Zap trailing space.

from Kirill Miazine, thanks.

Run non-daemons services in a different process group to avoid SIGHUP at boot

12 factors apps and similar don't daemonize and are thus vulnerable to
receiving a SIGHUP signal at the end of /etc/rc. Shield them by running
them in a different process group. Do this only for services that need
rc_bg=Yes, as suggested by ajacoutot@

There have been several reports about this issue in the past years, the
last one being from edd@ who successfully tested this fix. Input from
several folks, ok sthen@ ajacoutot@

Drop support for $rcexec; people should now use the rc_exec function.

prodded by jsg@

_rc_quirks is only called by _rc_parse_conf, so just merge the two.

ok robert@ sthen@ kn@

Make rc_configtest behave like rc_pre and rc_post; i.e. don't define a default
function (each rc.d script is supposed to define its own if wanted).
This way, we can filter out the "configtest" action depending on whether the
function exists or not.
Adapt documentation.

tweak/ok kn@

Add a new action: "configtest", to check configuration syntax of the daemon.
A few adjustments will be done in the next days (like disabling this action if
there's no specific rc_configtest function defined).

e.g.
/etc/rc.d/sshd configtest
rcctl configtest sshd

idea from naddy@

When using logger(1), also log the message to standard error so we don't
have to check syslog when running in debug mode (`-d').

Introduce the rc_configtest() function.
By default it just returns "0" but can be overriden by rc.d scripts to check
that the daemon configuration is valid when running "start", "reload" and
"restart".

Introduce a new daemon_execdir variable for changing to a specified directory
before running rc_rcexec.

Based on an proposal from openbsd.tech at aisha.cc
ok robert@ abieber@

Replace the $rcexec variable by an rc_exec function.
It is much cleaner to the eyes and makes more sense from a functionnal point of
view.
This will allow to extend rc_exec with other functionnalities (like upcoming
rc_startdir).
Bonus point: daemon_logger will now work with manually crafted rc_start
functions.

This will require a mechanical change from ${rcexec} to rc_exec in rc.d scripts.
ports will be fixed right after this commit but we will keep compatibility to
give a chance to people to fix their custom scripts.

positive tests from a few
ok robert@

look for the login class in both login.conf and login.conf.d/${class}

ok aja@

Tidy up; no change.

Improve and simplify timer handling in "stop" and "reload".
Rename _rc_wait to _rc_wait_for_start since only "start" uses this now (to
handle rc_bg daemons).
In any situation, none of these actions should be able to hang boot or shutdown.

We should now be able to manage most corner cases out there ("most" because it's
unreasonable to assume we can cope with all the non-default
rc_{start,stop,reload} crazyness).

Several tests have been made and no obvious regression has been found.
But that doesn't mean there isn't; if some behavior changed for the worst, talk
to me.

ok robert@ sthen@

Consistency in test; no behavior change.

Set SECONDS to 0 in _rc_wait.
While this is not strictly required, it's a failsafe and more fair to
daemon_timeout as we will effectively wait for the start/stop/reload sequence
instead of the duration of the rc.d script itself.

Simplify _rc_exit.

Run "_rc_wait stop" _before_ stopping the daemon and not after...
This doesn't change the default behavior but fixes rc.d scripts with a home made
rc_stop() function that can block and potentially hangs halt/reboot forever.

ok robert@

Return 0 in case we reach KILL; this allows "restart" to work as expected
in this situation.

reported by and ok robert@

check that the rc script including rc.subr is using ksh; rc.subr uses ksh
features and scripts will not work correctly with sh. tweak jca/ok kn/
ok with direction aja

rc_reload_signal & rc_stop_signal are not rc.conf(8) variables; they're
only for rc.d scripts.

Speed up _rc_wait: only sleep 1/2 second between rc_check tries and make sure
we have at least 1s for SIGTERM to do its job.

Use built-in SECONDS instead of hand roller timer.

with a tweak from kn@
ok sthen@

Always run _rc_rm_runfile when process is sent a SIGKILL or rc_post fails (at
this point the process has been terminated).

Drop uneeded sleep.

Allow passing a different signal than SIGTERM in the default rc_stop()
function. This will allow to simplify some rc.d script that cook there own
function to gracefully stop a process (e.g. web servers). There are other use
cases as well.
And do the same for rc_reload because it's cheap and can also simplify a
handful of rc.d scripts.

Behave like shutdown and if the process is still not down after daemon_timeout
(configurable; default to 30s), then send a SIGKILL.

While here, factorise pkill invocations into a _rc_sendsig() function that can
potentially be used by rc.d scripts instead of cooking pkill lines; this will
benefit from the configured routing table etc.

tested & ok robert@

Shuffle things around to have FUNCS_ONLY higher in the script so consummers
source only what they really needs.
Only expose the following which are used by /etc/rc, netstart and rcctl:
_rc_parse_conf
_rc_check_name
_rc_err
_rc_do
_rc_quirk

ok sthen@

Add logger(1) support for daemons that are logging to stdout/stderr (mostly from
the go ecosystem).
Properly handle failing daemon startup now that we have pipefail.

To take advantage of this new feature, just add foo_logger=facility to the
daemon rc.d(8) script or in rc.conf.local(8) or use rcctl:
rcctl set foo logger daemon.info

tweak for checking flags in rcctl(8) from martijn@
"this looks pretty good" deraadt@
ok sthen@

Use su -fl to avoid sourcing /etc/profile / the target user's .profile

This way rc.d and rcctl don't suffer from side effects in people's rc
files. If you somehow used those files to set environment variables,
you should have used login.conf as described in rc.d(8) instead.

ok ajacoutot@

Sort variables and fix a comment.
No functional change.

Do not run _rc_parse_conf of /var/run/rc.d/foobar on "start".
This is needed in case a foobar fails to start but still returns 0. Changing its
flags (in rc.conf.local) would then get ignored because of this cache (which is
around to handle stop/check/reload on flags changes).

claudio@ reported this issue when struggling with prometheus several weeks ago

Remove dependency on basename(1).

prodded by deraadt@
ok kn@ deraadt@ tb@

Start in the daemon configured routing table and not in the one we're currently
in. This fixes the case where one would be in a non default rdomain shell then
run an rdomain 0 rc.d daemon.

reported by YASUOKA Masahiko and Pierre Emeriaud
ok sthen@ claudio@ benno@

The shell will strip the quotes from daemon_flags when starting a daemon so make
sure pexp matches the process (i.e. doesn't include the quotes).
It's a bit hackish but it allows things like these in rc.conf.local:
relayd_flags=-D IPS="1.2.3.4 2.3.4.5"

And we properly end up with...
$ grep ^pexp /var/run/rc.d/relayd
pexp=/usr/sbin/relayd -D IPS=1.2.3.4 1.2.3.5
... which matches what is in the process list:
root 14217 <snip> 0:00.01 /usr/sbin/relayd -D IPS=1.2.3.4 1.2.3.5

There's always the possibility that we have introduced a regressions with hand
crafted functions in rc.d scripts (mostly from packags), so watch out.

reported by and debugged with claudio@

Revert previous (for now).
semarie found a few regressions with daemon that will fail if cwd is not
accessible.

Change the way we call su(1) in rcexec:
- drop `-'l' to prevent simulating a full login and running /root/.profile
(prodded by a mail from J Greely)
- use `-m' to preserve the environment because we now set HOME to "/" like
/etc/rc does; note that we now also clear the environment using `env -i' before
running su(1) which leaves us with only HOME, PATH and SHELL

Committing early to catch regressions fast, if any.
ok halex@

Temporarily disable the second call to rc_check until I figure out what
is going on. Should fix another case of false negative reported by sthen
(redis).

Fix logic in _rc_wait to properly cope with setproctitle(3) daemons. It was a
regression from my recent rc.subr changes.

reported by deraadt@ and naddy@ : pflogd was marked as failed during boot while
it was properly running

Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the
reordering of libraries by rc(8). This way machines with very slow disk I/O
have a chance of booting within reasonable time now that libcrypto is also
randomized.

Discussed with various;
input & ok from deraadt ajacoutot

Move check later to mitigate a possible race.

Indent and rename var; no functional change.

When a daemon reaches its timeout when starting, display "timeout" instead
of "ok" so the user is warned and has a chance to fix it (most of the time
due to bogus flags). Daemons reaching the timeout without being able to
start are still marked as "failed" (which should also give a clue to the
user that some investigation is needed).

prodded by beck@ a while ago
discussed with and ok sthen@

Drop useless lines continuation; no functional change.

Ok turns out we still want to keep the rc_bg variable around but we need
to know which daemon cannot background themselves (actually we want to
know the opposite, but there are much more). However, it's only needed in
_rc_wait and rc.subr still does its magic without the need to add `&'.

Add an ALRM timer to cope with 2 annoying issues in rc.d(8):
- prevent a daemon from hanging the boot
(typo in your flagsm e.g. httpd_flags=-d)
- make sure we can get the status of a backgrounded daemon instead of always
returning success

Side effect of this is that we can kill a knob! rip rc_bg :-)
Ports will need love, and a second commit is coming for that.

