problem is that the default service path tries to lock dns
twice from openvn's dep's start and net's start's restart):
---
alpine:~# rc-service openvn start
openvn | * Caching service dependencies ... [ ok ]
net |net starting
net |dns | * Call to flock failed: Resource temporarily unavailable
net |dns | * ERROR: dns stopped by something else
net |net started
dns |dns started
openvn |openvn started
alpine:~# rc-status | grep s[1-3]
net [ started ]
dns [ started ]
openvn [ started ]
---
Locking again in restart --nodep can fail in two patterns:
- openvpn's need dependency start was first, and the restart in net
failed (case above): we can just silence locking failures and exit quietly
with restart --no-deps, which is not worse than trying to restart while
another process hold the lock.
- the restart in net's start was first, and openvpn's need dependency
start failed: not much can be done here short of adding a new status
that a no-deps restart is in progress as in the comment, but this case
can actually just be solved by adjusting dependencies -- and it actually
has already been fixed: the current openvpn init script in alpine only
'use dns', so it will not try to start it, and that will start just
fine with openvpn -> net -> dns only each starting each other once
sequentially.
Another failure pattern is just starting dns directly: that will start
net, which will try to restart dns while we are starting it.
Silencing messages on restart also solves this.
Link: https://github.com/OpenRC/openrc/issues/224 [1]
according to the linux manpage, the "safe" variant may not be available
on all platform. however we bundle our own `queue.h` so this should not
be an issue.
`free` is not async-signal-safe and calling it inside a signal handler
can have bad effects, as reported in the musl ML:
https://www.openwall.com/lists/musl/2023/01/23/1
the solution:
- keep track of whether remove_pid() is being called from inside a
signal handler or not.
- if it's inside a signal handler then DO NOT call free - instead put
that pointer into a "to be freed later" list.
- if it's not inside a signal handler then take the "to be freed later"
list and free anything in it.
Bug: https://github.com/OpenRC/openrc/issues/589
Reported-by: Dominique MARTINET <dominique.martinet@atmark-techno.com>
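The deferred-free scheme this commit message describes, as an added example (not OpenRC's code). Assumptions: SIGUSR1 delivered with raise() stands in for SIGCHLD, `exited_pid` stands in for the waitpid() result, and the list layout, helper names and the signal blocking around list edits in non-handler code are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define DEMO_SIG SIGUSR1 /* assumption: stands in for SIGCHLD */

struct pident { pid_t pid; struct pident *next; };

static struct pident *live;     /* pids currently tracked */
static struct pident *deferred; /* unlinked by the handler, freed later */
static volatile sig_atomic_t in_handler;
static volatile sig_atomic_t exited_pid; /* demo stand-in for waitpid() */

static void block_sig(sigset_t *old)
{
	sigset_t set;
	sigemptyset(&set);
	sigaddset(&set, DEMO_SIG);
	sigprocmask(SIG_BLOCK, &set, old);
}

bool add_pid(pid_t pid)
{
	struct pident *p = malloc(sizeof(*p)); /* allocate before blocking */
	sigset_t old;
	if (!p)
		return false;
	p->pid = pid;
	block_sig(&old); /* the handler must never see a half-linked list */
	p->next = live;
	live = p;
	sigprocmask(SIG_SETMASK, &old, NULL);
	return true;
}

/* Unlink pid. Returns how many nodes this call handed back to free(). */
int remove_pid(pid_t pid)
{
	bool handler = in_handler;
	struct pident **pp, *p;
	sigset_t old;
	int freed = 0;
	if (!handler)
		block_sig(&old);
	for (pp = &live; (p = *pp) != NULL; pp = &p->next) {
		if (p->pid != pid)
			continue;
		*pp = p->next;
		if (handler) { /* free() is not async-signal-safe: park the node */
			p->next = deferred;
			deferred = p;
		} else {
			free(p);
			freed++;
		}
		break;
	}
	if (!handler) {
		while ((p = deferred) != NULL) { /* normal context: drain the list */
			deferred = p->next;
			free(p);
			freed++;
		}
		sigprocmask(SIG_SETMASK, &old, NULL);
	}
	return freed;
}

static void on_signal(int sig)
{
	(void)sig;
	in_handler = 1;
	remove_pid((pid_t)exited_pid);
	in_handler = 0;
}

int install_handler(void)
{
	struct sigaction sa;
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_signal;
	sigemptyset(&sa.sa_mask);
	return sigaction(DEMO_SIG, &sa, NULL);
}

/* Deliver the demo signal synchronously, as if `pid` had just exited. */
int simulate_exit(pid_t pid) { exited_pid = pid; return raise(DEMO_SIG); }

static int count(const struct pident *p) { int n = 0; for (; p; p = p->next) n++; return n; }
int live_count(void) { return count(live); }
int deferred_count(void) { return count(deferred); }

int main(void)
{
	install_handler();
	add_pid(101); add_pid(102);
	simulate_exit(102); /* handler unlinks 102 but does not free it */
	printf("live=%d deferred=%d\n", live_count(), deferred_count());
	printf("freed by next normal call: %d\n", remove_pid(101));
	return 0;
}
```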
problem:
* vfork has been removed from POSIX [0].
* clang-tidy flags the `strerror` and `eerror` call inside the vfork-ed
child as undefined behavior.
solution: use posix_spawnp, which serves a similar purpose and is
specified in posix. and as an added bonus, it's also easier to use and
fewer lines of code.
[0]: https://www.man7.org/linux/man-pages/man2/vfork.2.html#CONFORMING_TO
`seed_dir` gets allocated via xstrdup but never gets freed - which
clang-tidy flags as a memory leak.
instead of free-ing the allocation, just don't allocate to begin with
since there's no need for it.
also bump the copyright year.
this was reported by codeql's scan as a TOCTOU bug. while that's true in
theory, i don't believe it would've had any practical effect.
a better justification for this change might be the fact that it
upgrades from `utime` (which is deprecated by POSIX [0]) to `futimens`.
[0]: https://www.man7.org/linux/man-pages/man3/utime.3p.html#FUTURE_DIRECTIONS
malloc (called by xasprintf) is not async-signal-safe. besides, the
string here is constant, so there's no need to malloc it all.
eerrorx isn't async-signal-safe either (due to calling fprintf and exit)
but consequence of them are _typically_ not as grave as calling malloc
while its internal state is inconsistent.
Bug: https://github.com/OpenRC/openrc/issues/589
From scan-build w/ clang-16.0.0_pre20230107:
```
../src/librc/librc.c:759:14: warning: Potential leak of memory pointed to by 'init' [unix.Malloc]
return false;
^~~~~
```
It's already initialised to false at the start and it's clear when reading
what the flow is.
While at it, fix some indentation and adjust whitespace to make more readable.
These become fine with C23 because () starts to mean (void) then, but for
previous language versions, it's deprecated, and it causes an annoying
warning when building with Clang by default.
Plus, GCC lacks specific flags to trigger what C23 *does* ban, so a lot
of people are going around building with -Wstrict-prototypes, so let's
just fix this to be consistent with the rest of the codebase anyway
to fend off false positive reports.
On systems with a very large RLIMIT_NOFILE, calling close() in a loop
from 3 to getdtablesize() effects an enormous number of system calls.
There are better alternatives. Both BSD and Linux have the closefrom()
system call that closes all file descriptors with indices not less than
a specified minimum. Have start-stop-daemon call closefrom() on systems
where it's implemented, falling back to the old loop elsewhere.
Likewise, calling fcntl(i, F_SETFD, FD_CLOEXEC) in a loop from 3 to
getdtablesize() raises a similar performance concern. Linux 5.11 and
onward has a close_range() system call with a CLOSE_RANGE_CLOEXEC flag
that sets the FD_CLOEXEC flag on all file descriptors in a specified
range. Have supervise-daemon utilize this feature on systems where it's
implemented, falling back to the old loop elsewhere.
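An added example (not OpenRC's implementation) of the pattern these commit messages describe: mark every descriptor from `first` upward close-on-exec with one close_range() call, and fall back to the per-descriptor fcntl() loop when the call is unavailable. The name `cloexec_fds_from` is taken from the log above; its body here, the raw-syscall shim and the helpers `cloexec_loop` and `both_ends_cloexec` are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLOSE_RANGE_CLOEXEC
#define CLOSE_RANGE_CLOEXEC (1U << 2) /* value from linux/close_range.h */
#endif

/* Raw syscall, so this also builds on a libc without a close_range() wrapper. */
static int sys_close_range(unsigned first, unsigned last, unsigned flags)
{
#ifdef SYS_close_range
	return (int)syscall(SYS_close_range, first, last, flags);
#else
	(void)first; (void)last; (void)flags;
	errno = ENOSYS; /* set errno on the compat path as well */
	return -1;
#endif
}

/* Old behaviour: fcntl() on every possible descriptor in [first, limit). */
int cloexec_loop(int first, int limit)
{
	int marked = 0;
	for (int fd = first; fd < limit; fd++) {
		int fl = fcntl(fd, F_GETFD);
		if (fl < 0)
			continue; /* EBADF: nothing open in this slot */
		if (fcntl(fd, F_SETFD, fl | FD_CLOEXEC) == 0)
			marked++;
	}
	return marked;
}

/* Returns 0 if the single syscall did the work, 1 if the loop had to run. */
int cloexec_fds_from(int first)
{
	if (sys_close_range((unsigned)first, ~0U, CLOSE_RANGE_CLOEXEC) == 0)
		return 0;
	/* ENOSYS (old kernel), EINVAL (flag unknown before 5.11), or filtered */
	cloexec_loop(first, getdtablesize());
	return 1;
}

/*
 * Demo: open a pipe without O_CLOEXEC, apply one of the two paths, and
 * report whether both ends now carry FD_CLOEXEC (1), or -1 if pipe() failed.
 */
int both_ends_cloexec(int use_loop)
{
	int p[2], lo, hi, ok;
	if (pipe(p) != 0)
		return -1;
	lo = p[0] < p[1] ? p[0] : p[1];
	hi = p[0] < p[1] ? p[1] : p[0];
	if (use_loop)
		cloexec_loop(lo, hi + 1);
	else
		cloexec_fds_from(lo);
	ok = (fcntl(p[0], F_GETFD) & FD_CLOEXEC) && (fcntl(p[1], F_GETFD) & FD_CLOEXEC);
	close(p[0]);
	close(p[1]);
	return ok;
}

int main(void)
{
	printf("loop path marks both ends: %d\n", both_ends_cloexec(1));
	printf("close_range path marks both ends: %d\n", both_ends_cloexec(0));
	printf("path taken (0 = close_range, 1 = loop): %d\n", cloexec_fds_from(3));
	return 0;
}
```

With CLOEXEC the descriptors stay usable up to the exec and are dropped by the kernel at that point, so nothing the parent had open leaks into the daemon.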
1364e6631c exempted the write end of the
synchronization pipe from the close() loop in the child process, but
this is unnecessary, as the pipe is opened with O_CLOEXEC, and the child
process calls execvp() soon after the close() loop, with the intervening
code not needing the pipe. Indeed, the pipe only needs to remain open in
the child process until after the call to setsid(), which occurs well
before the close() loop. So, eliminate the needless carve-out from the
close() loop, in preparation for introducing closefrom().
dirfd is uninitialized at this point, and even if it were, it doesn't
make sense to use since the path is "/" -- the dirfd is ignored when
the path is absolute. Switch to AT_FDCWD to avoid all that.
The default behavior of check: false is going to change to true in the
future, see <https://github.com/mesonbuild/meson/issues/9300>.
Thus we are explicit about the desired behavior. The error in uname is
important but with test we check ourselves using returncode().
This fixes #556.
If supervise_daemon_args is not set *or empty*, it defaults to
`start_stop_daemon_args`. This is bad because supervise-daemon doesn't
accept the same options as `start-stop-daemon`. So if we set e.g.
`start_stop_daemon_args="--wait 50"`, but not `supervise_daemon_args`,
and the user adds `supervisor=supervise-daemon` to the corresponding
/etc/conf.d/<service> file, the service will fail to start due to
unrecognized option "wait".
It would be best to remove this fallback, but that might break some
existing scripts that depend on it. So this commit just changes it to
use `start_stop_daemon_args` as the default for `supervise_daemon_args`
only if `supervise_daemon_args` is not set at all, but not if it's
empty.
This at least simplifies workarounds; we can just add
`supervise_daemon_args="$supervise_daemon_args"` to init scripts.
This fixes #558.
Despite this being a 'deptree', it's actually
xmalloc'd in the same function (rc_deptree_update),
and so should be free'd, not rc_deptree_free'd,
as rc_deptree_load* wasn't used to allocate it.
```
[71/213] Compiling C object src/librc/librc.so.1.p/librc-depend.c.o
../src/librc/librc-depend.c: In function ‘rc_deptree_update’:
../src/librc/librc-depend.c:1077:9: warning: ‘rc_deptree_free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
1077 | rc_deptree_free(deptree);
| ^~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../src/shared/misc.h:29,
from ../src/librc/librc.h:57,
from ../src/librc/librc-depend.c:21:
In function ‘xmalloc’,
inlined from ‘rc_deptree_update’ at ../src/librc/librc-depend.c:775:12:
../src/shared/helpers.h:64:23: note: returned from ‘malloc’
64 | void *value = malloc(size);
| ^~~~~~~~~~~~
```
This fixes #563.
Starting with grep version 3.8, the hwclock init script logs warnings
about stray backslashes:
> hwclock | * Setting system clock using the hardware clock [UTC] ...
> hwclock |grep: warning: stray \ before -
> hwclock |grep: warning: stray \ before -
This is caused by the check for existence of the `--noadjfile` argument
in function `get_noadjfile()`.
Replacing the affected logic with an explicit argument denoting the
pattern as such resolves the issue.
Fixes #548
As described in "Why nice levels are a placebo and have been for a very
long time, and no one seems to have noticed"[1], the Linux kernel in its
default configuration on many Linux distributions autogroups tasks by
session ID and "fairly" allocates CPU time among such autogroups. The
nice levels of tasks within each autogroup are only relative to
other tasks within the same autogroup. Effectively, this means that the
traditional nice level is rendered moot for tools like start-stop-daemon
and supervise-daemon, which start each daemon in its own session and
thus in its own autogroup. Linux does provide a means to change the
niceness of autogroups relative to each other, so let's have start-stop-
daemon and supervise-daemon make use of this feature where available so
that -N,--nicelevel/SSD_NICELEVEL will actually do what the user
intends. On systems where autogroups are not supported or are disabled,
this commit introduces no change in behavior.
Note that the setsid() call in the child process of start-stop-daemon is
moved to much earlier. This is necessary so that the new process will be
assigned to a new autogroup before the autogroup nicelevel is set. To
avoid inadvertently acquiring /dev/tty as the controlling terminal of
the new session after setsid() has given up the controlling terminal
inherited from the parent process, tty_fd is opened before the call to
setsid().
[1] https://www.reddit.com/r/linux/comments/d7hx2c/why_nice_levels_are_a_placebo_and_have_been_for_a/
This fixes #542.
While refactoring the changes proposed in #533 a minor error was
introduced where the root service will now attempt to remount swap.
This will fail with the error message `mountinfo: 'swap' is not a
mountpoint`.
This fixes #546
Without this commit, the root OpenRC service remounts all mounted
filesystems (except /) with the options defined in /etc/fstab via
fstabinfo. It is presently unclear to me why / was excluded from
remounting in 497ff7ee41 and unfortunately
neither the commit nor the associated Bugzilla issue [1] provides
further information on this.
At Alpine, our initramfs does currently not remount / with all options
defined in /etc/fstab [2]. As part of the discussion on the Alpine side
of things we wondered why OpenRC does not remount / since this would be
the easier solution for us. For this reason, this commit changes the
behavior of the OpenRC root services accordingly to also remount / with
the options defined in /etc/fstab.
[1]: https://bugs.gentoo.org/401573
[2]: https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/103
This fixes #533.
While running `rc-service start docker` on Gentoo,
I found that the command does not start the service 90% of the time,
with an enigmatic 'service crashed' message.
The root cause of this is apparently rc-service spawning a pty,
running start-stop-daemon inside that pty, and exiting,
before start-stop-daemon child process calls setsid(),
which results in the child process being killed with SIGHUP (SI_KERNEL).
Theoretically this bug was present ever since the file was created in
5af58b4514 ("Rewrite the core parts in C. We now provide...")
(or even before that), but it should have been only a minor issue before
45bd125dcc ("Use a pty for prefixed output instead of pipes for...").
Not sure why nobody has had the issue so far (it has been present for
almost 15 years).
As here setsid() is the last call before execve(), the most natural
locking mechanism is vfork(), as it gives back control to parent
process only after execve() or process termination.
So this way the bug can be fixed by adding a single letter. :-)
Another way to ensure this would be using an O_CLOEXEC file descriptor
or some custom lock, which would need to be released not before setsid().
Fixes: 5af58b4514 ("Rewrite the core parts in C. We now provide...")
Fixes #532.
The two lines seem to both belong to --override, but were made into separate
array elements accidentally, making options after --override and their
help mismatch. This fixes it.
previously broken in 6034866d1c
caused *_logger options to be passed unquoted, so
`error_logger="logger -t .."` would pass -t to s-s-d and fail to start
the service.
Fixes: #531
- use _ throw-away variable to get rid of a shellcheck warning
- remove tests for /etc/hostname and just try to read it
- drop reference to bash HOSTNAME variable.
- make source of host name more accurate
X-Gentoo-Bug: 850577
X-Gentoo-Bug-URL: https://bugs.gentoo.org/850577
```
=================================================================
==22862==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x7f1fd5b12cb7 in __interceptor_malloc /usr/src/debug/sys-devel/gcc-11.2.1_p20220312/gcc-11-20220312/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55556abecea7 in xmalloc ../src/includes/helpers.h:64
#2 0x55556abecea7 in xasprintf ../src/includes/helpers.h:149
#3 0x55556abeb6fb in do_check ../src/rc/checkpath.c:206
#4 0x55556abeb6fb in main ../src/rc/checkpath.c:443
#5 0x7f1fd58576cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s).
```
Signed-off-by: Sam James <sam@gentoo.org>
```
Direct leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x7f49539534a7 in __interceptor_strdup /usr/src/debug/sys-devel/gcc-11.2.1_p20220312/gcc-11-20220312/libsanitizer/asan/asan_interceptors.cpp:454
#1 0x55d76fa66867 in xstrdup ../src/includes/helpers.h:91
#2 0x55d76fa66867 in get_dirfd ../src/rc/checkpath.c:111
#3 0x55d76fa66867 in do_check ../src/rc/checkpath.c:206
#4 0x55d76fa66867 in main ../src/rc/checkpath.c:442
#5 0x7f49536f06cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
```
Signed-off-by: Sam James <sam@gentoo.org>
(This is analogous to the rc_stringlist change.)
This gives a hint to the compiler that allocations (return values)
from this function should be paired with a corresponding dealloc/free
function.
Signed-off-by: Sam James <sam@gentoo.org>
This gives a hint to the compiler that allocations (return values)
from this function should be paired with a corresponding dealloc/free
function
In this case, it means that every rc_stringlist that rc_stringlist_new()
returns should eventually be freed by calling rc_stringlist_free(ptr)
where ptr is the relevant rc_stringlist.
We have to add a test for this into the build system
because only GCC supports this for now. In future, we might
be able to use meson's has_function_attribute (it does support
'malloc', just not AFAICT 'malloc with arguments').
Signed-off-by: Sam James <sam@gentoo.org>
'services' is still referenced by the list
which gets returned. We can't free it.
Thanks to GCC 11's -fanalyzer.
Signed-off-by: Sam James <sam@gentoo.org>
Seen on running rc-status.
```
=================================================================
==14636==ERROR: LeakSanitizer: detected memory leaks
Indirect leak of 72 byte(s) in 3 object(s) allocated from:
#0 0x7f443412dcb7 in __interceptor_malloc /usr/src/debug/sys-devel/gcc-11.2.1_p20220312/gcc-11-20220312/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f443400c727 in xmalloc ../src/includes/helpers.h:64
#2 0x7f443400d1f4 in rc_stringlist_add ../src/librc/librc-stringlist.c:32
#3 0x7f4433fecc34 in get_runlevel_chain ../src/librc/librc.c:390
#4 0x7f4433fedc00 in rc_runlevel_stacks ../src/librc/librc.c:519
#5 0x7f4433ff1d8e in rc_services_in_runlevel_stacked ../src/librc/librc.c:976
#6 0x55be0e8f9517 in main ../src/rc/rc-status.c:407
#7 0x7f44334736cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
```
Signed-off-by: Sam James <sam@gentoo.org>
The value of ${seed_dir} may have spaces in it, making the current
argument string building method unsafe. Instead, use positional
parameters to pass these arguments safely.
There have been a number of subtle improvements and cleanups to seedrng,
including using openat and locking the directory fd instead of a
separate lock file. Also various stylistic cleanups.
This fixes #519.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* rewrite tests to work with meson
This ports our tests to meson and makes them able to be run in parallel.
* add tests to ci
* rewrite test/check-trailing-newlines in bash
This test was using a GNU sed command which does not work on Alpine Linux.
- drop old build system
- move shared include and source files to common directory
- drop "rc-" prefix from shared include and source files
- move executable-specific code to individual directories under src
- adjust top-level .gitignore file for new build system
This closes #489.
The RNG can't actually be seeded from a shell script, due to the
reliance on ioctls. For this reason, the seedrng project provides a
basic script meant to be copy and pasted into projects like OpenRC and
tweaked as needed: https://git.zx2c4.com/seedrng/about/
This commit imports it into OpenRC and wires up /etc/init.d/urandom to
call it. It shouldn't be called by other things on the system, so it
lives in rc_sbindir.
Closes #506.
Closes #507.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This adds the No New Privs flag for start-stop-daemon and supervise-daemon
by adding the --no-new-privs flag. As a result, the user can set the No New
Privs flag the program should run with.
see PR_SET_NO_NEW_PRIVS prctl(2)
This adds securebits flags for start-stop-daemon and supervise-daemon
by adding --secbits option. As a result, the user can specify
securebits the program should run with. see capabilities(7)
During boot if the "previous_dmesg" setting is enabled in
/etc/conf.d/bootmisc then during the 1st boot of a machine the
bootmisc init.d script will attempt to move a nonexistent dmesg
file, so generating an error on the console.
Modify the script to only move an existing file.
This is a partial revert of commit 8e02406d ("rc-misc.c: remove
references to PATH_MAX"), which changed 'file' to a null pointer with no
associated storage.
```
../openrc-0.44.10/src/rc/rc-misc.c: In function ‘_rc_deptree_load’:
../openrc-0.44.10/src/rc/rc-misc.c:392:33: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
392 | eerror("Clock skew detected with `%s'", file);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 8e02406d ("rc-misc.c: remove references to PATH_MAX")
Closes: #493
This adds capabilities for start-stop-daemon by adding --capabilities
option. As a result, the user can specify the inheritable, ambient and
bounding set by defining capabilities in the service script.
This fixes #314.
This commit adds a new --oom-score-adj option to start-stop-daemon and
supervise-daemon, as well as an equivalent SSD_OOM_SCORE_ADJ environment
variable. If either of these are specified (with the command-line
option taking precedence), then the specified adjustment value is
written to /proc/self/oom_score_adj after forking but prior to exec'ing
the daemon (at the time when nice and ionice are applied).
Additionally, per a suggestion by Mike Frysinger, the suggested values
for the SSD_NICELEVEL, SSD_IONICELEVEL, and SSD_OOM_SCORE_ADJ variables
in the example config file are now given as zeros, which are the
kernel's default values of these process knobs for the init process at
boot. Note that uncommenting any of these zero-valued suggestions will
cause SSD/SD to set the corresponding process knob affirmatively to
zero, whereas leaving the variable unset (and the equivalent command-
line option unspecified) means SSD/SD will not change the corresponding
process knob from its inherited value.
See: https://github.com/OpenRC/openrc/pull/435#discussion_r688310672
This fixes #435.
Newer gcc reports:
```
broadcast.c: In function 'broadcast':
broadcast.c:132:15: warning: variable 'tp' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
132 | FILE *tp;
```
Move the storage off the stack to avoid. This makes the function
not safe for multithread use, but we don't do that anywhere, so
who cares!
This allows containers using OpenRC based services to be configured to
allow open tcp connections to be closed before they are shut down.
This fixes #476.
Much like PAM, not all implementations of libcrypt provide a pkg-config
file, and hence we can't find it using the old logic.
Let's fall back to the standard AC_SEARCH_LIBS-style check if the pkg-config-style
detection fails.
This fixes finding e.g. musl's libcrypt.
X-Gentoo-Bug: 827074
X-Gentoo-Bug-URL: https://bugs.gentoo.org/827074
We only need libcrypt if we're building _with_ SELinux and
_without_ PAM. We don't use libcrypt for general SELinux
with PAM.
This is mostly a correctness change as libcrypt should
generally be available (as opposed to the previous
change which fixed some real-world cases).
Fixes: f3f0fde861
Fixes: #478
Clang was failing with:
```
/zroot/jenkins/workspace/update_ghsotbsd-13_poudriere_jail/sbin/openrc/../../contrib/openrc/src/rc/rc.c:70:2: error: suspicious concatenation of string literals in an array initialization; did you mean to separate the elements with a comma? [-Werror,-Wstring-concatenation]
"when leaving single user or boot runlevels",
^
/zroot/jenkins/workspace/update_ghsotbsd-13_poudriere_jail/sbin/openrc/../../contrib/openrc/src/rc/rc.c:69:2: note: place parentheses around the string literal to silence warning
"override the next runlevel to change into\n"
^
```
This fixes #469.
While the s6-svscan runscript belongs to OpenRC, the user is required to
install s6 before it can actually be used, potentially leading to
confusion. Check for the existence of $command in start_pre and, if it does not
exist, bail out with an error that makes this observation.
X-Gentoo-Bug: 816978
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=816978
This github action runs a build on each of the following platforms on a
push or pull request.
- Ubuntu LTS with gcc and glibc
- Ubuntu LTS with clang and glibc
- Alpine with gcc and musl
This fixes #463.
strlen's return value isn't enough to be used
directly for (x)malloc; it doesn't include
the null byte at the end of the string.
X-Gentoo-Bug: 816900
X-Gentoo-Bug-URL: https://bugs.gentoo.org/816900
Fixes: #459
Fixes: #462
Currently, we run sv start immediately after linking the service.
The runsv process may not be up at the moment, as a result of which
openrc will mark the service as stopped, even though it may be brought up
by runit at the next scan.
This is documented in the gentoo wiki:
https://wiki.gentoo.org/wiki/Runit#OpenRC.27s_runit_integration_feature
This PR adds a timeout so that correct process state can be reported.
Before:
* Starting netdata-runit ...
fail: /run/openrc/sv/netdata: runsv not running
* Failed to start netdata-runit
After:
* Starting netdata-runit ...
fail: /run/openrc/sv/netdata: runsv not running
ok: run: /run/openrc/sv/netdata: (pid 9042) 0s
This fixes #253.
Fix the following error:
```
broadcast.c:41:21: error: '__UT_LINESIZE' undeclared (first use in this function); did you mean 'UT_LINESIZE'?
#define UT_LINESIZE __UT_LINESIZE
^~~~~~~~~~
```
Constant UT_LINESIZE is defined in <utmp.h> provided by musl.
Busybox timeout does not support the `-k` flag. As such, invoking fuser
from do_unmount never worked without this patch. This went unnoticed as
standard error is redirected to /dev/null. This patch fixes this by
simply removing the incompatible `-k` flag.
[Ariadne: the `-k` is redundant anyway, since we are sending the KILL
signal to begin with.]
Since musl 1.2 time_t is a 64 bit value, even on 32 bit systems. A
hotfix for printing the value is simply using PRIu64 from inttypes.h
in the format string.
This fixes #446.
supervise-daemon was apparently overlooked when support for the
SSD_IONICELEVEL environment variable was added. This commit brings
supervise-daemon up to parity with start-stop-daemon with respect to
this environment variable.
Newer devices have multiple power_supply devices in sysfs:
$ grep ^ /sys/class/power_supply/*/type
/sys/class/power_supply/AC/type:Mains
/sys/class/power_supply/BAT0/type:Battery
/sys/class/power_supply/ucsi-source-psy-USBC000:001/type:USB
/sys/class/power_supply/ucsi-source-psy-USBC000:002/type:USB
There are two "USB" Type-C ports that can supply power and both are
aggregated into the "Mains" power supply by the firmware. The "Battery"
also counts as a power supply, but is missing the online attribute.
The -f check with a wildcard pattern results in an error, when multiple
devices are present:
/lib/rc/bin/on_ac_power: line 21: [: too many arguments
When the power_supply class is registered, check for a "Mains" device.
Fixes #427.
Since commit 6b475ab269, openrc tries to load
modules twice which have been defined in /etc/conf.d/modules via modules=
variable when /bin/sh points to dash shell.
The reason is that when the "modules-load" service was merged into "modules"
service, the "modules" variable name got used in both, load_modules()
function and in Linux_modules() function which both get called when modules
service is started. Although "modules" variable is marked as local in
load_modules(), dash simply ignores this.
Avoid the issue by renaming "modules" variable to "_modules" in
load_modules() function.
This fixes #419.
In legacy cgroups mode, we were running `mountinfo -q ""` which was
generating an error message. If we return immediately when
cgroup2_find_path returns an empty value, we avoid this message.
The previous fix excludes PIDs of processes running in a different namespace
regardless of whether the PID has been explicitly stored in a PID file mentioned
in the --pidfile parameter. The correct behavior is to only exclude the pid if
it is not stored in a pidfile.
X-Gentoo-Bug: 776010
X-Gentoo-Bug-URL: https://bugs.gentoo.org/776010
The cgroups v2 setup required the rc_cgroups_controllers variable
to be set to the list of controllers to enable regardless of whether the
mode was hybrid or unified.
This makes sense for hybrid mode since the controllers can't be in both
the cgroups v1 and v2 hierarchies, but for unified mode we should enable
all controllers that are configured in the kernel.
The test `[ -h "${ifname}" ] && continue` skips the symlinks while it is
the opposite that is expected: ignoring files that are not symlinks.
Fixes commit f42ec82f21.
This fixes #391.
Otherwise this would create the following output:
```
rc-status -f ini
* Caching service dependencies ... [ ok ]
[default]
dbus = started
NetworkManager = started
syslog-ng = started
...
```
This fixes #364.
I found the original note a little confusing, since using rc-update will
add it to a runlevel so it *is* auto-started when the system reaches
that runlevel again, but I don't think that was the intended meaning of
'auto-start', so hopefully this makes it a little more clear.
Currently when osclock is enabled as a init.d service the following
messages appear during boot when osclock starts:
```
* The command variable is undefined.
* There is nothing for osclock to start.
* If this is what you intend, please write a start function.
* This will become a failure in a future release.
```
osclock is activated whenever a machine's system clock is automatically
configured from a RTC by the kernel and the osclock's only purpose is to
satisfy the "clock" dependency defined by other init.d services.
Adding a stub start() function prevents OpenRC from showing warnings but
continues to ensure that the osclock service still does not actually do
anything.
This fixes #377.
The do_check() function recently gained some defenses against symlink
replacement attacks that involve the use of *at functions in place of
their vanilla counterparts; openat() instead of open(), for example.
One opportunity to replace mkdir() with mkdirat() was missed, however,
and this commit replaces it.
This fixes #386.
start-stop-daemon and supervise-daemon parse usernames and group names
passed via the --user argument as numeric UID/GID if they start with a
number (e.g. user "4foo" will be treated as UID 4). This results in the
process that is being started to run under a totally unexpected user if
that UID exists.
Even though the result of the sscanf calls are tested for a result of
exactly 1, which means exactly one value was extracted, because sscanf's
format string contains only one placeholder, it will never return
a value greater than 1, even if there are still characters left to be
parsed. This causes start-stop-daemon and supervise-daemon to assume
that usernames starting with a number are just that number. Adding a
second placeholder "%1s" to the format string, which matches a string of
length 1, makes sure that sscanf can distinguish between pure numbers
(in which case it will return 1) and strings either starting with a
number (in which case it will return 2) and any other string (in which
case it will return 0).
This fixes #379.
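The difference between the two format strings, as an added example (not OpenRC's code; the function names are hypothetical). It goes one step beyond the commit with a `strtol()`-based variant that also rejects values that overflow.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Each function returns the numeric id carried by a --user style argument,
 * or -1 when the argument has to be looked up as a name instead.
 */

/* One placeholder: sscanf() stops at the first non-digit and still returns 1. */
long numeric_id_old(const char *arg)
{
	int id;

	if (sscanf(arg, "%d", &id) != 1)
		return -1;
	return id;
}

/*
 * Two placeholders: "%1s" captures one leftover non-space character, so
 * sscanf() returns 1 only for a pure number, 2 for "4foo" and 0 for "foo".
 */
long numeric_id_fixed(const char *arg)
{
	int id;
	char rest[2];

	if (sscanf(arg, "%d%1s", &id, rest) != 1 || id < 0)
		return -1;
	return id;
}

/* Alternative to sscanf(): strtol() reports both trailing text and overflow. */
long numeric_id_strict(const char *arg)
{
	char *end;
	long value;

	if (arg[0] < '0' || arg[0] > '9')
		return -1;
	errno = 0;
	value = strtol(arg, &end, 10);
	if (errno == ERANGE || *end != '\0' || value > INT_MAX)
		return -1;
	return value;
}

int main(void)
{
	/* Constructed sample arguments */
	const char *samples[] = { "1000", "4foo", "foo", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-6s old=%ld fixed=%ld strict=%ld\n", samples[i],
		    numeric_id_old(samples[i]), numeric_id_fixed(samples[i]),
		    numeric_id_strict(samples[i]));
	printf("overflowing number, strict=%ld\n",
	    numeric_id_strict("99999999999999999999"));
	return 0;
}
```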
This fixes #380.
```
Starting program: /sbin/start-stop-daemon --start --exec i-dont-exist
Program received signal SIGSEGV, Segmentation fault.
0x0000555555559053 in main (argc=1, argv=0x7fffffffdc20)
at start-stop-daemon.c:631
631 *exec_file ? exec_file : exec);
```
This fixes #385.
This walks the directory path to the file we are going to manipulate to make
sure that when we create the file and change the ownership and permissions
we are working on the same file.
Also, all non-terminal symbolic links must be owned by root. This will
keep a non-root user from making a symbolic link as described in the
bug. If root creates the symbolic link, it is assumed to be trusted.
On non-linux platforms, we no longer follow non-terminal symbolic links
by default. If you need to do that, add the -s option on the checkpath
command line, but keep in mind that this is not secure.
This fixes #201.
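A sketch of the component-by-component walk described above, using the `*at` calls and descriptor-based `fchmod()` so that creation and the mode change hit the same file. It is an added example, not OpenRC's checkpath code: `checkpath_file` and `run_demo` are hypothetical names, and this version is stricter than the commit because it refuses every symlink instead of accepting root-owned ones.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd (if open) without losing the errno of an earlier failure. */
static void close_keep_errno(int fd)
{
	int saved = errno;
	if (fd >= 0)
		close(fd);
	errno = saved;
}

/*
 * Create or open the regular file at an absolute path and give it `mode`.
 * Each directory is opened relative to the previous one with O_NOFOLLOW, so
 * a symlink anywhere in the path makes the call fail. Returns an fd or -1.
 */
int checkpath_file(const char *path, mode_t mode)
{
	char *copy, *comp, *slash;
	struct stat st;
	int dirfd, next, fd = -1;

	if (path[0] != '/' || (copy = strdup(path)) == NULL)
		return -1;
	comp = copy;
	dirfd = open("/", O_RDONLY | O_DIRECTORY);
	while (dirfd >= 0) {
		comp += strspn(comp, "/");
		slash = strchr(comp, '/');
		if (slash == NULL)
			break;          /* comp is now the final component */
		*slash = '\0';
		next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
		close_keep_errno(dirfd);
		dirfd = next;
		comp = slash + 1;
	}
	if (dirfd >= 0)
		fd = openat(dirfd, comp, O_WRONLY | O_CREAT | O_NOFOLLOW, mode);
	close_keep_errno(dirfd);
	/* fstat() and fchmod() act on the file we hold open, not on the name */
	if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
	    fchmod(fd, mode) != 0)) {
		close_keep_errno(fd);
		fd = -1;
	}
	free(copy);
	return fd;
}

/*
 * Constructed scenario in a temporary directory. Returns a bitmask: 1 = plain
 * path created with the exact mode, 2 = symlinked directory refused,
 * 4 = symlink as final component refused.
 */
int run_demo(void)
{
	char dir[] = "/tmp/checkpath-demo-XXXXXX";
	char real[64], alias[64], file[80], via_alias[80], leaf[80];
	struct stat st;
	int fd, ok = 0;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(real, sizeof(real), "%s/real", dir);
	snprintf(alias, sizeof(alias), "%s/alias", dir);
	snprintf(file, sizeof(file), "%s/state", real);
	snprintf(via_alias, sizeof(via_alias), "%s/state", alias);
	snprintf(leaf, sizeof(leaf), "%s/leaf", real);
	if (mkdir(real, 0700) || symlink("real", alias) || symlink("state", leaf))
		return -1;
	fd = checkpath_file(file, 0640);
	if (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0640)
		ok |= 1;
	close_keep_errno(fd);
	fd = checkpath_file(via_alias, 0600);
	if (fd < 0 && stat(file, &st) == 0 && (st.st_mode & 07777) == 0640)
		ok |= 2;
	close_keep_errno(fd);
	fd = checkpath_file(leaf, 0600);
	if (fd < 0)
		ok |= 4;
	close_keep_errno(fd);
	unlink(leaf); unlink(file); unlink(alias); rmdir(real); rmdir(dir);
	return ok;
}

int main(void)
{
	printf("checks passed (bitmask, 7 = all): %d\n", run_demo());
	return 0;
}
```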
When executable is provided just by name (and therefore searched in a
path), exec_file is reset to NULL every time. exists() handles it being
NULL just fine, but dereferencing it in eerror does not work.
Fixes #326
Fixes #327
It looks like some stray text was left at the bottom of the file:
```
package.
migrating your system to openrc-init.
```
There's a subsection on migrating a system to `openrc-ini`; perhaps this was
an embryonic section title?
This fixes #347.
prior to cgroups getting mounted, /sys/fs/cgroup will still exist,
but attempts to make directories in it will fail, change cgroup2_set_limits() to
verify that cgroups are mounted instead of just checking that /sys/fs/cgroup
exists.
This fixes #307.
This fixes #321.
This allows openrc to direct sysvinit to shut down the system by setting
the INIT_HALT environment variable appropriately. Also, we do not try to
communicate with sysvinit if its fifo does not exist.
I am removing this on the advice of a member of the Gentoo toolchain
team. It was explained to me that this doesn't offer any significant
benefits to OpenRC.
If anyone feels differently, please open a pull request reverting
this and adding an explanation of what it does and how to know which
functions to mark hidden in the future.
This fixes #301.
The do_openrc() function was not waiting properly for the child process
which started the runlevel to return. We need to repeatedly call
waitpid() until its return value matches the pid of the child process or
the child process does not exist.
This fixes #216.
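The retry loop this message describes, as an added example rather than the actual do_openrc() code. `wait_for_child` and `run_level_demo` are hypothetical names, and the child that signals its parent is a constructed way to force an interrupted `waitpid()`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t signals_seen;

static void on_signal(int sig)
{
	(void)sig;
	signals_seen++;
}

/*
 * Wait for one specific child. waitpid() is called again whenever a signal
 * interrupts it (EINTR); the loop ends when it returns the child's pid or
 * reports that there is no such child (ECHILD).
 * Returns the exit status, 128+signal if the child was killed, -1 if there
 * was nothing to reap.
 */
int wait_for_child(pid_t child)
{
	int status;
	pid_t ret;

	do {
		ret = waitpid(child, &status, 0);
	} while (ret == -1 && errno == EINTR);
	if (ret != child)
		return -1;
	if (WIFEXITED(status))
		return WEXITSTATUS(status);
	if (WIFSIGNALED(status))
		return 128 + WTERMSIG(status);
	return -1;
}

/*
 * Constructed scenario: the child signals its parent while the parent is
 * blocked in waitpid(), then exits with exit_code. The handler is installed
 * without SA_RESTART so the signal really interrupts the call.
 */
int run_level_demo(int exit_code)
{
	struct sigaction sa, old;
	struct timespec delay = { 0, 50 * 1000 * 1000 };   /* 50 ms */
	pid_t child;
	int result;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_signal;
	sigemptyset(&sa.sa_mask);
	if (sigaction(SIGUSR1, &sa, &old) != 0)
		return -1;
	child = fork();
	if (child == 0) {
		nanosleep(&delay, NULL);
		kill(getppid(), SIGUSR1);
		nanosleep(&delay, NULL);
		_exit(exit_code);
	}
	result = child > 0 ? wait_for_child(child) : -1;
	/* A second wait on the same pid finds no child: ECHILD ends the loop */
	if (result >= 0 && wait_for_child(child) != -1)
		result = -1;
	sigaction(SIGUSR1, &old, NULL);
	return result;
}

int main(void)
{
	int status = run_level_demo(7);

	printf("child exit status %d, signals handled while waiting: %d\n",
	    status, (int)signals_seen);
	return 0;
}
```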
This fixes #300.
The 'readelf'-based tests cover a few situations:
1. undefined symbols in shared libraries
2. unexpected exports in shared libraries
Bug #575958 shows that [2.] implementation is too simplistic
in assuming that presence of relocation equals to export presence.
It is incorrect for PLT stubs and local symbols.
Let's just drop these tests.
If one needs to cover [1.] it is better to use LDFLAGS=-Wl,--no-undefined.
This closes #292.
X-Reported-by: Benda Xu
X-Gentoo-Bug: https://bugs.gentoo.org/575958
X-Gentoo-Bug-URL: https://bugs.gentoo.org/575958
The -f option can be used when showing the status of services in
runlevels to allow making the output more easily parsable.
Currently, the .ini format is the only one supported.
The .Dt header is supposed to be all caps. This was mixing case.
The options block was being incorrectly indented due to a missing .El.
Some of the new options were missing the .It block, so add that.
Finally, the -D option was missing capitalization.
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code
```
rc = readlink(path, buf, sizeof(buf));
```
does not necessarily produce a C string.
The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.
In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.
(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)
This fixes #270.
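One way to wrap `readlink()` so the result is always a C string, as an added example and not the code in rc_find_pid(). `readlink_str` and `check_link` are hypothetical names, and the symlink targets used are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * readlink() wrapper that always leaves a C string in buf.
 * Only size-1 bytes are requested, so buf[n] is always in bounds.
 * Returns the target length, or -1 with errno set. A result that fills all
 * size-1 bytes cannot be told apart from a truncated one, so it is reported
 * as ENAMETOOLONG (buf still holds a terminated prefix).
 */
ssize_t readlink_str(const char *path, char *buf, size_t size)
{
	ssize_t n;

	if (size == 0) {
		errno = EINVAL;
		return -1;
	}
	n = readlink(path, buf, size - 1);
	if (n < 0) {
		buf[0] = '\0';
		return -1;
	}
	buf[n] = '\0';
	if ((size_t)n == size - 1) {
		errno = ENAMETOOLONG;
		return -1;
	}
	return n;
}

/*
 * Constructed check: create a symlink to `target` in a temporary directory
 * and read it back into a `size`-byte buffer that is pre-filled with
 * non-zero bytes and followed by a guard byte.
 * Returns 1 = exact target read, 0 = truncation reported, -1 = anything else.
 */
int check_link(const char *target, size_t size)
{
	char dir[] = "/tmp/readlink-demo-XXXXXX";
	char path[64];
	char *buf;
	ssize_t n;
	int result = -1;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/link", dir);
	buf = malloc(size + 1);
	if (buf != NULL && symlink(target, path) == 0) {
		memset(buf, 'X', size);   /* no leftover zeros to hide the bug */
		buf[size] = 0x7f;         /* guard byte just past the buffer */
		n = readlink_str(path, buf, size);
		if (buf[size] != 0x7f)
			result = -1;
		else if (n >= 0)
			result = strcmp(buf, target) == 0 ? 1 : -1;
		else if (errno == ENAMETOOLONG && strlen(buf) == size - 1)
			result = 0;
	}
	unlink(path);
	rmdir(dir);
	free(buf);
	return result;
}

int main(void)
{
	printf("64-byte buffer: %d\n", check_link("/usr/bin/example-daemon", 64));
	printf(" 8-byte buffer: %d\n", check_link("/usr/bin/example-daemon", 8));
	return 0;
}
```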
The contents of /proc/<pid>/cmdline are read into
a stack buffer using
```
bytes = read(fd, buffer, sizeof(buffer));
```
followed by appending a null terminator to the buffer with
```
buffer[bytes] = '\0';
```
If bytes == sizeof(buffer), then this write is out-of-bounds.
Refactor the code to use rc_getfile instead, since PATH_MAX
is not the maximum size of /proc/<pid>/cmdline. (I hit this
issue in practice while compiling Linux; it tripped the
stack-smashing protector.)
This is roughly the same buffer overflow condition
that was fixed by commit 0ddee9b7d2
This fixes #269.
The following will cause a segfault due to NULL being
passed to strcmp(3)
$ RC_SVCNAME=foo supervise-daemon
Fix the bounds check on argc in main. If argc<=1, then
it is not safe to dereference argv[1].
The statement
ll = strlen(applet);
appears twice in the same block without any
intervening assignment to the variables
'll' or 'applet'
Remove the second (duplicate) statement.
We have used /run for some time now and we have had this migration
script for 6 years. Linux users should have upgraded by now to a version
of OpenRC which stores its information in /run.
In order to run healthcheck() and the unhealthy() function, add an
exec_command call to the supervisor.
Another difference is this function also logs errors instead of
attempting to display them.
This is for #271.
I do not know of a need to have the default shell be a build-time
configurable setting. All *nix systems I am aware of have /bin/sh as a
default posix compatible shell.
If some systems running OpenRC do not make that assumption about
/bin/sh, I will consider bringing this back, so feel free to open an
issue.
Without a respawn period setting, the supervisor will give up on
respawning agetty after it is respawned respawn_max times. For most
daemons giving up like this is reasonable, but not for agettys. Agettys
should always be respawned unless they are respawning too fast.
If an agetty is respawning faster than 10 times in 60 seconds, this
seems to be too fast.
Since the pid file is internal to us, start moving toward deprecating it
by not requiring the user to specify it.
In the next release, I plan on working on code to start phasing out the
use of a pid file if this is possible.
This is needed in preparation for adding support for a fifo to allow us
to communicate with the supervisor to ask it to signal the child it is
supervising.
This reverts commit 2af0cedd59.
After speaking with Luis Ressel on the Gentoo selinux team, I am reverting
this commit for the following reasons:
- Luis told me that he feels this is not the solution we need to address
the concern with checkpath; I will be working with him on another
solution.
- There are concerns about the way the path variable was handled
and the assert() call.
The path variable should be dynamically allocated using xasprintf
instead of defining a length at compile time. This would eliminate the
need for the assert() call.
- It introduces the definition of _GNU_SOURCE which makes it
easier to introduce portability concerns in the future (see #262).
The pidfile of the supervisor doesn't need to be adjustable by the
service script. It is only used so the supervisor can stop itself when
the --stop option is used.
In start-stop-daemon and rc-schedules, we were printing out a warning if
the nanosleep call was interrupted by a signal, but we did not treat
this as an error situation other than displaying the message, so there
is no need for the message.
These services represent the parts of the keymaps and termencoding
services which saved the settings back to the root file system so they
can be loaded very early in the boot process.
These are needed to allow keymaps and termencoding to run earlier in the
boot sequence.
X-Gentoo-Bug: 446018
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=446018
On Linux, kernel modules should be loaded once during boot, either in an
initramfs or by this service.
This does not change anything other than printing out messages if a
module is loaded more than once.
X-Gentoo-Bug: 659530
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=659530
Health checks are a way to monitor a service and make sure it stays
healthy.
If a service is not healthy, it will be automatically restarted after
running the unhealthy() function to clean up.
You can now schedule a shutdown for a certain time or a specific number
of minutes into the future.
When a shutdown is running, you can now cancel it with ^c from the
keyboard or by running "openrc-shutdown -c" from another shell.
Fix the comparison between respawn_count and respawn_max so that
respawn_max = 1 will allow for one respawn. Since respawn_count is
incremented before the comparison, use a 'greater than' comparison
so that respawn will be triggered when respawn_count is equal to
respawn_max.
Fixes: https://github.com/OpenRC/openrc/issues/247
Fixes: https://github.com/OpenRC/openrc/issues/248
We do not need to do this any longer since all supported linux kernels
make efivarfs immutable and the tools that manipulate it are aware of
this feature.
This fixes https://github.com/openrc/openrc/issues/238.
Use errno != EACCES to fix false-positive for non-root users
with grsecurity kernels.
Fixes: 37e2944272 ("librc: Add check for crashed state")
This fixes #237
This test to find if we could see pid 1 was being used inconsistently in
rc-status and mark_service_crashed to decide whether we could test to
see if the daemon for the service was crashed, and it was not part of
the librc library.
I am removing it from the executables because of inconsistent usage. I
will add it to the library if it is needed there.
Gentoo was changing some of our installation modes from 0444 to 0644.
There isn't a reason to install things 0444, so we are switching these
to 0644 so the Gentoo ebuild doesn't need this extra step.
This removes localmount from the dependencies of the consolefont,
keymaps, numlock and procfs services.
These services are Linux only and the default modern linux system has /
and /usr on the same file system.
This also fixes the following issue.
X-Gentoo-Bug: 651998
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=651998
If pidfile does not exist when we are stopping the daemon, assume it is
already stopped, and report success.
hostapd is an example of a daemon which removes its pidfile when it is
exiting. If this daemon terminates prematurely, that is, without s-s-d
involvement, then openrc fails to restart it, because s-s-d "stop"
command fails when pidfile is missing.
X-Gentoo-Bug: 646274
X-Gentoo-Bug-URL: https://bugs.gentoo.org/646274
The current check only tries to detect whether /sys/fs/cgroup exists and
whether it is writable or not. But when the init system doesn't mount
cgroups then /sys/fs/cgroup will just be an empty directory. When paired
with unprivileged containers that mount sysfs this will cause misleading
errors to be printed since /sys/fs/cgroup will be owned by user
nobody:nogroup in this case. Independent of this specific problem this
check will also be misleading when the /sys/fs/cgroup exists and is in
fact writable by the init system but isn't actually a mountpoint.
Note from William. "grep -qs" doesn't need to redirect output to
/dev/null since it is completely silent.
This fixes #209.
This is our own version of asprintf(). This original code was written by
Mike Frysinger, and I was able to modify it to use our memory helper
functions.
We need a version of this code because it is not available on glibc at
least without defining _GNU_SOURCE, and I would rather not do that.
This is the first step in improving string handling in OpenRC for #207.
The "Ar" tag for the mountinfo command contained a typo (leading
space) that resulted in the tag being output verbatim; that is,
mountinfo ... .Ar mount1 mount2
rather than e.g.
mountinfo ... <mount1> <mount2>
This commit deletes the leading space to fix the output.
This fixes #204.
The BUILTINS are all surrounded by Xo...Xc tags, but the opening "Xo"
was missing from the two commands fstabinfo and mountinfo. This commit
adds them, and thereby fixes the spacing when viewed by man.
This is for #204.
Refer to /var/run in the documentation instead of /run, and make it
clear at the top of the pidfile section that we use /run under Linux.
This is for #202.
This is related to #195.
This is an attempt to shorten the window for the first two issues
discussed by using a file descriptor which does not follow symbolic
links and using the fchmod and fchown calls instead of chown and chmod.
with.
rc_deptree_update_needed would return early as soon as it found
any file newer than the existing dependency cache. Unfortunately,
the first file found may not be the newest one there; so the
clock skew workaround in rc-misc:_rc_deptree_load would be given
a timestamp that was still too old.
This fix forces a full scan of all relevant files, so as to
ensure that we return a timestamp that will allow the clock skew
fix to operate. The runtime cost is no worse than the case where
the cache is up to date (ie. we must check every possible file).
This fixes #161.
Add the following variables to expose more arguments that can be passed
to start-stop-daemon or supervise-daemon:
- directory will be passed to --chdir
- error_log will be passed to --stderr
- output_log will be passed to --stdout
- umask will be passed to umask
This is for #184.
Add the ability to force-kill a service if it does not go down
successfully. Also, adjust the default wait time for an s6 service to go
down to 60 seconds.
The OpenRC team does not currently know of any modern linux tools that
require /etc/mtab to be a flat file, so this puts users on notice that
the mtab service will be removed in the future.
localmount had mtab in its "use" dependencies; however, it makes more
sense to add "before localmount" to the mtab service and remove
"use mtab" from the localmount service.
Ignore namespaces if there are errors reading either the pid namespace
for the current process or the process we are testing.
This fixes https://github.com/openrc/openrc/issues/180.
This is to be used if the service is being supervised and the
supervisor is somehow killed.
Currently, this is very linux specific, but I will expand to other
platforms, patches are welcome.
- Harden against dying by handling all signals that would terminate the
program and adding --reexec support
- factor the supervisor into its own function
- fix test for whether we are already running
Prior to this change, we were logging unexpected terminations of daemons
we were supervising at the info level. This change moves the logs to
warnings.
The sysfs init script referred to @LIBEXECDIR@ before this change, but
it is better to refer to RC_LIBEXECDIR so that we get rid of a sed
substitution.
The service binary was just a synonym for rc-service, so use rc-service
instead of service. If you want a "service" binary, it should be
something that can determine which service manager you are running and
run the appropriate service manager commands.
```
rc-selinux.c: In function ‘selinux_setup’:
rc-selinux.c:361:9: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
curr_t = context_type_get(curr_con);
^
```
Instead of looping and sending multiple signals to child processes in
cgroup_cleanup, we send sigterm followed by sleeping one second then
sigkill.
This brings us more in line with systemd's "control group" killmode
setting.
Also, this commit includes several shellcheck cleanups.
The --retry option for supervise-daemon defines how the supervisor will
attempt to stop the child process it is monitoring. It is defined when
the supervisor is started since stopping the supervisor just sends a
signal to the active supervisor.
This fixes #160.
This makes the halt wrapper sysvinit compatible. It ignores several
command line switches which are not currently implemented; however,
those can be implemented if we need to do so.
This fixes https://github.com/openrc/openrc/issues/146.
The syntax for expanding a variable with a default value is
${parameter:-word}
not
${parameter-word}
although the latter still works for a reason I could not explain.
This fixes #143.
Sysvinit shutdown has a default of single user mode, but openrc-shutdown
makes you choose a default action. Because of this, the shutdown wrapper
needs to pass --single to openrc-shutdown.
How to reproduce 1-byte overflow:
```
$ FEATURES=-test CFLAGS="-fsanitize=address -O0 -ggdb3" emerge -1 openrc
=================================================================
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0efd8710
at pc 0x000000402076 bp 0x7fff0efd7d50 sp 0x7fff0efd7d40
WRITE of size 1 at 0x7fff0efd8710 thread T0
#0 0x402075 (/sbin/openrc-init+0x402075)
#1 0x3cf6e2070f in __libc_start_main (/lib64/libc.so.6+0x3cf6e2070f)
#2 0x4013b8 (/sbin/openrc-init+0x4013b8)
Address 0x7fff0efd8710 is located in stack of thread T0 at offset 2432 in frame
#0 0x401cfb (/sbin/openrc-init+0x401cfb)
This frame has 3 object(s):
[32, 160) 'signals'
[192, 344) 'sa'
[384, 2432) 'buf' <== Memory access at offset 2432 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
```
The problem here is in the code handling reads from 'init.ctl':
```
int main(int argc, char **argv) {
    ...
    char buf[2048];
    for (;;) {
        /* This will block until a command is sent down the pipe... */
        fifo = fopen(RC_INIT_FIFO, "r");
        count = fread(buf, 1, 2048, fifo);
        buf[count] = 0;
        ...
}
```
`buf[count] = 0;` writes outside the buffer when `fread()` returns non-truncated read.
This fixes #138.
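The off-by-one above, shown next to a bounded read, as an added example rather than the openrc-init source. The same `buf[count]` pattern is what the /proc/<pid>/cmdline commit on this page describes for `read()`. The function names are hypothetical, and the input is constructed and fed through a temporary file instead of the init FIFO.

```c
#include <stdio.h>
#include <stdlib.h>

#define GUARD 0x7f

/* Pattern from the report: read up to size bytes, then terminate at buf[count]. */
size_t read_command_old(FILE *stream, char *buf, size_t size)
{
	size_t count = fread(buf, 1, size, stream);

	buf[count] = '\0';   /* a full read gives count == size: one past the end */
	return count;
}

/* Bounded form: request size-1 bytes so the terminator always fits. */
size_t read_command(FILE *stream, char *buf, size_t size)
{
	size_t count;

	if (size == 0)
		return 0;
	count = fread(buf, 1, size - 1, stream);
	buf[count] = '\0';
	return count;
}

typedef size_t (*reader_fn)(FILE *, char *, size_t);

/*
 * Feed input_len bytes to reader through a temporary file. The destination
 * is a heap region of size+1 bytes: the first size bytes stand in for
 * buf[size], the last one is a guard. Allocating the extra byte keeps the
 * demonstration itself inside allocated memory.
 * Returns 1 if the guard byte was overwritten, 0 if not, -1 on setup failure.
 */
int guard_clobbered(reader_fn reader, size_t input_len, size_t size)
{
	FILE *stream = tmpfile();
	char *region = malloc(size + 1);
	int clobbered = -1;
	size_t i;

	if (stream != NULL && region != NULL) {
		for (i = 0; i < input_len; i++)
			fputc('A', stream);      /* constructed input */
		rewind(stream);
		region[size] = GUARD;
		reader(stream, region, size);
		clobbered = region[size] != GUARD;
	}
	if (stream != NULL)
		fclose(stream);
	free(region);
	return clobbered;
}

int main(void)
{
	printf("old read, 2048 bytes into buf[2048]: guard clobbered = %d\n",
	    guard_clobbered(read_command_old, 2048, 2048));
	printf("bounded read, same input:            guard clobbered = %d\n",
	    guard_clobbered(read_command, 2048, 2048));
	return 0;
}
```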
rc-status now shows the amount of time a supervised daemon has been
active as well as the number of times it has been respawned during the
current respawn period.
This creates --respawn-delay, --respawn-max and --respawn-period. It was
suggested that it would be easier to follow if the options were
separated.
This is for #126.
Allow limiting the number of times supervise-daemon will attempt to respawn a
daemon once it has died to prevent infinite respawning. Also, set a
reasonable default limit (10 times in a 5 second period).
This is for issue #126.
openrc-init.c and openrc-shutdown.c are based on code which was written by
James Hammons <jlhamm@acm.org>, so I would like to publicly
thank him for his work.
We do not need to care about the path on the shebang line of a service
script as long as the shebang line ends with "openrc-run".
This fixes #119 and #120.
The clock services had a very long list of "before" dependencies that
referred to other services within OpenRC. For ease of maintenance,
convert these to "after clock" dependencies in the individual services.
Using wildcards in dependencies causes issues when rc_parallel is set to
yes because it can lead to deadlocks.
All dependencies need to be explicit rather than implicit.
This is the first stage of moving this direction.
Since we check for /sys/firmware/efi/efivars, we do not need to check
for /sys/firmware/efi
Since failing to mount efivarfs is not critical, we silence the error
message from mount.
My understanding is that the kernel can autoload this module. If it
doesn't, the module should be built in or loaded from an initramfs.
This fixes https://github.com/openrc/openrc/pulls/112.
- switch from attempting to ping the default gateway to a host outside
the local network, defaulting to google.com.
- along with this, change the name of the variable that requests a ping
test to include_ping_test so the meaning is more clear.
These files have been in the distribution for some time but haven't been
installed. They are good examples of how to do things, so we should
install them.
Since deptree2dot and the perl requirement are completely optional, we
can move this tool to the support folder. This gives the user the option
of using it if they have perl installed, and means we do not have an
optional runtime dependency on perl.
Documentation for this tool has also been added to the support folder.
X-Gentoo-Bug: 600742
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=600742
The test environment previously used the system default paths instead of installing the necessary $PATH environment
variable to make finding eval_ecolors work.
This closes #117.
X-Gentoo-Bug: 374191.
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=374191.
This path should not be hard coded in the open call.
Linux prior to 2.4.19 did not have /proc/self/mounts, so for now I'm
making this value /proc/mounts everywhere, but that may change to
/proc/self/mounts on linux; I'm not sure we should care about <2.4.19.
X-Gentoo-Bug: 604646
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=604646
Now that we respect the module blacklists, don't print every module we
try to load, because it might not end up loaded due to the blacklist,
and modprobe doesn't consider that a failure.
Supervisor setups break easily when start/stop/status functions are not
default.
Applications that write multiple PIDs to a pidfile (eg HAProxy as
described in bug 601540), can also benefit from being able to call the
default start/stop/status with modified environment variables.
Expose the default start/stop/status functions as
default_start/stop/status, and use them for the defaults
start/stop/status.
Trivial usage example:
```
stop()
{
	# Hand each PID to default_stop through a temporary one-line pidfile
	t=$(mktemp)
	for pid in $(cat "$pidfile") ; do
		echo "$pid" >"$t"
		pidfile=$t default_stop
	done
	rm -f "$t"
}
```
X-Gentoo-Bug: 601540
X-Gentoo-Bug-URL: https://bugs.gentoo.org/601540
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
The /etc/init.d/localmount script has a syntax error that causes it to
attempt to mount remote filesystems, causing the boot to fail. The
script appends a "no" to each remote filesystem type, but it should only
append the "no" to the beginning of the list. This patch fixes
localmount on FreeBSD 12.0. A review of the mount(8) manpage on Ubuntu
12.04 suggests that this patch is correct for Linux, too.
The documentation implied that if you stop a daemon we handle multiple
pids in a pid file. This is not correct. We only handle the first pid.
X-Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=601540
Busybox does not support the 'scope' argument on 'ip address add' or 'ip
route add', this is documented in BUSYBOX.md, but is no longer actually
needed, as the kernel does get it right without manual specification,
and the ifconfig variant already relies on the kernel to get it right.
This is part of #103.
X-Gentoo-Bug: 487208
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=487208
Separate loading the module, if it isn't built in or loaded, from
mounting the file system.
This also makes sure the warning about configuring the module in
/etc/conf.d/modules or building it in is displayed only if it is loaded
successfully.
X-Gentoo-Bug: 595836
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=595836
This allows us to avoid the warnings from bash-4.4 about null bytes in
command substitutions.
If you have separate /usr, are not using an initramfs, and have a file
called /proc/self/environ on your root file system, this will break.
X-Gentoo-Bug: 594534
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=594534
This reverts commit 8b4fc05ff2.
The original commit did not explain why this feature was disabled, and I
now have a request to enable it.
This fixes #24.
The $RC_UNAME "Linux" had been misspelled as "linux".
As a consequence, entries in e.g. /etc/modules-load.d failed to
load any module successfully under Linux(!)
In the hwclock, procfs and sysfs service scripts, we automatically
attempt to load the kernel modules we need before we take any action. We
shouldn't do this, because there are systems which do not use kernel
modules and do not have the kmod package installed.
With this change, we continue to load the modules ourselves, but we warn
the admin that they need to be added to /etc/conf.d/modules or built
into the kernel.
In the future, this automatic loading will be dropped.
X-Gentoo-Bug: 342313
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=342313
The original auto detection of Docker containers assumed the presence of
a container environment variable. However, Docker-1.12 does not
implement this, and I'm not sure which versions of docker implemented
it.
The new test is for the presence of a file named .dockerenv in the
root directory.
btrfs support is not implemented yet (for q Q v), but at least tmpfiles.sh
no longer chokes about tmpfiles.d lines of recent systemd versions
This fixes #87.
We had separate sysctl scripts for each operating system. However, there
is no need to do this since we can detect the operating system at
runtime with $RC_UNAME.
When we use the --utc or --localtime switch, also use --noadjfile if it
is available. This means hwclock will not use a drift file.
X-Gentoo-Bug: 584722
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=584722
1. remove default /bin:/sbin:/usr/bin:/usr/sbin
2. PKG_PREFIX should be defaulted to $(PREFIX)/usr
3. LOCAL_PREFIX should be defaulted to $(PREFIX)/usr/local
X-Gentoo-Bug:583634
X-Gentoo-Bug-URL:https://bugs.gentoo.org/show_bug.cgi?id=583634
These warnings were inserted in verbose only mode in OpenRC-0.13.A
Now, we are making them more visible in preparation for removing these
compatibility binaries in the future.
Traditional System V reserves runlevel 2 for multiuser with no
networking. We add support for this which is already defined in
the inittab as
l2:2:wait:/sbin/rc nonetwork
X-Gentoo-Bug: 533828
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=533828
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
In previous releases, we either treated no mount points as critical or
all of them.
Now both localmount and netmount support a critical_mounts setting. If
mount points listed in this setting fail to mount, localmount and
netmount will fail.
Before this commit, on Linux, we were always trying to mount file
systems marked with _netdev, even when the previous mount command
failed. Now, we do not run the second mount if the first fails.
X-Gentoo-Bug: 579876
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=579876
The read builtin in most shells will interpret backslash characters
as escapes, and they are lost when reading binfmt files line-by-line.
This causes magic strings containing backslashes to be mangled and
become invalid, resulting in erroneous 'invalid entry' messages.
The -r option to read disables special handling of backslashes and
keeps all lines intact.
X-Gentoo-Bug: 575114
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=575114
Netifrc is no longer part of OpenRC, so we shouldn't save its dep tree
as part of savecache.
This should have been removed when netifrc was split out. Also, it
might be related to the following bug.
X-Gentoo-Bug: 563720
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=563720
The s6-svc syntax changed for wait-up, wait-ready, wait-down, and
wait-finished. This changes the s6 handling script to use the current
valid syntax.
This fixes #65.
The whitelist of environment variables we pass to service scripts
included several unnecessary variables.
The default whitelist now includes EERROR_QUIET, EINFO_QUIET,
IN_BACKGROUND and IN_HOTPLUG.
X-Gentoo-Bug: 569542
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=569542
In the past, OpenRC was a hybrid of a centralized and file-scope
license/copyright structure.
I followed the instructions from the Software Freedom Law Center [1] to
convert to a Centralized structure where possible, for easier future
maintenance.
[1] https://softwarefreedom.org/resources/2012/ManagingCopyrightInformation.html
add in parsing of fstab to determine if nfsclient should be automatically
started so that netmount can mount nfs without adding nfsclient
to the default runlevel
This fixes #71.
- gendepends.sh needs to read this directory to allow dependencies to be
overridden
- init.sh for Linux and Bsd need to read it to allow config settings
they use to be overridden.
These functions replace rc_sys so that we can detect containers and vms
separately.
Also, we copy file_regex() to rc-misc.c and open it to all operating
systems.
In src/rc/_usage.c, we were using bootlevel as the variable to hold the
return value of rc_sys.
This changes the variable name to systype because this function returns
a system type, not a runlevel.
These functions were never meant to be used outside of OpenRC, and they
were added when we thought we were going to do away with the automatic
detection of subsystems. Since the autodetection is not going away, we
can combine these functions into rc_sys.
The want dependency is similar to the use dependency. If a service
script, for example called service1, adds "want service2" to its depend
function, OpenRC will attempt to start service2, if it exists on the
system, when service1 is started.
However, service1 will start regardless of the status of
service2.
X-Gentoo-Bug: 406021
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=406021
Rename the rc_conf_override function to describe its purpose better,
drop one conditional compile by making it available everywhere, and move
the call to it after the optional rc.conf.d directory is processed.
This makes it possible to override settings in rc.conf by adding a
directory @SYSCONFDIR@/rc.conf.d and putting files in this directory.
The files will be processed in lexical order, and the last setting in
these files will be used.
This advises users to remove mtab from their runlevels if /etc/mtab is a
symlink, and it creates the symlink if /etc/mtab does not exist on a
system.
X-Gentoo-Bug: 560060
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=560060
We were starting the value we write to the cgroup setting file with
leading spaces and this was causing issues. This change makes sure that
we aren't adding leading spaces to the value.
X-Gentoo-Bug: 562354
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=562354
On Linux, the --netdev and --nonetdev switches were not working. They
were both returning false. After this change, they operate based on the
presence or absence of the _netdev option in mount options.
The default start-stop-daemon start function expects the command
variable to be defined to point to the daemon we want to start.
If the variable is undefined, this means that there will be nothing to
start, and in this case we should complain because it is possible that
the script writer made a typo in the variable name.
All of the dependency type lists had the types_ prefix in their names;
this has been changed to deptypes_ to make them more self documenting.
Along the same lines, the setup_types function was renamed
setup_deptypes.
The following return codes are returned by mount -a:
0: all file systems mounted.
32: no file systems mounted.
64: some file systems mounted.
The localmount/netmount services should fail if all file systems that
should mount did not mount.
The tmpfiles "d" entry will create a full path and only the last dir in
the path will have its SELinux label set correctly. This patch will
restorecon the parents as well so that the selinux labels are correct.
eg, "d /run/libvirt/lxc", then "lxc" would have the correct SELinux
label but "libvirt" would not.
Signed-off-by: Jason Zaman <jason@perfinion.com>
This change does NOT implement btrfs subvol creation. Instead, it
treats 'v' the same as 'd', which is an acceptable fallback
according to the manual.
Fixes #58
When bash is used in posix mode for the shell, the ulimit command uses
a block size of 512 bytes for the -c and -f options.
X-Gentoo-Bug: 549238
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=549238
This changes the default s6 service directory to /var/svc.d, also
it changes the code to work with the individual services instead of
forcing a rescan when a service is started or stopped.
The original way of doing this allowed users to change the supervisor in
conf.d/*. This changes this so that the supervisor setup can be done in
the service script itself.
If a service has the same name as the runlevel it is in, openrc will
crash on changing to such runlevel. It goes in a recursive madness and
eventually gets a SEGV while in snprintf (don't know why).
This fixes two errors:
1. ls_dir stats files not with full path -> stat always returns != 0
2. ls_dir adds files to list if stat failed
This fixes #53.
X-Gentoo-Bug: 537304
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=537304
This adds the -systemd-nspawn keyword to service scripts which are not
intended to run in systemd-nspawn containers.
This fixes #52.
X-Gentoo-Bug: 548058
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=548058
The dist target now creates an archive based on the version setting.
This makes it possible to create an archive identical to the ones github
generates once the release is tagged.
This changes the mtab service in the following way:
- If /etc/mtab is a symbolic link, success is returned.
- If /etc is not writable, we warn that we could not update /etc/mtab
and return success.
- If /etc/mtab does not exist, we create a symbolic link from
/etc/mtab to /proc/self/mounts.
- Otherwise, we warn that updating /etc/mtab as a file is
deprecated and continue to update it after outputting instructions to
the user for how to move it to a symbolic link.
The cache directory should be created via mkdir -p instead of
mkdir. This makes sure all parent directories are created.
Also, we now display an error message explaining that we were unable to
create the cache directory if creation fails.
We were originally checking to see if $RC_LIBEXECDIR/cache was writable. For
a new install, this check will fail since this path does not exist. This
is also incorrect because later we create $RC_LIBEXECDIR/cache.
The correct check is checkpath -W $RC_LIBEXECDIR, and this fixes the
issue.
X-Gentoo-Bug: 544632
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=544632
This makes binfmt processing behave like tmpfiles processing which
follows the same specification as systemd.
This fixes #48.
X-Gentoo-Bug: 545162
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=545162
It appears that the only reason we were force loading the usbcore
module was to facilitate mounting usbfs. Since we no longer mount
usbfs, this is no longer necessary.
X-Gentoo-Bug: 480312
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=480312
The usbfs and usbdevfs file systems have been deprecated since
Linux-2.6.32, so we remove the code to automount them.
X-Gentoo-Bug: 480312
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=480312
The selinux file system is mounted under /sys, so move the code for it
to the appropriate service.
X-Gentoo-Bug: 546290
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=546290
Tmpfiles.d processing had /run overriding /usr/lib and /etc, but this is
not correct. The correct order, from lowest to highest, for tmpfiles
processing is:
* /usr/lib/tmpfiles.d/*.conf
* /run/tmpfiles.d/*.conf
* /etc/tmpfiles.d
This means /run/tmpfiles.d/*.conf can override /etc/tmpfiles.d/*.conf,
but /etc/tmpfiles.d/*.conf can override both of them.
This fixes #49.
The local service should use eval when it executes scripts since it has
the redirection set up in a variable.
This fixes #50.
X-Gentoo-Bug: 545012
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=545012
If selinux is disabled, then stub methods will be provided instead of
calling the real methods. This removes some warnings about unused
parameters which used to be covered up with #ifdef HAVE_SELINUX.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The previous fix to --test (PR #34) prevented reading one too many
arguments when --exec or --name was not specified, but created a
regression where the last argument would not print if either of those
arguments was specified. This corrects the issue.
Fixes #41.
checkpath -W can fail if the specified path doesn't actually exist yet.
In this case savecache script should attempt to create the path if it is
missing, however it is pre-empted by the checkpath call. This patch adds
an explicit existence test before executing checkpath.
This fixes #36.
If /tmp or / are read-only, the clean_run function can fail in some very
bad ways.
1. dir=$(mktemp -d) returns an EMPTY string on error.
2. "mount -o bind / $dir", and don't check the result of that,
3. "rm -rf $dir/run/*", which removes the REAL /run contents
4. box gets very weird from this point forward
Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org>
Signed-Off-By: Chip Parker <infowolfe@gmail.com>
Reported-by: Chip Parker <infowolfe@gmail.com>
Tested-by: Chip Parker <infowolfe@gmail.com>
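A guarded form of the four-step sequence listed in the commit above, written here as an added example and not taken from OpenRC. The function name and the `MKTEMP_CMD`, `BIND_CMD` and `UNBIND_CMD` hooks are hypothetical; they exist only so the failure paths can be exercised without root.

```shell
#!/bin/sh
# Guarded version of the sequence in the commit message. MKTEMP_CMD, BIND_CMD
# and UNBIND_CMD are hypothetical hooks (not OpenRC settings) so the failure
# paths can be exercised without root.
clean_under_bind() {
	src=$1

	# Step 1 in the commit: mktemp prints nothing on error. Check the exit
	# status and that the result is a non-empty, existing directory.
	dir=$(${MKTEMP_CMD:-mktemp -d}) || return 1
	[ -n "$dir" ] && [ -d "$dir" ] || return 1

	# Step 2: the bind mount result was not checked. Stop here if it
	# fails, before any rm runs.
	if ! ${BIND_CMD:-mount -o bind} "$src" "$dir"; then
		rmdir "$dir"
		return 2
	fi

	# Step 3: only now is "$dir"/run known to be the bind-mounted view.
	# With an empty $dir this glob would have been the real /run/*.
	rm -rf -- "$dir"/run/*

	${UNBIND_CMD:-umount} "$dir" || return 3
	rmdir "$dir"
}
```

Return codes 1, 2 and 3 separate the mktemp, mount and umount failures so a caller can log which step stopped the cleanup.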
This is another security fix. If you use chown() or chmod() on a
symbolic link, it affects the referenced file, not the symbolic link
itself.
X-Gentoo-Bug: 540006
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
The local service now redirects stdout and stderr for the scripts it
runs to /dev/null unless it is run in verbose mode.
X-Gentoo-Bug: 537444
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=537444
Do not change permissions on the target if it is a file and has multiple
hard links. This is necessary because a hard link can be an attack
vector to gain privilege escalation.
X-Gentoo-Bug: 540006
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
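The two conditions named in the commits filed under bug 540006 (target is a symbolic link; target is a file with multiple hard links), expressed as a shell pre-check. This is an added example, not the project's code; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Verdict for a path about to receive a privileged chmod/chown:
#   0 = no objection, 1 = symbolic link, 2 = regular file with more than
#   one hard link, 3 = path does not exist.
perm_change_verdict() {
	path=$1

	# -L must come first: -e and -f follow symlinks and would describe
	# the referenced file instead of the link.
	if [ -L "$path" ]; then
		return 1
	fi
	[ -e "$path" ] || return 3

	if [ -f "$path" ]; then
		# POSIX "ls -ld" prints the link count as its second field.
		nlink=$(ls -ld -- "$path" | awk 'NR == 1 { print $2 }')
		[ "$nlink" -eq 1 ] || return 2
	fi
	return 0
}

# Apply a mode only when the verdict is 0. This is check-then-act: the path
# can still be swapped between the test and the chmod call.
guarded_chmod() {
	mode=$1
	target=$2
	perm_change_verdict "$target" || return $?
	chmod -- "$mode" "$target"
}
```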
sysfs now mounts all related sysfs file systems and returns success,
like netmount and localmount.
Also, we now check to make sure the cgroups are not mounted before we
mount them.
X-Gentoo-Bug: 530138
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=530138
runscript used to dlopen() runscript_selinux.so. This adds equivalent
functionality directly into runscript instead. It authenticates with
either PAM or shadow and optionally has a dep on audit.
X-Gentoo-Bug: 517450
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=517450
Fixes #25
Note from William Hubbs:
The original patch overwrote CFLAGS. I modified this patch to add the
ncurses cflags to CPPFLAGS instead of overwriting CFLAGS.
Check for __FreeBSD_kernel instead of __GLIBC__ in source files.
note from William Hubbs:
I was told this is a better check for GNU/kFreeBSD than checking the
C library the source is being compiled against.
GNU/kFreeBSD than checking which library we are using.
This adds support for a chroot variable which will be passed to the
start-stop-daemon --chroot switch to runscript.sh when starting a
daemon. This also needs to be saved so it can be used in locating the
pid file when stopping the daemon.
X-Gentoo-Bug: 524388
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=524388
Fix gentoo bug #427996 correctly.
We should attempt to mount the file systems, but not try to start the
daemons. The previous fix removed mounting the file systems as well as
starting the daemons.
X-Gentoo-Bug: 508574
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=508574
Note from William Hubbs:
I spoke with Roy about this, and he pointed out that user-defined
functions may need the limits applied, so it is better to go with a
method that uses exceptions to determine which functions apply the
limits.
X-Gentoo-Bug: 522408
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=522408
Originally, we aborted all of the cgroup setup if /sys/fs/cgroup/openrc
was already mounted. This caused an issue in lxc containers, so we
should always allow the subsystems to be mounted.
X-Gentoo-Bug: 520606
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=520606
ewend 1 "Fileystem errors left uncorrected, aborting"
ewend 1 "Filesystem errors left uncorrected, aborting"
_abort
else
ewend 1 "Filesystems repaired, but reboot needed"