From: Marcin Krol Date: Tue, 21 May 2024 20:07:30 +0000 (+0200) Subject: - version 0.5.4 X-Git-Tag: 0.5.4 X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;ds=sidebyside;h=HEAD;hp=5d89b49a413e24dae01d41cdb0d50b919ad4830e;p=rc-scripts.git - version 0.5.4 --- diff --git a/.gitignore b/.gitignore index 6337d3c..a909fb2 100644 --- a/.gitignore +++ b/.gitignore @@ -50,7 +50,6 @@ src/doexec src/genhostid src/getkey src/initlog -src/ipcalc src/loglevel src/minilogd src/netreport diff --git a/AUTHORS b/AUTHORS index 252e6a0..b8c84a8 100644 --- a/AUTHORS +++ b/AUTHORS @@ -3,8 +3,7 @@ MAINTAINERS AUTHORS/CREDITS Marcin Krol - fixes, scripts for controlling bonding, - preparation for TLD Linux + modified for TLD Linux, fixes, enhancements Arkadiusz Miśkiewicz networking functions, iproute2 support, diff --git a/README b/README index 42defae..4163756 100644 --- a/README +++ b/README @@ -18,15 +18,16 @@ To use IPv6 networking you should compile: Networking options ---> <*/M> The IPv6 protocol (EXPERIMENTAL) - [*] IPv6: enable EUI-64 token format - [*] IPv6: disable provider based addresses + [*] IPv6: enable EUI-64 token format + [*] IPv6: disable provider based addresses -too. +too. Other required or suggested packages: | What? | Package | +-------------+-------------------------------+ + 6to4 ipcalc IPX ncfps fourtun fourtun and kernel module bridge bridge-utils @@ -35,7 +36,7 @@ Other required or suggested packages: serial/ppp ppp, dip, wvdial serial/slip slattach PPPoE pppd + rp-pppoe (plugin or userspace program) - + Also you should know that format of interface configuration files is totally different from these used in RedHat/Mandrake initscripts and even from stable rc-scripts branch. @@ -45,4 +46,3 @@ to TLD developers at . -- TLD Linux Developers - diff --git a/configure.ac b/configure.ac index 4a83cf6..b5761f8 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,5 +1,5 @@ -AC_INIT([rc-scripts], [0.5.2], [tld-devel@lists.tld-linux.org], [rc-scripts]) +AC_INIT([rc-scripts], [0.5.4], [tld-devel@lists.tld-linux.org], [rc-scripts]) dnl Do not require AUTHORS, ChangeLog, NEWS, and README to exist AM_INIT_AUTOMAKE([foreign]) diff --git a/lib/functions b/lib/functions index 8f08dc6..b4c4840 100644 --- a/lib/functions +++ b/lib/functions @@ -59,52 +59,6 @@ CCHARS="$WHITE" # Color of these characters (look at /etc/sysconfig/init-colors [ -r /etc/sysconfig/system ] && . /etc/sysconfig/system [ -r /etc/sysconfig/bootsplash ] && . /etc/sysconfig/bootsplash -if [ -z "$VSERVER" -o "$VSERVER" = "detect" ]; then - { - while read _f _ctx; do - [ "$_f" = "VxID:" -o "$_f" = "s_context:" ] && break - done /dev/null - if [ -z "$_ctx" -o "$_ctx" = "0" ]; then - VSERVER=no - else - VSERVER=yes - fi - unset _f _ctx -fi - -# VSERVER_ISOLATION_NET = isolation only inside of vserver guests -if [ -z "$VSERVER_ISOLATION_NET" -o "$VSERVER_ISOLATION_NET" = "detect" ]; then - VSERVER_ISOLATION_NET=no - if [ "$VSERVER" = "yes" ]; then - if [ -f /proc/self/nsproxy ]; then - # older kernels - { - while read _t _data; do - [ "$_t" = "net:" ] && break - done < /proc/self/nsproxy - } 2> /dev/null - if [ "${_data##*\(}" = "I)" ]; then - VSERVER_ISOLATION_NET=yes - fi - elif [ -f /proc/self/ninfo ]; then - # newer kernels - { - while read _t _data; do - [ "$_t" = "NCaps:" ] && break - done < /proc/self/ninfo - } 2> /dev/null - if [ "${_t}" = "NCaps:" ]; then - VSERVER_ISOLATION_NET=yes - fi - else - # assume (very?) old kernel mode - VSERVER_ISOLATION_NET=yes - fi - unset _f _data - fi -fi - # we need to know in functions if we were called from a terminal if [ -z "$ISATTY" ]; then [ -t ] && ISATTY=yes || ISATTY=no 
@@ -165,11 +119,7 @@ strstr() { # Apply sysctl settings, including files in /etc/sysctl.d apply_sysctl() { - local file - for file in /etc/sysctl.d/*.conf; do - test -f "$file" && sysctl -q -e -p "$file" - done - sysctl -q -e -p /etc/sysctl.conf + sysctl -q -e --system } if is_yes "$FASTRC" || is_yes "$IN_SHUTDOWN"; then @@ -358,7 +308,7 @@ nls() { rc_splash() { local action="$1" - if ! is_no "$BOOT_SPLASH" && ! is_yes "$VSERVER"; then + if ! is_no "$BOOT_SPLASH"; then [ -x /bin/splash ] && /bin/splash "$action" fi @@ -472,7 +422,6 @@ checkpid() { # - inside chroot get only those processes, which are inside chroot. # - don't filter out pids which do not have corresponding running processes (process died etc) # (note: some processes like named are chrooted but run outside chroot) -# - do nothing inside vserver filter_chroot() { # no pids, exit early [ $# -eq 0 ] && return @@ -484,11 +433,6 @@ filter_chroot() { pids=$(filter_ns "$@") && set -- "$pids" fi - if is_yes "$VSERVER"; then - echo $@ - return - fi - if [ $# -lt 1 -o ! -d /proc/1 ]; then echo $@ return @@ -952,7 +896,11 @@ killproc() { # Remove pid file if any. if [ "$notset" = "1" ]; then - rm -f /var/run/${base}.pid + if [ -f "${pidfile}" ] ; then + rm -f "$pidfile" + else + rm -f /var/run/${base}.pid + fi fi return $result @@ -1080,6 +1028,9 @@ confirm() { # module is needed (ie. is requested, is available and isn't loaded already) is_module() { + # fail if /sbin/lsmod does not exists (ex. in containers) + [ -x /sbin/lsmod ] || return 1 + # module name without .o at end if ! lsmod | grep -q "$1"; then if ls -1R /lib/modules/$(uname -r)/ 2> /dev/null | grep -q "^${1}.\(\|k\)o\(\|.gz\)"; then diff --git a/lib/functions.network b/lib/functions.network index 862d42b..ad930e3 100644 --- a/lib/functions.network +++ b/lib/functions.network @@ -226,7 +226,7 @@ setup_ip_param () # set handling for bridge case "$DEVICETYPE" in - br|atm|lec|irda|vlan) + bond|br|atm|lec|irda|vlan) HANDLING=1 ;; esac 
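Review bot: `sysctl -q -e --system` in apply_sysctl does not read the same set of files as the loop it replaces: besides /etc/sysctl.d/*.conf and /etc/sysctl.conf it also applies /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d and /lib/sysctl.d, and a file in /etc/sysctl.d now shadows a same-named file in those directories, which the old loop could not express. That is a behaviour change worth recording above the call, e.g. `# --system also applies /run/sysctl.d and /usr/lib/sysctl.d; /etc/sysctl.d/<name>.conf overrides a same-named file there`. It also assumes a procps-ng sysctl that understands --system; older sysctl binaries reject the option and the function then applies nothing.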
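Review bot: The new `rm -f "$pidfile"` branch in killproc depends on `pidfile` having been assigned earlier in the function, whose body starts outside this hunk; when it is unset or empty `[ -f "" ]` is false and the conventional `/var/run/${base}.pid` is removed as before, which looks intended but is not stated. A one-line comment above the `if` would make the precedence explicit, e.g. `# prefer the pidfile given with -p, fall back to the conventional /var/run/<base>.pid`. Note that the branch runs only under `notset=1`, so a pidfile passed together with an explicit pid is still never cleaned up here.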
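Review bot: In is_module the new guard tests `/sbin/lsmod` by absolute path while the next line still runs bare `lsmod`, so the two can disagree when PATH differs from /sbin or when /sbin is merged into /usr/sbin and only the absolute check fails. Use one spelling in both places, e.g. `command -v lsmod >/dev/null 2>&1 || return 1`, or call `/sbin/lsmod` on the following line. The `return 1` tells callers "module not needed", which is the right default in containers but also hides a broken kmod install on a real host; the comment (`does not exists` → `does not exist`) could say that this is a deliberate trade-off.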
@@ -345,7 +345,8 @@ setup_routes() # Add ONLY IPv4 address (IPv6 address is added automaticly) set_up_loopback() { - if is_yes "$IPV4_NETWORKING"; then + # test if addr is assigned already as lxd(lxc?) initializes loopback upfront + if is_yes "$IPV4_NETWORKING" && ! ip addr show lo | grep -q "127\.0\.0\.1"; then ip addr add 127.0.0.1/8 dev lo fi ip link set dev lo up diff --git a/lib/ifdown-bond b/lib/ifdown-bond index 80a2cf2..f490bbe 100755 --- a/lib/ifdown-bond +++ b/lib/ifdown-bond @@ -35,19 +35,19 @@ fi setup_ip_param # forget all addresses -LC_ALL=C ip addr flush dev ${DEVICE} 2>&1 | grep -v "Nothing to flush" +LC_ALL=C ip addr flush dev "${DEVICE}" 2>&1 | grep -v "Nothing to flush" # release slave devices for SLAVE_DEV in $(cat /sys/class/net/${DEVICE}/bonding/slaves 2>/dev/null); do - echo "-${SLAVE_DEV}" > /sys/class/net/${DEVICE}/bonding/slaves + ip link set "${SLAVE_DEV}" nomaster done # bring bonding master down -ip link set ${DEVICE} down +ip link set "${DEVICE}" down # remove bonding master -if grep -wq "${DEVICE}" /sys/class/net/bonding_masters; then - echo "-${DEVICE}" > /sys/class/net/bonding_masters +if [ -d "/sys/class/net/${DEVICE}" ]; then + ip link del "${DEVICE}" type bond if [ $? -ne 0 ]; then exit 1 fi diff --git a/lib/ifup b/lib/ifup index 5d6fc21..be231ce 100755 --- a/lib/ifup +++ b/lib/ifup @@ -125,11 +125,13 @@ if [ -n "$ETHTOOL_OPTS" ] ; then fi if is_yes "$SLAVE" && [ -n "$MASTER" ] ; then - if ! grep -wq "${DEVICE}" /sys/class/net/${MASTER}/bonding/slaves 2>/dev/null; then - nls "Enslaving %s to %s" "$DEVICE" "$MASTER" - ip link set dev ${DEVICE} down - echo "+${DEVICE}" > /sys/class/net/${MASTER}/bonding/slaves 2>/dev/null - fi + # create master if it doesn't exist yet + [ ! -d "/sys/class/net/${MASTER}" ] && ip link add "${MASTER}" type bond + + nls "Enslaving %s to %s" "${DEVICE}" "${MASTER}" + ip link set "${DEVICE}" master "${MASTER}" + ip link set "${DEVICE}" up + exit 0 fi 
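Review bot: `ip addr show lo | grep -q "127\.0\.0\.1"` in set_up_loopback matches as a substring, so any loopback address that merely begins with 127.0.0.1 (127.0.0.10, 127.0.0.1xx) also suppresses the add, and the inet6 lines are scanned as well. Anchor the check on the exact address: `if is_yes "$IPV4_NETWORKING" && ! ip -o -4 addr show dev lo | grep -q 'inet 127\.0\.0\.1/'; then`. The comment could also state the reason without the hedge, e.g. `# lxc/lxd may already have assigned 127.0.0.1 to lo; adding it twice fails`.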
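Review bot: The enslave path in lib/ifup no longer brings the slave down before `ip link set "${DEVICE}" master "${MASTER}"` and checks none of the three `ip link` exit codes before `exit 0`. The bonding driver refuses to enslave an interface that is already up (it logs "is up - this may be due to an out of date ifenslave"), so a device left up by an earlier run ends up not enslaved while ifup exits successfully. Keep the down step and propagate failures: `ip link set "${DEVICE}" down` before the master line and `ip link set "${DEVICE}" master "${MASTER}" || exit 1`. The unconditional `exit 0` also skips the rest of ifup for every slave, which the old block did not do; if that is intended, a comment such as `# slaves get no addresses or ifup-post; the master is configured on its own` should say so.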
@@ -217,6 +219,19 @@ else # IPv6 in use ? if is_yes "$IPV6_NETWORKING" && [ -n "${IP6ADDR}" ]; then ip addr add ${IP6ADDR} dev ${DEVICE} ${IP6ADDROPT} + timeout=0 + while [ $timeout -le 20 ] && \ + if_state="`ip -o addr list dev ${DEVICE} to ${IP6ADDR}`" && \ + echo "$if_state" | grep -q tentative && \ + ! echo "$if_state" | grep -q dadfailed ; do + usleep 500000 + timeout=$((timeout+1)) + done + if ip -o addr list dev ${DEVICE} to ${IP6ADDR} | grep -q dadfailed ; then + ip addr del ${IP6ADDR} dev ${DEVICE} + nls '%s: Duplicated address detected: %s' "$DEVICE" "$IP6ADDR" + exit 1 + fi if [ -n "${IP6ADDRLABEL}" ]; then ip addrlabel add prefix ${IP6ADDR} dev ${DEVICE} label ${IP6ADDRLABEL} fi diff --git a/lib/ifup-bond b/lib/ifup-bond index 5651839..3c1d648 100755 --- a/lib/ifup-bond +++ b/lib/ifup-bond @@ -35,20 +35,15 @@ fi if [ ! -f /sys/class/net/bonding_masters ]; then modprobe -s bonding || exit 1 # delete default bond0 - echo "-bond0" > /sys/class/net/bonding_masters + ip link del bond0 type bond fi # set all major variables setup_ip_param # create bonding master -if ! grep -wq "${DEVICE}" /sys/class/net/bonding_masters; then - echo "+${DEVICE}" > /sys/class/net/bonding_masters - if [ $? -eq 0 ]; then - ip link set dev ${DEVICE} multicast ${MULTICAST} ${ARP} - else - exit 1 - fi +if [ ! -d "/sys/class/net/${DEVICE}" ]; then + ip link add "${DEVICE}" type bond fi # add the bits to setup driver parameters here diff --git a/lib/ifup-post b/lib/ifup-post index a271309..5ab4191 100755 --- a/lib/ifup-post +++ b/lib/ifup-post @@ -59,7 +59,10 @@ fi if [ -n "$NEEDHOSTNAME" -a "${DEVICETYPE}" != "ppp" -a "${DEVICETYPE}" != "slip" ]; then IPADDR=$(ip -f inet addr show dev ${DEVICE} | awk '/inet/ { print $2 }' |awk -F"/" '{ print $1 }') - eval $(/bin/ipcalc --silent --hostname ${IPADDR}) && set_hostname $HOSTNAME + if eval $(/bin/ipcalc --silent --hostname ${IPADDR}) ; then + [ "${HOSTNAME}" != "${IPADDR}" ] && set_hostname ${HOSTNAME} + fi + fi # run tleds software 
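Review bot: When the DAD wait loop ends by exhausting `timeout` (20 × 500 ms) with the address still tentative, the script carries on as if DAD had completed and prints nothing, which is indistinguishable from success in the boot log. Add a notice after the loop, e.g. `[ $timeout -gt 20 ] && nls '%s: DAD for %s still pending after 10s' "$DEVICE" "$IP6ADDR"`, and consider naming the limit once (`dad_retries=20`) so the loop condition and the message agree. `ip -o addr list dev ${DEVICE} to ${IP6ADDR}` with an unquoted `${IP6ADDR}` also assumes the variable holds exactly one address; if the ifcfg format allows several, the wait needs to run per address.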
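Review bot: `ip link del bond0 type bond` right after `modprobe -s bonding` in ifup-bond prints an error and returns non-zero when the module was loaded with `max_bonds=0` and no default bond0 exists; guard it with `[ -d /sys/class/net/bond0 ] && ip link del bond0 type bond`. The rewrite also drops the `ip link set dev ${DEVICE} multicast ${MULTICAST} ${ARP}` that used to run on a freshly created master, so MULTICAST and ARP from the ifcfg file are no longer applied here unless the part of the script outside this hunk does it. If that is deliberate, a comment naming where those options are applied now would save the next reader a search; otherwise the line should follow `ip link add "${DEVICE}" type bond`.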
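Review bot: `eval $(/bin/ipcalc --silent --hostname ${IPADDR})` in ifup-post still executes whatever ipcalc prints, and with this commit ipcalc is no longer the bundled binary but an external package (see README), so its output format and quoting are no longer under this project's control; the value originates from a reverse-DNS lookup, so unless ipcalc sanitises the name, a PTR record containing shell metacharacters would be evaluated as code on the booting host. Read the value instead of evaluating it: `HOSTNAME=$(/bin/ipcalc --silent --hostname ${IPADDR} | sed -n 's/^HOSTNAME=//p')` followed by `[ -n "$HOSTNAME" ] && [ "$HOSTNAME" != "$IPADDR" ] && set_hostname "$HOSTNAME"`. The new `"${HOSTNAME}" != "${IPADDR}"` guard assumes the chosen ipcalc echoes the address back when no name is found — worth a comment if that is its documented behaviour.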
diff --git a/man/Makefile.am b/man/Makefile.am index ae48e04..4603c69 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -8,7 +8,6 @@ man_MANS = \ genhostid.1 \ getkey.1 \ initlog.1 \ - ipcalc.1 \ netreport.1 \ ppp-watch.8 \ usernetctl.8 \ diff --git a/man/ipcalc.1 b/man/ipcalc.1 deleted file mode 100644 index fd9b212..0000000 --- a/man/ipcalc.1 +++ /dev/null 
@@ -1,58 +0,0 @@ -.TH IPCALC 1 "April 30 2001" "Red Hat, Inc." RH \" -*- nroff -*- -.SH NAME -ipcalc \- perform simple manipulation of IP addresses -.SH SYNOPSIS -.B ipcalc -[\fIOPTION\fR]... <\fBIP address\fR>[\fI/prefix\fR] [\fInetmask\fR] - -.SH DESCRIPTION -\fBipcalc\fR provides a simple way to calculate IP information for a host. -The various options specify what information \fBipcalc\fR should display -on standard out. Multiple options may be specified. An IP address to -operate on must always be specified. Most operations also require a -netmask or a CIDR prefix as well. - -.SH OPTIONS -.TP -.TP -\fB\-b\fR, \fB\-\-broadcast\fR -Display the broadcast address for the given IP address and netmask. - -.TP -\fB\-h\fR, \fB\-\-hostname\fR -Display the hostname for the given IP address. - -.TP -\fB\-m\fR, \fB\-\-netmask\fR -Calculate the netmask for the given IP address. It assumes that the IP -address is in a complete class A, B, or C network. Many networks do -not use the default netmasks, in which case an inappropriate value will -be returned. - -.TP -\fB\-p\fR, \fB\-\-prefix\fR -Show the prefix for the given mask/IP address. - -.TP -\fB\-n\fR, \fB\-\-network\fR -Display the network address for the given IP address and netmask. - -.TP -\fB\-s\fR, \fB\-\-silent\fR -Don't ever display error messages. - -.SH AUTHORS -.nf -Erik Troan -.nf -Preston Brown -.fi -.SH "REPORTING BUGS" -Report bugs to our bugtracking system: -http://bugzilla.redhat.com/bugzilla. -.SH COPYRIGHT -Copyright \(co 1997-2001 Red Hat, Inc. -.br -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR -PURPOSE. diff --git a/rc.d/init.d/cryptsetup b/rc.d/init.d/cryptsetup index 263a39c..d5ac2c3 100755 --- a/rc.d/init.d/cryptsetup +++ b/rc.d/init.d/cryptsetup 
@@ -105,7 +105,7 @@ init_crypto() { continue fi - if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then + if /sbin/cryptsetup --disable-locks isLuks "$src" 2>/dev/null; then if key_is_random "$key"; then nls "%s: LUKS requires non-random key, skipping" "$dst" ret=1 @@ -114,7 +114,7 @@ init_crypto() { if [ -n "$params" ]; then nls "%s: options are invalid for LUKS partitions, ignoring them" "$dst" fi - /sbin/cryptsetup ${key:+-d $key} luksOpen "$src" "$dst" <&1 + /sbin/cryptsetup --disable-locks ${key:+-d $key} luksOpen "$src" "$dst" <&1 fi rc=$? if [ $rc -ne 0 ]; then @@ -144,7 +144,7 @@ halt_crypto() { [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue if [ -b "/dev/mapper/$dst" ]; then if LC_ALL=C /sbin/dmsetup info "$dst" | grep -q '^Open count: *0$'; then - /sbin/cryptsetup remove "$dst" + /sbin/cryptsetup --disable-locks remove "$dst" else fnval=1 fi diff --git a/rc.d/init.d/netfs b/rc.d/init.d/netfs index ab00e6d..19738b7 100755 --- a/rc.d/init.d/netfs +++ b/rc.d/init.d/netfs @@ -15,7 +15,7 @@ . /etc/rc.d/init.d/cryptsetup . /etc/sysconfig/network -if is_yes "$VSERVER" || [[ "$container" = lxc* ]]; then +if [[ "$container" = lxc* ]]; then exit 0 fi @@ -173,28 +173,16 @@ RETVAL=0 # See how we were called. case "$1" in start) - if is_yes "$VSERVER_ISOLATION_NET"; then - exit 0 - fi start ;; stop) - if is_yes "$VSERVER_ISOLATION_NET"; then - exit 0 - fi stop ;; restart) - if is_yes "$VSERVER_ISOLATION_NET"; then - exit 0 - fi stop start ;; reload) - if is_yes "$VSERVER_ISOLATION_NET"; then - exit 0 - fi start ;; status) diff --git a/rc.d/init.d/network b/rc.d/init.d/network index b44e291..cf670a7 100755 --- a/rc.d/init.d/network +++ b/rc.d/init.d/network @@ -356,11 +356,7 @@ find_boot_interfaces # See how we were called. case "$1" in start) - if is_yes "$VSERVER_ISOLATION_NET"; then - touch /var/lock/subsys/network - else - start - fi + start ;; start_init) network_init 
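Review bot: `--disable-locks` is added to every cryptsetup invocation in this file (the hunks at @@ -105, @@ -114 and @@ -144) without a note on why; the option turns off the metadata locking cryptsetup uses to serialise LUKS2 header access, which is normally only necessary when the lock directory under /run is not writable yet at this point of boot. A comment above init_crypto such as `# --disable-locks: /run is not writable this early and no concurrent LUKS header operations happen here` records the assumption so the flag is revisited if this script ever runs alongside other cryptsetup users. halt_crypto runs late, where /run is available, so the flag there may not be needed at all.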
@@ -374,11 +370,7 @@ case "$1" in rm -f /var/lock/subsys/network ;; stop) - if is_yes "$VSERVER_ISOLATION_NET"; then - rm -f /var/lock/subsys/network >/dev/null 2>&1 - else - stop - fi + stop ;; status) @@ -394,18 +386,11 @@ case "$1" in ;; reload) - if is_yes "$VSERVER_ISOLATION_NET"; then - exit 0 - fi shift reload ${1:+"$@"} ;; restart) - if is_yes "$VSERVER_ISOLATION_NET"; then - exit 0 - fi - stop start ;; diff --git a/rc.d/init.d/random b/rc.d/init.d/random index 342dcdc..6c7e411 100755 --- a/rc.d/init.d/random +++ b/rc.d/init.d/random @@ -11,11 +11,6 @@ # Source function library. . /etc/rc.d/init.d/functions -# do nothing in vserver -if is_yes "$VSERVER"; then - return -fi - random_seed=/var/run/random-seed poolfile=/proc/sys/kernel/random/poolsize diff --git a/rc.d/init.d/sys-chroots b/rc.d/init.d/sys-chroots index b6e88ef..4945393 100755 --- a/rc.d/init.d/sys-chroots +++ b/rc.d/init.d/sys-chroots @@ -103,11 +103,11 @@ start() { fi # sysfs is also needed before any other things (under kernel > 2.5) if grep -q sysfs /proc/filesystems ; then - chroot $dir mount -o gid=17 -t sysfs sysfs /sys + chroot $dir mount -t sysfs sysfs /sys fi # selinux if grep -q selinuxfs /proc/filesystems ; then - chroot $dir mount -o gid=17 -t selinuxfs selinuxfs /selinux + chroot $dir mount -t selinuxfs selinuxfs /selinux fi chroot $dir mount -a # network diff --git a/rc.d/rc b/rc.d/rc index 04d6f38..4bf8cb2 100755 --- a/rc.d/rc +++ b/rc.d/rc @@ -68,7 +68,7 @@ fi # virtual console, and send messages to /dev/console # (it can be serial console too) if [ "$COLUMNS" -gt 0 ]; then - if [ "$argv2" != "chroot" ] && ! is_yes "$VSERVER" && \ + if [ "$argv2" != "chroot" ] && \ [ "$runlevel" = "0" -o "$runlevel" = "6" ]; then CONSOLE=/dev/tty1 [ -x /usr/bin/chvt ] && /usr/bin/chvt 1 && echo > $CONSOLE 
@@ -82,7 +82,7 @@ fi # See if we want to be in user confirmation mode if [ "$previous" = "N" ]; then - if ! is_yes "$VSERVER" && grep -qi confirm /proc/cmdline >/dev/null 2>/dev/null \ + if grep -qi confirm /proc/cmdline >/dev/null 2>/dev/null \ || [ -f /var/run/confirm ]; then rm -f /var/run/confirm CONFIRM="yes" @@ -129,14 +129,6 @@ else export progress=0 fi -if is_yes "$VSERVER"; then - # if runlevel is not 0 (halt) or 6 (reboot) run rc.sysinit - # BUT only if rc is run standalone (not run by init, as init will run rc.sysinit) - if [ "$previous" != "N" -a "$runlevel" != "0" -a "$runlevel" != "6" ]; then - /etc/rc.d/rc.sysinit $runlevel - fi -fi - # set onlcr to avoid staircase effect and do not lock scrolling stty onlcr -ixon 0>&1 2>/dev/null diff --git a/rc.d/rc.shutdown b/rc.d/rc.shutdown index d86f962..efcaecb 100755 --- a/rc.d/rc.shutdown +++ b/rc.d/rc.shutdown 
@@ -54,93 +54,104 @@ fi # Write to wtmp file before unmounting /var halt -w -if ! is_yes "$VSERVER"; then - # Turn off swap, then unmount file systems. - run_cmd "Turning off swap" swapoff -a +# Turn off swap, then unmount file systems. +run_cmd "Turning off swap" swapoff -a - [ -x /etc/rc.d/rc.acct ] && /etc/rc.d/rc.acct stop +[ -x /etc/rc.d/rc.acct ] && /etc/rc.d/rc.acct stop - if [ -x /sbin/quotaoff ]; then - run_cmd "Turning off quotas for local filesystems" /sbin/quotaoff -a - fi +if [ -x /sbin/quotaoff ]; then + run_cmd "Turning off quotas for local filesystems" /sbin/quotaoff -a +fi - # grab kexec_loaded state before we umount /sys - kexec_loaded=`cat /sys/kernel/kexec_loaded 2>/dev/null` +# grab kexec_loaded state before we umount /sys +kexec_loaded=`cat /sys/kernel/kexec_loaded 2>/dev/null` - # Unmount file systems, killing processes if we have to. - sig=-15 - retry=3 - force= - if [ -z "$UMOUNT_IGNORE" ]; then - UMOUNT_IGNORE="/" - else - UMOUNT_IGNORE="/ $UMOUNT_IGNORE" - fi - remaining=$(awk -v ig="^($UMOUNT_IGNORE)$" 'BEGIN { gsub(/[\t ]+/, "|", ig); } \ - $3 !~ /^(proc|loopfs|devpts|devtmpfs|shm|iso9660|ramfs|tmpfs|sysfs|securityfs|squashfs)$/ \ - && $1 !~ /^(none|\/dev\/root)$/ \ - && $2 !~ ig {print $2}' /proc/mounts) - while [ -n "$remaining" -a "$retry" -gt 0 ]; do - show "Unmounting file systems"; busy - ERRORS=$(umount -a $force -t noproc 2>&1); rc=$? +# Unmount file systems, killing processes if we have to. 
+sig=-15 +retry=3 +force= +if [ -z "$UMOUNT_IGNORE" ]; then + UMOUNT_IGNORE="/" +else + UMOUNT_IGNORE="/ $UMOUNT_IGNORE" +fi +remaining=$(awk -v ig="^($UMOUNT_IGNORE)$" 'BEGIN { gsub(/[\t ]+/, "|", ig); } \ + $3 !~ /^(proc|loopfs|devpts|devtmpfs|shm|iso9660|ramfs|tmpfs|cgroup|cgroup2|sysfs|securityfs|efivarfs|squashfs)$/ \ + && $1 !~ /^(none|\/dev\/root)$/ \ + && $2 !~ ig {print $2}' /proc/mounts) +while [ -n "$remaining" -a "$retry" -gt 0 ]; do + for mnt in $remaining; do + run_cmd "$(nls 'Umounting file system: %s' $mnt)" umount $force -R $mnt # we might had unmounted /usr, recheck $TPUT availability # but well. we need tput only for show() and busy() (ok() and fail() messages are already cached) # TODO: look ahead the messages? if is_yes "$TPUT"; then - TPUT= - rc_gettext_init - fi - - if [ $rc = 0 ]; then - ok - else - fail - [ -n "$ERRORS" ] && echo "$ERRORS" + TPUT= + rc_gettext_init fi - - sleep 2 - remaining=$(awk -v ig="^($UMOUNT_IGNORE)$" 'BEGIN { gsub(/[\t ]+/, "|", ig); } \ - $3 !~ /^(proc|loopfs|devpts|devtmpfs|shm|iso9660|ramfs|tmpfs|sysfs|securityfs|squashfs)$/ \ - && $1 !~ /^(none|\/dev\/root)$/ \ - && $2 !~ ig {print $2}' /proc/mounts) - [ -z "$remaining" ] && break - fuser -k -m $sig $remaining > /dev/null - sleep 5 - retry=$(($retry-1)) - sig=-9 - force="-f" done - run_cmd "Remounting root filesystem in ro mode" mount -n -o remount,ro / + show "Unmounting remainging file systems"; busy + ERRORS=$(umount -a $force -t noproc,nosysfs,notmpfs,nodevpts,nodevtmpfs 2>&1); rc=$ - if [ -x /sbin/vgchange ]; then - lvmversion=$(LC_ALL=C /sbin/vgchange --version 2>/dev/null | awk '/LVM version:/{if ($3 >= 2) print "2"}') - if [ "$lvmversion" = "2" ]; then - lvmsysinit="--sysinit" - else - lvmsysinit="" - fi - /sbin/vgchange -a n $lvmsysinit > /dev/null 2>&1 + # we might had unmounted /usr, recheck $TPUT availability + # but well. we need tput only for show() and busy() (ok() and fail() messages are already cached) + # TODO: look ahead the messages? 
+ if is_yes "$TPUT"; then + TPUT= + rc_gettext_init fi - if [ -x /sbin/mdadm -a -f /etc/mdadm.conf ]; then - if grep -qE "^([[:blank:]]|)ARRAY[[:blank:]]" /etc/mdadm.conf 2>/dev/null; then - /sbin/mdadm --stop --scan > /dev/null 2>&1 - rc=$? + if [ $rc = 0 ]; then + ok + else + fail + if [ -n "$ERRORS" ]; then + nls "Umount errors:" + echo "$ERRORS" fi fi - show "Remounting remaining filesystems ro mode"; busy - if mount | awk '/ext2|ext3|reiserfs|xfs|jfs/ { print $3 }' | while read line; do mount -n -o ro,remount $line; done; then - ok + sleep 2 + remaining=$(awk -v ig="^($UMOUNT_IGNORE)$" 'BEGIN { gsub(/[\t ]+/, "|", ig); } \ + $3 !~ /^(proc|loopfs|devpts|devtmpfs|shm|iso9660|ramfs|tmpfs|cgroup|cgroup2|sysfs|securityfs|efivarfs|squashfs)$/ \ + && $1 !~ /^(none|\/dev\/root)$/ \ + && $2 !~ ig {print $2}' /proc/mounts) + [ -z "$remaining" ] && break + fuser -k -m $sig $remaining > /dev/null + sleep 5 + retry=$(($retry-1)) + sig=-9 + force="-f" +done + +run_cmd "Remounting root filesystem in ro mode" mount -n -o remount,ro / + +if [ -x /sbin/vgchange ]; then + lvmversion=$(LC_ALL=C /sbin/vgchange --version 2>/dev/null | awk '/LVM version:/{if ($3 >= 2) print "2"}') + if [ "$lvmversion" = "2" ]; then + lvmsysinit="--sysinit --noudevsync" else - fail + lvmsysinit="" fi - _rebootwhat="system" + /sbin/vgchange -a n $lvmsysinit > /dev/null 2>&1 +fi + +if [ -x /sbin/mdadm -a -f /etc/mdadm.conf ]; then + if grep -qE "^([[:blank:]]|)ARRAY[[:blank:]]" /etc/mdadm.conf 2>/dev/null; then + /sbin/mdadm --stop --scan > /dev/null 2>&1 + rc=$? + fi +fi + +show "Remounting remaining filesystems ro mode"; busy +if mount | awk '/ext2|ext3|reiserfs|xfs|jfs/ { print $3 }' | while read line; do mount -n -o ro,remount $line; done; then + ok else - _rebootwhat="vserver" + fail fi +_rebootwhat="system" if [ -f /etc/crypttab ] && ! is_empty_file /etc/crypttab; then . /etc/rc.d/init.d/cryptsetup diff --git a/rc.d/rc.sysinit b/rc.d/rc.sysinit index 826b435..750e16a 100755 --- a/rc.d/rc.sysinit 
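Review bot: `ERRORS=$(umount -a $force -t noproc,nosysfs,notmpfs,nodevpts,nodevtmpfs 2>&1); rc=$` assigns the literal string `$` to `rc` — the `?` is missing, unless it was lost in rendering — so `[ $rc = 0 ]` is never true and the status line always prints fail; it should read `rc=$?` as in the removed line. The message `"Unmounting remainging file systems"` has a typo (`remaining`). The new per-mount loop `umount $force -R $mnt` already reports each failure through run_cmd, so the `$ERRORS` dump after the `umount -a` pass mostly repeats what was just shown; and `-R` is rejected by umount versions that predate util-linux 2.23, which a comment could note if older hosts are still supported. The `lvmsysinit="--sysinit --noudevsync"` change is fine but also undocumented.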
+++ b/rc.d/rc.sysinit @@ -47,6 +47,7 @@ modprobe_c() { # filter only what is wanted by this script: aliases and options modprobe_c_cache=$(modprobe -c | grep -E '^(alias|options)') + echo "$modprobe_c_cache" } # parse kernel cmdline @@ -123,8 +124,8 @@ init_selinux() { if ! grep -Fq selinuxfs /proc/filesystems; then # no support in kernel, no chance SELINUX=no - elif ! is_fsmounted selinuxfs /selinux; then - mount -n -o gid=17 -t selinuxfs selinuxfs /selinux + elif ! is_fsmounted selinuxfs $selinuxfsdir; then + mount -n -t selinuxfs selinuxfs $selinuxfsdir fi # Check SELinux status @@ -197,17 +198,6 @@ enable_swap() { is_yes "$AUTOSWAP" && enable_autoswap } -# Remove duplicate entries from mtab (for vserver guest use only) -clean_vserver_mtab() { - > /etc/mtab.clean - while read device mountpoint line; do - grep -qs "$mountpoint" /etc/mtab.clean || \ - echo "$device $mountpoint $line" >> /etc/mtab.clean - done < /etc/mtab - cat /etc/mtab.clean > /etc/mtab - rm -f /etc/mtab.clean -} - # Loads modules from /etc/modules, /etc/modules.X.Y and /etc/modules.X.Y.Z load_kernel_modules() { local modules_file=$1 @@ -365,7 +355,7 @@ else RC_BOOTLOG= fi -if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then +if [[ "$container" != lxc* ]]; then # we need /proc mounted before everything is_fsmounted proc /proc || mount -n /proc || mount -n -o gid=17,hidepid=2 -t proc /proc /proc 
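Review bot: init_selinux now depends on the script-global `selinuxfsdir`, which is assigned only by the caller in the non-container branch further down; called with it unset, `is_fsmounted selinuxfs` gets an empty mount point and `mount -n -t selinuxfs selinuxfs` runs with no target. Give the function a safe default at its top, e.g. `: "${selinuxfsdir:=/selinux}"`, or pass the directory as a parameter. The function's start and end are outside this hunk. The modprobe_c hunk adds an unconditional `echo "$modprobe_c_cache"` after filling the cache; whether the other branch of that function prints the cache too cannot be seen here, so a one-line comment stating that modprobe_c always emits the cached alias/options list would settle it.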
@@ -380,18 +370,22 @@ if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then # sysfs is also needed before any other things (under kernel > 2.5) if ! is_fsmounted sysfs /sys; then - grep -Fq sysfs /proc/filesystems && mount -n -o gid=17 -t sysfs sysfs /sys + grep -Fq sysfs /proc/filesystems && mount -n -t sysfs sysfs /sys fi if grep -Fq securityfs /proc/filesystems; then - mount -n -o gid=17 -t securityfs securityfs /sys/kernel/security + mount -n -t securityfs securityfs /sys/kernel/security + fi + if [ -d /sys/firmware/efi ] && ! is_fsmounted efivarfs /sys/firmware/efi/efivars; then + mount -n -o rw -t efivarfs efivarfs /sys/firmware/efi/efivars fi - init_selinux - - # TLD Linux LiveCD support - if [ -x /etc/rc.d/rc.live ]; then - /etc/rc.d/rc.live + if [ -d /sys/fs/selinux ]; then + # Linux 3.0+ + selinuxfsdir=/sys/fs/selinux + else + selinuxfsdir=/selinux fi + init_selinux # Choose Hardware profile if ! is_no "$HWPROFILES" && [ -f /etc/sysconfig/hwprof ]; then @@ -439,7 +433,7 @@ else domainname "" fi -if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then +if [[ "$container" != lxc* ]]; then # Set console loglevel if [ -n "$CONSOLE_LOGLEVEL" ]; then dmesg -n $CONSOLE_LOGLEVEL @@ -631,7 +625,7 @@ if [ -n "$IN_INITLOG" ]; then IN_INITLOG="" fi -if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then +if [[ "$container" != lxc* ]]; then # Clear mtab > /etc/mtab [ -f /etc/cryptomtab ] && > /etc/cryptomtab 
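Review bot: The hunk silently removes the `# TLD Linux LiveCD support` block that ran `/etc/rc.d/rc.live`, which the commit message (`- version 0.5.4`) does not mention; if LiveCD boot is no longer supported, say so in a comment or the message, otherwise the call should stay. `selinuxfsdir` is chosen only inside the non-lxc branch, yet the hunk at @@ -655 reads `$selinuxfsdir` as well — a default before the branch, `selinuxfsdir=/selinux` followed by the `/sys/fs/selinux` override, keeps every user of the variable consistent. efivarfs is mounted read-write with an explicit `-o rw`; a short comment stating which tool needs write access to EFI variables at boot would document that choice.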
@@ -655,10 +649,13 @@ if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then if is_fsmounted securityfs /sys/kernel/security ; then mount -f -t securityfs securityfs /sys/kernel/security 2> /dev/null fi + if [ -d /sys/firmware/efi ] && is_fsmounted efivarfs /sys/firmware/efi/efivars ; then + mount -f -t efivarfs efivarfs /sys/firmware/efi/efivars 2> /dev/null + fi fi - if is_fsmounted selinuxfs /selinux; then - mount -f -t selinuxfs selinuxfs /selinux 2> /dev/null + if is_fsmounted selinuxfs $selinuxfsdir; then + mount -f -t selinuxfs selinuxfs $selinuxfsdir 2> /dev/null fi if [ ! -f /proc/modules ]; then @@ -929,7 +926,6 @@ else killall -IO blogd fi - clean_vserver_mtab fi is_yes "$SELINUX" && [ -f /.autorelabel ] && relabel_selinux 
@@ -988,37 +984,35 @@ is_yes "$SELINUX" && restorecon /tmp/.ICE-unix >/dev/null 2>&1 test -d /var/run/netreport || mkdir -m 770 /var/run/netreport -if ! is_yes "$VSERVER"; then - enable_swap +enable_swap - # If a SCSI tape has been detected, load the st module unconditionally - # since many SCSI tapes don't deal well with st being loaded and unloaded - if [ -f /proc/scsi/scsi ] && grep -q 'Type: Sequential-Access' /proc/scsi/scsi 2>/dev/null ; then - if grep -qv ' 9 st' /proc/devices 2>/dev/null; then - if [ -n "$USEMODULES" ] ; then - # Try to load the module. If it fails, ignore it... - insmod -p st >/dev/null 2>&1 && modprobe -s st - fi +# If a SCSI tape has been detected, load the st module unconditionally +# since many SCSI tapes don't deal well with st being loaded and unloaded +if [ -f /proc/scsi/scsi ] && grep -q 'Type: Sequential-Access' /proc/scsi/scsi 2>/dev/null ; then + if grep -qv ' 9 st' /proc/devices 2>/dev/null; then + if [ -n "$USEMODULES" ] ; then + # Try to load the module. If it fails, ignore it... 
+ insmod -p st >/dev/null 2>&1 && modprobe -s st fi fi +fi - # Now that we have all of our basic modules loaded and the kernel going, - # let's dump the syslog ring somewhere so we can find it later - mode=0600 - if [ "$(cat /proc/sys/kernel/dmesg_restrict)" = 0 ]; then - mode=0644 - fi - dmesg --raw > /var/log/dmesg - chmod $mode /var/log/dmesg - i=5 - while [ $i -ge 0 ]; do - if [ -f /var/log/dmesg.$i ]; then - mv -f /var/log/dmesg.$i /var/log/dmesg.$(($i+1)) - fi - i=$(($i-1)) - done - cp -pf /var/log/dmesg /var/log/dmesg.0 +# Now that we have all of our basic modules loaded and the kernel going, +# let's dump the syslog ring somewhere so we can find it later +mode=0600 +if [ "$(cat /proc/sys/kernel/dmesg_restrict)" = 0 ]; then + mode=0644 fi +dmesg --raw > /var/log/dmesg +chmod $mode /var/log/dmesg +i=5 +while [ $i -ge 0 ]; do + if [ -f /var/log/dmesg.$i ]; then + mv -f /var/log/dmesg.$i /var/log/dmesg.$(($i+1)) + fi + i=$(($i-1)) +done +cp -pf /var/log/dmesg /var/log/dmesg.0 if ! is_no "$RC_PROMPT"; then while :; do @@ -1030,8 +1024,8 @@ if ! is_no "$RC_PROMPT"; then fi } & -# /proc extra check if the background process we just spawned is still running, -# as in case of vserver bootup it finishes quite instantly. +# /proc extra check if the background process we just spawned is still running +# as it may finish quite instantly. if ! is_no "$RC_PROMPT" && [ -d /proc/$! ]; then /sbin/getkey i && touch /var/run/confirm touch /var/run/getkey_done diff --git a/src/Makefile.am b/src/Makefile.am index cd77139..79acf54 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -7,7 +7,6 @@ sysconf_DATA = \ bin_PROGRAMS = \ doexec \ - ipcalc \ usleep \ run-parts \ resolvesymlink @@ -34,9 +33,6 @@ doexec_SOURCES = doexec.c resolvesymlink_SOURCES = resolvesymlink.c -ipcalc_SOURCES = ipcalc.c -ipcalc_LDADD = -lpopt - genhostid_SOURCES = genhostid.c netreport_SOURCES = netreport.c diff --git a/src/ipcalc.c b/src/ipcalc.c deleted file mode 100644 index f133412..0000000 
--- a/src/ipcalc.c +++ /dev/null 
@@ -1,361 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Red Hat, Inc. All rights reserved.
- *
- * This software may be freely redistributed under the terms of the GNU
- * public license.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- * Authors:
- * Erik Troan
- * Preston Brown
- */
-
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-/*!
- \def IPBITS
- \brief the number of bits in an IP address.
-*/
-#define IPBITS (sizeof(u_int32_t) * 8)
-/*!
- \def IPBYTES
- \brief the number of bytes in an IP address.
-*/
-#define IPBYTES (sizeof(u_int32_t))
-
-
-/*!
- \file ipcalc.c
- \brief provides utilities for manipulating IP addresses.
-
- ipcalc provides utilities and a front-end command line interface for
- manipulating IP addresses, and calculating various aspects of an ip
- address/netmask/network address/prefix/etc.
-
- Functionality can be accessed from other languages from the library
- interface, documented here. To use ipcalc from the shell, read the
- ipcalc(1) manual page.
-
- When passing parameters to the various functions, take note of whether they
- take host byte order or network byte order. Most take host byte order, and
- return host byte order, but there are some exceptions.
-
-*/
-
-/*!
- \fn u_int32_t prefix2mask(int bits)
- \brief creates a netmask from a specified number of bits
-
- This function converts a prefix length to a netmask. As CIDR (classless
- internet domain internet domain routing) has taken off, more an more IP
- addresses are being specified in the format address/prefix
- (i.e. 192.168.2.3/24, with a corresponding netmask 255.255.255.0). If you
- need to see what netmask corresponds to the prefix part of the address, this
- is the function. See also \ref mask2prefix.
-
- \param prefix is the number of bits to create a mask for.
- \return a network mask, in network byte order.
-*/
-u_int32_t prefix2mask(int prefix) {
- return htonl(~((1 << (32 - prefix)) - 1));
-}
-
-/*!
- \fn int mask2prefix(u_int32_t mask)
- \brief calculates the number of bits masked off by a netmask.
-
- This function calculates the significant bits in an IP address as specified by
- a netmask. See also \ref prefix2mask.
-
- \param mask is the netmask, specified as an u_int32_teger in network byte order.
- \return the number of significant bits. */
-int mask2prefix(u_int32_t mask)
-{
- int i;
- int count = IPBITS;
-
- for (i = 0; i < IPBITS; i++) {
- if (!(ntohl(mask) & ((2 << i) - 1)))
- count--;
- }
-
- return count;
-}
-
-/*!
- \fn u_int32_t default_netmask(u_int32_t addr)
-
- \brief returns the default (canonical) netmask associated with specified IP
- address.
-
- When the Internet was originally set up, various ranges of IP addresses were
- segmented into three network classes: A, B, and C. This function will return
- a netmask that is associated with the IP address specified defining where it
- falls in the predefined classes.
-
- \param addr an IP address in network byte order.
- \return a netmask in network byte order. */
-u_int32_t default_netmask(u_int32_t addr)
-{
- if (((ntohl(addr) & 0xFF000000) >> 24) <= 127)
- return htonl(0xFF000000);
- else if (((ntohl(addr) & 0xFF000000) >> 24) <= 191)
- return htonl(0xFFFF0000);
- else
- return htonl(0xFFFFFF00);
-}
-
-/*!
- \fn u_int32_t calc_broadcast(u_int32_t addr, int prefix)
-
- \brief calculate broadcast address given an IP address and a prefix length.
-
- \param addr an IP address in network byte order.
- \param prefix a prefix length.
-
- \return the calculated broadcast address for the network, in network byte
- order.
-*/
-u_int32_t calc_broadcast(u_int32_t addr,
- int prefix)
-{
- return (addr & prefix2mask(prefix)) | ~prefix2mask(prefix);
-}
-
-/*!
- \fn u_int32_t calc_network(u_int32_t addr, int prefix)
- \brief calculates the network address for a specified address and prefix.
-
- \param addr an IP address, in network byte order
- \param prefix the network prefix
- \return the base address of the network that addr is associated with, in
- network byte order.
-*/
-u_int32_t calc_network(u_int32_t addr, int prefix)
-{
- return (addr & prefix2mask(prefix));
-}
-
-/*!
- \fn const char *get_hostname(u_int32_t addr)
- \brief returns the hostname associated with the specified IP address
-
- \param addr an IP address to find a hostname for, in network byte order
-
- \return a hostname, or NULL if one cannot be determined. Hostname is stored
- in a static buffer that may disappear at any time, the caller should copy the
- data if it needs permanent storage.
-*/
-const char *get_hostname(u_int32_t addr)
-{
- struct hostent * hostinfo;
- int x;
-
- hostinfo = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET);
- if (!hostinfo)
- return NULL;
-
- for (x=0; hostinfo->h_name[x]; x++) {
- hostinfo->h_name[x] = tolower(hostinfo->h_name[x]);
- }
- return hostinfo->h_name;
-}
-
-/*!
- \fn main(int argc, const char **argv)
- \brief wrapper program for ipcalc functions.
-
- This is a wrapper program for the functions that the ipcalc library provides.
- It can be used from shell scripts or directly from the command line.
-
- For more information, please see the ipcalc(1) man page.
-*/
-int main(int argc, const char **argv) {
- int showBroadcast = 0, showPrefix = 0, showNetwork = 0;
- int showHostname = 0, showNetmask = 0;
- int beSilent = 0;
- int rc;
- poptContext optCon;
- char *ipStr, *prefixStr, *netmaskStr, *hostName, *chptr;
- struct in_addr ip, netmask, network, broadcast;
- int prefix = 0;
- char errBuf[250];
- struct poptOption optionsTable[] = {
- { "broadcast", 'b', 0, &showBroadcast, 0,
- "Display calculated broadcast address", },
- { "hostname", 'h', 0, &showHostname, 0,
- "Show hostname determined via DNS" },
- { "netmask", 'm', 0, &showNetmask, 0,
- "Display default netmask for IP (class A, B, or C)" },
- { "network", 'n', 0, &showNetwork, 0,
- "Display network address", },
- { "prefix", 'p', 0, &showPrefix, 0,
- "Display network prefix", },
- { "silent", 's', 0, &beSilent, 0,
- "Don't ever display error messages " },
- POPT_AUTOHELP
- { NULL, '\0', 0, 0, 0, NULL, NULL }
- };
-
- optCon = poptGetContext("ipcalc", argc, argv, optionsTable, 0);
- poptReadDefaultConfig(optCon, 1);
-
- if ((rc = poptGetNextOpt(optCon)) < -1) {
- if (!beSilent) {
- fprintf(stderr, "ipcalc: bad argument %s: %s\n",
- poptBadOption(optCon, POPT_BADOPTION_NOALIAS),
- poptStrerror(rc));
- poptPrintHelp(optCon, stderr, 0);
- }
- return 1;
- }
-
- if (!(ipStr = (char *) poptGetArg(optCon))) {
- if (!beSilent) {
- fprintf(stderr, "ipcalc: ip address expected\n");
- poptPrintHelp(optCon, stderr, 0);
- }
- return 1;
- }
-
- if (strchr(ipStr,'/') != NULL) {
- prefixStr = strchr(ipStr, '/') + 1;
- prefixStr--;
- *prefixStr = '\0'; /* fix up ipStr */
- prefixStr++;
- } else
- prefixStr = NULL;
-
- if (prefixStr != NULL) {
- prefix = atoi(prefixStr);
- if (prefix == 0) {
- if (!beSilent)
- fprintf(stderr, "ipcalc: bad prefix: %s\n",
- prefixStr);
- return 1;
- }
- }
-
- if (showBroadcast || showNetwork || showPrefix) {
- if (!(netmaskStr = (char *) poptGetArg(optCon)) &&
- (prefix == 0)) {
- if (!beSilent) {
- fprintf(stderr, "ipcalc: netmask or prefix
expected\n");
- poptPrintHelp(optCon, stderr, 0);
- }
- return 1;
- } else if (netmaskStr && prefix != 0) {
- if (!beSilent) {
- fprintf(stderr, "ipcalc: both netmask and prefix specified\n");
- poptPrintHelp(optCon, stderr, 0);
- }
- return 1;
- } else if (netmaskStr) {
- if (!inet_aton(netmaskStr, &netmask)) {
- if (!beSilent)
- fprintf(stderr, "ipcalc: bad netmask: %s\n",
- netmaskStr);
- return 1;
- }
- prefix = mask2prefix(netmask.s_addr);
- }
- }
-
- if ((chptr = (char *) poptGetArg(optCon))) {
- if (!beSilent) {
- fprintf(stderr, "ipcalc: unexpected argument: %s\n", chptr);
- poptPrintHelp(optCon, stderr, 0);
- }
- return 1;
- }
-
- /* Handle CIDR entries such as 172/8 */
- if (prefix) {
- char *tmp = ipStr;
- int i;
-
- for(i=3; i> 0; i--) {
- tmp = strchr(tmp,'.');
- if (!tmp)
- break;
- else
- tmp++;
- }
- tmp = NULL;
- for (; i>0; i--) {
- tmp = malloc(strlen(ipStr) + 3);
- sprintf(tmp,"%s.0",ipStr);
- ipStr = tmp;
- }
- }
-
- if (!inet_aton(ipStr, (struct in_addr *) &ip)) {
- if (!beSilent)
- fprintf(stderr, "ipcalc: bad ip address: %s\n", ipStr);
- return 1;
- }
-
-
- if (!(showNetmask|showPrefix|showBroadcast|showNetwork|showHostname)) {
- poptPrintHelp(optCon, stderr, 0);
- return 1;
- }
-
- poptFreeContext(optCon);
-
- /* we know what we want to display now, so display it.
 */
-
- if (showNetmask) {
- if (prefix) {
- netmask.s_addr = prefix2mask(prefix);
- } else {
- netmask.s_addr = default_netmask(ip.s_addr);
- prefix = mask2prefix(netmask.s_addr);
- }
-
- printf("NETMASK=%s\n", inet_ntoa(netmask));
- }
-
- if (showPrefix) {
- if (!prefix)
- prefix = mask2prefix(ip.s_addr);
- printf("PREFIX=%d\n", prefix);
- }
-
- if (showBroadcast) {
- broadcast.s_addr = calc_broadcast(ip.s_addr, prefix);
- printf("BROADCAST=%s\n", inet_ntoa(broadcast));
- }
-
- if (showNetwork) {
- network.s_addr = calc_network(ip.s_addr, prefix);
- printf("NETWORK=%s\n", inet_ntoa(network));
- }
-
- if (showHostname) {
- if ((hostName = (char *) get_hostname(ip.s_addr)) == NULL) {
- if (!beSilent) {
- sprintf(errBuf, "ipcalc: cannot find hostname for %s", ipStr);
- herror(errBuf);
- }
- return 1;
- }
-
- printf("HOSTNAME=%s\n", hostName);
- }
-
- return 0;
-}
diff --git a/sysconfig/system b/sysconfig/system
index a4f125d..096747a 100644
--- a/sysconfig/system
+++ b/sysconfig/system
@@ -113,12 +113,6 @@ RC_PROMPT=yes
 # Enable cpusets support?
 CPUSETS=no
-# Enable this system as vserver guest (yes/no/detect)
-VSERVER=detect
-
-# Vserver isolation only networking inside of guest (yes/no/detect)
-VSERVER_ISOLATION_NET=detect
-
 # Enable selinux support (yes/no/detect)
 # 'yes' behaves as 'detect'
 SELINUX=detect
diff --git a/sysctl.conf b/sysctl.conf
index a34935b..1f4cf84 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -127,6 +127,12 @@ net.ipv4.conf.default.rp_filter = 1
 # fs.file-max = 8192
 # fs.inode-max = 16384
+# Sometimes (read: always) the Linux OOM killer doesn’t kill the offending
+# process. Usually, this is because as the system is out of memory, it isn’t
+# able to do the memory intensive task of scanning through all the processes.
+# Ironic.
+#vm.oom_kill_allocating_task = 1
+
 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
 #kernel.core_uses_pid = 1
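Review bot: The four comment lines added above `#vm.oom_kill_allocating_task = 1` misdescribe the knob. With it set, the kernel kills whichever task happened to trigger the out-of-memory condition instead of scanning the task list for the best candidate; that is a speed trade-off intended for very large systems, and the task killed is often not the memory hog but a daemon that merely asked for a page at the wrong moment. The `(read: always)` remark invites an administrator to uncomment a setting that makes an OOM event less predictable, not more. Suggest replacing the comment with `# vm.oom_kill_allocating_task = 1 kills the task that triggered the OOM instead of scanning for the best candidate; faster on huge systems, but may kill an unrelated process. Leave off unless you know you need it.` The typographic apostrophes (’) in these lines are also the only non-ASCII bytes visible in this hunk; plain ASCII quotes would be safer in a file parsed at boot.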
@@ -140,59 +146,6 @@ kernel.sysrq = 1
 # 0 - never reboot system (suggested 60)
 #kernel.panic = 60
-#
-# GRSECURITY http://www.grsecurity.org
-#
-# WARNING!
-# These values are SET ONCE!
-#
-#kernel.grsecurity.linking_restrictions = 1
-#kernel.grsecurity.fifo_restrictions = 1
-#kernel.grsecurity.destroy_unused_shm = 0
-#kernel.grsecurity.chroot_caps = 0
-#kernel.grsecurity.chroot_deny_chmod = 0
-#kernel.grsecurity.chroot_deny_chroot = 1
-#kernel.grsecurity.chroot_deny_fchdir = 0
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-#kernel.grsecurity.chroot_deny_shmat = 0
-#kernel.grsecurity.chroot_deny_sysctl = 1
-#kernel.grsecurity.chroot_deny_unix = 0
-#kernel.grsecurity.chroot_enforce_chdir = 0
-#kernel.grsecurity.chroot_execlog = 0
-#kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 0
-
-#kernel.grsecurity.exec_logging = 0
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 0
-#kernel.grsecurity.timechange_logging = 1
-#kernel.grsecurity.audit_chdir = 0
-#kernel.grsecurity.audit_gid = 65505
-#kernel.grsecurity.audit_group = 0
-#kernel.grsecurity.audit_ipc = 0
-#kernel.grsecurity.audit_mount = 0
-
-#kernel.grsecurity.execve_limiting = 1
-#kernel.grsecurity.dmesg = 1
-#kernel.grsecurity.tpe = 1
-#kernel.grsecurity.tpe_gid = 65500
-#kernel.grsecurity.tpe_glibc = 0
-#kernel.grsecurity.tpe_restrict_all = 0
-
-#kernel.grsecurity.rand_pids = 1
-#kernel.grsecurity.socket_all = 1
-#kernel.grsecurity.socket_all_gid = 65501
-#kernel.grsecurity.socket_client = 1
-#kernel.grsecurity.socket_client_gid = 65502
-#kernel.grsecurity.socket_server = 1
-#kernel.grsecurity.socket_server_gid = 65503
-
-#kernel.grsecurity.disable_modules = 0
-#kernel.grsecurity.grsec_lock = 0
-
-# kernel.randomize_va_space = 2
 # 0 - Turn the process address space randomization off by default.
 # 1 - Conservative address space randomization makes the addresses of
 # mmap base and VDSO page randomized. This, among other things,
@@ -206,6 +159,7 @@ kernel.sysrq = 1
 # start of the brk area is randomized. There are however no known
 # non-legacy applications that would be broken this way, so for most
 # systems it is safe to choose Full randomization.
+# kernel.randomize_va_space = 2
 # for mplayer
 #dev.rtc.max-user-freq = 1024
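Review bot: `kernel.randomize_va_space = 2` is reintroduced on the new side only as a comment, placed directly after the explanatory text that concludes full randomization is safe for most systems, so the file documents a hardening setting it never applies. Left commented, the effective value is the kernel's compiled-in default, which is 1 rather than 2 when the kernel is built with CONFIG_COMPAT_BRK, and a distribution baseline sysctl.conf is the natural place to pin it. Suggest making the line active, `kernel.randomize_va_space = 2`, or, if it has to stay opt-in, adding one line saying why, e.g. `# left commented: the kernel default is already 2 unless built with CONFIG_COMPAT_BRK`. The commented copy removed by the preceding hunk (-140,59) was equally inert, so this note covers the move as a whole.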