The diff is small yet not trivial so I am committing early in the release
process in one shot so it can easily be reverted if needed. I started working on
this during g2k16 in Cambridge then finished it in Brisbane for a2k17 where
robert@, beck@ and sthen@ agreed it was the correct way to go and I should move
ahead with it post 6.1.

If you see any regression, please talk to me!

Stop supporting the historical way of starting ypbind(8); that is setting
'ypbind_flags=""' when domainname is set and /var/yp/binding exists.
This can lead to inconsistent behavior at startup since /var may not be
mounted yet and /etc/rc's start_daemon() will not start ypbind.

A.K.A. make ypbind startup consistent with all other OpenBSD daemons.

ok deraadt@

Whitespace.

Introduce an _rc_check_name() function to check the input script name so that
we don't end up with cryptic error messages.
Regex help from rpe@
Issue reported by Anthony Coulter in rcctl(8), but better fix the root cause.

Also clarify the mage page that rc.d script name must follow ksh(1) variable
naming.

ok robert@ sthen@

use tab.

signal name should be first, fixes reload; ok deraadt@

Experiment on matching on the daemon_user is over. It needs more work.
portmap isn't happy with it as reported by naddy@

Revert the revert and match on the daemon_user again.
We'll see if something else breaks but it's the right thing to do.

discussed with robert@

Revert matching on the daemon user for now; it breaks sndiod handling which
does start as root but does not have a root master process and instead
changed its uid.

reported by deraadt@

Bump copyright.

Introduce rtable(4) support to rc.subr(8).
It works by adding daemon_rtable=$id in /etc/rc.conf.local.
rcctl(8) support coming in a few and so are the man pages bits.

If you want multiple instances of the same daemon running in different
routing tables, just symlink the original rc.d script.
e.g.
# cd /etc/rc.d && ln -s dhcpd dhcpd42

Then enable your daemons as such in rc.conf.local:
dhcpd_flags=
dhcpd42_flags=
dhcpd42_rtable=42

most work done by Jiri B <jirib@devio.us>; with a few tweaks and simplifications
by yours truly
ok robert@

... should make henning happy ;-)

Extend _RC_RUNFILE (/var/run/rc.d/scriptname) content with:
daemon_class, daemon_flags, daemon_timeout, daemon_user, pexp

Add "pexp" as a valid variable to _rc_parse_conf() and sort the list while here.

Besides having an easy way to see how a daemon was started exactly, it opens the
door to rdomain/rtable support in rc.d(8). We need to have as much information
on a daemon as possible if we want to target a specific rtable (using -T) and it
also makes it easier to start multiple instances of the same daemon with similar
flags as a different user...
Of course that only works with rc.d scripts *not* overwritting the default rc_*
functions.

Man page tweaks coming later.

discussed with and ok robert@

Make it possible to get usage as a non-root user.

ok robert@

Handle the rc_stop=NO => rc_restart=NO case within _rc_not_supported().

Revert, rc.d scripts have been fixed.

Comment the wait for start until I fix the x11 managers rc.d script.

After starting, unconditionally wait up to $daemon_timeout seconds to check that
the daemon is actually running (instead of only when using rc_bg).

This *may* trigger the following side effect: if a daemon starts then stops
right away (because of a config parsing issue for e.g.), then it will slow down
the boot process because rc will wait a bit before considering the start action
failed. But at least it will allow us to detect those daemons and fix them or
their rc.d(8) script.

At least as far as I can tell, all base daemons should cope with it just fine.

ok sthen@ robert@ on an earlier diff

Tidy up _rc_wait().

ok sthen@ robert@

It does not make sense to insert a specific route for 224/4 when the
default one is good enough.

So merge rc.conf(8)'s 'multicast_router' and 'multicast_host' into a
single 'multicast'. If set to YES the reject route for 224/4 is not
inserted by netstart(8).

Manual bits from jmc@

ok henning@, ajacoutot@

Missing local.

ok schwarze@

By default, require an exact match of the process name and argument list.
This allows running several instances of the same rc.d(8) script by just
linking it to different name.
e.g.
ln -s ftpproxy ftpproxy6
echo 'ftpproxy6_flags=-6' >>/etc/rc.conf.local

This is likely to break some rc.d scripts in ports. I will try and fix them all
in the next few days but I'd appreciate reports if I missed some.

ok halex@

Always use the default flags when running !start.
This is necessary so that rc.d scripts launched with `-f' can be properly
stopped, checked and reloaded.

ok schwarze@

Merge comments.

Really make daemon_class read-only; it's set to "daemon" of a matching
login class.

No more pf_rules ipsec_rules.

Check arguments before eval so we don't end up with a cryptic error message.
reported by jasper@

While here: _rc_is_supported() -> _rc_not_supported()
- saves a fork
- reduces triple negation to double negation in _rc_not_supported()
- simplifie condition for rc_restart=NO
from schwarze@

ok jasper@ schwarze@

_rc_err(): only display error message if there's an actual one.
Remove an exit() statement that could never be reached.

Fix return code of _rc_quirks().
ok robert@

Add a comment about the default values being duplicated in rcctl(8).
discussed with schwarze@

"reload" should fail if the service is not running in the first place.

ok robert@ sthen@

Make it possible to pass a specific error code to _rc_err().

ok robert@ schwarze@

Put _rc_err argument under quotes to respect the syntax we are passing.

Fix reversed logic.

ok schwarze@

Drop uneeded parenthesis in usage().

ok schwarze@

Drop unused variables.

In debug mode, make it clear when we are using the default flags when
none are set.

initial patch from me but reworked by schwarze@
ok schwarze@

In debug mode (`-d'), only print the flags relevant to the rc.d(8) we are
calling instead of all flags which makes it very difficult to see the
information we actually need.

ok schwarze@ robert@

Drop sanitation, _rc_parse_conf does this for us already.

ok schwarze@

When running interactively, display the output of the "check" action
(ok or failed) like we do with all other actions.

ok jung@ rpe@

Typo.

ok kili@

Let _rc_parse_conf stick to parsing /etc/rc.conf and /etc/rc.conf.local
if it's invoked without parameters. It's simpler than adding adding
/etc/rc.conf and /etc/rc.conf.local parameters whereever _rc_parse_conf
is used (e.g. /etc/rc and /etc/netstart).

While here, replace a

for foo in "$@"; do something; done

by

for foo; do something; done

ok aja@

Make it possible to pass arguments to _rc_parse_conf().

ok robert@

Don't return, just skip over non existing rc.conf or rc.conf.local file.

OK ajacoutot@ halex@

In debug mode, properly sort and drop duplicates so that we don't end
up with a confusing output like:
multicast_host >NO<
<...>
multicast_host >YES<

Also properly evaluate values _after_ running _rc_quirks() because these
can modify flags.

ok robert@ halex@

Fix evil typo (multicast_hosts -> multicast_host).

replace the heavy shell magic in quirks to handle backward compat with simpler
methods

Make rc.conf a parsed configuration file and stop sourcing it as a shell
script.
From now on rc.conf has a fixed syntax (key=val) and it is not allowed
to add anything to it besides the supported syntax, it all going to be
ignored.

discussed with and help from deraadt@ and halex@

Add a daemon_timeout variable for rc_wait().
It represents the maximum time in seconds to wait for the start, stop
and reload actions to return. Defaults to "30".
No default behavior is changed.

ok beck@ sthen@ jasper@ giovanni@

White spaces.

no double negatives in error message; ok aja@

Show only available actions in RC script usage messages.
Also, prettify representation of actions list a bit.

a lot of input and ok halex@ aja@
also ok schwarze@
small nit spotted by marc@
"makes a lot of sense to me" todd@

Remove useless test: rc_rm_runfile() uses rm -f which always returns 0
so we don't care if the file is present or not; also this function
should never return a failure.

ok halex@

Don't output "$action is not supported" when running an rc.d(8) script
from /etc/rc(8). This prevents the warning to be displayed at shutdown
time when the script has rc_stop=NO.

req. and input from fgsch@

"go ahead" schwarze@
input from an ok halex@, ok robert@

Don't check if ${local_rcconf} is defined before sourcing rc.conf but do
it unconditionally.
The only place local_rcconf could have been defined is from /etc/rc
sourcing rc.conf but then the variable is not exported so it will never
be seen by rc.subr.

ok robert@

Simplify the way we call the rc.d(8) script in "restart".

ok sthen@

Make '-f' only affects the "start" action.
There is no reason we couldn't reload|stop a daemon even when _flags is
set to NO.
As a bonus side effect, we can now see usage() on disabled scripts.

discussed with sthen@ and espie@
ok sthen@

Use the new "-q" option of pgrep(1) instead of redirecting stdout
to /dev/null.

unset _rcflags and _rcuser so that they don't get inherited by rc.d(8)
scripts; from robert at peichaer dot org
ok halex@

While here, put the "sanitation" commands in their own block.

