From owner-freebsd-ports@FreeBSD.ORG Tue Sep 14 07:15:25 2010 Return-Path: Delivered-To: ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 28F69106567A; Tue, 14 Sep 2010 07:15:25 +0000 (UTC) (envelope-from swhetzel@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 598FA8FC13; Tue, 14 Sep 2010 07:15:23 +0000 (UTC) Received: by bwz13 with SMTP id 13so1302bwz.13 for ; Tue, 14 Sep 2010 00:15:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=Q0GsMHdqzNKPytoxqcwQPZpcPferCEg9v5LovKWRw3A=; b=LqV7cekVKzBKdXoglRxvkmnStEjQnqrdd4ufRDJRyBH32WweCiTtP8fNzfk4rzKxrf JjewhOpYsKsHvPJhS7hr+F9L7/oa7J0UTiKPhTmlfAZka6w59yPSfJjKkZCWQdFmcfuR wWJd3piXktn2CNRhicTKfYJRUtiRC3wF0sss8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=YWfRyWvyVFG7rNb6AkBWLIX1m2GKHA/L39+4qTRmkSkGXhkmQiowBu9OsdJdUkN8UJ LKQ0Dzou93pQUsHVRrn/1m7A9kJKW0tKgSVx6nz4Nt6KcFQGjVG3BVQmYy3R9r7q1M4g e7+PQdd2rloR3obf7FyJGfQfM7uSPrwDabN2c= MIME-Version: 1.0 Received: by 10.239.129.206 with SMTP id 14mr297098hbg.213.1284447096968; Mon, 13 Sep 2010 23:51:36 -0700 (PDT) Received: by 10.239.181.81 with HTTP; Mon, 13 Sep 2010 23:51:36 -0700 (PDT) In-Reply-To: <20100911173359.68d71af6@it.buh.tecnik93.com> References: <20100911222902.bb57444a.nork@FreeBSD.org> <20100911173359.68d71af6@it.buh.tecnik93.com> Date: Tue, 14 Sep 2010 01:51:36 -0500 Message-ID: From: Scot Hetzel To: Ion-Mihai Tetcu , Norikatsu Shigemura Content-Type: text/plain; charset=ISO-8859-1 Cc: ports@freebsd.org Subject: Re: [ports/net/isc-dhcp*] Don't stop DHCP related daemons X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Sep 2010 07:15:25 -0000 On Sat, Sep 11, 2010 at 9:33 AM, Ion-Mihai Tetcu wrote: > On Sat, 11 Sep 2010 22:29:02 +0900 > Norikatsu Shigemura wrote: > >> Hi wxs and jpaetzel. >> >> I noticed that dhcpd server stoped after portupgrade, >> sometimes. It's a painful accident on my network. Because I didn't >> notice some troubles:-(. >> >> Why do you stop the daemons? Is it really absolutely necessary >> to stop a service before it's files go away? >> >> SEE ALSO: >> http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/rc-scripts.html#AEN5402 >> >> $ grep forcestop isc-dhcp*/pkg-plist >> isc-dhcp31-relay/pkg-plist:@unexec %D/etc/rc.d/isc-dhcrelay.sh >> forcestop 2>/dev/null || true isc-dhcp31-relay/pkg-plist:@unexec >> %D/etc/rc.d/isc-dhcrelay forcestop 2>/dev/null || true >> isc-dhcp31-server/pkg-plist:@unexec %D/etc/rc.d/isc-dhcpd.sh >> forcestop 2>/dev/null || true isc-dhcp31-server/pkg-plist:@unexec >> %D/etc/rc.d/isc-dhcpd forcestop 2>/dev/null || true >> isc-dhcp41-relay/pkg-plist:@unexec %D/etc/rc.d/isc-dhcrelay.sh >> forcestop 2>/dev/null || true isc-dhcp41-relay/pkg-plist:@unexec >> %D/etc/rc.d/isc-dhcrelay forcestop 2>/dev/null || true >> isc-dhcp41-server/pkg-plist:@unexec %D/etc/rc.d/isc-dhcpd forcestop >> 2>/dev/null || true >> >> I want to remove these lines in pkg-plist. These lines are needed to ensure that the daemon has been stopped upon uninstalling the port > This 'stop the service before we install' seems to be a new fashion, > usually unneeded/disruptive. The service is not stopped before the install, it is stopped before uninstalling the service during a pkg_delete. This ensures that the service has stopped running when the package is pkg_deleted. > IMO this should only happen when it's really needed, and with some big > warning printed. > The problem is that your using tools such as portupgrade, or portmaster, etc.. These tools don't check if the service was running when it started the upgrade process. Instead they just pkg_delete the old port and then build or pkg_install the newest version of the port. Consider thess senarios: 1. A system admin installs package foo-1.3, adds the appropriate foo_enable to /etc/rc.conf, and then executes ${PREFIX}/etc/rc.d/foo start. He tests the foo package and decides that it doesn't meet his requirements and wants to use bar-1.7 instead. So he goes to uninstall foo-1.3 without stopping the service (pkg_delete foo-1.3) and installs bar-1.7. Now, if the pkg-plist didn't have the @unexec %D/etc/rc.d/foo forcestop, the foo daemon would still be running until the system was rebooted. So when he goes to starts the bar service, he gets a suprise because he is connecting to the foo daemon, and the bar daemon failed to start. 2. A system admin installs package foo-1.3, after running the service for a while a security hole is found in foo-1.3. So he uses his favorite ports management tool (pkg_delete/pkg_install, portupgrade, or portmaster, ...) to upgrade to foo-1.4. If the pkg-plist didn't have the @unexec %D/etc/rc.d/foo forcestop, the security vulnerable foo-1.3 daemon would still be running, even though the latest version has been installed. This would cause the system to still be vulnerable to the security risk. The main problem with upgrading ports that install daemon startup scripts is that the ports management tools are not checking if the service is running before they start the upgrade process. These tools should print a warning at the end of the upgrade process that states which daemons were stopped due to the upgrade process. The ports management tools should not automatically restart the daemons that it had stopped. The reason is that there could be a configuration change in the new ports sample config files that should be migrated to the old modified config files before restarting the service. Scot