From owner-freebsd-arch Thu Oct 18 15:12:38 2001 Delivered-To: freebsd-arch@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 4788937B407 for ; Thu, 18 Oct 2001 15:12:33 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id B607214C2E; Fri, 19 Oct 2001 00:12:31 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Will Andrews Cc: arch@FreeBSD.org Subject: Re: New rc.d init script roadmap References: <20011018163033.C57251@squall.waterspout.com> <20011018164026.A25747@squall.waterspout.com> From: Dag-Erling Smorgrav Date: 19 Oct 2001 00:12:31 +0200 In-Reply-To: <20011018164026.A25747@squall.waterspout.com> Message-ID: Lines: 47 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Will Andrews writes: > On Thu, Oct 18, 2001 at 11:38:28PM +0200, Dag-Erling Smorgrav wrote: > > What pidfile is /etc/rc.d/ipfilter going to leave behind? Part of the > > sequence for starting ipfilter is "ipf -E -Fa", so you defintely do > > *not* want to run it by accident. > Well, obviously there will be some different interpretations of > the "start", "stop", "restart", etc. arguments. But everything > that starts a daemon should have a corresponding pidfile. My point is that the service you want to start may depend on another service that just configures something, but doesn't start a daemon (ipfilter is an example), so you can't always just check the pidfile to see if a service has ben started. Also, the presence of a pidfile does not necessarily mean the process is actually running (rc.subr is smart enough to check if the PID listed in the pidfile exists, but that's no guarantee either). Currently, NetBSD's rc system has no way of checking if ipfilter is already configured before starting it, but ipfilter is a prerequisite for network, which is a prerequisite for just about everything, including nfsd, which was the example Gordon brought up, so trying to start nfsd "and all its dependencies" will flush all ipfilter rules, including dynamic rules, which means killing all established connections if you're using stateful inspection. Not the kind of thing you'd enjoy discovering the hard way by typing "/etc/rc.d/nfsd start" in an ssh session to a server that's on the other side of town. (it'll also flush the routing table as a side effect of starting the "network" service, btw, so you're screwed even if you don't use stateful inspection) This issue is sufficiently complex that I actually think a small well-thought-out special-purpose script language would be better suited to this task that a bunch of shell scripts + rcorder, but that is probably a far too politically controversial suggestion. (it's all a matter of interdependent objects on which you can perform various operations, so a Real Hacker would come up with a lightweight object-oriented script language that could not only manage the startup sequence but replace make(1) as well. ... why are you all looking at me like that?) DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message