Set the daemon_class as readonly as it should be (and is documented as
such).

from robert at peichaer dot org
modified after a discussion with halex@
ok halex@ robert@

Make a couple of variables local.

from robert at peichaer dot org
ok halex@

Add a new rc_usercheck variable (default to YES). When set to no, root
privilege is needed to run rc_check.
In effect this means /etc/rc.d/foobar check can now be run as a regular
user.
Discussed with robert@ during g2k12.

ok todd@

Simplify rc_wait() (no functionnal change).

initially from robert at peichaer dot org with some enhancement by halex@
ok halex@

in -d mode, display an error message before exiting, in the case the
daemon is not active (happens often to me, as I forget which box has
which daemons).

okay ajacoutot@

Fix an issue when uid != euid (e.g. when running shutdown(8) as a
regular user, member of the operator group); rm(1) was waiting for
interactive input to remove the runfiles which made no sense, so just
use `-f'.

issue spotted by weerd@
ok weerd@ robert@

either set or unset variables that are to be examined further on, don't
just leave them untouched

ok ajacoutot@ sthen@ schwarze@

Localize _new_pexp unconditionally, or rc_read_runfile()
might pick it up from a polluted environment.
Requested by halex@, ok ajacoutot@ halex@

When the _RC_RUNFILE (by some ill chance) happened to be empty or
reading it failed, ${pexp} ended up as the empty string and the script
would send SIGTERM to init(1), which was really inconvenient.
Fix that by never allowing pexp to become empty.
My patch considerably simplified by and ok ajacoutot@.

Finally make it possible to restart/stop a daemon after having changed
its _flags in rc.conf(8).
When the rc.d(8) system starts a daemon, it will record its pexp under
/var/run/rc.d/rcscriptname and use that to interact with it (errors in
creating /var/run/rc.d or missing pexp file are non fatal, the framework
will just fallback to what it currently does).

deraadt@ doesn't mind a long as it doesn't come in the way of people
manually managing their daemons.

discussed with and input from sthen@ halex@ robert@ schwarze@
ok sthen@ robert@

Check if we are root right from the start.

ok robert@

Prepend an underscore to internal variable names; this was reverted by
mistake in the previous commit.
No functionnal change.

ok robert@

revert previous and pass on the RC_DEBUG and RC_FORCE flags in the start+stop
dance on restart rather than exporting them and expose the script to a
potentially polluted environment

ok ajacoutot@ robert@

Repair "restart" debug and force modes (we need to export RC_DEBUG and
RC_FORCE since "restart" calls "stop" then "start").
While here, append "_" to these variable names to make it clear they are
internal.

ok robert@

Add missing "*)" case statement and make sure RC_DEBUG and RC_FORCE are
unset beforehands; prodded by halex@

Add rc_usage().

ok halex@

Use arugments for rc script instead of environment variables to indicate
debug mode.
This commit also adds a force mode for the script to allow one to force
operations even if daemon_flags is set to NO.
In this case the sane default values will be used for each script.

e.g.: "/etc/rc.d/foo -f start" will start sshd even if it's disabled

ok ajacoutot@

when reloading do an rc_wait instead of just an rc_check
from david@, okay sthen@ and input from schwarze@

redirect rc_err() output to stderr, from david@

Print the daemon name before starting, and ok/failed afterwards, providing
better visual cues as to what's happening. Feedback/ok aja@ schwarze@

add license, ok ajacoutot@, deraadt@

Fix reload:
* if we try to reload a non running daemon, just exit gracefully, like
we do for 'stop'
* add an rc_check call right after rc_reload to make sure the daemon is
still around; until now we only checked the pkill(1) return code but
that is not enough

ok robert@

Add rc.d(8) script for the system daemons that are restartable.
From now on rc(8) is going to call these scripts to start them up on boot
in the same order than before.
In addition the inetd and rwhod variables in rc.conf are deprecated so that
inetd_flags and rwhod_flags should be used. The old flags are still going
to be used for some time to allow users to switch.
There are more rc modifications to come later so let's put this in so
we can base more work on this.
It is important to mention that you can still keep using rc.local just
like the way you did before, and we have no intention to remove that either.

I'd also like to thank ajacoutot@, halex@, sthen@ and schwarze@ for working
on this with me.

let reload report (ok) or (failed) just like all other actions;
ajacoutot@ and robert@ couldn't really remember the reason to be different,
either

Refactoring for simplicity, no functional change:
* Instead of nesting subshells, perform a linear series of operations
and bail out as soon as one of them fails.
* Rename rc_print to rc_exit, let it calculate the exit code itself
and let it exit, considerably simplifying error handling; new name
suggested by sthen@.
OK ajacoutot@ sthen@

Finally deal with background processes: "rc_cmd start" will now return
the correct code according whether the daemon did start successfully or
not.

rc_wait()
This function has been extended, first we need to pass in which mode we
are running (start or stop) and second we can pass a number of seconds
to wait (optionnal, will default to 30s).
The function will return the correct code whether we are running during
"rc_cmd start" or "rc_cmd stop".

rc_cmd() start
If we are running in background mode, then we call rc_wait with the
"start" argument.
The sleep(1) is needed to prevent a race condition where the process
will appear in the list before failing and rc_check will see it as
running. Call rc_post() when failing to prevent being left in an
inconsistent state (because rc_pre() would have run successfully)

rc_cmd() stop
We are now calling rc_wait with the "stop" argument.

"looks good" sthen@, ok robert@

Setting RC_DEBUG is enough, it does not need to be explicitely set to
"1".

hint from MERIGHI Marcus
ok robert@

Fix multiple issues and make the code simpler and more robust:
- As noticed by ajacoutot@, re_format(7) does not treat '\t' as a tab,
so some t's got stripped from daemon names.
- The tr(1) failed to sanitize mixtures of blanks and tabs.
ok ajacoutot@

- in case reload fails, print the failed message (from Piotr Sikora)
- (ok) is only printed while in interactive mode, but (failed) stays
even for rc if the command fails

ok ajacoutot@

Remove leading/trailing spaces from daemon_flags.

ok schwarze@

Handle a daemon_flags of '-n' by using printf '%s\n' instead of echo
ok otto@, aja@

Quote $daemon_flags to prevent echo(1) picking them as input flags.

from Piotr Sikora
ok robert@

Bump timeout to 30s.

ok robert@

if daemon_flags=NO is set, just exit
ok ajacoutot@

Since we now use pkill -0 for "check", it must be run as root,
so remove that test condition. Commented by schwarze@, OK ajacoutot@

- introduce the INRC environment variable so that rc.subr(8) knows if it
gets called from rc.local or rc.shutdown
- notify the user if a given operation was successfull or not by appending
the (ok) or (failed) strings to the end of the daemon name
- hide stdout and stdin unless RC_DEBUG=1 is set, otherwise all the function
names will be printed out and all output sent to stdin or stdout
- since from now on rc.subr is taking care of printing out the daemon names
on startup, we don't need to do this from rc.{local,shutdown} anymore

brainkilling work done by me and ajacoutot@, ok ajacoutot@

Return proper codes so that we don't rc_start if rc_pre failed and we
don't rc_post if rc_stop failed.

"I agree with the direction" sthen@
ok robert@

Add a small comment at the top to explain what this file does.
Use $() constructs as it's safer than ``.
Both req. by deraadt@

Use pkill instead of pgrep in rc_check so that we don't need to fiddle
with redirections in reload.
prodded by schwarze@

ok robert@

Make reload and check consistent with start/stop.

ok robert@

Move the redirections into the rc_cmd itself instead of rc_start and
rc_stop so scripts don't need to set it.

ok sthen@ (on a much bigger diff) robert@

Move rc_pre and rc_post out of the rc_start/rc_stop functions into the
rc_cmd start/stop actions. This way when rc.d(8) scripts override these
functions, we don't loose rc_{pre,post}.

Add a max 5 secs loop after rc_stop in the rc_cmd top action. This seems
to be a good default for returning to command line only after the daemon
has really stopped. This fixes "restart" for some daemons and allows to
properly stop some others at shutdown time.
Note that this is just a best-effort default, some daemons may need a
lot more time to shutdown but this case is usually handled in the
rc.d(8) script itself and we obviously do not want to hang the shutdown
process.

Call rc_cmd start/stop in restart and _not_ rc_start/rc_stop which can
get overriden in a script.

discussed with and inputs from sthen@ and schwarze@
ok sthen@ robert@

Add an "rc_bg" variable that is undefined by default and allows to start
a daemon in the background.

man page tweaks from schwarze@
discussed with an ok schwarze@ robert@

Remove daemon_shell and force the use of /bin/sh for the su(1) call.

ok robert@ espie@ miod@

Put the "su -c ..." command into an rcexec variable so that we can
easily use it in rc scripts instead of copying/pasting the same huge
command lines everywhere.

ok robert@ sthen@

Check for a login class that match the rc script name and if we find one
let's use it. If not, then fall back to using daemon.
While here, do some reordering.

"I like this" sthen@, ok robert@

After the recent changes, there is no need for an rc_conf function.
As schwarze@ also stated, this will prevent anyone from calling it
(which would be an error) and makes it clearer that rc.subr is not just
a functions container.

No functionnal change, unless you were calling rc_conf from an rc script
which would have been wrong anyway.

ok schwarze@ robert@

There is no point in calling rc_conf manually from each and every rc
script; instead, rc.subr can call rc_conf itself right after reading in
rc.conf.

from schwarze@ (committing on his behalf)
ok robert@

Fix a flaw in the rc.subr framework reported by stephan@ where
local_rcconf would get overwritten by flags from the rc script itself.

