1*c2691defSclaudio# $OpenBSD: rc,v 1.559 2022/06/28 18:46:01 claudio Exp $ 2df930be7Sderaadt 3300d0407Srpe# System startup script run by init on autoboot or after single-user. 4300d0407Srpe# Output and error are redirected to console by init, and the console is the 5300d0407Srpe# controlling terminal. 6df930be7Sderaadt 75116749bSrpe# Turn off Strict Bourne shell. 85116749bSrpeset +o sh 95116749bSrpe 105420764bSmillert# Subroutines (have to come first). 115420764bSmillert 12fcb22a03Srpe# Strip in- and whole-line comments from a file. 13fcb22a03Srpe# Strip leading and trailing whitespace if IFS is set. 14fcb22a03Srpe# Usage: stripcom /path/to/file 155420764bSmillertstripcom() { 16fcb22a03Srpe local _file=$1 _line 175420764bSmillert 18fcb22a03Srpe [[ -s $_file ]] || return 19fcb22a03Srpe 205420764bSmillert while read _line ; do 21fcb22a03Srpe _line=${_line%%#*} 22fcb22a03Srpe [[ -n $_line ]] && print -r -- "$_line" 23fcb22a03Srpe done <$_file 245420764bSmillert} 255420764bSmillert 26fcb22a03Srpe# Update resource limits based on login.conf settings. 27fcb22a03Srpe# Usage: update_limit -flag capability 280e47d797Smillertupdate_limit() { 29fcb22a03Srpe local _flag=$1 # ulimit flag 30fcb22a03Srpe local _cap=$2 _val # login.conf capability and its value 31fcb22a03Srpe local _suffix 320e47d797Smillert 33c1b505a4Sotto for _suffix in {,-max,-cur}; do 34fcb22a03Srpe _val=$(getcap -f /etc/login.conf -s ${_cap}${_suffix} daemon 2>/dev/null) 35fcb22a03Srpe [[ -n $_val ]] || continue 36fcb22a03Srpe [[ $_val == infinity ]] && _val=unlimited 37fcb22a03Srpe 38fcb22a03Srpe case $_suffix in 39fcb22a03Srpe -cur) ulimit -S $_flag $_val 400e47d797Smillert ;; 41fcb22a03Srpe -max) ulimit -H $_flag $_val 420e47d797Smillert ;; 43fcb22a03Srpe *) ulimit $_flag $_val 440e47d797Smillert return 450e47d797Smillert ;; 460e47d797Smillert esac 470e47d797Smillert done 480e47d797Smillert} 490e47d797Smillert 50c30b6886Srpe# Apply sysctl.conf(5) settings. 
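sysctl_conf() {
	# Walk the settings as positional parameters instead of piping them
	# into a loop: the ulimit calls made by update_limit must change the
	# limits of this shell, and a pipeline stage would only change those
	# of a subshell.  Whatever rc starts afterwards inherits the raised
	# limits.
	set -- $(stripcom /etc/sysctl.conf)
	# Arithmetic test; the former [[ $# > 0 ]] compared the strings.
	while (($# > 0)); do
		sysctl "$1"

		# Keep the process limits of this shell in step with the kernel
		# limits just raised, using the daemon class of login.conf.
		case "$1" in
		kern.maxproc=*)
			update_limit -p maxproc
			;;
		kern.maxfiles=*)
			update_limit -n openfiles
			;;
		esac
		shift
	done
}

# Apply mixerctl.conf(5) settings.
# Each non-comment line is handed to mixerctl(8) as a single argument; errors
# are silenced so a bad line does not disturb the boot.
mixerctl_conf() {
	local _line

	stripcom /etc/mixerctl.conf |
		while read _line; do
			mixerctl -q "$_line" 2>/dev/null
		done
}

# Apply wsconsctl.conf(5) settings.
# Lines are eval'ed so that shell quoting in the file is honoured.  That also
# means the file is executed by this (root) shell, so it must stay under
# root's control.
wsconsctl_conf() {
	local _line

	[[ -x /sbin/wsconsctl ]] || return

	stripcom /etc/wsconsctl.conf |
		while read _line; do
			eval "wsconsctl $_line"
		done
}

# Push the old seed into the kernel, create a future seed and create a seed
# file for the boot-loader.
# Both files are overwritten (dd truncates) with fresh kernel output, so a
# seed is never fed back in on a later boot.  NOTE(review): host.random is
# tightened to 0600 before it is rewritten, random.seed only afterwards; on
# a first-time create the latter briefly carries the boot umask.
random_seed() {
	dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
	chmod 600 /var/db/host.random
	dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
	# 512-byte seed consumed by the boot loader.
	dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
	chmod 600 /etc/random.seed
}

# Populate net.inet.(tcp|udp).baddynamic with the contents of /etc/services so
# as to avoid randomly allocating source ports that correspond to well-known
# services.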
# Usage: fill_baddynamic tcp|udp
# Lines of /etc/services have the shape "name port/proto ...", so splitting on
# space and "/" yields the name, the port and the protocol.
fill_baddynamic() {
	local _service=$1
	local _sysctl="net.inet.${_service}.baddynamic"

	stripcom /etc/services |
	{
		_ban=
		while IFS=" /" read _name _port _srv _junk; do
			[[ $_srv == $_service ]] || continue

			# Accumulate a comma-separated list of "+port" additions.
			_ban="${_ban:+$_ban,}+$_port"

			# Flush before argv gets too long
			if ((${#_ban} > 1024)); then
				sysctl -q "$_sysctl=$_ban"
				_ban=
			fi
		done
		[[ -n $_ban ]] && sysctl -q "$_sysctl=$_ban"
	}
	# NOTE(review): _ban, _name, _port, _srv and _junk are not declared
	# local; whether they survive the call depends on how the shell runs
	# the last stage of the pipeline -- confirm.
}

# Start daemon using the rc.d daemon control scripts.
# Usage: start_daemon daemon1 daemon2 daemon3
# A daemon is started unless its ${daemon}_flags variable (rc.conf, loaded by
# _rc_parse_conf) is exactly "NO"; an unset variable counts as enabled here.
start_daemon() {
	local _daemon

	for _daemon; do
		# Indirect expansion of the per-daemon _flags variable.  The
		# names come from this script's fixed lists or $pkg_scripts.
		# NOTE(review): _do is not declared local and stays set after
		# the call.
		eval "_do=\${${_daemon}_flags}"
		[[ $_do != NO ]] && /etc/rc.d/${_daemon} start
	done
}

# Generate keys for isakmpd, iked and sshd if they don't exist yet.
make_keys() {
	local _isakmpd_key=/etc/isakmpd/private/local.key
	local _isakmpd_pub=/etc/isakmpd/local.pub
	local _iked_key=/etc/iked/private/local.key
	local _iked_pub=/etc/iked/local.pub

	# The private key is written first and tightened to 0600 before the
	# public half is derived from it.  NOTE(review): openssl creates the
	# file under the boot-time umask, so until the chmod runs it is only
	# as private as /etc/isakmpd/private itself -- confirm that directory
	# is root-only.
	if [[ ! -f $_isakmpd_key ]]; then
		echo -n "openssl: generating isakmpd/iked RSA keys... "
		if openssl genrsa -out $_isakmpd_key 2048 >/dev/null 2>&1 &&
		    chmod 600 $_isakmpd_key &&
		    openssl rsa -out $_isakmpd_pub -in $_isakmpd_key \
		    -pubout >/dev/null 2>&1; then
			echo done.
		else
			echo failed.
		fi
	fi

	# iked shares the isakmpd key pair; the copy is tightened the same way.
	if [[ ! -f $_iked_key ]]; then
		# Just copy the generated isakmpd key
		cp $_isakmpd_key $_iked_key
		chmod 600 $_iked_key
		cp $_isakmpd_pub $_iked_pub
	fi

	# sshd host keys: -A generates every default key type that is missing.
	ssh-keygen -A

	# 16 random bytes (hex) for the net.inet6.ip6.soiikey sysctl, generated
	# once and kept 0600.  Only this first run pushes the value into the
	# kernel; later boots presumably load it elsewhere -- not visible here.
	if [[ ! -f /etc/soii.key ]]; then
		openssl rand -hex 16 > /etc/soii.key &&
		    chmod 600 /etc/soii.key && sysctl -q \
		    "net.inet6.ip6.soiikey=$(</etc/soii.key)"
	fi
}

# Re-link libraries, placing the objects in a random order.
# Works on the archives under /usr/share/relink and only installs a relinked
# library after it has passed a load test; any failure leaves the current
# library in place.
reorder_libs() {
	local _error=false _dkdev _liba _libas _mp _ro_list _tmpdir
	local _relink=/usr/share/relink

	# Opt-out knob ($library_aslr, presumably from rc.conf).
	[[ $library_aslr == NO ]] && return

	# Skip if /usr/lib, /usr/libexec or /usr/share/relink are on nfs mounted
	# filesystems, otherwise record which ones are mounted read-only.
	# df gives the device behind each path; a device absent from the ffs
	# mount list is not a local filesystem, so give up silently.
	for _dkdev in $(df /usr/{lib,libexec} $_relink |
	    sed '1d;s/ .*//' | sort -u); do
		_mp=$(mount -t ffs | grep "^$_dkdev") || return
		if [[ $_mp == *read-only* ]]; then
			_ro_list="$_ro_list ${_mp%% *}"
		fi
	done

	echo -n 'reordering libraries:'

	# Remount the (read-only) filesystems in _ro_list as read-write.
	for _mp in $_ro_list; do
		if ! mount -u -w $_mp; then
			echo ' failed.'
			return
		fi
	done

	# Only choose the latest version of the libraries.
	for _liba in $_relink/usr/lib/lib{c,crypto}; do
		_libas="$_libas $(ls $_liba.so.+([0-9.]).a | sort -rV | head -1)"
	done

	# Each library is rebuilt in its own scratch directory inside a
	# subshell with errexit, so any failing step (link, self-test,
	# install) aborts that library and is reported through _error.
	for _liba in $_relink/usr/libexec/ld.so.a $_libas; do
		_tmpdir=$(mktemp -dq $_relink/_rebuild.XXXXXXXXXXXX) &&
		(
			set -o errexit
			_install='install -F -o root -g bin -m 0444'
			_lib=${_liba##*/}
			_lib=${_lib%.a}
			# Destination directory: archive path minus the relink
			# prefix and the file name.
			_lib_dir=${_liba#$_relink}
			_lib_dir=${_lib_dir%/*}
			cd $_tmpdir
			ar x $_liba
			if [[ $_lib == ld.so ]]; then
				args="-g -x -e _dl_start \
				    --version-script=Symbols.map --shared -Bsymbolic \
				    --no-undefined"
				[[ -f ld.script ]] && args="$args -T ld.script"
				# Objects are linked in random order (sort -R).
				ld $args -o ld.so.test $(ls *.o | sort -R)
				# Exercise the new ld.so via test-ld.so (presumably
				# extracted from the archive) before touching the
				# live copy, which is preserved as ld.so.save.
				chmod u+x test-ld.so
				[[ $(./test-ld.so ok) == './test-ld.so: ok!' ]]
				$_install /usr/libexec/ld.so /usr/libexec/ld.so.save
				$_install ld.so.test $_lib_dir/ld.so
			else
				cc -shared -o $_lib $(ls *.so | sort -R) $(<.ldadd)
				# Sanity checks: the result must be a non-empty
				# shared object and must load with all symbols
				# bound eagerly (awk and openssl x509 as probes).
				[[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
				LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
				LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \
				    x509 -in /etc/ssl/cert.pem -out /dev/null
				$_install $_lib $_lib_dir/$_lib
			fi
		) || { _error=true; break; }
	done

	# Scratch directories, including any left by an aborted run.
	rm -rf $_relink/_rebuild.*

	# Restore previous mount state if it was changed.
	for _mp in $_ro_list; do
		mount -u -r $_mp || _error=true
	done

	if $_error; then
		echo ' failed.'
	else
		echo ' done.'
	fi
}

# Run rc.* script and email output to root.
# Usage: run_upgrade_script firsttime|sysmerge
# Returns 1 when no suffix is given; otherwise the script, if present, is run
# exactly once and removed.
run_upgrade_script() {
	local _suffix=$1

	[[ -n $_suffix ]] || return 1

	if [[ -f /etc/rc.$_suffix ]]; then
		echo "running rc.$_suffix"
		# Rename before running so the script is not run again if the
		# boot is interrupted part way through it.
		mv /etc/rc.$_suffix /etc/rc.$_suffix.run
		# Sourced, so it sees this shell's functions and rc.conf
		# variables; output goes to the console and, unless empty
		# (mail -E), to root.  NOTE(review): as the first stage of a
		# pipeline the script likely runs in a subshell, so variables it
		# sets do not reach the rest of rc -- confirm.
		. /etc/rc.$_suffix.run 2>&1 | tee /dev/tty |
			mail -Es "$(hostname) rc.$_suffix output" root >/dev/null
	fi
	rm -f /etc/rc.$_suffix.run
}

# Check filesystems, optionally by using a fsck(8) flag.
# Usage: do_fsck [-flag]
# Only a clean check (status 0) returns to the caller.  Every other fsck
# status ends rc with exit 1 (status 4 attempts a reboot first), presumably
# leaving init to drop back to single-user mode.
do_fsck() {
	fsck -p "$@"
	case $? in
	0)	;;
	2)	exit 1
		;;
	4)	echo "Rebooting..."
		reboot
		echo "Reboot failed; help!"
		exit 1
		;;
	8)	echo "Automatic file system check failed; help!"
		exit 1
		;;
	12)	echo "Boot interrupted."
		exit 1
		;;
	130)	# Interrupt before catcher installed.
		exit 1
		;;
	*)	echo "Unknown error; help!"
		exit 1
		;;
	esac
}

# End subroutines.

stty status '^T'

# Set shell to ignore SIGINT (2), but not children; shell catches SIGQUIT (3)
# and returns to single user after fsck.
trap : 2
trap : 3	# Shouldn't be needed.

# Fixed, minimal environment for everything started from here; PATH is set
# explicitly rather than inherited.
export HOME=/
export INRC=1
export PATH=/sbin:/bin:/usr/sbin:/usr/bin

# /etc/myname contains my symbolic name.
if [[ -f /etc/myname ]]; then
	hostname "$(stripcom /etc/myname)"
fi

# Must set the domainname before rc.conf, so YP startup choices can be made.
if [[ -s /etc/defaultdomain ]]; then
	domainname "$(stripcom /etc/defaultdomain)"
fi

# Get local functions from rc.subr to load rc.conf into scope.
FUNCS_ONLY=1 . /etc/rc.d/rc.subr
_rc_parse_conf

# If executed with the 'shutdown' parameter by the halt, reboot or shutdown:
# - update seed files
# - execute the rc.d scripts specified by $pkg_scripts in reverse order
# - bring carp interfaces down gracefully
if [[ $1 == shutdown ]]; then
	# Probe that one of the seed files is writable before regenerating
	# them (the probe appends a newline, which random_seed overwrites).
	if echo 2>/dev/null >>/var/db/host.random ||
	    echo 2>/dev/null >>/etc/random.seed; then
		random_seed
	else
		echo warning: cannot write random seed to disk
	fi

	# If we are in secure level 0, assume single user mode.
	if (($(sysctl -n kern.securelevel) == 0)); then
		echo 'single user: not running shutdown scripts'
	else
		# Stop package daemons in the reverse of their start order,
		# skipping scripts that are no longer present/executable.
		set -A _d -- $pkg_scripts
		_i=${#_d[*]}
		if ((_i)); then
			echo -n 'stopping package daemons:'
			while ((--_i >= 0)); do
				[[ -x /etc/rc.d/${_d[_i]} ]] &&
					/etc/rc.d/${_d[_i]} stop
			done
			echo '.'
		fi

		# Stop VMs only when vmd is actually running.
		if /etc/rc.d/vmd check > /dev/null; then
			echo -n 'stopping VMs'
			/etc/rc.d/vmd stop > /dev/null
			echo '.'
		fi

		[[ -f /etc/rc.shutdown ]] && sh /etc/rc.shutdown
	fi

	# Bring carp interfaces down gracefully; ifconfig lists them as
	# "carpN:" and the trailing colon is stripped for the down call.
	ifconfig | while read _if _junk; do
		[[ $_if == carp+([0-9]): ]] && ifconfig ${_if%:} down
	done

	exit 0
fi

# If bootblocks failed to give us random, try to cause some churn
(dmesg; sysctl hw.{uuid,serialno,sensors} ) >/dev/random 2>&1

# Add swap block-devices.
swapctl -A -t blk

# Run filesystem check unless a /fastboot file exists.
# Only an autoboot checks the disks; other boots ($1 != autoboot) skip it.
if [[ -e /fastboot ]]; then
	echo "Fast boot: skipping disk checks."
elif [[ $1 == autoboot ]]; then
	echo "Automatic boot in progress: starting file system checks."
	do_fsck
fi

# From now on, allow user to interrupt (^C) the boot process.
trap "echo 'Boot interrupted.'; exit 1" 3

# Unmount all filesystems except root.
umount -a >/dev/null 2>&1

# Mount all filesystems except those of type NFS and VND.
mount -a -t nonfs,vnd

# Re-mount the root filesystem read/writeable. (root on nfs requires this,
# others aren't hurt.)
mount -uw /
# Keep the kernel image unreadable by non-root, and hard-link the image that
# was just booted as /bsd.booted (presumably consumed by reorder_kernel later).
chmod og-rwx /bsd
ln -fh /bsd /bsd.booted

# One-shot flag: clear it so the next boot checks the disks again.
rm -f /fastboot

# Set flags on ttys.
ttyflags -a

# Set keyboard encoding.
if [[ -x /sbin/kbd && -s /etc/kbdtype ]]; then
	kbd "$(</etc/kbdtype)"
fi

wsconsctl_conf

# Set initial temporary pf rule set.
# Default-deny bootstrap policy in force until /etc/pf.conf is loaded further
# down: loopback, inbound ssh, outbound DNS, ping and DHCP, plus IPv6
# neighbour/router discovery and DHCPv6 when lo0 has inet6, and carp.
if [[ $pf != NO ]]; then
	RULES="
		block all
		pass on lo0
		pass in proto tcp from any to any port ssh keep state
		pass out proto { tcp, udp } from any to any port domain keep state
		pass out inet proto icmp all icmp-type echoreq keep state
		pass out inet proto udp from any port bootpc to any port bootps
		pass in inet proto udp from any port bootps to any port bootpc"

	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		RULES="$RULES
			pass out inet6 proto icmp6 all icmp6-type neighbrsol
			pass in inet6 proto icmp6 all icmp6-type neighbradv
			pass out inet6 proto icmp6 all icmp6-type routersol
			pass in inet6 proto icmp6 all icmp6-type routeradv
			pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
			pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
	fi

	RULES="$RULES
		pass in proto carp keep state (no-sync)
		pass out proto carp !received-on any keep state (no-sync)"

	# With NFS mounts present, allow sunrpc/nfsd traffic (and reassemble
	# fragments) so those mounts keep working under the temporary rules.
	if (($(sysctl -n vfs.mounts.nfs 2>/dev/null)+0 > 0)); then
		# Don't kill NFS.
		RULES="set reassemble yes no-df
			$RULES
			pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
			pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
	fi

	# Load the rules from stdin, then enable pf.
	print -- "$RULES" | pfctl -f -
	pfctl -e
fi

# Reserve well-known service ports for both protocols before any daemon
# could be handed one as an ephemeral source port.
fill_baddynamic udp
fill_baddynamic tcp

sysctl_conf

mount -s /var >/dev/null 2>&1		# cannot be on NFS
mount -s /var/log >/dev/null 2>&1	# cannot be on NFS

# Address-configuration and resolver daemons come up before the network
# itself is started; their output is silenced.
start_daemon slaacd dhcpleased resolvd >/dev/null 2>&1

echo 'starting network'

# Set carp interlock by increasing the demotion counter.
# Prevents carp from preempting until the system is booted.
ifconfig -g carp carpdemote 128

# Interface configuration, run as a separate sh.
sh /etc/netstart

mount -s /usr >/dev/null 2>&1

start_daemon unwind >/dev/null 2>&1

# Seed files and library relinking now that /var and /usr are mounted.
random_seed

reorder_libs

# Load pf rules and bring up pfsync interface.
if [[ $pf != NO ]]; then
	# Replaces the bootstrap rule set loaded earlier.  NOTE(review): if
	# pfctl rejects the file, the bootstrap rules presumably stay in force,
	# i.e. the host fails closed rather than open -- confirm.
	if [[ -f /etc/pf.conf ]]; then
		pfctl -f /etc/pf.conf
	fi
	if [[ -f /etc/hostname.pfsync0 ]]; then
		sh /etc/netstart pfsync0
	fi
fi

# Clean up left-over files.
# /var/run is emptied and a fresh group-writable (utmp) utmp created;
# /var/authpf is likewise emptied.
rm -f /etc/nologin /var/spool/lock/LCK.*
(cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; })
(cd /var/authpf && rm -rf -- *)

# Save a copy of the boot messages.
dmesg >/var/run/dmesg.boot

# Key material is created before the daemons that use it start.
make_keys

echo -n 'starting early daemons:'
start_daemon syslogd ldattach pflogd nsd unbound ntpd
start_daemon iscsid isakmpd iked sasyncd ldapd npppd
echo '.'

# Load IPsec rules.
if [[ $ipsec != NO && -f /etc/ipsec.conf ]]; then
	ipsecctl -f /etc/ipsec.conf
fi

echo -n 'starting RPC daemons:'
start_daemon portmap ypldap
# Presumably a stale lock from a previous run; removed before ypbind starts.
rm -f /var/run/ypbind.lock
# YP client/server only make sense with a domain name set.
if [[ -n $(domainname) ]]; then
	start_daemon ypserv ypbind
fi
start_daemon mountd nfsd lockd statd amd
echo '.'

# Check and mount remaining file systems and enable additional swap.
mount -a
swapctl -A -t noblk
do_fsck -N
mount -a -N

# Build kvm(3) and /dev databases.
kvm_mkdb
dev_mkdb

# /var/crash should be a directory or a symbolic link to the crash directory
# if core dumps are to be saved.
if [[ -d /var/crash ]]; then
	savecore $savecore_flags /var/crash
fi

# Store ACPI tables in /var/db/acpi to be used by sendbug(1).
if [[ -x /usr/sbin/acpidump ]]; then
	acpidump -q -o /var/db/acpi/
fi

if [[ $check_quotas == YES ]]; then
	echo -n 'checking quotas:'
	quotacheck -a
	echo ' done.'
	quotaon -a
fi

# Set proper permission for the tty device files.
# Reset the pty nodes to world-accessible and root-owned, presumably to undo
# ownership left behind by sessions of the previous run.
chmod 666 /dev/tty[pqrstuvwxyzPQRST]*
chown root:wheel /dev/tty[pqrstuvwxyzPQRST]*

# Check for the password temp/lock file.
# Only warns (to the console and auth.err); nothing is repaired here.
if [[ -f /etc/ptmp ]]; then
	logger -s -p auth.err \
	    'password file may be incorrect -- /etc/ptmp exists'
fi

echo clearing /tmp

# Prune quickly with one rm, then use find to clean up /tmp/[lqv]*
# (not needed with mfs /tmp, but doesn't hurt there...).
# The glob skips names starting with l, q and v so that lost+found, quota.*
# and vi.recover can be exempted explicitly in the find pass.
(cd /tmp && rm -rf [a-km-pr-uw-zA-Z]*)
(cd /tmp &&
    find . -maxdepth 1 ! -name . ! -name lost+found ! -name quota.user \
	! -name quota.group ! -name vi.recover -execdir rm -rf -- {} \;)

# Create Unix sockets directories for X if needed and make sure they have
# correct permissions.
# Created by root with the sticky bit while sshd and xenodm are not yet
# running (both are started later in this script), so no unprivileged user
# can have pre-created them with other ownership.
[[ -d /usr/X11R6/lib ]] && mkdir -m 1777 /tmp/.{X11,ICE}-unix

[[ -f /etc/rc.securelevel ]] && sh /etc/rc.securelevel

# rc.securelevel did not specifically set -1 or 2, so select the default: 1.
(($(sysctl -n kern.securelevel) == 0)) && sysctl kern.securelevel=1


# Patch /etc/motd.
# The first line is replaced by the running kernel's version string; the
# rest, from the first blank line on, is preserved.  cmp -s avoids rewriting
# an unchanged file.
if [[ ! -f /etc/motd ]]; then
	install -c -o root -g wheel -m 664 /dev/null /etc/motd
fi
if T=$(mktemp /tmp/_motd.XXXXXXXXXX); then
	sysctl -n kern.version | sed 1q >$T
	sed -n '/^$/,$p' </etc/motd >>$T
	cmp -s $T /etc/motd || cp $T /etc/motd
	rm -f $T
fi

if [[ $accounting == YES ]]; then
	[[ ! -f /var/account/acct ]] && touch /var/account/acct
	echo 'turning on accounting'
	accton /var/account/acct
fi

# Prepend the optional local and X11 library directories (when present) to
# the configured $shlib_dirs before building the cache.
if [[ -x /sbin/ldconfig ]]; then
	echo 'creating runtime link editor directory cache.'
	[[ -d /usr/local/lib ]] && shlib_dirs="/usr/local/lib $shlib_dirs"
	[[ -d /usr/X11R6/lib ]] && shlib_dirs="/usr/X11R6/lib $shlib_dirs"
	ldconfig $shlib_dirs
fi

echo 'preserving editor files.';	/usr/libexec/vi.recover

# If rc.sysmerge exists, run it just once, and make sure it is deleted.
run_upgrade_script sysmerge

# Network-facing daemons, each subject to its ${daemon}_flags setting.
echo -n 'starting network daemons:'
start_daemon ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated
start_daemon relayd dhcpd dhcrelay mrouted dvmrpd radiusd eigrpd route6d
start_daemon rad hostapd lpd smtpd slowcgi bgplgd httpd ftpd
start_daemon ftpproxy ftpproxy6 tftpd tftpproxy identd inetd rarpd bootparamd
start_daemon rbootd mopd vmd spamd spamlogd sndiod
echo '.'

# If rc.firsttime exists, run it just once, and make sure it is deleted.
run_upgrade_script firsttime

# Run rc.d(8) scripts from packages.
# Names without an executable rc.d script are reported as "(absent)"
# rather than treated as an error.
if [[ -n $pkg_scripts ]]; then
	echo -n 'starting package daemons:'
	for _daemon in $pkg_scripts; do
		if [[ -x /etc/rc.d/$_daemon ]]; then
			start_daemon $_daemon
		else
			echo -n " ${_daemon}(absent)"
		fi
	done
	echo '.'
fi

[[ -f /etc/rc.local ]] && sh /etc/rc.local

# Disable carp interlock.
# Undoes the demotion set before netstart, so carp may now preempt.
ifconfig -g carp -carpdemote 128

mixerctl_conf

echo -n 'starting local daemons:'
start_daemon apmd sensorsd hotplugd watchdogd cron wsmoused xenodm
echo '.'

# Re-link the kernel, placing the objects in a random order.
# Replace current with relinked kernel and inform root about it.
# Runs in the background so it does not delay the end of the boot.
/usr/libexec/reorder_kernel &

date
exit 0