rpc.tlsservd.c: Pin max threads at 1 for now
PR#289734 reports a crash in tcp_use_close() when the rpc.tlsservd
daemon is being used. Although I have not, as yet, had time to track
down/fix the race, it turns out setting rpctls_maxthreads to 1
avoids the problem.
This patch pins rpctls_maxthreads to 1 to avoid the problem,
until there is a proper fix.
PR: 289734
(cherry picked from commit 7a289fe3cd5c6de7ddbe394b7700b20b0bafdb3e)

vmimage.subr: Sort METALOG before running makefs
When creating VM images from pkgbase, the METALOG may not be in order;
in particular, files may be listed before the directories which contain
them. This causes makefs to create directories with 000 permissions.
Interestingly, such VM images boot just fine, since root ignores those
permissions; the first sign of trouble was sshd refusing logins with an
error message which said absolutely nothing about /etc/ having
incorrect permissions or being unable to read files inside it.
Immediately prior to running makefs, sort the METALOG file. While
we're here, uniquify as well; this does not guarantee that we do not
have duplicate paths, but if there are duplicate paths with different
settings something else has gone wrong and we don't really have any
good way of solving the problem anyway.
Reviewed by: ivy
Hint from: imp
[3 lines not shown]

blocklist-helper: Silence a bogus pf warning
Silence a bogus warning about (an ethernet) anchor not being found.
It has been reported as PR 280516. In the meantime, just sweep under
the carpet.
Approved by: emaste (mentor)
MFC after: 2 days

blocklist: Rename blacklist to blocklist
Follow up upstream rename from blacklist to blocklist.
- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
warning
- Old MK_BLACKLIST* knobs are wired to the new ones
Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code. If issues arise, it
will be swiftly reverted.
Reviewed by: ivy (pkgbase)
Approved by: emaste (mentor)
MFC after: 2 days
Relnotes: yes

blocklist: Revert upstream commit ddf6d71
Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a "one-count"
failure") introduced BLOCKLIST_BAD_USER with a one-count failure
mechanism. BLOCKLIST_AUTH_FAIL was implemented with a two-count failure
mechanism. Since we have been utilizing BLOCKLIST_AUTH_FAIL, the number
of failed attempts now doubles towards the maximum limit (nfails),
giving system administrators the impression that the number of failed
authentication attempts is inaccurate.
Revert this commit until a consensus has been reached. We do not want
to introduce yet another breaking change with the renaming of the
library.
Approved by: emaste (mentor)
MFC after: 2 days

MFV: Import blocklist 2025-04-28 (8aa81bf)
Merge commit '70f30afd4e9af5a51ee324d97e4d8c5f2124ec15'
Breaking changes:
- Upstream commit 24932b6 ("blocklistd: log the conf file line number
with bad protocol errors") breaks backward database compatibility.
An error will be displayed:
Key size mismatch 296 != 288
A new and compatible database, with the new name, will be created when the
service starts (committed separately).
- Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a
"one-count" failure") introduced BLOCKLIST_BAD_USER with a one-count
failure mechanism. BLOCKLIST_AUTH_FAIL was implemented with a
two-count failure mechanism. Since we utilize BLOCKLIST_AUTH_FAIL, the
number of failed attempts now doubles towards the maximum limit
(nfails). This commit will be reverted separately.
[8 lines not shown]

virtual_oss: Move plugins to the sound package
This is the correct place for them, and also issues an incorrect
dependency from utilities to sound.
Fixes: 1b806e607f52 ("packages: Add a sound package")
MFC after: 3 days
Reviewed by: christos, dch
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53015

libbluetooth: Move to the bluetooth-lib package
Move the library, but not any of the runtime. This allows executables
to link against libbluetooth without having to pull in the entire BT
stack.
MFC after: 3 days
Reviewed by: dch, emaste
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53016

libcasper: explicit cast in cap_fileargs header
The implicit cast is incompatible with standard compiler options in a
C++ project, making the library difficult to use.
Signed-off-by: Quentin Thébault <quentin.thebault at defenso.fr>
Sponsored by: Defenso
MFC after: 3 days
Discussed with: kevans
Reviewed by: emaste, vexeduxr
Pull request: https://github.com/freebsd/freebsd-src/pull/1857
(cherry picked from commit 349da4dbff722a58affd13d84729b1d399b41fb3)
(cherry picked from commit 998dd4a11a2b4857a55af8e656feaebc4fc78fe8)

libcasper: explicit cast in cap_fileargs header
The implicit cast is incompatible with standard compiler options in a
C++ project, making the library difficult to use.
Signed-off-by: Quentin Thébault <quentin.thebault at defenso.fr>
Sponsored by: Defenso
MFC after: 3 days
Discussed with: kevans
Reviewed by: emaste, vexeduxr
Pull request: https://github.com/freebsd/freebsd-src/pull/1857
(cherry picked from commit 349da4dbff722a58affd13d84729b1d399b41fb3)

EC2: Fix additional files on small+builder AMIs
The file /usr/local/etc/ssl/cert.pem is not present on "small" and
"builder" AMIs, so we don't need to add it to METALOG.
Fixes: 2b0ffc0ee48c ("EC2: metalog_add missing files from packages")
MFC after: 3 days
Sponsored by: https://www.patreon.com/cperciva

bsdinstall: Tweak pkgbase/dist set labels
Have the button labels refer to the artifact type directly (distribution
sets / packages), and use "Tech Preview" as packaged base is no longer
experimental.
Reviewed by: ivy, cperciva
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52999