Based on an original idea and diff from robert@, create an rc_conf
function that we add in the rc_script after the defaults daemon*
variables.
This way we can use defaults variables names in other part of the script
(when defining a specific pexp for instance).

While here, simplify setting up the default daemon variables so that we
don't need to do any substitution in rc_start.

rc scripts must include daemon variables before calling rc_conf. All
other locally modified variables (pexp, rc_reload, local additions...)
must come after.

feedback from and works for sthen@
ok robert@

Prefer '-l' over '-' which is deprecated.

Also noticed and agreed by eric@
ok robert@

simulate a full login with su, now that the environment is fine after
the last su(1) commit

Make it possible to mark an rc action as unsupported by setting the
corresponding variable to NO.
e.g.
rc_reload=NO

This will save us the trouble of copying the same rc_reload() function
(or others) all over the tree.

ok robert@

Sanitise daemon_flags: remove multiple whitespaces from _rcflags.

requested by okan@, ok robert@

Do not overwrite the settings in the rc scripts itself, so use the same
method to handle _class, _user and _shell as we do for _flags.

discussed with and ok ajacoutot@

Add support for setting _user _class and _shell for a specific daemon,
and use su to start the daemons.
By default if there is no class defined, daemon will be used. For a shell
it defaults to /bin/sh.

remove my debug printf

After discussing with Ingo and Antoine we decided to rename
files to not include -. This way we can easily overwrite
daemon flags from rc.conf.local.

add $

Protect variable names, to be consistent with rc(8).

ok robert@

Remove 'status', because 'check' is what is used internally and we don't
need two functions doing the same thing, and also allow check to run as
non-root.

Missing redirection to /dev/null in rc_start

quote $local_rcconf in [ ] and remove eval from rc_start()

Add a simple 'rc' system to base in order to start/stop/restart/reload
services installed by the ports system (for now).
It only uses pgrep/pkill to handle these processes. A manual page will
come later.

'put it in' deraadt@

Run non-daemons services in a different process group to avoid SIGHUP at boot

12 factors apps and similar don't daemonize and are thus vulnerable to
receiving a SIGHUP signal at the end of /etc/rc. Shield them by running
them in a different process group. Do this only for services that need
rc_bg=Yes, as suggested by ajacoutot@

There have been several reports about this issue in the past years, the
last one being from edd@ who successfully tested this fix. Input from
several folks, ok sthen@ ajacoutot@

Drop support for $rcexec; people should now use the rc_exec function.

prodded by jsg@

_rc_quirks is only called by _rc_parse_conf, so just merge the two.

ok robert@ sthen@ kn@

Make rc_configtest behave like rc_pre and rc_post; i.e. don't define a default
function (each rc.d script is supposed to define its own if wanted).
This way, we can filter out the "configtest" action depending on whether the
function exists or not.
Adapt documentation.

tweak/ok kn@

Add a new action: "configtest", to check configuration syntax of the daemon.
A few adjustments will be done in the next days (like disabling this action if
there's no specific rc_configtest function defined).

e.g.
/etc/rc.d/sshd configtest
rcctl configtest sshd

idea from naddy@

When using logger(1), also log the message to standard error so we don't
have to check syslog when running in debug mode (`-d').

Introduce the rc_configtest() function.
By default it just returns "0" but can be overriden by rc.d scripts to check
that the daemon configuration is valid when running "start", "reload" and
"restart".

Introduce a new daemon_execdir variable for changing to a specified directory
before running rc_rcexec.

Based on an proposal from openbsd.tech at aisha.cc
ok robert@ abieber@

Replace the $rcexec variable by an rc_exec function.
It is much cleaner to the eyes and makes more sense from a functionnal point of
view.
This will allow to extend rc_exec with other functionnalities (like upcoming
rc_startdir).
Bonus point: daemon_logger will now work with manually crafted rc_start
functions.

This will require a mechanical change from ${rcexec} to rc_exec in rc.d scripts.
ports will be fixed right after this commit but we will keep compatibility to
give a chance to people to fix their custom scripts.

positive tests from a few
ok robert@

look for the login class in both login.conf and login.conf.d/${class}

ok aja@

Tidy up; no change.

Improve and simplify timer handling in "stop" and "reload".
Rename _rc_wait to _rc_wait_for_start since only "start" uses this now (to
handle rc_bg daemons).
In any situation, none of these actions should be able to hang boot or shutdown.

We should now be able to manage most corner cases out there ("most" because it's
unreasonable to assume we can cope with all the non-default
rc_{start,stop,reload} crazyness).

Several tests have been made and no obvious regression has been found.
But that doesn't mean there isn't; if some behavior changed for the worst, talk
to me.

ok robert@ sthen@

Consistency in test; no behavior change.

Set SECONDS to 0 in _rc_wait.
While this is not strictly required, it's a failsafe and more fair to
daemon_timeout as we will effectively wait for the start/stop/reload sequence
instead of the duration of the rc.d script itself.

Simplify _rc_exit.

Run "_rc_wait stop" _before_ stopping the daemon and not after...
This doesn't change the default behavior but fixes rc.d scripts with a home made
rc_stop() function that can block and potentially hangs halt/reboot forever.

ok robert@

Return 0 in case we reach KILL; this allows "restart" to work as expected
in this situation.

reported by and ok robert@

check that the rc script including rc.subr is using ksh; rc.subr uses ksh
features and scripts will not work correctly with sh. tweak jca/ok kn/
ok with direction aja

rc_reload_signal & rc_stop_signal are not rc.conf(8) variables; they're
only for rc.d scripts.

Speed up _rc_wait: only sleep 1/2 second between rc_check tries and make sure
we have at least 1s for SIGTERM to do its job.

Use built-in SECONDS instead of hand roller timer.

with a tweak from kn@
ok sthen@

Always run _rc_rm_runfile when process is sent a SIGKILL or rc_post fails (at
this point the process has been terminated).

Drop uneeded sleep.

Allow passing a different signal than SIGTERM in the default rc_stop()
function. This will allow to simplify some rc.d script that cook there own
function to gracefully stop a process (e.g. web servers). There are other use
cases as well.
And do the same for rc_reload because it's cheap and can also simplify a
handful of rc.d scripts.

Behave like shutdown and if the process is still not down after daemon_timeout
(configurable; default to 30s), then send a SIGKILL.

While here, factorise pkill invocations into a _rc_sendsig() function that can
potentially be used by rc.d scripts instead of cooking pkill lines; this will
benefit from the configured routing table etc.

tested & ok robert@

Shuffle things around to have FUNCS_ONLY higher in the script so consummers
source only what they really needs.
Only expose the following which are used by /etc/rc, netstart and rcctl:
_rc_parse_conf
_rc_check_name
_rc_err
_rc_do
_rc_quirk

ok sthen@

Add logger(1) support for daemons that are logging to stdout/stderr (mostly from
the go ecosystem).
Properly handle failing daemon startup now that we have pipefail.

To take advantage of this new feature, just add foo_logger=facility to the
daemon rc.d(8) script or in rc.conf.local(8) or use rcctl:
rcctl set foo logger daemon.info

tweak for checking flags in rcctl(8) from martijn@
"this looks pretty good" deraadt@
ok sthen@

Use su -fl to avoid sourcing /etc/profile / the target user's .profile

This way rc.d and rcctl don't suffer from side effects in people's rc
files. If you somehow used those files to set environment variables,
you should have used login.conf as described in rc.d(8) instead.

ok ajacoutot@

Sort variables and fix a comment.
No functional change.

Do not run _rc_parse_conf of /var/run/rc.d/foobar on "start".
This is needed in case a foobar fails to start but still returns 0. Changing its
flags (in rc.conf.local) would then get ignored because of this cache (which is
around to handle stop/check/reload on flags changes).

claudio@ reported this issue when struggling with prometheus several weeks ago

Remove dependency on basename(1).

prodded by deraadt@
ok kn@ deraadt@ tb@

Start in the daemon configured routing table and not in the one we're currently
in. This fixes the case where one would be in a non default rdomain shell then
run an rdomain 0 rc.d daemon.

reported by YASUOKA Masahiko and Pierre Emeriaud
ok sthen@ claudio@ benno@

The shell will strip the quotes from daemon_flags when starting a daemon so make
sure pexp matches the process (i.e. doesn't include the quotes).
It's a bit hackish but it allows things like these in rc.conf.local:
relayd_flags=-D IPS="1.2.3.4 2.3.4.5"

And we properly end up with...
$ grep ^pexp /var/run/rc.d/relayd
pexp=/usr/sbin/relayd -D IPS=1.2.3.4 1.2.3.5
... which matches what is in the process list:
root 14217 <snip> 0:00.01 /usr/sbin/relayd -D IPS=1.2.3.4 1.2.3.5

There's always the possibility that we have introduced a regressions with hand
crafted functions in rc.d scripts (mostly from packags), so watch out.

reported by and debugged with claudio@

Revert previous (for now).
semarie found a few regressions with daemon that will fail if cwd is not
accessible.

