git: e97ad33a89a7 - main - Add an implementation of the 9P filesystem
The branch main has been updated by dfr:

URL: https://cgit.FreeBSD.org/src/commit/?id=e97ad33a89a78f55280b0485b3249ee9b907a718

commit e97ad33a89a78f55280b0485b3249ee9b907a718
Author:     Doug Rabson
AuthorDate: 2022-12-06 13:07:46 +
Commit:     Doug Rabson
CommitDate: 2024-06-19 12:12:04 +

    Add an implementation of the 9P filesystem

    This is derived from swills@ fork of the Juniper virtfs with many
    changes by me including bug fixes, style improvements, clearer layering
    and more consistent logging. The filesystem is renamed to p9fs to better
    reflect its function and to prevent possible future confusion with
    virtio-fs.

    Several updates and fixes from Juniper have been integrated into this
    version by Val Packett and these contributions along with the original
    Juniper authors are credited below.

    To use this with bhyve, add 'virtio_p9fs_load=YES' to loader.conf. The
    bhyve virtio-9p device allows access from the guest to files on the host
    by mapping a 'sharename' to a host path. It is possible to use p9fs as a
    root filesystem by adding this to /boot/loader.conf:

        vfs.root.mountfrom="p9fs:sharename"

    for non-root filesystems add something like this to /etc/fstab:

        sharename /mnt p9fs rw 0 0

    In both examples, substitute the share name used on the bhyve command
    line.

    The 9P filesystem protocol relies on stateful file opens which map
    protocol-level FIDs to host file descriptors. The FreeBSD vnode
    interface doesn't really support this and we use heuristics to guess the
    right FID to use for file operations. This can be confused by privilege
    lowering and does not guarantee that the FID created for a given file
    open is always used for file operations, even if the calling process is
    using the file descriptor from the original open call. Improving this
    would involve changes to the vnode interface which is out-of-scope for
    this import.
Differential Revision: https://reviews.freebsd.org/D41844 Reviewed by: kib, emaste, dch MFC after: 3 months Co-authored-by: Val Packett Co-authored-by: Ka Ho Ng Co-authored-by: joyu Co-authored-by: Kumara Babu Narayanaswamy --- share/man/man5/Makefile |1 + share/man/man5/p9fs.5 | 127 +++ sys/conf/files|7 + sys/conf/options |1 + sys/dev/virtio/p9fs/virtio_p9fs.c | 511 + sys/dev/virtio/p9fs/virtio_p9fs.h | 39 + sys/fs/p9fs/p9_client.c | 1311 ++ sys/fs/p9fs/p9_client.h | 168 +++ sys/fs/p9fs/p9_debug.h| 45 + sys/fs/p9fs/p9_protocol.c | 632 +++ sys/fs/p9fs/p9_protocol.h | 280 + sys/fs/p9fs/p9_transport.c| 70 ++ sys/fs/p9fs/p9_transport.h| 53 + sys/fs/p9fs/p9fs.h| 203 sys/fs/p9fs/p9fs_proto.h | 42 + sys/fs/p9fs/p9fs_subr.c | 411 +++ sys/fs/p9fs/p9fs_vfsops.c | 602 +++ sys/fs/p9fs/p9fs_vnops.c | 2148 + sys/kern/vfs_mountroot.c |1 + sys/modules/Makefile |1 + sys/modules/p9fs/Makefile |8 + sys/modules/virtio/Makefile |2 +- sys/modules/virtio/p9fs/Makefile | 32 + 23 files changed, 6694 insertions(+), 1 deletion(-) diff --git a/share/man/man5/Makefile b/share/man/man5/Makefile index bc345b42717c..465cc85a3feb 100644 --- a/share/man/man5/Makefile +++ b/share/man/man5/Makefile @@ -35,6 +35,7 @@ MAN= acct.5 \ nsmb.conf.5 \ nsswitch.conf.5 \ os-release.5 \ + p9fs.5 \ passwd.5 \ pbm.5 \ periodic.conf.5 \ diff --git a/share/man/man5/p9fs.5 b/share/man/man5/p9fs.5 new file mode 100644 index ..5c110e3dc963 --- /dev/null +++ b/share/man/man5/p9fs.5 
@@ -0,0 +1,127 @@ +.\" +.\" Copyright (c) 2022-present Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\"notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\"notice, this list of conditions and the following disclaimer in the +.\"documentation and/or other materials provided with the distribution. +.\" +.\" THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE
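Review bot: the p9fs.5 hunk visible here stops inside the license header, so it cannot be confirmed that the FID-selection caveat from the commit message is documented; it belongs in a BUGS or CAVEATS section of p9fs.5. The message states that the driver guesses which FID to use for each file operation, that the guess can be confused by privilege lowering, and that the FID created at open time is not guaranteed to serve later I/O on the same descriptor. An administrator mounting a bhyve share, and in particular one booting with vfs.root.mountfrom="p9fs:sharename", needs that stated in the manual page rather than only in the commit log, because a file opened before a daemon drops privileges may then be accessed through a FID other than the one created by that open.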
Re: git: e97ad33a89a7 - main - Add an implementation of the 9P filesystem
On Wed, 19 Jun 2024 at 13:23, Baptiste Daroussin wrote:
> On Wed 19 Jun 12:13, Doug Rabson wrote:
> > The branch main has been updated by dfr:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=e97ad33a89a78f55280b0485b3249ee9b907a718
> >
> > commit e97ad33a89a78f55280b0485b3249ee9b907a718
> > Author:     Doug Rabson
> > AuthorDate: 2022-12-06 13:07:46 +
> > Commit:     Doug Rabson
> > CommitDate: 2024-06-19 12:12:04 +
> >
> >     Add an implementation of the 9P filesystem
> >
> >     This is derived from swills@ fork of the Juniper virtfs with many
> >     changes by me including bug fixes, style improvements, clearer layering
> >     and more consistent logging. The filesystem is renamed to p9fs to better
> >     reflect its function and to prevent possible future confusion with
> >     virtio-fs.
> >
> >     Several updates and fixes from Juniper have been integrated into this
> >     version by Val Packett and these contributions along with the original
> >     Juniper authors are credited below.
> >
> >     To use this with bhyve, add 'virtio_p9fs_load=YES' to loader.conf. The
> >     bhyve virtio-9p device allows access from the guest to files on the host
> >     by mapping a 'sharename' to a host path. It is possible to use p9fs as a
> >     root filesystem by adding this to /boot/loader.conf:
> >
> >         vfs.root.mountfrom="p9fs:sharename"
> >
> >     for non-root filesystems add something like this to /etc/fstab:
> >
> >         sharename /mnt p9fs rw 0 0
> >
> >     In both examples, substitute the share name used on the bhyve command
> >     line.
> >
> >     The 9P filesystem protocol relies on stateful file opens which map
> >     protocol-level FIDs to host file descriptors. The FreeBSD vnode
> >     interface doesn't really support this and we use heuristics to guess the
> >     right FID to use for file operations. This can be confused by privilege
> >     lowering and does not guarantee that the FID created for a given file
> >     open is always used for file operations, even if the calling process is
> >     using the file descriptor from the original open call. Improving this
> >     would involve changes to the vnode interface which is out-of-scope for
> >     this import.
> >
> First of all: thanks a lot! You say the changes in the vnode interface are
> out of scope for this import, which makes perfect sense, but it is part of
> your TODO for later?

It is something I would like to work on but I'm not sure exactly when. I
may try a quick-and-dirty approximation to get a better idea about how
much in vnode will need to change. Basically, we need to track state from
the VOP_OPEN in struct file so that we can match the right 9P fid with
each i/o operation. This seems possible since we already have an f_data
member in struct file.

Doug.
git: b2ebcd19f467 - main - p9fs: Fix the build for 32-bit kernels
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=b2ebcd19f467f518aa969b84527018c03fb0286e commit b2ebcd19f467f518aa969b84527018c03fb0286e Author: Doug Rabson AuthorDate: 2024-06-19 14:15:34 + Commit: Doug Rabson CommitDate: 2024-06-19 14:16:38 + p9fs: Fix the build for 32-bit kernels MFC after: 3 months --- sys/fs/p9fs/p9fs_vnops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/fs/p9fs/p9fs_vnops.c b/sys/fs/p9fs/p9fs_vnops.c index c1bea18d5eef..d17d7624aef1 100644 --- a/sys/fs/p9fs/p9fs_vnops.c +++ b/sys/fs/p9fs/p9fs_vnops.c @@ -1762,7 +1762,7 @@ p9fs_readdir(struct vop_readdir_args *ap) count = 0; clnt = np->p9fs_ses->clnt; - P9_DEBUG(VOPS, "%s: vp %p, offset %ld, resid %zd\n", __func__, vp, uio->uio_offset, uio->uio_resid); + P9_DEBUG(VOPS, "%s: vp %p, offset %jd, resid %zd\n", __func__, vp, (intmax_t) uio->uio_offset, uio->uio_resid); if (ap->a_uio->uio_iov->iov_len <= 0) return (EINVAL);
git: 56e4622588ed - main - p9fs: fix lookup of "." for lib9p-based 9P servers
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=56e4622588ed2eec0197ac47c3059d3db439f5c0 commit 56e4622588ed2eec0197ac47c3059d3db439f5c0 Author: Doug Rabson AuthorDate: 2024-06-24 11:22:57 + Commit: Doug Rabson CommitDate: 2024-06-24 13:40:06 + p9fs: fix lookup of "." for lib9p-based 9P servers The lib9p implementation takes a strict interpretation of the Twalk RPC call and returns an error for attempts to lookup ".". The workaround is to fake the lookup locally. Reviewed by: Val Packett MFC after: 3 months --- sys/fs/p9fs/p9fs_vnops.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/sys/fs/p9fs/p9fs_vnops.c b/sys/fs/p9fs/p9fs_vnops.c index d17d7624aef1..77162c0a4aff 100644 --- a/sys/fs/p9fs/p9fs_vnops.c +++ b/sys/fs/p9fs/p9fs_vnops.c @@ -243,6 +243,12 @@ p9fs_lookup(struct vop_lookup_args *ap) if (dnp == NULL) return (ENOENT); + if (cnp->cn_nameptr[0] == '.' && strlen(cnp->cn_nameptr) == 1) { + vref(dvp); + *vpp = dvp; + return (0); + } + vses = dnp->p9fs_ses; mp = vses->p9fs_mount;
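Review bot: in the p9fs_lookup hunk, the shortcut recognises "." with cnp->cn_nameptr[0] == '.' && strlen(cnp->cn_nameptr) == 1, but cn_nameptr points into the full pathname buffer and the component is only NUL-terminated when it is the last one, so the test should use the length namei already computed: cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.', which is the form other FreeBSD filesystems use. With strlen() an intermediate "." (as in "./subdir") measures the remainder of the path, the shortcut is skipped, and the component still goes to the server where the strict lib9p Twalk handling described in the commit message rejects it.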
git: daa2c99c89f2 - main - p9fs: implement working putpages (fix mmap write)
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=daa2c99c89f224200911aa6c8cdee07bc354947a commit daa2c99c89f224200911aa6c8cdee07bc354947a Author: Val Packett AuthorDate: 2024-06-24 13:37:58 + Commit: Doug Rabson CommitDate: 2024-06-24 16:11:47 + p9fs: implement working putpages (fix mmap write) Mostly copied from smbfs. This driver in its current state has the exact same issue that prevents the generic putpages implementation from working. Sponsored by: https://www.patreon.com/valpackett Reviewed by:dfr Differential Revision: https://reviews.freebsd.org/D45639 MFC after: 3 months --- sys/fs/p9fs/p9fs_vfsops.c | 6 sys/fs/p9fs/p9fs_vnops.c | 79 +++ 2 files changed, 85 insertions(+) diff --git a/sys/fs/p9fs/p9fs_vfsops.c b/sys/fs/p9fs/p9fs_vfsops.c index 6cc65aca35d3..f674c866ce9d 100644 --- a/sys/fs/p9fs/p9fs_vfsops.c +++ b/sys/fs/p9fs/p9fs_vfsops.c @@ -35,6 +35,7 @@ #include #include #include +#include #include #include @@ -53,6 +54,7 @@ static uma_zone_t p9fs_node_zone; uma_zone_t p9fs_io_buffer_zone; uma_zone_t p9fs_getattr_zone; uma_zone_t p9fs_setattr_zone; +uma_zone_t p9fs_pbuf_zone; extern struct vop_vector p9fs_vnops; /* option parsing */ @@ -106,6 +108,9 @@ p9fs_init(struct vfsconf *vfsp) p9fs_setattr_zone = uma_zcreate("p9fs setattr zone", sizeof(struct p9_iattr_dotl), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); + /* Create the putpages zone */ + p9fs_pbuf_zone = pbuf_zsecond_create("p9fs pbuf zone", nswbuf / 2); + /* * Create the io_buffer zone pool to keep things simpler in case of * multiple threads. Each thread works with its own so there is no @@ -126,6 +131,7 @@ p9fs_uninit(struct vfsconf *vfsp) uma_zdestroy(p9fs_io_buffer_zone); uma_zdestroy(p9fs_getattr_zone); uma_zdestroy(p9fs_setattr_zone); + uma_zdestroy(p9fs_pbuf_zone); return (0); } diff --git a/sys/fs/p9fs/p9fs_vnops.c b/sys/fs/p9fs/p9fs_vnops.c index 77162c0a4aff..5556e60f4bae 100644 --- a/sys/fs/p9fs/p9fs_vnops.c +++ b/sys/fs/p9fs/p9fs_vnops.c 
@@ -39,10 +39,14 @@ #include #include #include +#include +#include #include #include #include +#include +#include #include #include @@ -62,6 +66,7 @@ static MALLOC_DEFINE(M_P9UIOV, "uio", "UIOV structures for strategy in p9fs"); extern uma_zone_t p9fs_io_buffer_zone; extern uma_zone_t p9fs_getattr_zone; extern uma_zone_t p9fs_setattr_zone; +extern uma_zone_t p9fs_pbuf_zone; /* For the root vnode's vnops. */ struct vop_vector p9fs_vnops; 
@@ -2126,6 +2131,79 @@ out: return (error); } +/* + * Put VM pages, synchronously. + * XXX: like smbfs, cannot use vop_stdputpages due to mapping requirement + */ +static int +p9fs_putpages(struct vop_putpages_args *ap) +{ + struct uio uio; + struct iovec iov; + int i, error, npages, count; + off_t offset; + int *rtvals; + struct vnode *vp; + struct thread *td; + struct ucred *cred; + struct p9fs_node *np; + vm_page_t *pages; + vm_offset_t kva; + struct buf *bp; + + vp = ap->a_vp; + np = P9FS_VTON(vp); + td = curthread; + cred = curthread->td_ucred; + pages = ap->a_m; + count = ap->a_count; + rtvals = ap->a_rtvals; + npages = btoc(count); + offset = IDX_TO_OFF(pages[0]->pindex); + + /* +* When putting pages, do not extend file past EOF. +*/ + if (offset + count > np->inode.i_size) { + count = np->inode.i_size - offset; + if (count < 0) + count = 0; + } + + for (i = 0; i < npages; i++) + rtvals[i] = VM_PAGER_ERROR; + + bp = uma_zalloc(p9fs_pbuf_zone, M_WAITOK); + kva = (vm_offset_t) bp->b_data; + pmap_qenter(kva, pages, npages); + + VM_CNT_INC(v_vnodeout); + VM_CNT_ADD(v_vnodepgsout, count); + + iov.iov_base = (caddr_t) kva; + iov.iov_len = count; + uio.uio_iov = &iov; + uio.uio_iovcnt = 1; + uio.uio_offset = offset; + uio.uio_resid = count; + uio.uio_segflg = UIO_SYSSPACE; + uio.uio_rw = UIO_WRITE; + uio.uio_td = td; + + P9_DEBUG(VOPS, "of=%jd,resid=%zd\n", (intmax_t)uio.uio_offset, uio.uio_resid); + + error = VOP_WRITE(vp, &uio, vnode_pager_putpages_ioflags(ap->a_sync), + cred); + + pmap_qremove(kva, npages); + uma_zfree(p9fs_pbuf_zone, bp); + + if (error == 0) + vnode_pager_undirty_pages(pages, rtvals, count - uio.uio_resid, + np->inode.i_size - offset, npages * PAGE_SIZE); + + return (rtvals[0]); +} struct
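Review bot: p9fs_putpages issues VOP_WRITE with cred = curthread->td_ucred, but the thread flushing dirty pages is often not the process that mapped and modified the file (the pageout daemon, the syncer, or another process sharing the mapping), so the write-back is attempted with a credential, and given the FID heuristics described in the import message possibly a FID, that differs from the original open. smbfs and nfs carry the same limitation, but it deserves a comment at the cred assignment here, and the node would ideally remember the credential and FID of the open that established the mapping so that write-back does not depend on who happens to run it. Separately, the EOF clamp computes count = np->inode.i_size - offset in the type of i_size and only then narrows the result to int; doing the subtraction in an off_t temporary before assigning to count keeps the count < 0 test meaningful whatever the declared type of i_size.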
git: 9fac39c63c12 - main - arm64: fix the handling of DDB symbols in early boot
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=9fac39c63c123f02c803007772bdb3bee1d3 commit 9fac39c63c123f02c803007772bdb3bee1d3 Author: Doug Rabson AuthorDate: 2024-01-18 16:41:02 + Commit: Doug Rabson CommitDate: 2024-01-18 16:41:02 + arm64: fix the handling of DDB symbols in early boot The code which installs the kernel symbol table wasn't being compiled because the file did not include opt_ddb.h Reviewed by:kevans emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D43490 --- sys/arm64/arm64/machdep_boot.c | 5 + 1 file changed, 5 insertions(+) diff --git a/sys/arm64/arm64/machdep_boot.c b/sys/arm64/arm64/machdep_boot.c index 19ad2977614f..b8e0c734bbb4 100644 --- a/sys/arm64/arm64/machdep_boot.c +++ b/sys/arm64/arm64/machdep_boot.c @@ -27,6 +27,7 @@ */ #include "opt_platform.h" +#include "opt_ddb.h" #include #include @@ -48,6 +49,10 @@ #include #endif +#ifdef DDB +#include +#endif + extern int *end; static char *loader_envp;
git: 895545d0e666 - main - Fix spelling of BUILDENV_SHELL
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=895545d0e6664ad05fefe63ce46eb670be7e4957 commit 895545d0e6664ad05fefe63ce46eb670be7e4957 Author: Doug Rabson AuthorDate: 2021-09-11 12:03:52 + Commit: Doug Rabson CommitDate: 2021-09-11 12:27:11 + Fix spelling of BUILDENV_SHELL --- Makefile.inc1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.inc1 b/Makefile.inc1 index 478824675382..8134bb93df03 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -1219,7 +1219,7 @@ BUILDENV_DIR?=${.CURDIR} # Note: make will report any errors the shell reports. This can # be odd if the last command in an interactive shell generates an # error or is terminated by SIGINT. These reported errors look bad, -# but are harmless. Allowing them also allows BUIDLENV_SHELL to +# but are harmless. Allowing them also allows BUILDENV_SHELL to # be a complex command whose status will be returned to the caller. # Some scripts in tools rely on this behavior to report build errors. # ___ dev-commits-src-main@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"
git: c7631f9153b7 - main - libc_nonshared: Move to clibs package
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=c7631f9153b7d24279210869eb1fbe2e4a1763b2 commit c7631f9153b7d24279210869eb1fbe2e4a1763b2 Author: Doug Rabson AuthorDate: 2022-11-01 10:14:29 + Commit: Doug Rabson CommitDate: 2022-11-01 10:17:07 + libc_nonshared: Move to clibs package It's needed by libc.a which lives in clibs. PR: 254173 --- lib/libc_nonshared/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/libc_nonshared/Makefile b/lib/libc_nonshared/Makefile index 261828072e74..8ecf1699ba74 100644 --- a/lib/libc_nonshared/Makefile +++ b/lib/libc_nonshared/Makefile @@ -10,6 +10,7 @@ NO_PIC= # -fpic on some platforms, -fPIC on others. CFLAGS+=${PICFLAG} -DPIC -fvisibility=hidden +PACKAGE= clibs LIB= c_nonshared LIBC_NONSHARED_SRCS=
git: eb6f48854df2 - main - Fix a typo in the binmisc option name
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=eb6f48854df20441b384ca36b6b31558ada087c9 commit eb6f48854df20441b384ca36b6b31558ada087c9 Author: Doug Rabson AuthorDate: 2022-12-07 13:40:18 + Commit: Doug Rabson CommitDate: 2022-12-07 13:51:34 + Fix a typo in the binmisc option name This should be spelt IMGACT_BINMISC to match the filename. The option name does not appear outside of sys/conf and this module is typically used via the kernel module imgact_binmisc.ko. MFC After: 2 weeks --- sys/conf/NOTES | 2 +- sys/conf/files | 2 +- sys/conf/options | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 8a9c726b792c..1c763b2a2ceb 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2772,7 +2772,7 @@ options RANDOM_ENABLE_UMA # slab allocator optionsRANDOM_ENABLE_ETHER # ether_input # Module to enable execution of application via emulators like QEMU -options IMAGACT_BINMISC +options IMGACT_BINMISC # zlib I/O stream support # This enables support for compressed core dumps. diff --git a/sys/conf/files b/sys/conf/files index 9aec63c6969e..60c5c749c40b 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -3772,7 +3772,7 @@ kern/bus_if.m standard kern/clock_if.mstandard kern/cpufreq_if.m standard kern/device_if.m standard -kern/imgact_binmisc.c optionalimagact_binmisc +kern/imgact_binmisc.c optional imgact_binmisc kern/imgact_elf.c standard kern/imgact_elf32.coptional compat_freebsd32 kern/imgact_shell.cstandard diff --git a/sys/conf/options b/sys/conf/options index c388a06abc9b..e2720980f356 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -110,7 +110,7 @@ FILEMON opt_dontuse.h FFCLOCK FULL_PREEMPTIONopt_sched.h GZIO opt_gzio.h -IMAGACT_BINMISCopt_dontuse.h +IMGACT_BINMISC opt_dontuse.h IPI_PREEMPTION opt_sched.h GEOM_BDE opt_geom.h GEOM_CACHE opt_geom.h
git: 5eeb4f737f11 - main - imgact_binmisc: Optionally pre-open the interpreter vnode
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=5eeb4f737f11b253ac330ae459b05e30fd16d0e8 commit 5eeb4f737f11b253ac330ae459b05e30fd16d0e8 Author: Doug Rabson AuthorDate: 2022-11-17 10:48:20 + Commit: Doug Rabson CommitDate: 2022-12-08 14:32:03 + imgact_binmisc: Optionally pre-open the interpreter vnode This allows the use of chroot and/or jail environments which depend on interpreters registered with imgact_binmisc to use emulator binaries from the host to emulate programs inside the chroot. Reviewed by: imp MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D37432 --- sys/kern/imgact_binmisc.c| 49 sys/kern/kern_exec.c | 18 ++- sys/sys/imgact.h | 1 + sys/sys/imgact_binmisc.h | 3 ++- usr.sbin/binmiscctl/binmiscctl.8 | 8 +++ usr.sbin/binmiscctl/binmiscctl.c | 15 6 files changed, 83 insertions(+), 11 deletions(-) diff --git a/sys/kern/imgact_binmisc.c b/sys/kern/imgact_binmisc.c index 951822df06b1..65b2e8e409a6 100644 --- a/sys/kern/imgact_binmisc.c +++ b/sys/kern/imgact_binmisc.c @@ -30,15 +30,18 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include #include #include #include +#include #include #include #include +#include #include @@ -63,6 +66,7 @@ typedef struct imgact_binmisc_entry { uint8_t *ibe_magic; uint8_t *ibe_mask; uint8_t *ibe_interpreter; + struct vnode *ibe_interpreter_vnode; ssize_t ibe_interp_offset; uint32_t ibe_interp_argcnt; uint32_t ibe_interp_length; @@ -114,7 +118,7 @@ static struct sx interp_list_sx; * Populate the entry with the information about the interpreter. */ static void -imgact_binmisc_populate_interp(char *str, imgact_binmisc_entry_t *ibe) +imgact_binmisc_populate_interp(char *str, imgact_binmisc_entry_t *ibe, int flags) { uint32_t len = 0, argc = 1; char t[IBE_INTERP_LEN_MAX]; 
@@ -150,6 +154,30 @@ imgact_binmisc_populate_interp(char *str, imgact_binmisc_entry_t *ibe) memcpy(ibe->ibe_interpreter, t, len); ibe->ibe_interp_argcnt = argc; ibe->ibe_interp_length = len; + + ibe->ibe_interpreter_vnode = NULL; + if (flags & IBF_PRE_OPEN) { + struct nameidata nd; + int error; + + tp = t; + while (*tp != '\0' && *tp != ' ') { + tp++; + } + *tp = '\0'; + NDINIT(&nd, LOOKUP, FOLLOW | ISOPEN, UIO_SYSSPACE, t); + + /* +* If there is an error, just stop now and fall back +* to the non pre-open case where we lookup during +* exec. +*/ + error = namei(&nd); + if (error) + return; + + ibe->ibe_interpreter_vnode = nd.ni_vp; + } } /* @@ -167,7 +195,7 @@ imgact_binmisc_new_entry(ximgact_binmisc_entry_t *xbe, ssize_t interp_offset, ibe->ibe_name = malloc(namesz, M_BINMISC, M_WAITOK|M_ZERO); strlcpy(ibe->ibe_name, xbe->xbe_name, namesz); - imgact_binmisc_populate_interp(xbe->xbe_interpreter, ibe); + imgact_binmisc_populate_interp(xbe->xbe_interpreter, ibe, xbe->xbe_flags); ibe->ibe_magic = malloc(xbe->xbe_msize, M_BINMISC, M_WAITOK|M_ZERO); memcpy(ibe->ibe_magic, xbe->xbe_magic, xbe->xbe_msize); @@ -199,6 +227,8 @@ imgact_binmisc_destroy_entry(imgact_binmisc_entry_t *ibe) free(ibe->ibe_interpreter, M_BINMISC); if (ibe->ibe_name) free(ibe->ibe_name, M_BINMISC); + if (ibe->ibe_interpreter_vnode) + vrele(ibe->ibe_interpreter_vnode); if (ibe) free(ibe, M_BINMISC); } @@ -271,15 +301,20 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe) } } + /* +* Preallocate a new entry. We do this without holding the +* lock to avoid lock-order problems if IBF_PRE_OPEN is +* set. +*/ + ibe = imgact_binmisc_new_entry(xbe, interp_offset, argv0_cnt); + INTERP_LIST_WLOCK(); if (imgact_binmisc_find_entry(xbe->xbe_name) != NULL) { INTERP_LIST_WUNLOCK(); + imgact_binmisc_destroy_entry(ibe); return (EEXIST); } - /* Preallocate a new entry. */ - ibe = imgact_binmisc_new_entry(xbe, interp_offset, argv0_cnt); - SLIST_INSERT_HEAD(&interpreter_l
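Review bot: in the imgact_binmisc_populate_interp hunk the successful namei() path keeps nd.ni_vp but never releases the pathname buffer; the comparable lookup added to vn_path_to_global_path_hardlink further down this page calls NDFREE_PNBUF(&nd) immediately after namei(), and the same is needed here (or a note explaining why this lookup does not need it), otherwise each registered IBF_PRE_OPEN interpreter leaks a namei buffer. Two consequences of the pre-open design should also be spelled out in the binmiscctl.8 hunk: the interpreter path is resolved once, in the namespace and with the credentials of the process running binmiscctl, and the held reference keeps pointing at that vnode, so replacing the emulator binary on the host afterwards (a package upgrade, for instance) leaves chrooted execs running the old, now-unlinked file until the entry is removed and re-added; and a failed pre-open is silent, since the namei() error is dropped and the entry falls back to a lookup at exec time inside the chroot, so an administrator who expects the host binary to be used gets no indication that it will not be. Returning the error to binmiscctl, or at least logging it, would make that failure visible.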
git: a3f714c4ff8c - main - Add support for mounting single files in nullfs
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=a3f714c4ff8cf3754520f330abe783aa6a06dcdb commit a3f714c4ff8cf3754520f330abe783aa6a06dcdb Author: Doug Rabson AuthorDate: 2022-11-07 16:56:09 + Commit: Doug Rabson CommitDate: 2022-12-19 16:44:54 + Add support for mounting single files in nullfs My main use-case for this is to support mounting config files and secrets into OCI containers. My current workaround copies the files into the container which is messy and risks secrets leaking into container images if the cleanup fails. Reviewed by:mjg, kib Tested by: pho Differential Revision: https://reviews.freebsd.org/D37478 --- sbin/mount/getmntopts.c | 14 ++ sbin/mount/mntopts.h | 1 + sbin/mount/mount.c | 23 --- sbin/mount_nullfs/mount_nullfs.8 | 11 +++ sbin/mount_nullfs/mount_nullfs.c | 23 +-- 5 files changed, 67 insertions(+), 5 deletions(-) diff --git a/sbin/mount/getmntopts.c b/sbin/mount/getmntopts.c index fb739c6406ae..0ee6d99ed8b9 100644 --- a/sbin/mount/getmntopts.c +++ b/sbin/mount/getmntopts.c @@ -139,6 +139,20 @@ checkpath(const char *path, char *resolved) return (0); } +int +checkpath_allow_file(const char *path, char *resolved) +{ + struct stat sb; + + if (realpath(path, resolved) == NULL || stat(resolved, &sb) != 0) + return (1); + if (!S_ISDIR(sb.st_mode) && !S_ISREG(sb.st_mode)) { + errno = ENOTDIR; + return (1); + } + return (0); +} + void build_iovec(struct iovec **iov, int *iovlen, const char *name, void *val, size_t len) diff --git a/sbin/mount/mntopts.h b/sbin/mount/mntopts.h index 183d6d9e501d..1d8b80069355 100644 --- a/sbin/mount/mntopts.h +++ b/sbin/mount/mntopts.h 
@@ -103,6 +103,7 @@ struct mntopt { void getmntopts(const char *, const struct mntopt *, int *, int *); void rmslashes(char *, char *); int checkpath(const char *, char resolved_path[]); +int checkpath_allow_file(const char *, char resolved_path[]); extern int getmnt_silent; void build_iovec(struct iovec **iov, int *iovlen, const char *name, void *val, size_t len); void build_iovec_argf(struct iovec **iov, int *iovlen, const char *name, const char *fmt, ...); diff --git a/sbin/mount/mount.c b/sbin/mount/mount.c index 6c986907bcda..7ac5cd965a8f 100644 --- a/sbin/mount/mount.c +++ b/sbin/mount/mount.c @@ -89,6 +89,7 @@ struct statfs *getmntpt(const char *); inthasopt(const char *, const char *); intismounted(struct fstab *, struct statfs *, int); intisremountable(const char *); +intallow_file_mount(const char *); void mangle(char *, struct cpa *); char *update_options(char *, char *, int); intmountfs(const char *, const char *, const char *, @@ -502,6 +503,15 @@ isremountable(const char *vfsname) return (0); } +int +allow_file_mount(const char *vfsname) +{ + + if (strcmp(vfsname, "nullfs") == 0) + return (1); + return (0); +} + int hasopt(const char *mntopts, const char *option) { @@ -548,9 +558,16 @@ mountfs(const char *vfstype, const char *spec, const char *name, int flags, static struct cpa mnt_argv; /* resolve the mountpoint with realpath(3) */ - if (checkpath(name, mntpath) != 0) { - xo_warn("%s", mntpath); - return (1); + if (allow_file_mount(vfstype)) { + if (checkpath_allow_file(name, mntpath) != 0) { + xo_warn("%s", mntpath); + return (1); + } + } else { + if (checkpath(name, mntpath) != 0) { + xo_warn("%s", mntpath); + return (1); + } } name = mntpath; diff --git a/sbin/mount_nullfs/mount_nullfs.8 b/sbin/mount_nullfs/mount_nullfs.8 index 756b13a7ffdf..68c252c69d61 100644 --- a/sbin/mount_nullfs/mount_nullfs.8 +++ b/sbin/mount_nullfs/mount_nullfs.8 
@@ -64,6 +64,17 @@ but in other respects it is indistinguishable from the original. .Pp The .Nm +utility supports mounting both directories and single files. +Both +.Ar target +and +.Ar mount_point +must be the same type. +Mounting directories to files or files to +directories is not supported. +.Pp +The +.Nm file system differs from a traditional loopback file system in two respects: it is implemented using a stackable layers techniques, and its diff --git a/sbin/mount_nullfs/mount_nullfs.c b/sbin/mount_nullfs/mount_nullfs.c index 77ec0991ea9b..55d7ac982f70 100644 --- a/sbin/mount_nullfs/mount_nullfs.c +++ b/sbin/mount_nullfs/mount_nullfs.c @@ -48,6 +48,7 @@ static const char rcsid[] = #include #include +#include #include #include @@ -61,6 +62,14 @@ static const char rcsid[] = static voidusa
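Review bot: checkpath_allow_file() in the getmntopts.c hunk reports ENOTDIR when the resolved path is neither a directory nor a regular file, while the kernel side of this feature (vfs_domount_first in the companion commit on this page) returns EINVAL for the same condition, so mount(8) and the kernel disagree about a device node or socket given as the mount point; pick one errno (EINVAL is the more accurate one now that files are acceptable) and use it in both places. The function also duplicates checkpath() apart from the type test; a shared helper taking the accepted-types predicate would stop the two from drifting.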
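Review bot: allow_file_mount() in the mount.c hunk hard-codes the nullfs name, while the kernel decides the same question from the VFCF_FILEMOUNT flag in vfsconf, so a second filesystem that sets the flag will be accepted by the kernel but rejected by mount(8) with the misleading ENOTDIR from checkpath(); at minimum the function needs a comment naming VFCF_FILEMOUNT as the source of truth, and since vfs_domount_first validates the type anyway, mount(8) could skip its own type check for filesystems it does not recognise instead of rejecting them.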
git: 78d35459a258 - main - Add vn_path_to_global_path_hardlink
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=78d35459a2586da024ac18e8768b44893c7184e7 commit 78d35459a2586da024ac18e8768b44893c7184e7 Author: Doug Rabson AuthorDate: 2022-12-02 14:09:31 + Commit: Doug Rabson CommitDate: 2022-12-19 16:44:59 + Add vn_path_to_global_path_hardlink This is similar to vn_path_to_global_path but allows for regular files which may not be present in the cache. Reviewed by:mjg, kib Tested by: pho --- sys/kern/vfs_cache.c | 69 ++-- sys/sys/vnode.h | 3 +++ 2 files changed, 70 insertions(+), 2 deletions(-) diff --git a/sys/kern/vfs_cache.c b/sys/kern/vfs_cache.c index d7b235c12f7b..f2dd8328278d 100644 --- a/sys/kern/vfs_cache.c +++ b/sys/kern/vfs_cache.c 
@@ -3812,6 +3812,71 @@ out: return (error); } +/* + * This is similar to vn_path_to_global_path but allows for regular + * files which may not be present in the cache. + * + * Requires a locked, referenced vnode. + * Vnode is re-locked on success or ENODEV, otherwise unlocked. + */ +int +vn_path_to_global_path_hardlink(struct thread *td, struct vnode *vp, +struct vnode *dvp, char *path, u_int pathlen, const char *leaf_name, +size_t leaf_length) +{ + struct nameidata nd; + struct vnode *vp1; + char *rpath, *fbuf; + size_t len; + int error; + + ASSERT_VOP_ELOCKED(vp, __func__); + + /* +* Construct global filesystem path from dvp, vp and leaf +* name. +*/ + VOP_UNLOCK(vp); + error = vn_fullpath_hardlink(vp, dvp, leaf_name, leaf_length, + &rpath, &fbuf, &len); + + if (error != 0) { + vrele(vp); + goto out; + } + + if (strlen(rpath) >= pathlen) { + vrele(vp); + error = ENAMETOOLONG; + goto out; + } + + /* +* Re-lookup the vnode by path to detect a possible rename. +* As a side effect, the vnode is relocked. +* If vnode was renamed, return ENOENT. +*/ + NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_SYSSPACE, path); + error = namei(&nd); + if (error != 0) { + vrele(vp); + goto out; + } + NDFREE_PNBUF(&nd); + vp1 = nd.ni_vp; + vrele(vp); + if (vp1 == vp) + strcpy(path, rpath); + else { + vput(vp1); + error = ENOENT; + } + +out: + free(fbuf, M_TEMP); + return (error); +} + #ifdef DDB static void db_print_vpath(struct vnode *vp) @@ -5339,7 +5404,7 @@ cache_fplookup_climb_mount(struct cache_fpl *fpl) vp = fpl->tvp; vp_seqc = fpl->tvp_seqc; - VNPASS(vp->v_type == VDIR || vp->v_type == VBAD, vp); + VNPASS(vp->v_type == VDIR || vp->v_type == VREG || vp->v_type == VBAD, vp); mp = atomic_load_ptr(&vp->v_mountedhere); if (__predict_false(mp == NULL)) { return (0); 
@@ -5396,7 +5461,7 @@ cache_fplookup_cross_mount(struct cache_fpl *fpl) vp = fpl->tvp; vp_seqc = fpl->tvp_seqc; - VNPASS(vp->v_type == VDIR || vp->v_type == VBAD, vp); + VNPASS(vp->v_type == VDIR || vp->v_type == VREG || vp->v_type == VBAD, vp); mp = atomic_load_ptr(&vp->v_mountedhere); if (__predict_false(mp == NULL)) { return (0); diff --git a/sys/sys/vnode.h b/sys/sys/vnode.h index 52f735713a30..89784dd4e455 100644 --- a/sys/sys/vnode.h +++ b/sys/sys/vnode.h @@ -714,6 +714,9 @@ struct vnode * intvn_commname(struct vnode *vn, char *buf, u_int buflen); intvn_path_to_global_path(struct thread *td, struct vnode *vp, char *path, u_int pathlen); +intvn_path_to_global_path_hardlink(struct thread *td, struct vnode *vp, + struct vnode *dvp, char *path, u_int pathlen, const char *leaf_name, + size_t leaf_length); intvaccess(enum vtype type, mode_t file_mode, uid_t file_uid, gid_t file_gid, accmode_t accmode, struct ucred *cred); intvaccess_vexec_smr(mode_t file_mode, uid_t file_uid, gid_t file_gid,
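Review bot: in vn_path_to_global_path_hardlink, fbuf is declared without an initializer and both early error paths (the vn_fullpath_hardlink() failure and the ENAMETOOLONG check) jump to out:, where free(fbuf, M_TEMP) runs; unless vn_fullpath_hardlink() is guaranteed to assign *freebuf on failure, that frees an uninitialized pointer. The function this mirrors, vn_path_to_global_path, returns directly when vn_fullpath_global() fails rather than going through out:; either do the same here or initialise fbuf to NULL, which free(9) accepts. The header comment "Vnode is re-locked on success or ENODEV, otherwise unlocked" was carried over as well, but this function has no ENODEV path, and the td parameter is unused.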
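Review bot: relaxing the VNPASS in cache_fplookup_climb_mount and cache_fplookup_cross_mount to admit VREG is the minimum the lockless lookup needs once a regular file can carry v_mountedhere, but it changes an invariant (v_mountedhere implies VDIR) that other code consulting v_mountedhere may rely on without an assertion to catch it; those consumers should be audited in the same change rather than found one at a time, and a comment at the first of the two assertions explaining that file mounts are why VREG is now allowed would help the next reader.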
git: 521fbb722c33 - main - Add support for mounting single files in nullfs
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=521fbb722c33663cf00a83bca70ad7cb790687b3 commit 521fbb722c33663cf00a83bca70ad7cb790687b3 Author: Doug Rabson AuthorDate: 2022-11-23 14:51:13 + Commit: Doug Rabson CommitDate: 2022-12-19 16:46:13 + Add support for mounting single files in nullfs The main use-case for this is to support mounting config files and secrets into OCI containers. My current workaround copies the files into the container which is messy and risks secrets leaking into container images if the cleanup fails. This adds a VFCF flag to indicate whether the filesystem supports file mounts and allows fspath to be either a directory or a file if the flag is set. Test Plan: $ sudo mkdir -p /mnt $ sudo touch /mnt/foo $ sudo mount -t nullfs /COPYRIGHT /mnt/foo Reviewed by:mjg, kib Tested by: pho --- sys/fs/nullfs/null_vfsops.c | 13 - sys/kern/vfs_mount.c| 34 +++--- sys/sys/mount.h | 1 + 3 files changed, 40 insertions(+), 8 deletions(-) diff --git a/sys/fs/nullfs/null_vfsops.c b/sys/fs/nullfs/null_vfsops.c index 216a8badce56..7f78d23ba016 100644 --- a/sys/fs/nullfs/null_vfsops.c +++ b/sys/fs/nullfs/null_vfsops.c @@ -156,6 +156,17 @@ nullfs_mount(struct mount *mp) } } + /* +* Lower vnode must be the same type as the covered vnode - we +* don't allow mounting directories to files or vice versa. +*/ + if ((lowerrootvp->v_type != VDIR && lowerrootvp->v_type != VREG) || + lowerrootvp->v_type != mp->mnt_vnodecovered->v_type) { + NULLFSDEBUG("nullfs_mount: target must be same type as fspath"); + vput(lowerrootvp); + return (EINVAL); + } + xmp = (struct null_mount *) malloc(sizeof(struct null_mount), M_NULLFSMNT, M_WAITOK | M_ZERO); @@ -503,4 +514,4 @@ static struct vfsops null_vfsops = { .vfs_unlink_lowervp = nullfs_unlink_lowervp, }; -VFS_SET(null_vfsops, nullfs, VFCF_LOOPBACK | VFCF_JAIL); +VFS_SET(null_vfsops, nullfs, VFCF_LOOPBACK | VFCF_JAIL | VFCF_FILEMOUNT); 
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c index bf8fd3b1c179..8001604d2855 100644 --- a/sys/kern/vfs_mount.c +++ b/sys/kern/vfs_mount.c @@ -1105,8 +1105,13 @@ vfs_domount_first( error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN); if (error == 0) error = vinvalbuf(vp, V_SAVE, 0, 0); - if (error == 0 && vp->v_type != VDIR) - error = ENOTDIR; + if (vfsp->vfc_flags & VFCF_FILEMOUNT) { + if (error == 0 && vp->v_type != VDIR && vp->v_type != VREG) + error = EINVAL; + } else { + if (error == 0 && vp->v_type != VDIR) + error = ENOTDIR; + } if (error == 0 && (fsflags & MNT_EMPTYDIR) != 0) error = vfs_emptydir(vp); if (error == 0) { @@ -1535,22 +1540,33 @@ vfs_domount( /* * Get vnode to be covered or mount point's vnode in case of MNT_UPDATE. */ - NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_SYSSPACE, - fspath); + NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1 | WANTPARENT, + UIO_SYSSPACE, fspath); error = namei(&nd); if (error != 0) return (error); - NDFREE_PNBUF(&nd); vp = nd.ni_vp; if ((fsflags & MNT_UPDATE) == 0) { if ((vp->v_vflag & VV_ROOT) != 0 && (fsflags & MNT_NOCOVER) != 0) { vput(vp); - return (EBUSY); + error = EBUSY; + goto out; } pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK); strcpy(pathbuf, fspath); - error = vn_path_to_global_path(td, vp, pathbuf, MNAMELEN); + /* +* Note: we allow any vnode type here. If the path sanity check +* succeeds, the type will be validated in vfs_domount_first +* above. +*/ + if (vp->v_type == VDIR) + error = vn_path_to_global_path(td, vp, pathbuf, + MNAMELEN); + else + error = vn_path_to_global_path_hardlink(td, vp, + nd.ni_dvp, pathbuf, MNAMELEN, + nd.ni_cnd.cn_nameptr, nd.ni_cnd.cn_namelen); if (error == 0) { error = vfs_domount_first(td, vfsp, pathbuf, vp, fsflags, optlist); @@ -1559,6 +1575,10 @@ vfs_d
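Review bot: the new type check in nullfs_mount folds two different failures into one EINVAL and one debug message: a lower vnode that is neither VDIR nor VREG (a device node or socket) logs "target must be same type as fspath" even when the two types do match. Split the message, or at least include lowerrootvp->v_type and mnt_vnodecovered->v_type in it, so a failed mount -t nullfs can be diagnosed from the debug output.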
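Review bot: in the vfs_domount_first hunk, any filesystem that sets VFCF_FILEMOUNT now returns EINVAL instead of ENOTDIR for every non-directory mount point, including fifos, sockets and devices that were never candidates for a file mount; callers that test for ENOTDIR lose that signal. Keep ENOTDIR for anything that is neither VDIR nor VREG and reserve EINVAL for the regular-file cases that are actually rejected. The diffstat also touches no documentation: mount_nullfs(8) and nullfs(5) should say that fspath may now be a regular file when the target is one.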
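Review bot: the vfs_domount hunk adds WANTPARENT and drops the NDFREE_PNBUF(&nd) that used to follow namei, so nd.ni_dvp and the path buffer stay live for the rest of the function, and the EBUSY path now does `goto out` instead of returning. The out: label and the release of nd.ni_dvp are past the end of the excerpt; confirm that the MNT_UPDATE branch, which does not pass through the new goto, reaches the same cleanup, otherwise every update mount leaks a directory vnode reference and a pnbuf.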
git: a1d74b2dab78 - main - Allow realpath to work for file mounts
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=a1d74b2dab78d56582126b4944b435d00747f601 commit a1d74b2dab78d56582126b4944b435d00747f601 Author: Doug Rabson AuthorDate: 2022-12-04 15:53:07 + Commit: Doug Rabson CommitDate: 2022-12-19 16:46:27 + Allow realpath to work for file mounts For file mounts, the directory vnode is not available from namei and this prevents the use of vn_fullpath_hardlink. In this case, we can use the vnode which was covered by the file mount with vn_fullpath. This also disallows file mounts over files with link counts greater than one to ensure a deterministic path to the mount point. Reviewed by:mjg, kib Tested by: pho --- sys/kern/vfs_cache.c | 28 ++-- sys/kern/vfs_mount.c | 5 + 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/sys/kern/vfs_cache.c b/sys/kern/vfs_cache.c index f2dd8328278d..47065cf85bb5 100644 --- a/sys/kern/vfs_cache.c +++ b/sys/kern/vfs_cache.c 
@@ -3147,12 +3147,36 @@ kern___realpathat(struct thread *td, int fd, const char *path, char *buf, pathseg, path, fd, &cap_fstat_rights); if ((error = namei(&nd)) != 0) return (error); - error = vn_fullpath_hardlink(nd.ni_vp, nd.ni_dvp, nd.ni_cnd.cn_nameptr, - nd.ni_cnd.cn_namelen, &retbuf, &freebuf, &size); + + if (nd.ni_vp->v_type == VREG && nd.ni_dvp->v_type != VDIR && + (nd.ni_vp->v_vflag & VV_ROOT) != 0) { + /* +* This happens if vp is a file mount. The call to +* vn_fullpath_hardlink can panic if path resolution can't be +* handled without the directory. +* +* To resolve this, we find the vnode which was mounted on - +* this should have a unique global path since we disallow +* mounting on linked files. +*/ + struct vnode *covered_vp; + error = vn_lock(nd.ni_vp, LK_SHARED); + if (error != 0) + goto out; + covered_vp = nd.ni_vp->v_mount->mnt_vnodecovered; + vref(covered_vp); + VOP_UNLOCK(nd.ni_vp); + error = vn_fullpath(covered_vp, &retbuf, &freebuf); + vrele(covered_vp); + } else { + error = vn_fullpath_hardlink(nd.ni_vp, nd.ni_dvp, nd.ni_cnd.cn_nameptr, + nd.ni_cnd.cn_namelen, &retbuf, &freebuf, &size); + } if (error == 0) { error = copyout(retbuf, buf, size); free(freebuf, M_TEMP); } +out: vrele(nd.ni_vp); vrele(nd.ni_dvp); NDFREE_PNBUF(&nd); diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c index 8001604d2855..8de9d3c4fff8 100644 --- a/sys/kern/vfs_mount.c +++ b/sys/kern/vfs_mount.c @@ -1108,6 +1108,11 @@ vfs_domount_first( if (vfsp->vfc_flags & VFCF_FILEMOUNT) { if (error == 0 && vp->v_type != VDIR && vp->v_type != VREG) error = EINVAL; + /* +* For file mounts, ensure that there is only one hardlink to the file. +*/ + if (error == 0 && vp->v_type == VREG && va.va_nlink != 1) + error = EINVAL; } else { if (error == 0 && vp->v_type != VDIR) error = ENOTDIR;
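Review bot: the comment in the new kern___realpathat branch says covered_vp "should have a unique global path since we disallow mounting on linked files", but the nlink check in vfs_domount_first runs only at mount time; nothing stops a later link(2) on the covered file, after which vn_fullpath on covered_vp returns whichever name the cache holds. Either word the comment as "the path the file had when it was mounted on" or reject link(2) against a vnode that is covered by a file mount. Minor: `struct vnode *covered_vp;` is declared mid-block after the comment; hoisting it to the top of the function keeps the declarations together.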
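Review bot: the new link-count test in vfs_domount_first reads va.va_nlink, but nothing in the hunk fills in va; confirm that the VOP_GETATTR which populates it runs before this point and that its return value is folded into `error`, otherwise the comparison reads an uninitialised field when the getattr fails. The EINVAL for a multiply linked file is also indistinguishable from the EINVAL for a wrong vnode type one line above; EMLINK, or a debug message naming the link count, would make the failure diagnosable from userland.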
git: 71e9be1bd54c - main - Don't allow stacking of file mounts
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=71e9be1bd54cf54de6fa273af71468e790ccdf47 commit 71e9be1bd54cf54de6fa273af71468e790ccdf47 Author: Doug Rabson AuthorDate: 2022-12-06 13:24:55 + Commit: Doug Rabson CommitDate: 2022-12-19 16:46:27 + Don't allow stacking of file mounts Reviewed by:mjg, kib Tested by: pho --- sys/kern/vfs_mount.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c index 8de9d3c4fff8..67a72f095786 100644 --- a/sys/kern/vfs_mount.c +++ b/sys/kern/vfs_mount.c @@ -1551,6 +1551,12 @@ vfs_domount( if (error != 0) return (error); vp = nd.ni_vp; + /* +* Don't allow stacking file mounts to work around problems with the way +* that namei sets nd.ni_dvp to vp_crossmp for these. +*/ + if (vp->v_type == VREG) + fsflags |= MNT_NOCOVER; if ((fsflags & MNT_UPDATE) == 0) { if ((vp->v_vflag & VV_ROOT) != 0 && (fsflags & MNT_NOCOVER) != 0) {
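Review bot: `fsflags |= MNT_NOCOVER` is applied before the `(fsflags & MNT_UPDATE) == 0` test, so a VREG vnode on the MNT_UPDATE path also carries the flag into whatever update code consumes fsflags; move the assignment inside the non-update branch unless that is intended. The error a user sees for an attempted stacked file mount is the EBUSY from the VV_ROOT check, which reads as "mount point busy" rather than "cannot stack file mounts"; that deserves a line in the man page, and the comment that calls this a workaround for vp_crossmp should say what actually breaks so the restriction can be lifted once namei handles it.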
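The three file-mount commits above describe what the kernel now rejects: lower and target must be the same vnode type (nullfs_mount), a regular-file target must have exactly one hard link (vfs_domount_first), and file mounts cannot be stacked (MNT_NOCOVER, surfacing as EBUSY). As an added example, not part of FreeBSD's code, here is a POSIX sh pre-flight check that a container launcher can run before `mount -t nullfs` so that a bad secret mount fails with a readable reason instead of an opaque EINVAL or EBUSY. The link count is taken from field 2 of `ls -ld`, which is the same on BSD and GNU ls; the function names and messages are mine.

```shell
#!/bin/sh
# Pre-flight checks for a nullfs single-file mount (added example, not FreeBSD's code).
# Mirrors the kernel rules from the commits above in userland:
#   - lower and target must both be regular files      (nullfs_mount type check)
#   - the target must have exactly one hard link        (vfs_domount_first nlink check)
#   - the target must not already be a mount point      (MNT_NOCOVER -> EBUSY)

# nlink_of PATH: print the hard-link count.  Field 2 of `ls -ld` is the link
# count on both BSD and GNU ls, which keeps this portable.
nlink_of() {
	ls -ld "$1" | awk '{ print $2 }'
}

# is_mountpoint PATH: 0 if PATH is a current mount point according to mount(8),
# 1 otherwise.  BSD and Linux both print "<dev> on <dir> ...", so field 3 is
# the directory.  If mount(8) is not available the check is skipped (returns 1).
is_mountpoint() {
	command -v mount >/dev/null 2>&1 || return 1
	mount 2>/dev/null | awk -v t="$1" '$3 == t { found = 1 } END { exit !found }'
}

# check_filemount LOWER TARGET: 0 if "mount -t nullfs LOWER TARGET" would pass
# the kernel's file-mount checks, 1 (with a diagnostic on stderr) otherwise.
check_filemount() {
	lower=$1
	target=$2
	if [ ! -f "$lower" ]; then
		echo "check_filemount: $lower is not a regular file" >&2
		return 1
	fi
	if [ ! -f "$target" ]; then
		echo "check_filemount: $target must be a regular file, like $lower" >&2
		return 1
	fi
	n=$(nlink_of "$target")
	if [ "${n:-0}" -ne 1 ]; then
		echo "check_filemount: $target has ${n:-?} hard links; the mount point must have exactly one" >&2
		return 1
	fi
	if is_mountpoint "$target"; then
		echo "check_filemount: $target is already a mount point; file mounts cannot be stacked" >&2
		return 1
	fi
	return 0
}

# mount_secret LOWER TARGET: run the checks, then perform the mount.  The mount
# itself needs root and a kernel with file-mount support in nullfs.
mount_secret() {
	check_filemount "$1" "$2" || return 1
	mount -t nullfs "$1" "$2"
}
```

Run `mount_secret /host/secrets/db.pem /containers/app/rootfs/run/secrets/db.pem` from the launcher; the target file has to exist beforehand (the kernel covers an existing vnode, it does not create one), so `touch` it with restrictive permissions first.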
git: 5e9c888a7ac0 - main - pkgbase: Move pw to the runtime package
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=5e9c888a7ac014f81bcf369ff3d38690d51545ee commit 5e9c888a7ac014f81bcf369ff3d38690d51545ee Author: Doug Rabson AuthorDate: 2022-05-30 13:22:08 + Commit: Doug Rabson CommitDate: 2022-05-30 14:23:00 + pkgbase: Move pw to the runtime package This allows building a container image with enough functionality for downloading and installing packages without having to include the utilities package. Reviewed by: manu MFC after: 2 weeks --- usr.sbin/pw/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/usr.sbin/pw/Makefile b/usr.sbin/pw/Makefile index 353eac132c7d..d994c289a04c 100644 --- a/usr.sbin/pw/Makefile +++ b/usr.sbin/pw/Makefile @@ -1,5 +1,6 @@ # $FreeBSD$ +PACKAGE= runtime PROG= pw MAN= pw.conf.5 pw.8 SRCS= pw.c pw_conf.c pw_user.c pw_group.c pw_log.c pw_nis.c pw_vpw.c \
git: 0c19c4db74aa - main - Move sort to runtime
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=0c19c4db74aad465200797382f4a14f86cd4e146 commit 0c19c4db74aad465200797382f4a14f86cd4e146 Author: Doug Rabson AuthorDate: 2022-07-29 09:15:24 + Commit: Doug Rabson CommitDate: 2022-07-29 10:27:25 + Move sort to runtime Allows pkg bootstrap without having to install FreeBSD-utilities --- usr.bin/sort/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/usr.bin/sort/Makefile b/usr.bin/sort/Makefile index 3f7b607a177a..40cd99086b95 100644 --- a/usr.bin/sort/Makefile +++ b/usr.bin/sort/Makefile @@ -2,6 +2,7 @@ .include +PACKAGE= runtime PROG= sort SRCS= bwstring.c coll.c file.c mem.c radixsort.c sort.c vsort.c CSTD= c11
git: 6e4dbb7feff4 - main - pkgbase: split kerberos binaries and libs
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=6e4dbb7feff42275c3025dbc25d6ea6cce4e5fd7 commit 6e4dbb7feff42275c3025dbc25d6ea6cce4e5fd7 Author: Doug Rabson AuthorDate: 2022-07-29 09:14:34 + Commit: Doug Rabson CommitDate: 2022-08-03 10:02:28 + pkgbase: split kerberos binaries and libs Summary: This allows installing packages that depend on kerberos libraries without pulling in all the binaries. It also moves libgssapi to runtime to allow installing kerberos libraries without adding a dependency on the large utilities package. It makes sense to put libgssapi in runtime rather than kerberos-lib since this is a plugin layer which is intended to support any GSS-API mechanisms, not just kerberos. A good example of a package which uses kerberos libraries without needing the kerberos utilities is sshd. This uses the kerberos GSS-API libraries to implement its GSSAPIAuthentication option. MFC after: 2 weeks Subscribers: imp Differential Revision: https://reviews.freebsd.org/D36028 --- kerberos5/lib/libasn1/Makefile | 2 +- kerberos5/lib/libgssapi_krb5/Makefile | 2 +- kerberos5/lib/libgssapi_ntlm/Makefile | 2 +- kerberos5/lib/libgssapi_spnego/Makefile | 2 +- kerberos5/lib/libhdb/Makefile | 2 +- kerberos5/lib/libheimbase/Makefile | 2 +- kerberos5/lib/libheimipcc/Makefile | 2 +- kerberos5/lib/libheimipcs/Makefile | 2 +- kerberos5/lib/libheimntlm/Makefile | 2 +- kerberos5/lib/libhx509/Makefile | 2 +- kerberos5/lib/libkadm5clnt/Makefile | 2 +- kerberos5/lib/libkadm5srv/Makefile | 2 +- kerberos5/lib/libkafs5/Makefile | 2 +- kerberos5/lib/libkdc/Makefile | 2 +- kerberos5/lib/libkrb5/Makefile | 2 +- kerberos5/lib/libroken/Makefile | 2 +- kerberos5/lib/libsl/Makefile| 2 +- kerberos5/lib/libvers/Makefile | 2 +- kerberos5/lib/libwind/Makefile | 2 +- lib/libgssapi/Makefile | 1 + release/packages/Makefile.package | 2 ++ 21 files changed, 22 insertions(+), 19 deletions(-) 
diff --git a/kerberos5/lib/libasn1/Makefile b/kerberos5/lib/libasn1/Makefile index 1772965239e8..60213ce0673f 100644 --- a/kerberos5/lib/libasn1/Makefile +++ b/kerberos5/lib/libasn1/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= asn1 LDFLAGS= -Wl,--no-undefined diff --git a/kerberos5/lib/libgssapi_krb5/Makefile b/kerberos5/lib/libgssapi_krb5/Makefile index fe64b99d57f0..3d50b002d9c9 100644 --- a/kerberos5/lib/libgssapi_krb5/Makefile +++ b/kerberos5/lib/libgssapi_krb5/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= gssapi_krb5 LDFLAGS= -Wl,-Bsymbolic -Wl,--no-undefined diff --git a/kerberos5/lib/libgssapi_ntlm/Makefile b/kerberos5/lib/libgssapi_ntlm/Makefile index 224404600205..a6860d54add9 100644 --- a/kerberos5/lib/libgssapi_ntlm/Makefile +++ b/kerberos5/lib/libgssapi_ntlm/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= gssapi_ntlm LDFLAGS= -Wl,-Bsymbolic -Wl,--no-undefined diff --git a/kerberos5/lib/libgssapi_spnego/Makefile b/kerberos5/lib/libgssapi_spnego/Makefile index bfd235b27981..609ecd69c79c 100644 --- a/kerberos5/lib/libgssapi_spnego/Makefile +++ b/kerberos5/lib/libgssapi_spnego/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= gssapi_spnego LDFLAGS= -Wl,-Bsymbolic -Wl,--no-undefined diff --git a/kerberos5/lib/libhdb/Makefile b/kerberos5/lib/libhdb/Makefile index 647ee1513148..f39d54d6c2d7 100644 --- a/kerberos5/lib/libhdb/Makefile +++ b/kerberos5/lib/libhdb/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= hdb LDFLAGS= -Wl,--no-undefined ${LDAPLDFLAGS} diff --git a/kerberos5/lib/libheimbase/Makefile b/kerberos5/lib/libheimbase/Makefile index d98d6ebbb4f4..b369b666f2ec 100644 --- a/kerberos5/lib/libheimbase/Makefile +++ b/kerberos5/lib/libheimbase/Makefile @@ -1,6 +1,6 @@ #$FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= heimbase LDFLAGS= -Wl,--no-undefined 
diff --git a/kerberos5/lib/libheimipcc/Makefile b/kerberos5/lib/libheimipcc/Makefile index d102058720e7..3cebdee96941 100644 --- a/kerberos5/lib/libheimipcc/Makefile +++ b/kerberos5/lib/libheimipcc/Makefile @@ -1,6 +1,6 @@ #$FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= heimipcc PRIVATELIB= diff --git a/kerberos5/lib/libheimipcs/Makefile b/kerberos5/lib/libheimipcs/Makefile index 308b5ecd6840..17e81702061c 100644 --- a/kerberos5/lib/libheimipcs/Makefile +++ b/kerberos5/lib/libheimipcs/Makefile @@ -1,6 +1,6 @@ #$FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= heimipcs PRIVATELIB= diff --git a/kerberos5
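Review bot: the diffstat lists release/packages/Makefile.package with two added lines, presumably COMMENT and DESC for the new kerberos-lib package, but none of the visible hunks adds a dependency edge: the binaries left in FreeBSD-kerberos link against the libraries moved into FreeBSD-kerberos-lib, so unless generate-ucl.sh derives that edge from shared-library requirements, `pkg install FreeBSD-kerberos` on a system without kerberos-lib leaves kinit and friends with unresolved libraries. Add a `kerberos) pkgdeps="kerberos-lib"` case, or note in the commit message where the dependency comes from.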
git: da4b0d6eb06d - main - netfront: fix the support for disabling LRO at boot time
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=da4b0d6eb06d730487d48e15d2d5e10c56266fd9 commit da4b0d6eb06d730487d48e15d2d5e10c56266fd9 Author: Doug Rabson AuthorDate: 2023-08-12 13:19:47 + Commit: Doug Rabson CommitDate: 2023-10-20 10:50:20 + netfront: fix the support for disabling LRO at boot time The driver has a tunable hw.xn.enable_lro which is intended to control whether LRO is enabled. This is currently non-functional - even if it's set to zero, the driver still requests LRO support from the backend. This change fixes the feature so that if enable_lro is set to zero, LRO no longer appears in the interface capabilities and LRO is not requested from the backend. PR: 273046 MFC after: 1 week Reviewed by:royger Differential Revision: https://reviews.freebsd.org/D41439 --- sys/dev/xen/netfront/netfront.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/dev/xen/netfront/netfront.c b/sys/dev/xen/netfront/netfront.c index b4e7722552e6..dafb838cf328 100644 --- a/sys/dev/xen/netfront/netfront.c +++ b/sys/dev/xen/netfront/netfront.c @@ -2272,7 +2272,7 @@ int create_netdev(device_t dev) { struct netfront_info *np; - int err; + int err, cap_enabled; if_t ifp; np = device_get_softc(dev); @@ -2304,7 +2304,11 @@ create_netdev(device_t dev) if_sethwassist(ifp, XN_CSUM_FEATURES); /* Enable all supported features at device creation. */ if_setcapabilities(ifp, IFCAP_HWCSUM|IFCAP_TSO4|IFCAP_LRO); - if_setcapenable(ifp, if_getcapabilities(ifp)); + cap_enabled = if_getcapabilities(ifp); + if (!xn_enable_lro) { + cap_enabled &= ~IFCAP_LRO; + } + if_setcapenable(ifp, cap_enabled); if_sethwtsomax(ifp, 65536 - (ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN)); if_sethwtsomaxsegcount(ifp, MAX_TX_REQ_FRAGS);
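Review bot: the commit message says that with hw.xn.enable_lro=0 "LRO no longer appears in the interface capabilities", but the hunk leaves IFCAP_LRO in if_setcapabilities and only clears it from the capenable set, so `ifconfig xn0 lro` can switch it back on at runtime and the backend negotiation would then be out of step with the interface. Either mask IFCAP_LRO out of the capabilities as well when the tunable is off, or soften the message to "is no longer enabled". The braces around the single-statement body of `if (!xn_enable_lro)` are also not style(9).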
git: 21e9018ae196 - main - pkgbase: use . format for alpha, beta and release package versions
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=21e9018ae19662db643a21064150da866bc7beb4 commit 21e9018ae19662db643a21064150da866bc7beb4 Author: Doug Rabson AuthorDate: 2023-11-13 13:04:26 + Commit: Doug Rabson CommitDate: 2023-11-13 14:46:36 + pkgbase: use . format for alpha, beta and release package versions This is consistent with version numbers used in releng/13.2. PR: 275051 Reviewed by:bapt MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D42562 --- Makefile.inc1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Makefile.inc1 b/Makefile.inc1 index c1c0b56efd1b..c1dfb84538af 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -547,9 +547,11 @@ VERSION= FreeBSD ${_REVISION}-${_BRANCH:C/-p[0-9]+$//} ${TARGET_ARCH} ${SRCRELDA MAJOR_REVISION=${_REVISION:R} .if !defined(PKG_VERSION) +_PKG_REVISION= ${_REVISION} _STRTIMENOW= %Y%m%d%H%M%S _TIMENOW= ${_STRTIMENOW:gmtime} .if ${_BRANCH:MCURRENT*} || ${_BRANCH:MSTABLE*} || ${_BRANCH:MPRERELEASE*} +_PKG_REVISION= ${MAJOR_REVISION} EXTRA_REVISION=.snap${_TIMENOW} .elif ${_BRANCH:MALPHA*} EXTRA_REVISION=.a${_BRANCH:C/ALPHA([0-9]+).*/\1/}.${_TIMENOW} @@ -560,7 +562,7 @@ EXTRA_REVISION= .rc${_BRANCH:C/RC([0-9]+).*/\1/}.${_TIMENOW} .elif ${_BRANCH:M*-p*} EXTRA_REVISION=p${_BRANCH:C/.*-p([0-9]+$)/\1/} .endif -PKG_VERSION:= ${MAJOR_REVISION}${EXTRA_REVISION:C/[[:space:]]//g} +PKG_VERSION:= ${_PKG_REVISION}${EXTRA_REVISION:C/[[:space:]]//g} .endif .endif # !defined(PKG_VERSION)
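Review bot: _PKG_REVISION now defaults to ${_REVISION}, so ALPHA, BETA and RC builds produce versions such as 14.0.a1.<timestamp> where they previously produced 14.a1.<timestamp>, and the snapshot case keeps the bare major. The BETA and RC lines are outside the hunk but take the same prefix. Before merging, run `pkg version -t` over a snapshot, alpha, beta, rc, release and `*-p*` string (the patch case appends p<N> with no dot) to confirm upgrades still sort forwards across each transition; a non-monotonic step here means `pkg upgrade` refuses to move from a pre-release to the release.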
git: 5ab151574c8a - main - netinet*: Fix redirects for connections from localhost
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc commit 5ab151574c8a1824c6cd8eded28506cb983284bc Author: Doug Rabson AuthorDate: 2023-05-24 13:11:37 + Commit: Doug Rabson CommitDate: 2023-05-31 10:11:05 + netinet*: Fix redirects for connections from localhost Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter rules to change the destination address and port for a connection. Typically, the rule triggers on an input event when a packet is received by a router and the destination address and/or port is changed to implement the redirect. When a reply packet on this connection is output to the network, the rule triggers again, reversing the modification. When the connection is initiated on the same host as the packet filter, it is initially output via lo0 which queues it for input processing. This causes an input event on the lo0 interface, allowing redirect processing to rewrite the destination and create state for the connection. However, when the reply is received, no corresponding output event is generated; instead, the packet is delivered to the higher level protocol (e.g. tcp or udp) without reversing the redirect, the reply is not matched to the connection and the packet is dropped (for tcp, a connection reset is also sent). This commit fixes the problem by adding a second packet filter call in the input path. The second call happens right before the handoff to higher level processing and provides the missing output event to allow the redirect's reply processing to perform its rewrite. 
This extra processing is disabled by default and can be enabled using pfilctl: pfilctl link -o pf:default-out inet-local pfilctl link -o pf:default-out6 inet6-local PR: 268717 Reviewed-by:kp, melifaro MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40256 --- sys/netinet/ip_input.c | 22 - sys/netinet/ip_var.h| 4 ++ sys/netinet6/ip6_input.c| 19 sys/netinet6/ip6_var.h | 4 ++ tests/sys/netpfil/common/Makefile | 1 + tests/sys/netpfil/{pf => common}/rdr.sh | 84 + tests/sys/netpfil/common/utils.subr | 4 ++ tests/sys/netpfil/pf/Makefile | 1 - 8 files changed, 127 insertions(+), 12 deletions(-) diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 5de09a32a2f5..5eef4be5ada8 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -136,7 +136,9 @@ SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true, "Drop incoming packets with source address that is a local address"); -VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */ +/* Packet filter hooks */ +VNET_DEFINE(pfil_head_t, inet_pfil_head); +VNET_DEFINE(pfil_head_t, inet_local_pfil_head); static struct netisr_handler ip_nh = { .nh_name = "ip", @@ -327,6 +329,10 @@ ip_vnet_init(void *arg __unused) args.pa_headname = PFIL_INET_NAME; V_inet_pfil_head = pfil_head_register(&args); + args.pa_flags = PFIL_OUT; + args.pa_headname = PFIL_INET_LOCAL_NAME; + V_inet_local_pfil_head = pfil_head_register(&args); + if (hhook_head_register(HHOOK_TYPE_IPSEC_IN, AF_INET, &V_ipsec_hhh_in[HHOOK_IPSEC_INET], HHOOK_WAITOK | HHOOK_HEADISINVNET) != 0) 
@@ -816,6 +822,20 @@ ours: return; #endif /* IPSTEALTH */ + /* +* We are going to ship the packet to the local protocol stack. Call the +* filter again for this 'output' action, allowing redirect-like rules +* to adjust the source address. +*/ + if (PFIL_HOOKED_OUT(V_inet_local_pfil_head)) { + if (pfil_mbuf_out(V_inet_local_pfil_head, &m, V_loif, NULL) != + PFIL_PASS) + return; + if (m == NULL) /* consumed by filter */ + return; + ip = mtod(m, struct ip *); + } + /* * Attempt reassembly; if it succeeds, proceed. * ip_reass() will return a different mbuf. diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index c25bae4b394f..cb4e4fbd1f42 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -255,6 +255,10 @@ VNET_DECLARE(struct pfil_head *, inet_pfil_head); #defineV_inet_pfil_headVNET(inet_pfil_head) #definePFIL_INET_NAME "inet" +VNET_DECLARE(struct pfil_head *, inet_local_pfil_head); +#defineV_inet_local_pfil_head VNET(inet_local_pfil_head) +#definePFIL_INET_
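Review bot: the new pfil_mbuf_out call on V_inet_local_pfil_head sits just before the "Attempt reassembly" block, so the local-delivery hook sees individual fragments rather than the reassembled datagram that the protocol handler it stands in for will receive. If the intent is that pf's own scrub/reassembly handles this in its hook, say so in the comment; otherwise the call belongs after ip_reass(). The new head name PFIL_INET_LOCAL_NAME is also undocumented in this diffstat: pfil(9) and pfilctl(8) should list "inet-local" and "inet6-local" next to "inet" and "inet6", with the note from the commit message that they carry only PFIL_OUT events and are delivered with V_loif as the interface.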
git: 4a6b92849e61 - main - pf: Fix tests broken by enabling inet-local filtering
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=4a6b92849e619c40ca9a78d38339798f2735ec56 commit 4a6b92849e619c40ca9a78d38339798f2735ec56 Author: Doug Rabson AuthorDate: 2023-06-02 15:58:33 + Commit: Doug Rabson CommitDate: 2023-06-03 10:07:56 + pf: Fix tests broken by enabling inet-local filtering Summary: Three of the pf dummynet tests were using filter rules which matched both the intended epair interface as well as lo0 which now receives PFIL_OUT events for messages delivered to the local network stack (if enabled). This commit changes the rules to match only for the expected epair interface. PR: 268717 Reviewed-by:kp MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40393 --- tests/sys/netpfil/common/dummynet.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/sys/netpfil/common/dummynet.sh b/tests/sys/netpfil/common/dummynet.sh index c3d0588045c8..6f7981a043a8 100644 --- a/tests/sys/netpfil/common/dummynet.sh +++ b/tests/sys/netpfil/common/dummynet.sh @@ -55,7 +55,7 @@ interface_removal_body() "ipfw" \ "ipfw add 1000 pipe 1 ip from any to any" \ "pf"\ - "pass dnpipe 1" + "pass on ${epair}b dnpipe 1" # single ping succeeds just fine atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 @@ -102,7 +102,7 @@ pipe_body() "ipfw" \ "ipfw add 1000 pipe 1 ip from any to any" \ "pf"\ - "pass dnpipe 1" + "pass on ${epair}b dnpipe 1" # single ping succeeds just fine atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 @@ -146,7 +146,7 @@ pipe_v6_body() "ipfw" \ "ipfw add 1000 pipe 1 ip6 from any to any" \ "pf"\ - "pass dnpipe 1" + "pass on ${epair}b dnpipe 1" # Single ping succeeds atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:42::2
git: 3a1f834b5228 - main - pf: Add code to enable filtering for locally delivered packets
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=3a1f834b5228986a7c14fd60da13cf2700e80996 commit 3a1f834b5228986a7c14fd60da13cf2700e80996 Author: Doug Rabson AuthorDate: 2023-06-20 13:01:58 + Commit: Doug Rabson CommitDate: 2023-06-20 14:34:01 + pf: Add code to enable filtering for locally delivered packets This is disabled by default since it potentially changes the behavior of existing filter rule sets. To enable this extra filter for packets being delivered locally, use: sysctl net.pf.filter_local=1 service pf restart PR: 268717 Reviewed-by:kp MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40373 --- UPDATING | 12 sys/netpfil/pf/pf_ioctl.c| 20 tests/sys/netpfil/common/utils.subr | 3 +-- tests/sys/netpfil/pf/fragmentation_compat.sh | 3 ++- tests/sys/netpfil/pf/fragmentation_pass.sh | 3 ++- tests/sys/netpfil/pf/killstate.sh| 24 tests/sys/netpfil/pf/map_e.sh| 3 ++- tests/sys/netpfil/pf/pass_block.sh | 3 ++- tests/sys/netpfil/pf/pfsync.sh | 1 + tests/sys/netpfil/pf/route_to.sh | 3 ++- tests/sys/netpfil/pf/set_skip.sh | 2 +- tests/sys/netpfil/pf/table.sh| 6 -- 12 files changed, 65 insertions(+), 18 deletions(-) diff --git a/UPDATING b/UPDATING index 1980411c1853..f4e13d97006d 100644 --- a/UPDATING +++ b/UPDATING 
@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20230619: + To enable pf rdr rules for connections initiated from the host, pf + filter rules can be optionally enabled for packets delivered + locally. This can change the behavior of rules which match packets + delivered to lo0. To enable this feature: + + sysctl net.pf.filter_local=1 + service pf restart + + When enabled, its best to ensure that packets delivered locally are not + filtered, e.g. by adding a 'skip on lo' rule. + 20230613: Improvements to libtacplus(8) mean that tacplus.conf(5) now follows POSIX shell syntax rules. This may cause TACACS+ diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index e76a92fb7e7f..b78c30aa4b8c 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -195,6 +195,12 @@ static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules"); #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE #endif +VNET_DEFINE_STATIC(bool, pf_filter_local) = false; +#define V_pf_filter_local VNET(pf_filter_local) +SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW, +&VNET_NAME(pf_filter_local), false, +"Enable filtering for packets delivered to local network stack"); + static void pf_init_tagset(struct pf_tagset *, unsigned int *, unsigned int); static void pf_cleanup_tagset(struct pf_tagset *); @@ -6682,6 +6688,13 @@ hook_pf(void) pla.pa_hook = V_pf_ip4_out_hook; ret = pfil_link(&pla); MPASS(ret == 0); + if (V_pf_filter_local) { + pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR; + pla.pa_head = V_inet_local_pfil_head; + pla.pa_hook = V_pf_ip4_out_hook; + ret = pfil_link(&pla); + MPASS(ret == 0); + } #endif #ifdef INET6 pha.pa_type = PFIL_TYPE_IP6; 
@@ -6703,6 +6716,13 @@ hook_pf(void) pla.pa_hook = V_pf_ip6_out_hook; ret = pfil_link(&pla); MPASS(ret == 0); + if (V_pf_filter_local) { + pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR; + pla.pa_head = V_inet6_local_pfil_head; + pla.pa_hook = V_pf_ip6_out_hook; + ret = pfil_link(&pla); + MPASS(ret == 0); + } #endif atomic_store_bool(&V_pf_pfil_hooked, true); diff --git a/tests/sys/netpfil/common/utils.subr b/tests/sys/netpfil/common/utils.subr index f4eec24618a7..e354f6638b87 100644 --- a/tests/sys/netpfil/common/utils.subr +++ b/tests/sys/netpfil/common/utils.subr @@ -55,11 +55,10 @@ firewall_config() jexec ${jname} ipfw -q -f flush jexec ${jname} /bin/sh $cwd/ipfw.rule elif [ ${fw} == "pf" ]; then + jexec ${jname} sysctl net.pf.filter_local=1 jexec ${jname} pfctl -e jexec ${jname} pfctl -F all jexec ${jname} pfctl -f $cwd/pf.rule - jexec ${jname} pfilc
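Review bot: V_pf_filter_local is only consulted when hook_pf links the hooks, so although the sysctl is CTLFLAG_RW it has no effect until pf is re-enabled (hence the `service pf restart` in UPDATING); say so in the sysctl description string. More importantly, the matching unlink in dehook_pf is not in the excerpt: if it re-reads V_pf_filter_local to decide whether to unlink from the inet-local head, toggling the sysctl from 1 to 0 while pf is enabled leaves that hook linked after `pfctl -d`. Record whether the local hook was linked and unlink on that flag, not on the live sysctl value. Nit in the UPDATING hunk: "its best" should be "it's best".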
git: 09267cc15284 - main - /etc/rc.subr: add support for kld sysctl variables
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=09267cc15284795fef958fb9ed786bb2382d6763 commit 09267cc15284795fef958fb9ed786bb2382d6763 Author: Doug Rabson AuthorDate: 2023-06-21 12:26:17 + Commit: Doug Rabson CommitDate: 2023-07-14 09:49:47 + /etc/rc.subr: add support for kld sysctl variables For kernel modules loaded by scripts in /etc/rc.d and /usr/local/etc/rc.d, if there is a file in /etc/sysctl.conf.d named .conf, then this will be loaded using the sysctl(8) utility. For instance, sysctl variable changes for the pf kernel module would be placed in the file /etc/sysctl.conf.d/pf.conf. PR: 272129 Reviewed by:imp freebsd_igalic.co MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40886 --- etc/mtree/BSD.root.dist | 2 ++ libexec/rc/rc.subr | 3 +++ share/man/man5/sysctl.conf.5 | 10 ++ 3 files changed, 15 insertions(+) diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist index 3a3a3a78d995..2ec079b0abd1 100644 --- a/etc/mtree/BSD.root.dist +++ b/etc/mtree/BSD.root.dist @@ -96,6 +96,8 @@ .. ssl .. + sysctl.conf.d + .. syslog.d .. zfs diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index 6a7f070f7f5b..ef3da46b3206 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -1970,6 +1970,9 @@ load_kld() return 1 else info "$1 kernel module loaded." + if [ -f "/etc/sysctl.conf.d/$1.conf" ]; then + sysctl -f "/etc/sysctl.conf.d/$1.conf" + fi fi else debug "load_kld: $1 kernel module already loaded." diff --git a/share/man/man5/sysctl.conf.5 b/share/man/man5/sysctl.conf.5 index 5df168661d85..26ecf763ca12 100644 --- a/share/man/man5/sysctl.conf.5 +++ b/share/man/man5/sysctl.conf.5 
@@ -51,6 +51,13 @@ Comments can also exist at the end of a line, as seen in the .Sx EXAMPLES section, below. +.Pp +For kernel modules loaded via +.Xr rc.subr 8 +system , +additional module-specific settings can be applied +by adding a file in the same format named +.Pf /etc/sysctl.d/.conf . .Sh FILES .Bl -tag -width /etc/rc.d/sysctl_lastload -compact .It Pa /etc/rc.d/sysctl @@ -69,6 +76,9 @@ Initial settings for .It Pa /etc/sysctl.conf.local Machine-specific settings for sites with a common .Pa /etc/sysctl.conf . +.It Pa /etc/sysctl.conf.d +Module specific settings for kernel modules loaded via +.Xr rc.subr 8 . .El .Sh EXAMPLES To turn off logging of programs that exit due to fatal signals you may use
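Review bot: the sysctl.conf.5 hunk says the file lives under /etc/sysctl.d/ while rc.subr and BSD.root.dist use /etc/sysctl.conf.d/; the man page path is wrong, and the same hunk has a stray space in "system ,". In the rc.subr hunk the sysctl file is applied only in the branch that has just loaded the module; the `already loaded` branch (module preloaded from loader.conf, or loaded by an earlier rc script) skips it, so per-module settings silently do not apply on those systems. Either apply the file in both branches or document that it is read only when rc.subr itself loads the module.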
git: 5ac2a874d070 - main - /etc/rc.subr: rename sysctl.conf.d to sysctl.kld.d
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=5ac2a874d070a0880dc0a264cb2230d7f1c19bea commit 5ac2a874d070a0880dc0a264cb2230d7f1c19bea Author: Doug Rabson AuthorDate: 2023-07-15 07:40:50 + Commit: Doug Rabson CommitDate: 2023-07-15 13:16:08 + /etc/rc.subr: rename sysctl.conf.d to sysctl.kld.d This better reflects the intent that this directory is indexed by kld name and removes a conflict with D32128 which aims to split sysctl.conf. Reviewed by:kevans imp MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D41043 --- etc/mtree/BSD.root.dist | 2 +- libexec/rc/rc.subr | 4 ++-- share/man/man5/sysctl.conf.5 | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist index 2ec079b0abd1..a81cd03050aa 100644 --- a/etc/mtree/BSD.root.dist +++ b/etc/mtree/BSD.root.dist @@ -96,7 +96,7 @@ .. ssl .. - sysctl.conf.d + sysctl.kld.d .. syslog.d .. diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index ef3da46b3206..0114dd5ca5a8 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -1970,8 +1970,8 @@ load_kld() return 1 else info "$1 kernel module loaded." - if [ -f "/etc/sysctl.conf.d/$1.conf" ]; then - sysctl -f "/etc/sysctl.conf.d/$1.conf" + if [ -f "/etc/sysctl.kld.d/$1.conf" ]; then + sysctl -f "/etc/sysctl.kld.d/$1.conf" fi fi else diff --git a/share/man/man5/sysctl.conf.5 b/share/man/man5/sysctl.conf.5 index 26ecf763ca12..1f769772dc9d 100644 --- a/share/man/man5/sysctl.conf.5 +++ b/share/man/man5/sysctl.conf.5 @@ -54,10 +54,10 @@ section, below. .Pp For kernel modules loaded via .Xr rc.subr 8 -system , +system, additional module-specific settings can be applied by adding a file in the same format named -.Pf /etc/sysctl.d/.conf . +.Pf /etc/sysctl.kld.d/.conf . .Sh FILES .Bl -tag -width /etc/rc.d/sysctl_lastload -compact .It Pa /etc/rc.d/sysctl 
@@ -76,7 +76,7 @@ Initial settings for .It Pa /etc/sysctl.conf.local Machine-specific settings for sites with a common .Pa /etc/sysctl.conf . -.It Pa /etc/sysctl.conf.d +.It Pa /etc/sysctl.kld.d Module specific settings for kernel modules loaded via .Xr rc.subr 8 . .El
git: 1d7ffb373c9d - main - pkgbase: reorganise caroot and openssl packages
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=1d7ffb373c9d639c9645a6b09ae46b2b92adb2e3 commit 1d7ffb373c9d639c9645a6b09ae46b2b92adb2e3 Author: Doug Rabson AuthorDate: 2023-07-31 14:38:45 + Commit: Doug Rabson CommitDate: 2023-08-05 08:30:35 + pkgbase: reorganise caroot and openssl packages This splits out the certctl utility into a new certctl package and the openssl libs into an openssl-lib package. PR: 272816 Reviewed by:manu Differential Revision: https://reviews.freebsd.org/D41321 --- release/packages/Makefile.package| 10 -- release/packages/{caroot.ucl => certctl.ucl} | 0 release/packages/generate-ucl.sh | 14 -- secure/lib/libcrypto/Makefile| 2 +- secure/lib/libssl/Makefile | 2 +- usr.sbin/certctl/Makefile| 2 +- 6 files changed, 19 insertions(+), 11 deletions(-) diff --git a/release/packages/Makefile.package b/release/packages/Makefile.package index 9bd2994c882a..e1256e02b2ad 100644 --- a/release/packages/Makefile.package +++ b/release/packages/Makefile.package @@ -26,10 +26,14 @@ bsdinstall_COMMENT= BSDInstall Utilities bsdinstall_DESC= BSDInstall Utilities bsnmp_COMMENT= BSNMP Utilities bsnmp_DESC=BSNMP Utilities +caroot_COMMENT=SSL Certificates +caroot_DESC= SSL Certificates clang_COMMENT= Clang Utilities clang_DESC=Clang Utilities clibs_COMMENT= Core C Libraries clibs_DESC=Core C Libraries +certctl_COMMENT= SSL Certificate Utility +certctl_DESC= SSL Certificate Utility console-tools_COMMENT= Console Utilities console-tools_DESC=Console Utilities csh_COMMENT= C Shell 
@@ -113,8 +117,10 @@ nfs_COMMENT= NFS Utilities nfs_DESC= NFS Utilities nvme-tools_COMMENT=NVME Utilities nvme-tools_DESC= NVME Utilities -openssl_COMMENT= OpenSSL Library and Utility -openssl_DESC= OpenSSL Library and Utility +openssl_COMMENT= OpenSSL Utility +openssl_DESC= OpenSSL Utility +openssl-lib_COMMENT= OpenSSL Libraries +openssl-lib_DESC= OpenSSL Libraries pkg-bootstrap_COMMENT= pkg bootstrap Utility pkg-bootstrap_DESC=pkg bootstrap Utility periodic_COMMENT= Periodic Utility diff --git a/release/packages/caroot.ucl b/release/packages/certctl.ucl similarity index 100% rename from release/packages/caroot.ucl rename to release/packages/certctl.ucl diff --git a/release/packages/generate-ucl.sh b/release/packages/generate-ucl.sh index 2b1f71e95c11..0c90a9ec4553 100755 --- a/release/packages/generate-ucl.sh +++ b/release/packages/generate-ucl.sh @@ -42,8 +42,8 @@ main() { # clibs should not have any dependencies or anything # else imposed on it. ;; - caroot) - pkgdeps="openssl" + certctl) + pkgdeps="caroot openssl" ;; # -dev packages that have no corresponding non-dev package @@ -139,14 +139,16 @@ main() { cp "${uclsource}" "${uclfile}" if [ ! -z "${pkgdeps}" ]; then - cat <> ${uclfile} -deps: { - FreeBSD-${pkgdeps}: { + echo 'deps: {' >> ${uclfile} + for dep in ${pkgdeps}; do + cat <> ${uclfile} + FreeBSD-${dep}: { origin: "base", version: "${PKG_VERSION}" } -} EOF + done + echo '}' >> ${uclfile} fi cap_arg="$( make -f ${srctree}/share/mk/bsd.endian.mk -VCAP_MKDB_ENDIAN )" sed -i '' -e "s/%VERSION%/${PKG_VERSION}/" \ diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile index 89f330ca2800..6b2a1f3bd157 100644 --- a/secure/lib/libcrypto/Makefile +++ b/secure/lib/libcrypto/Makefile @@ -6,7 +6,7 @@ SUBDIR= engines modules .include .include -PACKAGE= openssl +PACKAGE= openssl-lib LIB= crypto SHLIB_MAJOR= 30 VERSION_MAP= ${.CURDIR}/Version.map 
diff --git a/secure/lib/libssl/Makefile b/secure/lib/libssl/Makefile index 4cf17b8d5c51..dc308bcfb146 100644 --- a/secure/lib/libssl/Makefile +++ b/secure/lib/libssl/Makefile @@ -5,7 +5,7 @@ LIB= ssl SHLIB_MAJOR= 30 VERSION_MAP= ${.CURDIR}/Version.map -PACKAGE= openssl +PACKAGE= openssl-lib NO_LINT= diff --git a/usr.sbin/certctl/Makefile b/usr.sbin/certctl/Makefile index df5acb606143..d583bf3055bd 100644 --- a/usr.sbin/certctl/Makefile +++ b/usr.sbin/certctl/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= caroot +PACKAGE= certctl SCRIPTS=certctl.sh MAN= certctl.8
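Review bot: none of the hunks gives the slimmed-down openssl utility package a dependency on the new openssl-lib package; generate-ucl.sh only gains the `certctl) pkgdeps="caroot openssl"` case. With libcrypto and libssl moved out by the two `PACKAGE= openssl-lib` hunks, a bare `pkg install FreeBSD-openssl` installs openssl(1) without the libraries it is linked against unless something outside this diff records that dependency; an `openssl) pkgdeps="openssl-lib"` case next to the certctl one would close that gap.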
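Review bot: release/packages/caroot.ucl becomes certctl.ucl as a pure rename (similarity 100%), so whatever it contains was written for the caroot package and should be re-read with certctl in mind (name, comment and description fields, and any post-install script that rehashes the trust store). Conversely, FreeBSD-caroot now falls through to the generic template with no package-specific ucl and, after the removal of the `caroot)` case, no dependencies; that is the right outcome only if installing the certificate bundle on its own is meant to do nothing further.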
git: 54cfeb848468 - main - pkgbase: move libcom_err from kerberos to kerberos-lib
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=54cfeb848468b8086fd046bdb94a0ed30f6dec15 commit 54cfeb848468b8086fd046bdb94a0ed30f6dec15 Author: Doug Rabson AuthorDate: 2023-08-09 07:42:16 + Commit: Doug Rabson CommitDate: 2023-08-11 13:34:23 + pkgbase: move libcom_err from kerberos to kerberos-lib This makes it possible to install kerberos-lib (which is used by common utilities such as curl) without pulling in the rest of kerberos. MFC after: 1 week --- lib/libcom_err/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/libcom_err/Makefile b/lib/libcom_err/Makefile index 4bb69614453e..fcc060a615fb 100644 --- a/lib/libcom_err/Makefile +++ b/lib/libcom_err/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -PACKAGE= kerberos +PACKAGE= kerberos-lib LIB= com_err SRCS= com_err.c error.c
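Review bot: changing `PACKAGE= kerberos` to `kerberos-lib` moves the installed libcom_err files between two existing packages, and pkg's solver does not reliably handle such moves on upgrade (the UPDATING entry for 78847e1 later on this page documents manual steps for exactly this). An UPDATING note telling pkgbase users how to upgrade FreeBSD-kerberos and FreeBSD-kerberos-lib across this change would be worth adding.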
git: 182e8ae26d7c - main - netstat(1): teach netstat to attach to jails
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=182e8ae26d7cad119bcfce7cc788c1f5cb06e226 commit 182e8ae26d7cad119bcfce7cc788c1f5cb06e226 Author: Doug Rabson AuthorDate: 2023-08-14 08:01:28 + Commit: Doug Rabson CommitDate: 2023-08-16 13:05:13 + netstat(1): teach netstat to attach to jails Add -j flag to netstat(1) to allow access to network information from a jail. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D41446 --- usr.bin/netstat/Makefile | 5 +++ usr.bin/netstat/main.c| 57 ++ usr.bin/netstat/netstat.1 | 79 +++ 3 files changed, 128 insertions(+), 13 deletions(-) diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile index 92f8aa9c30fa..e578cea03183 100644 --- a/usr.bin/netstat/Makefile +++ b/usr.bin/netstat/Makefile @@ -69,4 +69,9 @@ SRCS+=route_netlink.c CFLAGS+=-DWITHOUT_NETLINK .endif +.if ${MK_JAIL} != "no" && !defined(RESCUE) +CFLAGS+= -DJAIL +LIBADD+= jail +.endif + .include diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c index 61b4536a5788..e8a808bb4f56 100644 --- a/usr.bin/netstat/main.c +++ b/usr.bin/netstat/main.c @@ -46,6 +46,9 @@ __FBSDID("$FreeBSD$"); #include #include +#ifdef JAIL +#include +#endif #include #include #include @@ -60,6 +63,9 @@ __FBSDID("$FreeBSD$"); #include #include #include +#ifdef JAIL +#include +#endif #include #include #include @@ -233,6 +239,9 @@ int interval; /* repeat interval for i/f stats */ char *interface; /* desired i/f for stats, or NULL for all i/fs */ intunit; /* unit number for above */ +#ifdef JAIL +char *jail_name; /* desired jail to operate in */ +#endif static int af; /* address family */ intlive; /* true if we are examining a live system */ @@ -245,6 +254,9 @@ main(int argc, char *argv[]) int fib = -1; char *endptr; bool first = true; +#ifdef JAIL + int jid; +#endif af = AF_UNSPEC; 
@@ -252,7 +264,7 @@ main(int argc, char *argv[]) if (argc < 0) exit(EXIT_FAILURE); - while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:iLlM:mN:nOoPp:Qq:RrSTsuWw:xz")) + while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:ij:LlM:mN:nOoPp:Qq:RrSTsuWw:xz")) != -1) switch(ch) { case '4': @@ -340,6 +352,15 @@ main(int argc, char *argv[]) case 'i': iflag = 1; break; + case 'j': +#ifdef JAIL + if (optarg == NULL) + usage(); + jail_name = optarg; +#else + errx(1, "Jail support is not compiled in"); +#endif + break; case 'L': Lflag = 1; break; @@ -436,6 +457,16 @@ main(int argc, char *argv[]) } #endif +#ifdef JAIL + if (jail_name != NULL) { + jid = jail_getid(jail_name); + if (jid == -1) + errx(1, "Jail not found"); + if (jail_attach(jid) != 0) + errx(1, "Cannot attach to jail"); + } +#endif + /* * Discard setgid privileges if not the running kernel so that bad * guys can't print interesting stuff from kernel memory. @@ -890,24 +921,24 @@ static void usage(void) { (void)xo_error("%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n", -"usage: netstat [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n" +"usage: netstat [-j jail] [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n" " [-M core] [-N system]", -" netstat -i | -I interface [-46abdhnW] [-f address_family]\n" +" netstat [-j jail] -i | -I interface [-46abdhnW] [-f address_family]\n" " [-M core] [-N system]", -" netstat -w wait [-I interface] [-46d] [-M core] [-N system]\n" +" netstat [-j jail] -w wait [-I interface] [-46d] [-M core] [-N system]\n" " [-q howmany]", -" netstat -s [-46sz] [-f protocol_family | -p protocol]\n" +" netstat [-j jail] -s [-46sz] [-f protocol_family | -p protocol]\n" " [-M core] [-N system]", -" netstat -i | -I interface -s [-46s]\n" +" netstat [-j jail] -i | -I interface -s [-46s]\n" " [-f protocol_family | -p protocol] [-M core] [-N system]", -" netstat -m [-M core] [-N system]", -" net
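Review bot: in the `jail_name != NULL` block both failures are reported with errx(3) and lose the actual reason: jail_getid(3) sets jail_errmsg when it returns -1, and jail_attach(2) sets errno (EPERM for a non-root caller, since attaching to a jail is a privileged operation). Suggest `errx(1, "%s", jail_errmsg)` after jail_getid and `err(1, "cannot attach to jail %s", jail_name)` after jail_attach so a user can tell "no such jail" from "not root". The `if (optarg == NULL) usage();` under `case 'j'` is dead code, since `j:` in the getopt string guarantees optarg is set.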
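Review bot: jail_attach() runs before the "Discard setgid privileges if not the running kernel" block and moves the process root into the jail, so any -M core or -N system path given on the command line is resolved inside the jail's filesystem from this point on, and -j is effectively root-only because netstat's usual setgid-kmem grant does not cover jail_attach. Both consequences belong in the netstat.1 text for -j (the manpage hunk is not shown here), and it may be cleaner to reject -j combined with -M/-N than to silently re-root those paths.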
git: 3af3571ca5b8 - main - netstat(1): fix manpage date
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=3af3571ca5b82a56ae88654ec5cb35acfbe5d12c commit 3af3571ca5b82a56ae88654ec5cb35acfbe5d12c Author: Doug Rabson AuthorDate: 2023-08-16 14:13:31 + Commit: Doug Rabson CommitDate: 2023-08-16 14:13:42 + netstat(1): fix manpage date MFC after: 1 week --- usr.bin/netstat/netstat.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.bin/netstat/netstat.1 b/usr.bin/netstat/netstat.1 index df95651499c7..9a97d85bcbad 100644 --- a/usr.bin/netstat/netstat.1 +++ b/usr.bin/netstat/netstat.1 @@ -28,7 +28,7 @@ .\"@(#)netstat.1 8.8 (Berkeley) 4/18/94 .\" $FreeBSD$ .\" -.Dd June 26, 2023 +.Dd August 14, 2023 .Dt NETSTAT 1 .Os .Sh NAME
git: b5c4616582ce - main - Fix MNT_IGNORE for devfs, fdescfs and nullfs
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=b5c4616582cebdcf4dee909a3c2f5b113c4ae59e commit b5c4616582cebdcf4dee909a3c2f5b113c4ae59e Author: Doug Rabson AuthorDate: 2023-08-26 09:32:32 + Commit: Doug Rabson CommitDate: 2023-08-26 11:08:37 + Fix MNT_IGNORE for devfs, fdescfs and nullfs The MNT_IGNORE flag can be used to mark certain filesystem mounts so that utilities such as df(1) and mount(8) can filter out those mounts by default. This can be used, for instance, to reduce the noise from running container workloads inside jails which often have at least three and sometimes as many as ten mounts per container. The flag is supplied by the nmount(2) system call and is recorded so that it can be reported by statfs(2). Unfortunately several filesystems override the default behaviour and mask out the flag, defeating its purpose. This change preserves the MNT_IGNORE flag for those filesystems so that it can be reported correctly. MFC after: 1 week --- sys/fs/devfs/devfs_vfsops.c | 2 +- sys/fs/fdescfs/fdesc_vfsops.c | 2 +- sys/fs/nullfs/null_vfsops.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/fs/devfs/devfs_vfsops.c b/sys/fs/devfs/devfs_vfsops.c index a81a63ebf27a..dbc29fbe4d78 100644 --- a/sys/fs/devfs/devfs_vfsops.c +++ b/sys/fs/devfs/devfs_vfsops.c @@ -224,7 +224,7 @@ static int devfs_statfs(struct mount *mp, struct statfs *sbp) { - sbp->f_flags = 0; + sbp->f_flags = mp->mnt_flag & MNT_IGNORE; sbp->f_bsize = DEV_BSIZE; sbp->f_iosize = DEV_BSIZE; sbp->f_blocks = 2; /* 1K to keep df happy */ diff --git a/sys/fs/fdescfs/fdesc_vfsops.c b/sys/fs/fdescfs/fdesc_vfsops.c index 309134798374..30924580dece 100644 --- a/sys/fs/fdescfs/fdesc_vfsops.c +++ b/sys/fs/fdescfs/fdesc_vfsops.c 
@@ -219,7 +219,7 @@ fdesc_statfs(struct mount *mp, struct statfs *sbp) freefd += (lim - fdp->fd_nfiles); FILEDESC_SUNLOCK(fdp); - sbp->f_flags = 0; + sbp->f_flags = mp->mnt_flag & MNT_IGNORE; sbp->f_bsize = DEV_BSIZE; sbp->f_iosize = DEV_BSIZE; sbp->f_blocks = 2; /* 1K to keep df happy */ diff --git a/sys/fs/nullfs/null_vfsops.c b/sys/fs/nullfs/null_vfsops.c index 6acff89189f5..4b2954d5bea1 100644 --- a/sys/fs/nullfs/null_vfsops.c +++ b/sys/fs/nullfs/null_vfsops.c @@ -360,7 +360,7 @@ nullfs_statfs(struct mount *mp, struct statfs *sbp) /* now copy across the "interesting" information and fake the rest */ sbp->f_type = mstat->f_type; sbp->f_flags = (sbp->f_flags & (MNT_RDONLY | MNT_NOEXEC | MNT_NOSUID | - MNT_UNION | MNT_NOSYMFOLLOW | MNT_AUTOMOUNTED)) | + MNT_UNION | MNT_NOSYMFOLLOW | MNT_AUTOMOUNTED | MNT_IGNORE)) | (mstat->f_flags & ~(MNT_ROOTFS | MNT_AUTOMOUNTED)); sbp->f_bsize = mstat->f_bsize; sbp->f_iosize = mstat->f_iosize;
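Review bot: the devfs and fdescfs hunks keep only MNT_IGNORE and still zero every other visible mount flag in f_flags, so a devfs mounted nosuid or noexec (common inside jails) continues to be reported by mount(8) and statfs(2) without those flags. The nullfs hunk reads `sbp->f_flags & (...)`, which shows the generic layer has already filled f_flags before the per-filesystem statfs runs; if the intent is to stop these filesystems masking the generic flags, `sbp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;` (or not assigning f_flags at all in devfs_statfs and fdesc_statfs) would report the mount options an administrator actually set. The explicit list in the nullfs hunk is fine as it stands.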
git: 78847e1e5927 - main - pkgbase: Move headers and libs out of runtime and utilities
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=78847e1e592789dc85bddf4d2f1d9a8ce4614ff1 commit 78847e1e592789dc85bddf4d2f1d9a8ce4614ff1 Author: Doug Rabson AuthorDate: 2023-09-11 08:38:46 + Commit: Doug Rabson CommitDate: 2023-09-12 12:22:21 + pkgbase: Move headers and libs out of runtime and utilities Headers from src/include were in the runtime-dev package but subdirectories of src/include ended up in utilities-dev by default. Neither package is a good choice - the headers in src/include are not useful without the libraries contained in clibs-dev. This moves the standard C headers to clibs-dev (C++ headers are already in this package). While working on this, I found that various clang libraries and headers were also bundled into utilities-dev by default so these are also moved to clang-dev. I also added a FreeBSD-build-essential meta package to make it simple to install all the toolchain parts. PR: 254173 Reviewed by: manu MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D41815 --- include/Makefile | 2 +- include/Makefile.inc | 2 ++ lib/clang/Makefile.inc | 1 + lib/csu/Makefile.inc | 1 + lib/libclang_rt/Makefile.inc | 1 + release/packages/generate-ucl.sh | 3 +++ 6 files changed, 9 insertions(+), 1 deletion(-) diff --git a/include/Makefile b/include/Makefile index bc1cfd96dfc9..736a47854534 100644 --- a/include/Makefile +++ b/include/Makefile @@ -4,7 +4,7 @@ .include -PACKAGE=runtime +PACKAGE=clibs CLEANFILES= osreldate.h version SUBDIR= arpa protocols rpcsvc rpc xlocale .if ${MACHINE_CPUARCH} == "amd64" diff --git a/include/Makefile.inc b/include/Makefile.inc new file mode 100644 index ..14d7bf96e6bc --- /dev/null +++ b/include/Makefile.inc @@ -0,0 +1,2 @@ +# Make sure all our subdirectory headers end up in clibs-dev +PACKAGE=clibs diff --git a/lib/clang/Makefile.inc b/lib/clang/Makefile.inc index 0a2ae8f6b802..2dfc966726b0 100644 --- a/lib/clang/Makefile.inc +++ b/lib/clang/Makefile.inc 
@@ -1,6 +1,7 @@ .include +PACKAGE= clang MK_PIE:= no # Explicit libXXX.a references .if ${COMPILER_TYPE} == "clang" diff --git a/lib/csu/Makefile.inc b/lib/csu/Makefile.inc index faf01b293b92..55aaf589f48f 100644 --- a/lib/csu/Makefile.inc +++ b/lib/csu/Makefile.inc @@ -1,3 +1,4 @@ +PACKAGE= clibs-dev NO_WMISSING_VARIABLE_DECLARATIONS= # Can't instrument these files since that breaks non-sanitized programs. diff --git a/lib/libclang_rt/Makefile.inc b/lib/libclang_rt/Makefile.inc index 4832815643ae..263d1e340f3d 100644 --- a/lib/libclang_rt/Makefile.inc +++ b/lib/libclang_rt/Makefile.inc @@ -1,6 +1,7 @@ .include +PACKAGE= clang CRTSRC=${SRCTOP}/contrib/llvm-project/compiler-rt .include "compiler-rt-vars.mk" diff --git a/release/packages/generate-ucl.sh b/release/packages/generate-ucl.sh index de3fec3f0ca7..fa13e8e334d2 100755 --- a/release/packages/generate-ucl.sh +++ b/release/packages/generate-ucl.sh @@ -44,6 +44,9 @@ main() { certctl) pkgdeps="caroot openssl" ;; + clang) + pkgdeps="lld clang-dev libcompiler_rt-dev" + ;; # -dev packages that have no corresponding non-dev package # as a dependency.
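Review bot: the commit message says a FreeBSD-build-essential meta package is added, but none of the six files in the diffstat creates one; the only generate-ucl.sh hunk is the `clang) pkgdeps="lld clang-dev libcompiler_rt-dev"` case. Either the meta package lives in a separate commit (then the sentence should go) or its definition is missing from this diff. Separately, lib/csu/Makefile.inc sets `PACKAGE= clibs-dev` literally while every other hunk sets the base name (`clibs`, `clang`) and relies on the -dev tagging of headers and static objects; worth confirming that the crt*.o files end up in FreeBSD-clibs-dev rather than in a package named clibs-dev-dev.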
git: 4e899378bf5d - main - pkgbase: put library links and symlinks in the -dev package
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=4e899378bf5d89c20430d32982d2635657f34c04 commit 4e899378bf5d89c20430d32982d2635657f34c04 Author: Doug Rabson AuthorDate: 2023-09-13 10:18:09 + Commit: Doug Rabson CommitDate: 2023-09-14 09:19:42 + pkgbase: put library links and symlinks in the -dev package Some libraries (e.g. ncurses) install links to the main library for backwards compatibilty. This change ensures that those links are in the dev package since the files being linked to are in that package. PR: 249143 MFC after: 1 week Reviewed by:emaste, manu Differential Revision: https://reviews.freebsd.org/D41841 --- share/mk/bsd.lib.mk | 1 + share/mk/bsd.links.mk | 8 2 files changed, 9 insertions(+) diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk index 90d89eeebc5d..49304463d859 100644 --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -561,6 +561,7 @@ LINKGRP?= ${LIBGRP} LINKMODE?= ${LIBMODE} SYMLINKOWN?= ${LIBOWN} SYMLINKGRP?= ${LIBGRP} +LINKTAGS= dev .include .if ${MK_MAN} != "no" && !defined(LIBRARIES_ONLY) diff --git a/share/mk/bsd.links.mk b/share/mk/bsd.links.mk index 990c4cb65a29..6070979612bf 100644 --- a/share/mk/bsd.links.mk +++ b/share/mk/bsd.links.mk @@ -14,8 +14,16 @@ afterinstall: _installlinks .ORDER: realinstall _installlinks _installlinks: .for s t in ${LINKS} +.if defined(LINKTAGS) + ${INSTALL_LINK} ${TAG_ARGS:D${TAG_ARGS},${LINKTAGS}} ${DESTDIR}${s} ${DESTDIR}${t} +.else ${INSTALL_LINK} ${TAG_ARGS} ${DESTDIR}${s} ${DESTDIR}${t} +.endif .endfor .for s t in ${SYMLINKS} +.if defined(LINKTAGS) + ${INSTALL_SYMLINK} ${TAG_ARGS:D${TAG_ARGS},${LINKTAGS}} ${s} ${DESTDIR}${t} +.else ${INSTALL_SYMLINK} ${TAG_ARGS} ${s} ${DESTDIR}${t} +.endif .endfor
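Review bot: `LINKTAGS= dev` in bsd.lib.mk uses `=` where the surrounding LINKOWN/LINKGRP/LINKMODE/SYMLINKOWN defaults use `?=`, so no library Makefile can override it. That matters because the bsd.links.mk hunks apply the tag to every LINKS and SYMLINKS entry a library declares, not only the unversioned libfoo.so and libfoo.a development links: if any library declares a versioned compatibility link (lib*.so.N) that installed binaries resolve at load time, it now moves into the -dev package and a runtime-only pkgbase install loses it. Suggest `LINKTAGS?= dev` plus an audit of the LINKS/SYMLINKS lists in the affected libraries (ncurses is the one named in the message).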
git: 74da9c39c346 - main - pkgbase: Split out manpages by default
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=74da9c39c3460213750477204979989b5c39cbcd commit 74da9c39c3460213750477204979989b5c39cbcd Author: Doug Rabson AuthorDate: 2023-09-14 14:38:07 + Commit: Doug Rabson CommitDate: 2023-09-14 15:50:40 + pkgbase: Split out manpages by default This helps with building small container images using pkgbase. Reviewed by:manu bapt MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D41861 --- UPDATING | 4 share/man/man5/src.conf.5 | 4 ++-- share/mk/bsd.opts.mk | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/UPDATING b/UPDATING index 59788ab2c15d..b1276bfe83f6 100644 --- a/UPDATING +++ b/UPDATING @@ -27,6 +27,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 15.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20230914: + Enable splitting out pkgbase manpages into separate packages by + default. To disable this, set WITHOUT_MANSPLITPKG=yes in src.conf. + 20230909: Enable vnet sysctl variables to be loader tunable. SYSCTLs which belongs to VNETs can be initialized during early boot or module diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 index a5e7c501825a..64f725c7b2fa 100644 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -1152,8 +1152,8 @@ is set explicitly) .It Va WITHOUT_MANCOMPRESS Do not install compressed man pages. Only the uncompressed versions will be installed. -.It Va WITH_MANSPLITPKG -Split man pages into their own packages during make package. +.It Va WITHOUT_MANSPLITPKG +Do not split man pages into their own packages during make package. .It Va WITHOUT_MAN_UTILS Do not build utilities for manual pages, .Xr apropos 1 , diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk index 93b0e7184b6d..51260533e265 100644 --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk 
@@ -60,6 +60,7 @@ __DEFAULT_YES_OPTIONS = \ MAKE_CHECK_USE_SANDBOX \ MAN \ MANCOMPRESS \ +MANSPLITPKG \ NIS \ NLS \ OPENSSH \ @@ -76,7 +77,6 @@ __DEFAULT_NO_OPTIONS = \ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \ -MANSPLITPKG \ PROFILE \ RETPOLINE \ STALE_STAGED \
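Review bot: share/man/man5/src.conf.5 is generated by tools/build/options/makeman from the per-option description files in tools/build/options, so the hand edit that renames WITH_MANSPLITPKG to WITHOUT_MANSPLITPKG in the manpage will be undone on the next regeneration unless tools/build/options/WITH_MANSPLITPKG is renamed to WITHOUT_MANSPLITPKG in the same change; no such file appears in the diffstat.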
git: 4ff9d270893a - main - pkgbase: Add instructions for upgrading past 78847e1
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=4ff9d270893af757b4348398c887e630d71edf6e commit 4ff9d270893af757b4348398c887e630d71edf6e Author: Doug Rabson AuthorDate: 2023-09-17 10:06:01 + Commit: Doug Rabson CommitDate: 2023-09-17 12:21:06 + pkgbase: Add instructions for upgrading past 78847e1 The pkg solver gets confused by the file moves and refuses to upgrade without manually upgrading FreeBSD-utilities and FreeBSD-utilities-dev first. PR: 254173, 273859 MFC after: 1 week Reviewed by:Mina Galić Differential Revision: https://reviews.freebsd.org/D41892 --- UPDATING | 10 ++ 1 file changed, 10 insertions(+) diff --git a/UPDATING b/UPDATING index b1276bfe83f6..e2f50b13b154 100644 --- a/UPDATING +++ b/UPDATING @@ -31,6 +31,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 15.x IS SLOW: Enable splitting out pkgbase manpages into separate packages by default. To disable this, set WITHOUT_MANSPLITPKG=yes in src.conf. +20230911: + Move standard include files to the clibs-dev package and move clang + internal libraries and headers to clang and clang-dev. Upgrading systems + installed using pkgbase past this change involves extra steps to allow + for these file moves: + + pkg upgrade -y FreeBSD-utilities + pkg upgrade -y FreeBSD-utilities-dev + pkg upgrade -y + 20230909: Enable vnet sysctl variables to be loader tunable. SYSCTLs which belongs to VNETs can be initialized during early boot or module
git: a3d5dec42007 - main - release(7): fix the spelling of git.FreeBSD.org
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=a3d5dec42007a74bfc38a0210a80a3f77efb8cb7 commit a3d5dec42007a74bfc38a0210a80a3f77efb8cb7 Author: Doug Rabson AuthorDate: 2024-09-26 15:20:42 + Commit: Doug Rabson CommitDate: 2024-09-26 15:20:42 + release(7): fix the spelling of git.FreeBSD.org --- share/man/man7/release.7 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/share/man/man7/release.7 b/share/man/man7/release.7 index 0a56f0762591..c81f540d9463 100644 --- a/share/man/man7/release.7 +++ b/share/man/man7/release.7 @@ -150,7 +150,7 @@ The .Xr git 1 host used to check out the various trees. Defaults to -.Pa https://git.FreeeBSD.org . +.Pa https://git.FreeBSD.org . .It Va SRCBRANCH The .Li src/
git: d03c82c28da8 - main - release: add optional OCI images
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=d03c82c28da86e0812b98b051d24ae5980804ad7 commit d03c82c28da86e0812b98b051d24ae5980804ad7 Author: Doug Rabson AuthorDate: 2024-08-14 15:39:24 + Commit: Doug Rabson CommitDate: 2024-11-08 13:23:08 + release: add optional OCI images This adds three OCI archive format files to the release containing FreeBSD base images suitable for static linked, dynamic linked and shell workloads. The shell image also contains pkg-bootstrap and can be easily extended by installing packages (including pkgbase packages). Reviewed by: dch, cperciva, jlduran, zlei Differential Revision: https://reviews.freebsd.org/D46759 MFC after: 2 days --- release/Makefile | 11 --- release/Makefile.oci | 34 +++ release/release.conf.sample | 4 +++ release/release.sh | 47 ++- release/scripts/make-oci-image.sh| 63 release/tools/oci-image-dynamic.conf | 11 +++ release/tools/oci-image-minimal.conf | 19 +++ release/tools/oci-image-static.conf | 42 share/examples/Makefile | 6 share/examples/oci/Containerfile.pkg | 27 share/examples/oci/README| 7 share/man/man7/release.7 | 14 +++- 12 files changed, 279 insertions(+), 6 deletions(-) diff --git a/release/Makefile b/release/Makefile index be628d20ba8d..85da63b0c49a 100644 --- a/release/Makefile +++ b/release/Makefile 
@@ -7,14 +7,16 @@ # memstick: Builds memory stick image (memstick.img) # mini-memstick: Builds minimal memory stick image (mini-memstick.img) # ftp: Sets up FTP distribution area (ftp) -# release: Invokes real-release, vm-release, and cloudware-release targets +# release: Invokes real-release, vm-release, cloudware-release and oci-release targets # real-release: Build all media and FTP distribution area # vm-release: Build all virtual machine image targets # cloudware-release: Build all cloud hosting provider targets -# install: Invokes the release-install and vm-install targets +# oci-release: Build all OCI container images +# install: Invokes the release-install, vm-install and oci-install targets # release-install: Copies all release installation media into ${DESTDIR} # vm-install: Copies all virtual machine images into ${DESTDIR} # cloud-install: Copies non-uploaded cloud images into ${DESTDIR} +# oci-install: Copies all OCI container images into ${DESTDIR} # # Variables affecting the build process: # WORLDDIR: location of src tree -- must have built world and default kernel @@ -316,7 +318,7 @@ ftp: packagesystem mkdir -p ftp cp *.txz MANIFEST ftp -release: real-release vm-release cloudware-release +release: real-release vm-release cloudware-release oci-release ${MAKE} -C ${.CURDIR} ${.MAKEFLAGS} release-done true @@ -327,7 +329,7 @@ real-release: ${MAKE} -C ${.CURDIR} ${.MAKEFLAGS} obj ${MAKE} -C ${.CURDIR} ${.MAKEFLAGS} ${RELEASE_TARGETS} -install: release-install vm-install .WAIT cloud-install +install: release-install vm-install oci-install .WAIT cloud-install release-install: .if defined(DESTDIR) && !empty(DESTDIR) @@ -347,3 +349,4 @@ release-install: .include "${.CURDIR}/Makefile.inc1" .include "${.CURDIR}/Makefile.vm" +.include "${.CURDIR}/Makefile.oci" diff --git a/release/Makefile.oci b/release/Makefile.oci new file mode 100644 index ..461c95f49636 --- /dev/null +++ b/release/Makefile.oci 
@@ -0,0 +1,34 @@ +# +# +# +# Makefile for building OCI container images. +# + +.if defined(WITH_OCIIMAGES) && !empty(WITH_OCIIMAGES) +OCI_IMAGES= static dynamic minimal +.endif + +oci-install: +.if defined(WITH_OCIIMAGES) && !empty(WITH_OCIIMAGES) + mkdir -p ${DESTDIR}/ociimages +. for _IMG in ${OCI_IMAGES} + cp -p ${.OBJDIR}/container-image-${_IMG}.txz ${DESTDIR}/ociimages +. endfor +.endif + +OCI_TARGETS= +OCI_DEPS_static= +OCI_DEPS_dynamic= container-image-static.txz +OCI_DEPS_minimal= container-image-dynamic.txz + +.for _IMG in ${OCI_IMAGES} +OCI_TARGETS+= container-image-${_IMG}.txz +container-image-${_IMG}.txz: ${OCI_DEPS_${_IMG}} + sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG} + skopeo copy \ + containers-storage:localhost/freebsd${REVISION:R}-${_IMG}:latest \ + oci-archive:${.OBJDIR}/container-image-${_IMG}.tar:freebsd${REVISION:R}-${_IMG}:${REVISION}-${BRANCH}-${TARGET_ARCH} + ${XZ_CMD} < ${.OBJDIR}/container-image-${_IMG}.tar > ${.OBJDIR}/container-image-${_IMG}.txz +.endfor + +oci-release: ${OCI_TARGETS} diff --git a/release/release.conf.sample b/release/release.conf.
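Review bot: in Makefile.oci each image is committed to the build host's shared containers-storage under the fixed name `localhost/freebsd${REVISION:R}-${_IMG}:latest` before skopeo copies it out, and nothing in that name carries ${BRANCH} or ${TARGET_ARCH}, so two release builds on one host (amd64 and aarch64, or stable and current of the same major) overwrite each other's `latest` and can export the wrong image. The intermediate container-image-${_IMG}.tar is also left beside the .txz and never cleaned. Keying the storage name on the same REVISION-BRANCH-TARGET_ARCH triple used for the exported tag and adding the .tar to CLEANFILES would fix both. Two smaller points: the OCI_DEPS_dynamic/OCI_DEPS_minimal dependencies on the previous .txz only give build ordering, since the base image is taken from containers-storage rather than from that file, and oci-install just copies the archives into ${DESTDIR}/ociimages, so check that the release checksum files generated elsewhere in release/ cover ociimages/ before these are published for tooling to pull.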
git: ca1f1d2c9419 - main - release: Add missing dependencies in the minimal OCI image
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=ca1f1d2c9419a5d66929ca6880b69901254645a6 commit ca1f1d2c9419a5d66929ca6880b69901254645a6 Author: Doug Rabson AuthorDate: 2024-11-18 10:05:29 + Commit: Doug Rabson CommitDate: 2024-11-19 10:39:14 + release: Add missing dependencies in the minimal OCI image The pkg-bootstrap binary depends on fetch. Reviewed by:cperciva, emaste, bapt Differential Revision: https://reviews.freebsd.org/D47661 MFC after: 1 day --- release/tools/oci-image-minimal.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/release/tools/oci-image-minimal.conf b/release/tools/oci-image-minimal.conf index 122da1905436..82e2ce6a1bd3 100644 --- a/release/tools/oci-image-minimal.conf +++ b/release/tools/oci-image-minimal.conf @@ -12,7 +12,10 @@ oci_image_build() { FreeBSD-runtime \ FreeBSD-certctl \ FreeBSD-kerberos-lib \ +FreeBSD-libarchive \ FreeBSD-libexecinfo \ +FreeBSD-libucl \ +FreeBSD-fetch \ FreeBSD-rc \ FreeBSD-pkg-bootstrap \ FreeBSD-mtree
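Review bot: the added FreeBSD-libarchive, FreeBSD-libucl and FreeBSD-fetch lines are pkg-bootstrap's shared-library dependencies written into the image recipe by hand; if FreeBSD-pkg-bootstrap's own package metadata declared them (the way the generate-ucl.sh pkgdeps cases do for certctl and clang), pkg would pull them in automatically and the minimal image would not silently break the next time pkg-bootstrap gains a library. Since pkg-bootstrap fetches over HTTPS, FreeBSD-certctl in this list also needs FreeBSD-caroot to arrive through its dependency for TLS verification to work, which is worth verifying in the built image.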
git: e2fc29e53986 - main - release: fix architecture for OCI images
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=e2fc29e53986c69ac91d40e7f1ef8fbca317771e commit e2fc29e53986c69ac91d40e7f1ef8fbca317771e Author: Doug Rabson AuthorDate: 2024-12-04 13:23:58 + Commit: Doug Rabson CommitDate: 2024-12-13 16:47:05 + release: fix architecture for OCI images PR: 283260 MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D48051 --- release/scripts/make-oci-image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/scripts/make-oci-image.sh b/release/scripts/make-oci-image.sh index a139a38d1930..6180ed9d53b4 100644 --- a/release/scripts/make-oci-image.sh +++ b/release/scripts/make-oci-image.sh @@ -56,7 +56,7 @@ else base_image=scratch fi -c=$(buildah from ${base_image}) +c=$(buildah from --arch ${arch} ${base_image}) m=$(buildah mount $c) oci_image_build buildah unmount $c
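Review bot: `buildah from --arch ${arch}` is only correct if ${arch} is already an OCI/GOARCH architecture name; FreeBSD TARGET_ARCH values differ for some targets (aarch64 versus the OCI name arm64, powerpc64le versus ppc64le) and the hunk does not show where arch comes from. If Makefile.oci passes ${TARGET_ARCH} straight through, a translation step is needed or the manifest will carry an architecture that container runtimes do not match against the host.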
git: e8a5b9fd73f4 - main - release: build OCI images with shell scripts
The branch main has been updated by dfr: URL: https://cgit.FreeBSD.org/src/commit/?id=e8a5b9fd73f4f437a03c85e7644daa55652e224b commit e8a5b9fd73f4f437a03c85e7644daa55652e224b Author: Doug Rabson AuthorDate: 2024-12-12 16:42:00 + Commit: Doug Rabson CommitDate: 2025-03-02 15:17:13 + release: build OCI images with shell scripts This avoids the need for buildah and skopeo for building releases. Reviewed by:cperciva MFC after: 1 day Differential Revision: https://reviews.freebsd.org/D48574 --- release/Makefile.oci | 6 +- release/release.sh | 38 - release/scripts/make-oci-image.sh| 105 +++ release/tools/oci-image-dynamic.conf | 2 +- release/tools/oci-image-minimal.conf | 3 +- release/tools/oci-image-static.conf | 3 +- 6 files changed, 99 insertions(+), 58 deletions(-) diff --git a/release/Makefile.oci b/release/Makefile.oci index da35156c5a95..e4b5df580055 100644 --- a/release/Makefile.oci +++ b/release/Makefile.oci @@ -26,11 +26,7 @@ OCI_TARGETS+= container-image-${_IMG}.txz container-image-${_IMG}.txz: ${OCI_DEPS_${_IMG}} # Adjust PATH so that we run pwd_mkdb from the bootstrap tools env PATH=${OBJTOP}/tmp/legacy/bin:${PATH:Q} \ - sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG} - skopeo copy \ - containers-storage:localhost/freebsd${REVISION:R}-${_IMG}:latest \ - oci-archive:${.OBJDIR}/container-image-${_IMG}.tar:freebsd${REVISION:R}-${_IMG}:${REVISION}-${BRANCH}-${TARGET_ARCH} + sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG} container-image-${_IMG}.txz .endfor oci-release: ${OCI_TARGETS} diff --git a/release/release.sh b/release/release.sh index d6752e016994..5a6de297f7a1 100755 --- a/release/release.sh +++ b/release/release.sh 
@@ -292,44 +292,6 @@ extra_chroot_setup() { fi fi - if [ ! -z "${WITH_OCIIMAGES}" ]; then - # Install buildah and skopeo from ports if the ports tree is available; - # otherwise install the pkg. - if [ -d ${CHROOTDIR}/usr/ports ]; then - # Trick the ports 'run-autotools-fixup' target to do the right - # thing. - _OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U) - REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION) - BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH) - UNAME_r=${REVISION}-${BRANCH} - GITUNSETOPTS="CONTRIB CURL CVS GITWEB GUI HTMLDOCS" - GITUNSETOPTS="${GITUNSETOPTS} ICONV NLS P4 PERL" - GITUNSETOPTS="${GITUNSETOPTS} SEND_EMAIL SUBTREE SVN" - GITUNSETOPTS="${GITUNSETOPTS} PCRE PCRE2" - PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes" - PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}" - PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}" - PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports" - PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles" - for _PORT in sysutils/buildah sysutils/skopeo; do - eval chroot ${CHROOTDIR} env ${PBUILD_FLAGS} make -C \ -/usr/ports/${_PORT} \ -FORCE_PKG_REGISTER=1 deinstall install clean distclean - done - else - eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \ - pkg install -y sysutils/buildah sysutils/skopeo - eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \ - pkg clean -y - fi - # Use the vfs storage driver so that this works whether or not - # the build directory is on ZFS. The images are small so the - # performance difference is negligible. - eval chroot ${CHROOTDIR} sed -I .bak -e '/^driver/s/zfs/vfs/' /usr/local/etc/containers/storage.conf - # Remove any stray images from previous builds - eval chroot ${CHROOTDIR} buildah rmi -af - fi - if [ ! -z "${EMBEDDEDPORTS}" ]; then _OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U) REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION) diff --git a/relea
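Review bot: with buildah and skopeo gone, the OCI_DEPS_dynamic/OCI_DEPS_minimal chain in Makefile.oci becomes the only route by which the dynamic and minimal images can obtain their base layers, so the new sixth argument `container-image-${_IMG}.txz` to make-oci-image.sh has to be both the output the script writes and the form in which it reads its parent image (the make-oci-image.sh hunk is cut off here, so that cannot be checked from this page). The deleted release.sh block also removed the `buildah rmi -af` cleanup, which used to delete every image in the chroot's storage; nothing replaces it, which is fine as long as the new script writes only under ${.OBJDIR} and leaves no state to clean.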