Created attachment 251339
make the rc script service jails aware

Hi,

attached is a mechanical patch (untested) which makes the rc.d script service jails ready. This is a new feature in -current.

The setup I've chosen is to allow ipv4/ipv6 access. It does not allow to use sysv IPC in a jail. If you want to add this possibility, the config would need to be changed to "net_basic sysvipc" instead. The config can be overridden in rc.conf.

See also:
https://docs.freebsd.org/en/books/handbook/jails/#service-jails
https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails

Bye,
Alexander.
No idea how acme-dns behaves in that respect - will have to test. Next week (June 17th ff.) I can get to that.
Created attachment 252137
Rename rc script to comply + make service jails ready

The attached patch fixes some issues with the rc script. A generic discussion about the rc scripts in the ports collection which contains a lot more background information about the "why" of this patch is at
https://lists.freebsd.org/archives/freebsd-ports/2024-July/006342.html

The rc-article (https://docs.freebsd.org/en/articles/rc-scripting/) is also updated in this regard.

Short:
 - the filename shall be the same as the content of the name variable inside the script
 - (already OK) PROVIDE shall be the same as the content of the name variable inside the script
 - this fixes the use of the script with service jails (new feature in -current)

Additionally to what is discussed there and fixed in the patch, I made the following additional changes:
 - add service jails options to the scripts to enable the use in service jails (new feature in -current)
   the svcj_options allow the use of the host-network, if you want to allow sysvipc you need to replace "net_basic" with "net_basic sysvipc" (inherits/shares the sysv stuff, "sysvipcnew" if the sysvipc parts shall be unique to the specific service)

I would add an UPDATING entry similar to the 20240705 entry.
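
Added example, not part of the thread or the port: a shell check for the points listed in the comment above (filename equals the name variable, PROVIDE contains it, a service jails default is present). It assumes the default is set through the rc.subr variable ${name}_svcj_options; the function names and the two sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the port's code: lint an rc.d script against the points
# listed in the comment above. Prints findings; returns 0 when clean.
check_rc_script() {
    file=$1
    base=$(basename "$file")
    base=${base%.in}            # ports keep the template as files/<name>.in
    rc=0
    # First "name=" assignment, quotes and blanks stripped.
    name=$(sed -n 's/^name=//p' "$file" | head -n 1 | tr -d "\"' \t")
    if [ -z "$name" ]; then
        echo "$file: no name= assignment found"; return 1
    fi
    if [ "$base" != "$name" ]; then
        echo "$file: filename '$base' differs from name '$name'"; rc=1
    fi
    # PROVIDE may list several words; one of them must equal $name.
    provide=$(sed -n 's/^# PROVIDE:[[:space:]]*//p' "$file" | head -n 1)
    case " $provide " in
        *" $name "*) ;;
        *) echo "$file: PROVIDE '$provide' does not contain '$name'"; rc=1 ;;
    esac
    # Service jails default, e.g. : ${acme_dns_svcj_options:="net_basic"}
    if ! grep -q "${name}_svcj_options" "$file"; then
        echo "$file: no ${name}_svcj_options default"; rc=1
    fi
    return $rc
}

# Constructed samples (not the real acme-dns script): old and renamed layout.
write_samples() {
    dir=$1
    printf '%s\n' '#!/bin/sh' '# PROVIDE: acme_dns' '# REQUIRE: NETWORKING' \
        'name="acme_dns"' 'rcvar=acme_dns_enable' > "$dir/acme-dns.in"
    { cat "$dir/acme-dns.in"
      printf '%s\n' ': ${acme_dns_svcj_options:="net_basic"}'
    } > "$dir/acme_dns.in"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_rc_script "$tmp/acme-dns.in" || true      # two findings expected
check_rc_script "$tmp/acme_dns.in" && echo "acme_dns.in: ok"
rm -rf "$tmp"
```
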
Hi Alexander,

the port builds and runs just fine with your patch on 14.1. So no breakage introduced.

Do I need to run -current to test the service jails facility? Because I do not run -current anywhere at the moment.

Kind regards,
Patrick
(In reply to Patrick M. Hausen from comment #3)
Correct in both cases: no influence on 14.x, and only available in -current (and disabled by default).
- installed a VM with a 15.0 snapshot
- checked out ports tree
- applied your patch
- built and installed acme_dns
- started the service with acme_dns_svcj="YES"
- verified it runs in a jail
- performed a test registration and update with curl

Everything seems to work. Go for it and thanks!

Patrick
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c9f63c5c714cbc0cb6138199aa071bb258f1b759

commit c9f63c5c714cbc0cb6138199aa071bb258f1b759
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2024-08-24 12:47:11 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2024-08-24 12:47:11 +0000

    dns/acme-dns: make service jails aware

    Add a basic config for service jails and rename the start script to make
    it comply to the rc-docs.

    PR:             279625
    Approved by:    maintainer

 UPDATING                                        | 10 ++++++++++
 dns/acme-dns/Makefile                           |  2 +-
 dns/acme-dns/files/{acme-dns.in => acme_dns.in} |  1 +
 3 files changed, 12 insertions(+), 1 deletion(-)