Change the way we call su(1) in rcexec:
- drop `-'l' to prevent simulating a full login and running /root/.profile
(prodded by a mail from J Greely)
- use `-m' to preserve the environment because we now set HOME to "/" like
/etc/rc does; note that we now also clear the environment using `env -i' before
running su(1) which leaves us with only HOME, PATH and SHELL

Committing early to catch regressions fast, if any.
ok halex@

Temporarily disable the second call to rc_check until I figure out what
is going on. Should fix another case of false negative reported by sthen
(redis).

Fix logic in _rc_wait to properly cope with setproctitle(3) daemons. It was a
regression from my recent rc.subr changes.

reported by deraadt@ and naddy@ : pflogd was marked as failed during boot while
it was properly running

Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the
reordering of libraries by rc(8). This way machines with very slow disk I/O
have a chance of booting within reasonable time now that libcrypto is also
randomized.

Discussed with various;
input & ok from deraadt ajacoutot

Move check later to mitigate a possible race.

Indent and rename var; no functional change.

When a daemon reaches its timeout when starting, display "timeout" instead
of "ok" so the user is warned and has a chance to fix it (most of the time
due to bogus flags). Daemons reaching the timeout without being able to
start are still marked as "failed" (which should also give a clue to the
user that some investigation is needed).

prodded by beck@ a while ago
discussed with and ok sthen@

Drop useless lines continuation; no functional change.

Ok turns out we still want to keep the rc_bg variable around but we need
to know which daemon cannot background themselves (actually we want to
know the opposite, but there are much more). However, it's only needed in
_rc_wait and rc.subr still does its magic without the need to add `&'.

Add an ALRM timer to cope with 2 annoying issues in rc.d(8):
- prevent a daemon from hanging the boot
(typo in your flagsm e.g. httpd_flags=-d)
- make sure we can get the status of a backgrounded daemon instead of always
returning success

Side effect of this is that we can kill a knob! rip rc_bg :-)
Ports will need love, and a second commit is coming for that.

The diff is small yet not trivial so I am committing early in the release
process in one shot so it can easily be reverted if needed. I started working on
this during g2k16 in Cambridge then finished it in Brisbane for a2k17 where
robert@, beck@ and sthen@ agreed it was the correct way to go and I should move
ahead with it post 6.1.

If you see any regression, please talk to me!

Stop supporting the historical way of starting ypbind(8); that is setting
'ypbind_flags=""' when domainname is set and /var/yp/binding exists.
This can lead to inconsistent behavior at startup since /var may not be
mounted yet and /etc/rc's start_daemon() will not start ypbind.

A.K.A. make ypbind startup consistent with all other OpenBSD daemons.

ok deraadt@

Whitespace.

Introduce an _rc_check_name() function to check the input script name so that
we don't end up with cryptic error messages.
Regex help from rpe@
Issue reported by Anthony Coulter in rcctl(8), but better fix the root cause.

Also clarify the mage page that rc.d script name must follow ksh(1) variable
naming.

ok robert@ sthen@

use tab.

signal name should be first, fixes reload; ok deraadt@

Experiment on matching on the daemon_user is over. It needs more work.
portmap isn't happy with it as reported by naddy@

Revert the revert and match on the daemon_user again.
We'll see if something else breaks but it's the right thing to do.

discussed with robert@

Revert matching on the daemon user for now; it breaks sndiod handling which
does start as root but does not have a root master process and instead
changed its uid.

reported by deraadt@

Bump copyright.

Introduce rtable(4) support to rc.subr(8).
It works by adding daemon_rtable=$id in /etc/rc.conf.local.
rcctl(8) support coming in a few and so are the man pages bits.

If you want multiple instances of the same daemon running in different
routing tables, just symlink the original rc.d script.
e.g.
# cd /etc/rc.d && ln -s dhcpd dhcpd42

Then enable your daemons as such in rc.conf.local:
dhcpd_flags=
dhcpd42_flags=
dhcpd42_rtable=42

most work done by Jiri B <jirib@devio.us>; with a few tweaks and simplifications
by yours truly
ok robert@

... should make henning happy ;-)

Extend _RC_RUNFILE (/var/run/rc.d/scriptname) content with:
daemon_class, daemon_flags, daemon_timeout, daemon_user, pexp

Add "pexp" as a valid variable to _rc_parse_conf() and sort the list while here.

Besides having an easy way to see how a daemon was started exactly, it opens the
door to rdomain/rtable support in rc.d(8). We need to have as much information
on a daemon as possible if we want to target a specific rtable (using -T) and it
also makes it easier to start multiple instances of the same daemon with similar
flags as a different user...
Of course that only works with rc.d scripts *not* overwritting the default rc_*
functions.

Man page tweaks coming later.

discussed with and ok robert@

Make it possible to get usage as a non-root user.

ok robert@

Handle the rc_stop=NO => rc_restart=NO case within _rc_not_supported().

Revert, rc.d scripts have been fixed.

Comment the wait for start until I fix the x11 managers rc.d script.

After starting, unconditionally wait up to $daemon_timeout seconds to check that
the daemon is actually running (instead of only when using rc_bg).

This *may* trigger the following side effect: if a daemon starts then stops
right away (because of a config parsing issue for e.g.), then it will slow down
the boot process because rc will wait a bit before considering the start action
failed. But at least it will allow us to detect those daemons and fix them or
their rc.d(8) script.

At least as far as I can tell, all base daemons should cope with it just fine.

ok sthen@ robert@ on an earlier diff

Tidy up _rc_wait().

ok sthen@ robert@

It does not make sense to insert a specific route for 224/4 when the
default one is good enough.

So merge rc.conf(8)'s 'multicast_router' and 'multicast_host' into a
single 'multicast'. If set to YES the reject route for 224/4 is not
inserted by netstart(8).

Manual bits from jmc@

ok henning@, ajacoutot@

Missing local.

ok schwarze@

By default, require an exact match of the process name and argument list.
This allows running several instances of the same rc.d(8) script by just
linking it to different name.
e.g.
ln -s ftpproxy ftpproxy6
echo 'ftpproxy6_flags=-6' >>/etc/rc.conf.local

This is likely to break some rc.d scripts in ports. I will try and fix them all
in the next few days but I'd appreciate reports if I missed some.

ok halex@

Always use the default flags when running !start.
This is necessary so that rc.d scripts launched with `-f' can be properly
stopped, checked and reloaded.

ok schwarze@

Merge comments.

Really make daemon_class read-only; it's set to "daemon" of a matching
login class.

No more pf_rules ipsec_rules.

Check arguments before eval so we don't end up with a cryptic error message.
reported by jasper@

While here: _rc_is_supported() -> _rc_not_supported()
- saves a fork
- reduces triple negation to double negation in _rc_not_supported()
- simplifie condition for rc_restart=NO
from schwarze@

ok jasper@ schwarze@

_rc_err(): only display error message if there's an actual one.
Remove an exit() statement that could never be reached.

Fix return code of _rc_quirks().
ok robert@

Add a comment about the default values being duplicated in rcctl(8).
discussed with schwarze@

"reload" should fail if the service is not running in the first place.

ok robert@ sthen@

Make it possible to pass a specific error code to _rc_err().

ok robert@ schwarze@

Put _rc_err argument under quotes to respect the syntax we are passing.

Fix reversed logic.

ok schwarze@

Drop uneeded parenthesis in usage().

ok schwarze@

Drop unused variables.

In debug mode, make it clear when we are using the default flags when
none are set.

initial patch from me but reworked by schwarze@
ok schwarze@

In debug mode (`-d'), only print the flags relevant to the rc.d(8) we are
calling instead of all flags which makes it very difficult to see the
information we actually need.

ok schwarze@ robert@

Drop sanitation, _rc_parse_conf does this for us already.

ok schwarze@

When running interactively, display the output of the "check" action
(ok or failed) like we do with all other actions.

ok jung@ rpe@

Typo.

ok kili@

Let _rc_parse_conf stick to parsing /etc/rc.conf and /etc/rc.conf.local
if it's invoked without parameters. It's simpler than adding adding
/etc/rc.conf and /etc/rc.conf.local parameters whereever _rc_parse_conf
is used (e.g. /etc/rc and /etc/netstart).

While here, replace a

for foo in "$@"; do something; done

by

for foo; do something; done

ok aja@

Make it possible to pass arguments to _rc_parse_conf().

ok robert@

Don't return, just skip over non existing rc.conf or rc.conf.local file.

