Date: Mon, 13 Nov 2023 08:50:14 GMT
Message-Id: <202311130850.3AD8oEX0099962@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Alexander Leidinger
Subject: git: cb57f50e6404 - main - defaults: oomprotect sshd and local_unbound
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: netchild
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: cb57f50e6404389e4314025caea487d63ddf0ee4
Auto-Submitted: auto-generated

The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/src/commit/?id=cb57f50e6404389e4314025caea487d63ddf0ee4

commit cb57f50e6404389e4314025caea487d63ddf0ee4
Author:     Alexander Leidinger
AuthorDate: 2023-11-13 08:48:51 +0000
Commit:     Alexander Leidinger
CommitDate: 2023-11-13 08:48:51 +0000

    defaults: oomprotect sshd and local_unbound

    Add sshd and local_unbound to the oom protected services.
    syslogd is protected by default already, document it.

    This was discussed on arch@, see
    https://lists.freebsd.org/archives/freebsd-arch/2023-November/000543.html

    sshd is protected to be able to investigate and fix oom issues on
    systems which don't have out-of-band console access.

    local_unbound is protected as it may be enabled for local use and
    without DNS a lot grinds to a halt (including sshd).

    Relnotes: yes
    MFC after: 1 month
    Differential Revision: https://reviews.freebsd.org/D42544
---
 libexec/rc/rc.conf       |  2 ++
 share/man/man5/rc.conf.5 | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 26e189953044..3269288728b6 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf
@@ -318,6 +318,7 @@ ggated_config="/etc/gg.exports" # ggated(8) exports file. ggated_flags="" # Extra parameters like which port to bind to. ctld_enable="NO" # CAM Target Layer / iSCSI target daemon. local_unbound_enable="NO" # Local caching DNS resolver +local_unbound_oomprotect="YES" # Don't kill local_unbound when swap space is exhausted. local_unbound_tls="NO" # Use DNS over TLS blacklistd_enable="NO" # Run blacklistd daemon (YES/NO). blacklistd_flags="" # Optional flags for blacklistd(8). @@ -364,6 +365,7 @@ pppoed_provider="*" # Provider and ppp(8) config file entry. pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled). pppoed_interface="em0" # The interface that pppoed runs on. sshd_enable="NO" # Enable sshd +sshd_oomprotect="YES" # Don't kill sshd when swap space is exhausted. sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one. sshd_flags="" # Additional flags for sshd. ftpd_enable="NO" # Enable stand-alone ftpd. diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index a76cb1a04e0a..ad84bcbd576c 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 18, 2023 +.Dd November 13, 2023 .Dt RC.CONF 5 .Os .Sh NAME @@ -2318,6 +2318,12 @@ If set to run the .Xr syslogd 8 daemon. +Note, the +.Va syslogd_oomprotect +variable is set to +.Dq Li YES +by default in +.Pa /etc/defaults/rc.conf . .It Va syslogd_program .Pq Vt str Path to @@ -2381,6 +2387,12 @@ If set to run the .Xr unbound 8 daemon as a local caching DNS resolver. +Note, the +.Va local_unbound_oomprotect +variable is set to +.Dq Li YES +by default in +.Pa /etc/defaults/rc.conf . .It Va nscd_enable .Pq Vt bool Set to 
@@ -3840,6 +3852,12 @@ Set to to start .Xr sshd 8 at system boot time. +Note, the +.Va sshd_oomprotect +variable is set to +.Dq Li YES +by default in +.Pa /etc/defaults/rc.conf . .It Va sshd_flags .Pq Vt str If
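
Review bot: In the libexec/rc/rc.conf hunk at @@ -364,6, the comment on sshd_oomprotect="YES" ("Don't kill sshd when swap space is exhausted.") does not say whether the protection covers only the listening daemon or also the per-connection processes it starts. The commit message justifies the default by the need to investigate OOM issues over ssh, which depends on what happens to the session processes, so the comment should state the scope. The same wording question applies to local_unbound_oomprotect="YES" in the @@ -318,6 hunk of the same file.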
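
Review bot: In share/man/man5/rc.conf.5, the hunk at @@ -2318,6 documents syslogd_oomprotect only as a "Note, the ... variable is set to YES by default" sentence appended to the syslogd_enable entry, and the hunks at @@ -2381,6 and @@ -3840,6 do the same for local_unbound_oomprotect and sshd_oomprotect. None of the three notes says what the variable does or how an administrator overrides the default, and the variables get no ".It Va" item of their own, so they cannot be found as list entries. Consider giving each variable its own ".It Va ..._oomprotect" entry that reuses the rc.conf comment wording ("Don't kill sshd when swap space is exhausted.") and states how to disable the protection.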