> On 02.06.2022 at 22:42, Pantelis Roditis <prodi...@echothrust.com> wrote:
> 
> Hi everyone,
> 
> I recently started running multiple pflogd instances and noticed that
> /etc/rc.d/pflogd killed/restarted every running instance.
> The same happened from newsyslog rotations as well.

I think the issue is more general. It applies whenever multiple instances of 
any service are needed.

I have a similar issue with php_fpm which I am using in multiple PHP versions 
and with different settings (chroot(2) for httpd(8) or without chroot(2) for 
Apache httpd).

In some cases the fix may be a more specific pexp. However this depends, as you 
have noted, on what parameters the executable is called with and whether they 
are sufficient to differentiate between the running service instances.

In general running multiple instances of the same service does not seem to be 
supported out of the box by OpenBSD and specifically by the rc(8) 
infrastructure. It can be made to work in some cases but it feels kind of like 
a hack.


> 
> After suggestions by brynet, sthen and ajacoutot (thank you guys)
> I updated pexp to use a combination of `[running]` and `daemon_flags`
> 
> pexp="pflogd: \[running\]${daemon_flags:+ ${daemon_flags}}"

I used a similar solution for php_fpm, differentiating on the names of the 
different config files used for the alternate versions of the service (which 
are specified using rcctl set <service> flags …).

An alternate solution would require duplicating the binaries under different 
names. But that becomes a maintenance nightmare when there are updates. Note: 
Symlinks don’t work for this. And using hard links may also have issues if the 
inode changes when updating.


> 
> However, the default pflogd does not start with any flags set, so in
> order to make this work I had to either set the flags for pflogd
> 
> rcctl set pflogd flags -s 160 -i pflog0 -f /var/log/pflog
> 
> or add something like this to /etc/rc.d/pflogd
> 
> : ${daemon_flags:="-s 160 -i pflog0 -f /var/log/pflog"}
> pexp="pflogd: \[running\]${daemon_flags:+ ${daemon_flags}}"
> 
> It was suggested by sthen that a diff may be worth submitting, but I don't
> know which of the two options is preferred, if any
> 
> In the first case we have to set flags for pflogd which no other base
> daemon does at the moment, other than maybe amd_master?
> 
> In the second case we set default flags inside the rc script and this
> introduces an unnecessary dependency to update this script whenever the
> default flags or their order changes.
> 
> These changes are only needed for when someone needs to run more than
> one instance of pflogd, in which case they will have to copy the
> default /etc/rc.d/pflogd and/or modify it anyways (e.g. for the interface
> name in rc_pre).

Right! So the choices are:
1) Leave /etc/rc.d/<service> as is, and only run modified duplicates.
2) Modify /etc/rc.d/<service> to ensure a unique pexp when dealing with 
multiple instances, but you still need to create modified duplicates for the 
additional instances. 

My choice would be (1). It does not change the things installed by the base 
system or from packages. Whenever something is updated, manual checks and 
potentially adjustments may be required anyway. Seems a bit cleaner that way. 
Fewer dependencies on the defaults.

Note: For the general case you also need to watch out for configured (or 
compiled-in) resources, such as sockets, network ports, log files, config 
files, etc.


> 
> The diff for the script follows, suggestions/ideas are more than welcome
> 
> diff --git etc/rc.d/pflogd etc/rc.d/pflogd
> index 963616775..620d2daef 100644
> --- etc/rc.d/pflogd
> +++ etc/rc.d/pflogd
> @@ -6,7 +6,9 @@ daemon="/sbin/pflogd"
> 
> . /etc/rc.d/rc.subr
> 
> -pexp="pflogd: \[priv\]"
> +: ${daemon_flags:="-s 160 -i pflog0 -f /var/log/pflog"}
> +
> +pexp="pflogd: \[running\]${daemon_flags:+ ${daemon_flags}}"
> 
> rc_pre() {
> 
>        if pfctl -si | grep -q Enabled; then
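
Review bot: In the two added lines, the `: ${daemon_flags:=...}` default makes the `${daemon_flags:+ ...}` guard in the new pexp always take the non-empty branch, so the guard is dead code and the match now depends on the hard-coded string agreeing exactly with the flag order and spacing in the process title. Either drop the default and keep the guard, or keep the default and write the pattern as `pflogd: \[running\] ${daemon_flags}`. Note also that `:=` replaces flags that were deliberately set empty, and that the pattern moves from the `[priv]` title to the `[running]` one, so the commit message should say which process the rc script is now expected to match and signal.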

That would be similar to option (2) which I would not prefer.


Just my 2¢…

Mike