OK ajacoutot@ halex@

In debug mode, properly sort and drop duplicates so that we don't end
up with a confusing output like:
multicast_host >NO<
<...>
multicast_host >YES<

Also properly evaluate values _after_ running _rc_quirks() because these
can modify flags.

ok robert@ halex@

Fix evil typo (multicast_hosts -> multicast_host).

replace the heavy shell magic in quirks to handle backward compat with simpler
methods

Make rc.conf a parsed configuration file and stop sourcing it as a shell
script.
From now on rc.conf has a fixed syntax (key=val) and it is not allowed
to add anything to it besides the supported syntax, it all going to be
ignored.

discussed with and help from deraadt@ and halex@

Add a daemon_timeout variable for rc_wait().
It represents the maximum time in seconds to wait for the start, stop
and reload actions to return. Defaults to "30".
No default behavior is changed.

ok beck@ sthen@ jasper@ giovanni@

White spaces.

no double negatives in error message; ok aja@

Show only available actions in RC script usage messages.
Also, prettify representation of actions list a bit.

a lot of input and ok halex@ aja@
also ok schwarze@
small nit spotted by marc@
"makes a lot of sense to me" todd@

Remove useless test: rc_rm_runfile() uses rm -f which always returns 0
so we don't care if the file is present or not; also this function
should never return a failure.

ok halex@

Don't output "$action is not supported" when running an rc.d(8) script
from /etc/rc(8). This prevents the warning to be displayed at shutdown
time when the script has rc_stop=NO.

req. and input from fgsch@

"go ahead" schwarze@
input from an ok halex@, ok robert@

Don't check if ${local_rcconf} is defined before sourcing rc.conf but do
it unconditionally.
The only place local_rcconf could have been defined is from /etc/rc
sourcing rc.conf but then the variable is not exported so it will never
be seen by rc.subr.

ok robert@

Simplify the way we call the rc.d(8) script in "restart".

ok sthen@

Make '-f' only affects the "start" action.
There is no reason we couldn't reload|stop a daemon even when _flags is
set to NO.
As a bonus side effect, we can now see usage() on disabled scripts.

discussed with sthen@ and espie@
ok sthen@

Use the new "-q" option of pgrep(1) instead of redirecting stdout
to /dev/null.

unset _rcflags and _rcuser so that they don't get inherited by rc.d(8)
scripts; from robert at peichaer dot org
ok halex@

While here, put the "sanitation" commands in their own block.

Set the daemon_class as readonly as it should be (and is documented as
such).

from robert at peichaer dot org
modified after a discussion with halex@
ok halex@ robert@

Make a couple of variables local.

from robert at peichaer dot org
ok halex@

Add a new rc_usercheck variable (default to YES). When set to no, root
privilege is needed to run rc_check.
In effect this means /etc/rc.d/foobar check can now be run as a regular
user.
Discussed with robert@ during g2k12.

ok todd@

Simplify rc_wait() (no functionnal change).

initially from robert at peichaer dot org with some enhancement by halex@
ok halex@

in -d mode, display an error message before exiting, in the case the
daemon is not active (happens often to me, as I forget which box has
which daemons).

okay ajacoutot@

Fix an issue when uid != euid (e.g. when running shutdown(8) as a
regular user, member of the operator group); rm(1) was waiting for
interactive input to remove the runfiles which made no sense, so just
use `-f'.

issue spotted by weerd@
ok weerd@ robert@

either set or unset variables that are to be examined further on, don't
just leave them untouched

ok ajacoutot@ sthen@ schwarze@

Localize _new_pexp unconditionally, or rc_read_runfile()
might pick it up from a polluted environment.
Requested by halex@, ok ajacoutot@ halex@

When the _RC_RUNFILE (by some ill chance) happened to be empty or
reading it failed, ${pexp} ended up as the empty string and the script
would send SIGTERM to init(1), which was really inconvenient.
Fix that by never allowing pexp to become empty.
My patch considerably simplified by and ok ajacoutot@.

Finally make it possible to restart/stop a daemon after having changed
its _flags in rc.conf(8).
When the rc.d(8) system starts a daemon, it will record its pexp under
/var/run/rc.d/rcscriptname and use that to interact with it (errors in
creating /var/run/rc.d or missing pexp file are non fatal, the framework
will just fallback to what it currently does).

deraadt@ doesn't mind a long as it doesn't come in the way of people
manually managing their daemons.

discussed with and input from sthen@ halex@ robert@ schwarze@
ok sthen@ robert@

Check if we are root right from the start.

ok robert@

Prepend an underscore to internal variable names; this was reverted by
mistake in the previous commit.
No functionnal change.

ok robert@

revert previous and pass on the RC_DEBUG and RC_FORCE flags in the start+stop
dance on restart rather than exporting them and expose the script to a
potentially polluted environment

ok ajacoutot@ robert@

Repair "restart" debug and force modes (we need to export RC_DEBUG and
RC_FORCE since "restart" calls "stop" then "start").
While here, append "_" to these variable names to make it clear they are
internal.

ok robert@

Add missing "*)" case statement and make sure RC_DEBUG and RC_FORCE are
unset beforehands; prodded by halex@

Add rc_usage().

ok halex@

Use arugments for rc script instead of environment variables to indicate
debug mode.
This commit also adds a force mode for the script to allow one to force
operations even if daemon_flags is set to NO.
In this case the sane default values will be used for each script.

e.g.: "/etc/rc.d/foo -f start" will start sshd even if it's disabled

ok ajacoutot@

when reloading do an rc_wait instead of just an rc_check
from david@, okay sthen@ and input from schwarze@

redirect rc_err() output to stderr, from david@

Print the daemon name before starting, and ok/failed afterwards, providing
better visual cues as to what's happening. Feedback/ok aja@ schwarze@

add license, ok ajacoutot@, deraadt@

Fix reload:
* if we try to reload a non running daemon, just exit gracefully, like
we do for 'stop'
* add an rc_check call right after rc_reload to make sure the daemon is
still around; until now we only checked the pkill(1) return code but
that is not enough

ok robert@

Add rc.d(8) script for the system daemons that are restartable.
From now on rc(8) is going to call these scripts to start them up on boot
in the same order than before.
In addition the inetd and rwhod variables in rc.conf are deprecated so that
inetd_flags and rwhod_flags should be used. The old flags are still going
to be used for some time to allow users to switch.
There are more rc modifications to come later so let's put this in so
we can base more work on this.
It is important to mention that you can still keep using rc.local just
like the way you did before, and we have no intention to remove that either.

I'd also like to thank ajacoutot@, halex@, sthen@ and schwarze@ for working
on this with me.

let reload report (ok) or (failed) just like all other actions;
ajacoutot@ and robert@ couldn't really remember the reason to be different,
either

Refactoring for simplicity, no functional change:
* Instead of nesting subshells, perform a linear series of operations
and bail out as soon as one of them fails.
* Rename rc_print to rc_exit, let it calculate the exit code itself
and let it exit, considerably simplifying error handling; new name
suggested by sthen@.
OK ajacoutot@ sthen@

Finally deal with background processes: "rc_cmd start" will now return
the correct code according whether the daemon did start successfully or
not.

rc_wait()
This function has been extended, first we need to pass in which mode we
are running (start or stop) and second we can pass a number of seconds
to wait (optionnal, will default to 30s).
The function will return the correct code whether we are running during
"rc_cmd start" or "rc_cmd stop".

rc_cmd() start
If we are running in background mode, then we call rc_wait with the
"start" argument.
The sleep(1) is needed to prevent a race condition where the process
will appear in the list before failing and rc_check will see it as
running. Call rc_post() when failing to prevent being left in an
inconsistent state (because rc_pre() would have run successfully)

rc_cmd() stop
We are now calling rc_wait with the "stop" argument.

"looks good" sthen@, ok robert@

Setting RC_DEBUG is enough, it does not need to be explicitely set to
"1".

hint from MERIGHI Marcus
ok robert@

Fix multiple issues and make the code simpler and more robust:
- As noticed by ajacoutot@, re_format(7) does not treat '\t' as a tab,
so some t's got stripped from daemon names.
- The tr(1) failed to sanitize mixtures of blanks and tabs.
ok ajacoutot@

- in case reload fails, print the failed message (from Piotr Sikora)
- (ok) is only printed while in interactive mode, but (failed) stays
even for rc if the command fails

ok ajacoutot@

Remove leading/trailing spaces from daemon_flags.

ok schwarze@

Handle a daemon_flags of '-n' by using printf '%s\n' instead of echo
ok otto@, aja@

Quote $daemon_flags to prevent echo(1) picking them as input flags.

from Piotr Sikora
ok robert@

Bump timeout to 30s.

ok robert@

if daemon_flags=NO is set, just exit
ok ajacoutot@

Since we now use pkill -0 for "check", it must be run as root,
so remove that test condition. Commented by schwarze@, OK ajacoutot@

- introduce the INRC environment variable so that rc.subr(8) knows if it
gets called from rc.local or rc.shutdown
- notify the user if a given operation was successfull or not by appending
the (ok) or (failed) strings to the end of the daemon name
- hide stdout and stdin unless RC_DEBUG=1 is set, otherwise all the function
names will be printed out and all output sent to stdin or stdout
- since from now on rc.subr is taking care of printing out the daemon names
on startup, we don't need to do this from rc.{local,shutdown} anymore

brainkilling work done by me and ajacoutot@, ok ajacoutot@

Return proper codes so that we don't rc_start if rc_pre failed and we
don't rc_post if rc_stop failed.

"I agree with the direction" sthen@
ok robert@

Add a small comment at the top to explain what this file does.
Use $() constructs as it's safer than ``.
Both req. by deraadt@

Use pkill instead of pgrep in rc_check so that we don't need to fiddle
with redirections in reload.
prodded by schwarze@

ok robert@

Make reload and check consistent with start/stop.

ok robert@

Move the redirections into the rc_cmd itself instead of rc_start and
rc_stop so scripts don't need to set it.

ok sthen@ (on a much bigger diff) robert@

Move rc_pre and rc_post out of the rc_start/rc_stop functions into the
rc_cmd start/stop actions. This way when rc.d(8) scripts override these
functions, we don't loose rc_{pre,post}.

