Published: 06.08.2012 | Level: specialist | Access: paid
Lecture 30:

FreeBSD configuration file

These parameters describe the use of alternate keyboard mappings and fonts, and they apply to the standard character-based terminals only. See the files in /usr/share/syscons/keymaps for key map files, and /usr/share/syscons/fonts for alternate fonts. These parameters have no effect on the X-based displays that this book assumes. You can enable a screen saver by setting the variable saver to the name of a screen saver kernel module rather than to YES: saver="daemon", for example, loads the daemon_saver module.

moused_enable="NO"       # Run the mouse daemon.
moused_type="auto"       # See man page for available settings.
moused_port="/dev/psm0"  # Set to your mouse port.
moused_flags=" "         # Any additional flags to moused.
mousechar_start="NO"     # if 0xd0-0xd3 default range is occupied in your
                         # language code table, specify alternative range
allscreens_flags=" "     # Set this vidcontrol mode for all virtual screens
allscreens_kbdflags=" "  # Set this kbdcontrol mode for all virtual screens

Parameters for moused, a mouse driver for the character-based terminals, and global flags for virtual screens. If you're using an X server, you should run moused. On andante, we add this line to /etc/rc.conf:

moused_enable="YES"

Next follow some definitions for the alternative console driver pcvt, which we don't look at here, followed by a section describing the mail configuration:

############################################################
### Mail Transfer Agent (MTA) options ######################
############################################################
mta_start_script="/etc/rc.sendmail"  # Script to start your chosen MTA
# Settings for /etc/rc.sendmail:
sendmail_enable="NO"             # Run the sendmail inbound daemon (YES/NO).
sendmail_flags="-L sm-mta -bd -q30m"  # Flags to sendmail (as a server)
sendmail_submit_enable="YES"     # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
                                 # Flags for localhost-only MTA
sendmail_outbound_enable="YES"   # Dequeue stuck mail (YES/NO).
sendmail_outbound_flags="-L sm-queue -q30m"  # Flags to sendmail (outbound only)
sendmail_msp_queue_enable="YES"  # Dequeue stuck clientmqueue mail (YES/NO).
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"

Since FreeBSD Release 5, the sendmail MTA is no longer enabled by default: with the settings above, the only daemon that listens for connections is the submission daemon, and its -ODaemonPortOptions=Addr=localhost flag binds it to the loopback address, so the machine does not accept mail from the network. If you have been running sendmail on an older release of FreeBSD and want to keep accepting inbound mail, add sendmail_enable="YES" to /etc/rc.conf.

##############################################################
### Miscellaneous administrative options #####################
##############################################################
cron_enable="YES"              # Run the periodic job daemon.
cron_program="/usr/sbin/cron"  # Which cron executable to run (if enabled).
cron_flags=" "                 # Which options to pass to the cron daemon.

Run cron, the daemon responsible for running things at specific times. See page 151 for a description of cron. Leave this enabled unless you have a good reason not to.

lpd_enable="NO"              # Run the line printer daemon.
lpd_program="/usr/sbin/lpd"  # path to lpd, if you want a different one.
lpd_flags=" "                # Flags to lpd (if enabled).

See page 263 for a discussion of printing. In older releases of FreeBSD, lpd_enable was set to YES. Now, to run lpd, we need to put the following line in /etc/rc.conf for both gw and adagio:

lpd_enable="YES"  # Run the line printer daemon.

Next, we see:

usbd_enable="NO"  # Run the usbd daemon.
usbd_flags=" "    # Flags to usbd (if enabled).

Run usbd, the Universal Serial Bus or USB daemon. See the man pages usbd(8) and usb(4) for more information.

dumpdev="NO"          # Device name to crashdump to (if enabled).
dumpdir="/var/crash"  # Directory where crash dumps are to be stored
savecore_flags=" "    # Used if dumpdev is enabled above, and present.

These parameters specify how to take dumps when the system panics. See page 83 for details. As mentioned there, it is preferable to set dumpdev in /boot/loader.conf: that way you can still get a dump if your system panics before it reads /etc/rc.conf, so we don't change anything here.

Continuing with /etc/defaults/rc.conf,

enable_quotas="NO"      # turn on quotas on startup
check_quotas="YES"      # Check quotas on startup
accounting_enable="NO"  # Turn on process accounting
ibcs2_enable="NO"       # Ibcs2 (SCO) emulation loaded at startup
ibcs2_loaders="coff"    # List of additional Ibcs2 loaders
sysvipc_enable="NO"     # Load System V IPC primitives at startup
linux_enable="NO"       # Linux binary compatibility loaded at startup
svr4_enable="NO"        # SysVR4 emulation loaded at startup
osf1_enable="NO"        # Alpha OSF/1 emulation loaded at startup

We don't discuss quotas or accounting in this book. We looked at the parameters ibcs2_enable on page 164 and linux_enable on page 163. We also don't discuss System V and OSF-1 emulation.

clear_tmp_enable="NO"  # Clear /tmp at startup.

In the old days, the startup sequence automatically deleted everything in the file system /tmp. Sometimes this wasn't desirable, so now it's your choice. Change this value to YES if you want the old behaviour.

Note that if you use a /tmp based on MFS (memory file system), this variable has no effect. The contents of MFS file systems disappear on reboot.

ldconfig_insecure="NO"  # Set to YES to disable ldconfig security checks
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib"
                        # shared library search paths
ldconfig_paths_aout="/usr/lib/compat/aout /usr/X11R6/lib/aout /usr/local/lib/aout"
                        # a.out shared library search paths

ldconfig maintains the dynamic library hints cache that the run-time linker uses to find shared libraries when starting most processes. This is a potential security issue: a library directory that anyone can write to would let that user drop a library that every dynamically linked program, including privileged daemons, then loads. ldconfig therefore performs security checks before accepting a directory: it must be owned by root and must not be writable by group or others, otherwise the directory is skipped. If you really want to, you can disable these checks by setting ldconfig_insecure to YES, which runs ldconfig with its -i option. The two other variables are lists of the directories that are searched to find ELF and a.out dynamic libraries, respectively. See page 638 for more details. You would normally not remove anything from these lists, but you might want to add something, and anything you add must pass the same ownership and permission checks.

kern_securelevel_enable="NO"  # kernel security level (see init(8)),
kern_securelevel="-1"         # range: -1..3; '-1' is the most insecure
update_motd="YES"             # update version info in /etc/motd (or NO)

The kernel runs with five different levels of security. Any super-user process can raise the security level, but only init can lower it. The security levels are:

  • -1 Permanently insecure mode: always run the system in level 0 mode. This is the default initial value.
  • 0 Insecure mode: the immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
  • 1 Secure mode: the immutable and append-only flags may not be turned off. Disks for mounted file systems, /dev/mem and /dev/kmem may not be opened for writing, and kernel modules may not be loaded or unloaded.
  • 2 Highly secure mode. This is the same as secure mode with the addition that disks may not be opened for writing (except by mount(2)), whether or not they are mounted. This level precludes tampering with file systems by unmounting them, but it also prevents running newfs(8) while the system is multi-user.
  • 3 Network secure mode. This is the same as highly secure mode with the addition that IP packet filter rules (see page 389) can not be changed and dummynet configuration can not be adjusted. We don't discuss dummynet in this book.

To set the secure level to anything except -1, set the variable kern_securelevel to the value you want, and set kern_securelevel_enable to YES.
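Because /etc/rc reads /etc/defaults/rc.conf first and then /etc/rc.conf on top of it, the effect of a setting is only visible once both files are combined. The script below is an added example, not the book's code or part of FreeBSD: it sources a defaults file and an override file in that order inside a subshell and reports what the boot would do with the two security-relevant settings discussed above, the sendmail listeners and the kernel securelevel. The sample files it writes are constructed stand-ins for /etc/defaults/rc.conf and /etc/rc.conf, and the function names are my own. Sourcing a file executes it, so only point the functions at files you trust, exactly as /etc/rc has to.

```shell
#!/bin/sh
# Added example (not the book's code): evaluate an rc.conf overlay the way
# /etc/rc does and report the resulting securelevel and SMTP exposure.

# effective_securelevel FILE...: source the files in order and print the
# securelevel /etc/rc would request.  It is raised only when
# kern_securelevel_enable is YES and kern_securelevel is 0..3; otherwise the
# kernel stays at -1 (permanently insecure).
effective_securelevel() {
    (
        for f in "$@"; do . "$f"; done
        case "$kern_securelevel_enable" in
            [Yy][Ee][Ss]) ;;
            *) echo "-1"; exit 0 ;;
        esac
        case "$kern_securelevel" in
            0|1|2|3) echo "$kern_securelevel" ;;
            *) echo "-1" ;;
        esac
    )
}

# smtp_exposure FILE...: print "network" if an SMTP daemon would accept
# connections from other hosts, "localhost" if only the loopback-bound
# submission daemon runs, "none" if no daemon is started at all.
# sendmail_enable=YES starts the full daemon (-bd) on every address; the
# submission daemon stays confined as long as its flags keep Addr=localhost
# (this assumes the default -bd is still present in sendmail_submit_flags).
smtp_exposure() {
    (
        for f in "$@"; do . "$f"; done
        case "$sendmail_enable" in
            [Yy][Ee][Ss]) echo network; exit 0 ;;
        esac
        case "$sendmail_submit_enable" in
            [Yy][Ee][Ss])
                case "$sendmail_submit_flags" in
                    *Addr=localhost*|*Addr=127.0.0.1*) echo localhost ;;
                    *) echo network ;;
                esac ;;
            *) echo none ;;
        esac
    )
}

# write_sample_configs DIR: constructed stand-ins for the two real files.
write_sample_configs() {
    cat > "$1/defaults.rc.conf" <<'EOF'
sendmail_enable="NO"
sendmail_submit_enable="YES"
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
kern_securelevel_enable="NO"
kern_securelevel="-1"
EOF
    cat > "$1/local.rc.conf" <<'EOF'
sendmail_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
d=$tmp/defaults.rc.conf; l=$tmp/local.rc.conf
echo "defaults only:     securelevel $(effective_securelevel "$d"), SMTP $(smtp_exposure "$d")"
echo "with /etc/rc.conf: securelevel $(effective_securelevel "$d" "$l"), SMTP $(smtp_exposure "$d" "$l")"
rm -rf "$tmp"
```

On a real system replace the two sample paths with /etc/defaults/rc.conf and /etc/rc.conf; the first line then shows what a machine with an empty /etc/rc.conf would do, the second what yours will do at the next boot.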

start_vinum="NO"  # set to YES to start vinum

We looked at Vinum on page 221. There we put the following text into /etc/rc.conf to start it on booting:

start_vinum="YES"  # set to YES to start vinum

Finally we have a few miscellaneous entries:

unaligned_print="YES"          # print unaligned access warnings on the alpha
entropy_file="/entropy"        # Set to NO disables caching entropy through reboots
entropy_dir="/var/db/entropy"  # Set to NO to disable caching entropy via cron.
entropy_save_sz="2048"         # Size of the entropy cache files.
entropy_save_num="8"           # Number of entropy cache files to save.
harvest_interrupt="YES"        # Entropy device harvests interrupt randomness
harvest_ethernet="YES"         # Entropy device harvests ethernet randomness
harvest_p_to_p="YES"           # Entropy device harvests point-to-point randomness
dmesg_enable="YES"             # Save dmesg(8) to /var/run/dmesg.boot

unaligned_print is a diagnostic tool for the Alpha processor; there's a good chance it will go away. dmesg_enable saves the boot messages to the file /var/run/dmesg.boot. Leave it this way; the messages are often useful for reference, and after a certain number of messages, they get flushed from the kernel internal message buffer.

The other variables configure entropy harvesting for the random number devices, /dev/random and /dev/urandom, and the entropy that is saved across reboots. See random(4) for further details. Under normal circumstances you shouldn't change them.
