The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/src/commit/?id=cb57f50e6404389e4314025caea487d63ddf0ee4

commit cb57f50e6404389e4314025caea487d63ddf0ee4
Author:     Alexander Leidinger <netch...@freebsd.org>
AuthorDate: 2023-11-13 08:48:51 +0000
Commit:     Alexander Leidinger <netch...@freebsd.org>
CommitDate: 2023-11-13 08:48:51 +0000

    defaults: oomprotect sshd and local_unbound
    
    Add sshd and local_unbound to the oom protected services.
    syslogd is protected by default already, document it.
    
    This was discussed on arch@, see
    https://lists.freebsd.org/archives/freebsd-arch/2023-November/000543.html
    
    sshd is protected to be able to investigate and fix oom issues on systems
    which don't have out-of-band console access.
    local_unbound is protected as it may be enabled for local use and without
    DNS a lot grinds to a halt (including sshd).
    
    Relnotes:               yes
    MFC after:              1 month
    Differential Revision:  https://reviews.freebsd.org/D42544
---
 libexec/rc/rc.conf       |  2 ++
 share/man/man5/rc.conf.5 | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 26e189953044..3269288728b6 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -318,6 +318,7 @@ ggated_config="/etc/gg.exports"     # ggated(8) exports 
file.
 ggated_flags=""                        # Extra parameters like which port to 
bind to.
 ctld_enable="NO"               # CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO"      # Local caching DNS resolver
+local_unbound_oomprotect="YES" # Don't kill local_unbound when swap space is 
exhausted.
 local_unbound_tls="NO"         # Use DNS over TLS
 blacklistd_enable="NO"         # Run blacklistd daemon (YES/NO).
 blacklistd_flags=""            # Optional flags for blacklistd(8).
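
Review bot: The comment on the new local_unbound_oomprotect line pushes it to roughly 87 columns (it wraps in this mail), while the entries directly below it (local_unbound_tls, blacklistd_enable) stay well inside 80. A shorter comment such as "# Don't kill on swap exhaustion." would keep the line in step with its neighbours and still say what the knob does.
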
@@ -364,6 +365,7 @@ pppoed_provider="*"         # Provider and ppp(8) config 
file entry.
 pppoed_flags="-P /var/run/pppoed.pid"  # Flags to pppoed (if enabled).
 pppoed_interface="em0"         # The interface that pppoed runs on.
 sshd_enable="NO"               # Enable sshd
+sshd_oomprotect="YES"          # Don't kill sshd when swap space is exhausted.
 sshd_program="/usr/sbin/sshd"  # path to sshd, if you want a different one.
 sshd_flags=""                  # Additional flags for sshd.
 ftpd_enable="NO"               # Enable stand-alone ftpd.
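
Review bot: The comment on sshd_oomprotect says "Don't kill sshd" without stating the scope of the protection, that is, whether it covers only the listening daemon or also the per-connection processes that serve a login. The commit message gives "investigate and fix oom issues" over ssh as the reason for the default, so an administrator needs to know whether an already open session survives or only new logins are guaranteed. Please state that in the comment here or in the sshd note added to rc.conf.5.
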
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index a76cb1a04e0a..ad84bcbd576c 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd September 18, 2023
+.Dd November 13, 2023
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -2318,6 +2318,12 @@ If set to
 run the
 .Xr syslogd 8
 daemon.
+Note, the
+.Va syslogd_oomprotect
+variable is set to
+.Dq Li YES
+by default in
+.Pa /etc/defaults/rc.conf .
 .It Va syslogd_program
 .Pq Vt str
 Path to
@@ -2381,6 +2387,12 @@ If set to
 run the
 .Xr unbound 8
 daemon as a local caching DNS resolver.
+Note, the
+.Va local_unbound_oomprotect
+variable is set to
+.Dq Li YES
+by default in
+.Pa /etc/defaults/rc.conf .
 .It Va nscd_enable
 .Pq Vt bool
 Set to
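
Review bot: The local_unbound_oomprotect note is attached to the description of the enable knob, and the rc.conf hunk shows local_unbound_enable="NO" next to local_unbound_oomprotect="YES". As written, "is set to YES by default" can be read as the resolver being protected on every system. Consider adding that the setting only takes effect once the service is enabled.
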
@@ -3840,6 +3852,12 @@ Set to
 to start
 .Xr sshd 8
 at system boot time.
+Note, the
+.Va sshd_oomprotect
+variable is set to
+.Dq Li YES
+by default in
+.Pa /etc/defaults/rc.conf .
 .It Va sshd_flags
 .Pq Vt str
 If
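
Review bot: This is the third copy of the same six-line note, each folded into the text of an enable entry, so sshd_oomprotect, local_unbound_oomprotect and syslogd_oomprotect never appear as list items of their own the way sshd_flags does right below. Someone scanning the variable list for sshd_oomprotect will not find it. A short ".It Va sshd_oomprotect" entry (and the same for the other two) would make the variables discoverable and give a natural place to document the accepted values.
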