Add a max 5 secs loop after rc_stop in the rc_cmd top action. This seems
to be a good default for returning to command line only after the daemon
has really stopped. This fixes "restart" for some daemons and allows to
properly stop some others at shutdown time.
Note that this is just a best-effort default, some daemons may need a
lot more time to shutdown but this case is usually handled in the
rc.d(8) script itself and we obviously do not want to hang the shutdown
process.

Call rc_cmd start/stop in restart and _not_ rc_start/rc_stop which can
get overriden in a script.

discussed with and inputs from sthen@ and schwarze@
ok sthen@ robert@

Add an "rc_bg" variable that is undefined by default and allows to start
a daemon in the background.

man page tweaks from schwarze@
discussed with an ok schwarze@ robert@

Remove daemon_shell and force the use of /bin/sh for the su(1) call.

ok robert@ espie@ miod@

Put the "su -c ..." command into an rcexec variable so that we can
easily use it in rc scripts instead of copying/pasting the same huge
command lines everywhere.

ok robert@ sthen@

Check for a login class that match the rc script name and if we find one
let's use it. If not, then fall back to using daemon.
While here, do some reordering.

"I like this" sthen@, ok robert@

After the recent changes, there is no need for an rc_conf function.
As schwarze@ also stated, this will prevent anyone from calling it
(which would be an error) and makes it clearer that rc.subr is not just
a functions container.

No functionnal change, unless you were calling rc_conf from an rc script
which would have been wrong anyway.

ok schwarze@ robert@

There is no point in calling rc_conf manually from each and every rc
script; instead, rc.subr can call rc_conf itself right after reading in
rc.conf.

from schwarze@ (committing on his behalf)
ok robert@

Fix a flaw in the rc.subr framework reported by stephan@ where
local_rcconf would get overwritten by flags from the rc script itself.

Based on an original idea and diff from robert@, create an rc_conf
function that we add in the rc_script after the defaults daemon*
variables.
This way we can use defaults variables names in other part of the script
(when defining a specific pexp for instance).

While here, simplify setting up the default daemon variables so that we
don't need to do any substitution in rc_start.

rc scripts must include daemon variables before calling rc_conf. All
other locally modified variables (pexp, rc_reload, local additions...)
must come after.

feedback from and works for sthen@
ok robert@

Prefer '-l' over '-' which is deprecated.

Also noticed and agreed by eric@
ok robert@

simulate a full login with su, now that the environment is fine after
the last su(1) commit

Make it possible to mark an rc action as unsupported by setting the
corresponding variable to NO.
e.g.
rc_reload=NO

This will save us the trouble of copying the same rc_reload() function
(or others) all over the tree.

ok robert@

Sanitise daemon_flags: remove multiple whitespaces from _rcflags.

requested by okan@, ok robert@

Do not overwrite the settings in the rc scripts itself, so use the same
method to handle _class, _user and _shell as we do for _flags.

discussed with and ok ajacoutot@

Add support for setting _user _class and _shell for a specific daemon,
and use su to start the daemons.
By default if there is no class defined, daemon will be used. For a shell
it defaults to /bin/sh.

remove my debug printf

After discussing with Ingo and Antoine we decided to rename
files to not include -. This way we can easily overwrite
daemon flags from rc.conf.local.

add $

Protect variable names, to be consistent with rc(8).

ok robert@

Remove 'status', because 'check' is what is used internally and we don't
need two functions doing the same thing, and also allow check to run as
non-root.

Missing redirection to /dev/null in rc_start

quote $local_rcconf in [ ] and remove eval from rc_start()

Add a simple 'rc' system to base in order to start/stop/restart/reload
services installed by the ports system (for now).
It only uses pgrep/pkill to handle these processes. A manual page will
come later.

'put it in' deraadt@

Drop support for $rcexec; people should now use the rc_exec function.

prodded by jsg@

_rc_quirks is only called by _rc_parse_conf, so just merge the two.

ok robert@ sthen@ kn@

Make rc_configtest behave like rc_pre and rc_post; i.e. don't define a default
function (each rc.d script is supposed to define its own if wanted).
This way, we can filter out the "configtest" action depending on whether the
function exists or not.
Adapt documentation.

tweak/ok kn@

Add a new action: "configtest", to check configuration syntax of the daemon.
A few adjustments will be done in the next days (like disabling this action if
there's no specific rc_configtest function defined).

e.g.
/etc/rc.d/sshd configtest
rcctl configtest sshd

idea from naddy@

When using logger(1), also log the message to standard error so we don't
have to check syslog when running in debug mode (`-d').

Introduce the rc_configtest() function.
By default it just returns "0" but can be overriden by rc.d scripts to check
that the daemon configuration is valid when running "start", "reload" and
"restart".

Introduce a new daemon_execdir variable for changing to a specified directory
before running rc_rcexec.

Based on an proposal from openbsd.tech at aisha.cc
ok robert@ abieber@

Replace the $rcexec variable by an rc_exec function.
It is much cleaner to the eyes and makes more sense from a functionnal point of
view.
This will allow to extend rc_exec with other functionnalities (like upcoming
rc_startdir).
Bonus point: daemon_logger will now work with manually crafted rc_start
functions.

This will require a mechanical change from ${rcexec} to rc_exec in rc.d scripts.
ports will be fixed right after this commit but we will keep compatibility to
give a chance to people to fix their custom scripts.

positive tests from a few
ok robert@

look for the login class in both login.conf and login.conf.d/${class}

ok aja@

Tidy up; no change.

Improve and simplify timer handling in "stop" and "reload".
Rename _rc_wait to _rc_wait_for_start since only "start" uses this now (to
handle rc_bg daemons).
In any situation, none of these actions should be able to hang boot or shutdown.

We should now be able to manage most corner cases out there ("most" because it's
unreasonable to assume we can cope with all the non-default
rc_{start,stop,reload} crazyness).

Several tests have been made and no obvious regression has been found.
But that doesn't mean there isn't; if some behavior changed for the worst, talk
to me.

ok robert@ sthen@

Consistency in test; no behavior change.

Set SECONDS to 0 in _rc_wait.
While this is not strictly required, it's a failsafe and more fair to
daemon_timeout as we will effectively wait for the start/stop/reload sequence
instead of the duration of the rc.d script itself.

Simplify _rc_exit.

Run "_rc_wait stop" _before_ stopping the daemon and not after...
This doesn't change the default behavior but fixes rc.d scripts with a home made
rc_stop() function that can block and potentially hangs halt/reboot forever.

ok robert@

Return 0 in case we reach KILL; this allows "restart" to work as expected
in this situation.

reported by and ok robert@

check that the rc script including rc.subr is using ksh; rc.subr uses ksh
features and scripts will not work correctly with sh. tweak jca/ok kn/
ok with direction aja

rc_reload_signal & rc_stop_signal are not rc.conf(8) variables; they're
only for rc.d scripts.

Speed up _rc_wait: only sleep 1/2 second between rc_check tries and make sure
we have at least 1s for SIGTERM to do its job.

Use built-in SECONDS instead of hand roller timer.

with a tweak from kn@
ok sthen@

Always run _rc_rm_runfile when process is sent a SIGKILL or rc_post fails (at
this point the process has been terminated).

Drop uneeded sleep.

Allow passing a different signal than SIGTERM in the default rc_stop()
function. This will allow to simplify some rc.d script that cook there own
function to gracefully stop a process (e.g. web servers). There are other use
cases as well.
And do the same for rc_reload because it's cheap and can also simplify a
handful of rc.d scripts.

Behave like shutdown and if the process is still not down after daemon_timeout
(configurable; default to 30s), then send a SIGKILL.

While here, factorise pkill invocations into a _rc_sendsig() function that can
potentially be used by rc.d scripts instead of cooking pkill lines; this will
benefit from the configured routing table etc.

tested & ok robert@

Shuffle things around to have FUNCS_ONLY higher in the script so consummers
source only what they really needs.
Only expose the following which are used by /etc/rc, netstart and rcctl:
_rc_parse_conf
_rc_check_name
_rc_err
_rc_do
_rc_quirk

ok sthen@

Add logger(1) support for daemons that are logging to stdout/stderr (mostly from
the go ecosystem).
Properly handle failing daemon startup now that we have pipefail.

To take advantage of this new feature, just add foo_logger=facility to the
daemon rc.d(8) script or in rc.conf.local(8) or use rcctl:
rcctl set foo logger daemon.info

tweak for checking flags in rcctl(8) from martijn@
"this looks pretty good" deraadt@
ok sthen@

Use su -fl to avoid sourcing /etc/profile / the target user's .profile

This way rc.d and rcctl don't suffer from side effects in people's rc
files. If you somehow used those files to set environment variables,
you should have used login.conf as described in rc.d(8) instead.

ok ajacoutot@

Sort variables and fix a comment.
No functional change.

Do not run _rc_parse_conf of /var/run/rc.d/foobar on "start".
This is needed in case a foobar fails to start but still returns 0. Changing its
flags (in rc.conf.local) would then get ignored because of this cache (which is
around to handle stop/check/reload on flags changes).

claudio@ reported this issue when struggling with prometheus several weeks ago

Remove dependency on basename(1).

prodded by deraadt@
ok kn@ deraadt@ tb@

Start in the daemon configured routing table and not in the one we're currently
in. This fixes the case where one would be in a non default rdomain shell then
run an rdomain 0 rc.d daemon.

reported by YASUOKA Masahiko and Pierre Emeriaud
ok sthen@ claudio@ benno@

The shell will strip the quotes from daemon_flags when starting a daemon so make
sure pexp matches the process (i.e. doesn't include the quotes).
It's a bit hackish but it allows things like these in rc.conf.local:
relayd_flags=-D IPS="1.2.3.4 2.3.4.5"

And we properly end up with...
$ grep ^pexp /var/run/rc.d/relayd
pexp=/usr/sbin/relayd -D IPS=1.2.3.4 1.2.3.5
... which matches what is in the process list:
root 14217 <snip> 0:00.01 /usr/sbin/relayd -D IPS=1.2.3.4 1.2.3.5

There's always the possibility that we have introduced a regressions with hand
crafted functions in rc.d scripts (mostly from packags), so watch out.

reported by and debugged with claudio@

Revert previous (for now).
semarie found a few regressions with daemon that will fail if cwd is not
accessible.

Change the way we call su(1) in rcexec:
- drop `-'l' to prevent simulating a full login and running /root/.profile
(prodded by a mail from J Greely)
- use `-m' to preserve the environment because we now set HOME to "/" like
/etc/rc does; note that we now also clear the environment using `env -i' before
running su(1) which leaves us with only HOME, PATH and SHELL

Committing early to catch regressions fast, if any.
ok halex@

Temporarily disable the second call to rc_check until I figure out what
is going on. Should fix another case of false negative reported by sthen
(redis).

Fix logic in _rc_wait to properly cope with setproctitle(3) daemons. It was a
regression from my recent rc.subr changes.

reported by deraadt@ and naddy@ : pflogd was marked as failed during boot while
it was properly running

Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the
reordering of libraries by rc(8). This way machines with very slow disk I/O
have a chance of booting within reasonable time now that libcrypto is also
randomized.

Discussed with various;
input & ok from deraadt ajacoutot

Move check later to mitigate a possible race.

Indent and rename var; no functional change.

When a daemon reaches its timeout when starting, display "timeout" instead
of "ok" so the user is warned and has a chance to fix it (most of the time
due to bogus flags). Daemons reaching the timeout without being able to
start are still marked as "failed" (which should also give a clue to the
user that some investigation is needed).

prodded by beck@ a while ago
discussed with and ok sthen@

Drop useless lines continuation; no functional change.

Ok turns out we still want to keep the rc_bg variable around but we need
to know which daemon cannot background themselves (actually we want to
know the opposite, but there are much more). However, it's only needed in
_rc_wait and rc.subr still does its magic without the need to add `&'.

Add an ALRM timer to cope with 2 annoying issues in rc.d(8):
- prevent a daemon from hanging the boot
(typo in your flagsm e.g. httpd_flags=-d)
- make sure we can get the status of a backgrounded daemon instead of always
returning success

Side effect of this is that we can kill a knob! rip rc_bg :-)
Ports will need love, and a second commit is coming for that.

The diff is small yet not trivial so I am committing early in the release
process in one shot so it can easily be reverted if needed. I started working on
this during g2k16 in Cambridge then finished it in Brisbane for a2k17 where
robert@, beck@ and sthen@ agreed it was the correct way to go and I should move
ahead with it post 6.1.

If you see any regression, please talk to me!

Stop supporting the historical way of starting ypbind(8); that is setting
'ypbind_flags=""' when domainname is set and /var/yp/binding exists.
This can lead to inconsistent behavior at startup since /var may not be
mounted yet and /etc/rc's start_daemon() will not start ypbind.

A.K.A. make ypbind startup consistent with all other OpenBSD daemons.

ok deraadt@

Whitespace.

Introduce an _rc_check_name() function to check the input script name so that
we don't end up with cryptic error messages.
Regex help from rpe@
Issue reported by Anthony Coulter in rcctl(8), but better fix the root cause.

Also clarify the mage page that rc.d script name must follow ksh(1) variable
naming.

ok robert@ sthen@

use tab.

signal name should be first, fixes reload; ok deraadt@

Experiment on matching on the daemon_user is over. It needs more work.
portmap isn't happy with it as reported by naddy@

Revert the revert and match on the daemon_user again.
We'll see if something else breaks but it's the right thing to do.

discussed with robert@

Revert matching on the daemon user for now; it breaks sndiod handling which
does start as root but does not have a root master process and instead
changed its uid.

reported by deraadt@

Bump copyright.

Introduce rtable(4) support to rc.subr(8).
It works by adding daemon_rtable=$id in /etc/rc.conf.local.
rcctl(8) support coming in a few and so are the man pages bits.

If you want multiple instances of the same daemon running in different
routing tables, just symlink the original rc.d script.
e.g.
# cd /etc/rc.d && ln -s dhcpd dhcpd42

Then enable your daemons as such in rc.conf.local:
dhcpd_flags=
dhcpd42_flags=
dhcpd42_rtable=42

most work done by Jiri B <jirib@devio.us>; with a few tweaks and simplifications
by yours truly
ok robert@

... should make henning happy ;-)

Extend _RC_RUNFILE (/var/run/rc.d/scriptname) content with:
daemon_class, daemon_flags, daemon_timeout, daemon_user, pexp

Add "pexp" as a valid variable to _rc_parse_conf() and sort the list while here.

Besides having an easy way to see how a daemon was started exactly, it opens the
door to rdomain/rtable support in rc.d(8). We need to have as much information
on a daemon as possible if we want to target a specific rtable (using -T) and it
also makes it easier to start multiple instances of the same daemon with similar
flags as a different user...
Of course that only works with rc.d scripts *not* overwritting the default rc_*
functions.

Man page tweaks coming later.

discussed with and ok robert@

Make it possible to get usage as a non-root user.

ok robert@

Handle the rc_stop=NO => rc_restart=NO case within _rc_not_supported().

Revert, rc.d scripts have been fixed.

Comment the wait for start until I fix the x11 managers rc.d script.

After starting, unconditionally wait up to $daemon_timeout seconds to check that
the daemon is actually running (instead of only when using rc_bg).

This *may* trigger the following side effect: if a daemon starts then stops
right away (because of a config parsing issue for e.g.), then it will slow down
the boot process because rc will wait a bit before considering the start action
failed. But at least it will allow us to detect those daemons and fix them or
their rc.d(8) script.

At least as far as I can tell, all base daemons should cope with it just fine.

ok sthen@ robert@ on an earlier diff

Tidy up _rc_wait().

ok sthen@ robert@

It does not make sense to insert a specific route for 224/4 when the
default one is good enough.

So merge rc.conf(8)'s 'multicast_router' and 'multicast_host' into a
single 'multicast'. If set to YES the reject route for 224/4 is not
inserted by netstart(8).

Manual bits from jmc@

ok henning@, ajacoutot@

Missing local.

ok schwarze@

By default, require an exact match of the process name and argument list.
This allows running several instances of the same rc.d(8) script by just
linking it to different name.
e.g.
ln -s ftpproxy ftpproxy6
echo 'ftpproxy6_flags=-6' >>/etc/rc.conf.local

This is likely to break some rc.d scripts in ports. I will try and fix them all
in the next few days but I'd appreciate reports if I missed some.

ok halex@

Always use the default flags when running !start.
This is necessary so that rc.d scripts launched with `-f' can be properly
stopped, checked and reloaded.

ok schwarze@

Merge comments.

Really make daemon_class read-only; it's set to "daemon" of a matching
login class.

No more pf_rules ipsec_rules.

Check arguments before eval so we don't end up with a cryptic error message.
reported by jasper@

While here: _rc_is_supported() -> _rc_not_supported()
- saves a fork
- reduces triple negation to double negation in _rc_not_supported()
- simplifie condition for rc_restart=NO
from schwarze@

ok jasper@ schwarze@

_rc_err(): only display error message if there's an actual one.
Remove an exit() statement that could never be reached.

Fix return code of _rc_quirks().
ok robert@

Add a comment about the default values being duplicated in rcctl(8).
discussed with schwarze@

"reload" should fail if the service is not running in the first place.

ok robert@ sthen@

Make it possible to pass a specific error code to _rc_err().

ok robert@ schwarze@

Put _rc_err argument under quotes to respect the syntax we are passing.

Fix reversed logic.

ok schwarze@

Drop uneeded parenthesis in usage().

ok schwarze@

Drop unused variables.

In debug mode, make it clear when we are using the default flags when
none are set.

initial patch from me but reworked by schwarze@
ok schwarze@

In debug mode (`-d'), only print the flags relevant to the rc.d(8) we are
calling instead of all flags which makes it very difficult to see the
information we actually need.

ok schwarze@ robert@

Drop sanitation, _rc_parse_conf does this for us already.

ok schwarze@

When running interactively, display the output of the "check" action
(ok or failed) like we do with all other actions.

ok jung@ rpe@

Typo.

ok kili@