From 145668c3dd67c5271eddcb62d1e7843487d768a7 Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Tue, 15 Oct 2024 23:35:53 -0400 Subject: huge amount of fixes --- scripts/os/freebsd/10-cpu | 2 ++ scripts/os/freebsd/10-sysctls | 2 ++ scripts/os/freebsd/20-zfs | 2 +- scripts/os/freebsd/50-idm | 9 +++++++-- scripts/os/freebsd/51-autofs | 33 +++++++++++++++++++++++++++++++++ 5 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 scripts/os/freebsd/51-autofs (limited to 'scripts/os/freebsd') diff --git a/scripts/os/freebsd/10-cpu b/scripts/os/freebsd/10-cpu index adc27d4..ea2afcf 100644 --- a/scripts/os/freebsd/10-cpu +++ b/scripts/os/freebsd/10-cpu @@ -19,6 +19,8 @@ sysrc -v \ performance_cx_lowest="$cx_lowest" \ economy_cx_lowest="$cx_lowest" +set_loader_conf machdep.hwpstate_pkg_ctrl=0 + # Set energy/performance preference for Intel P-states. # 0 = most performance, 100 = most power savings if sysctl -n dev.hwpstate_intel.0.epp >/dev/null 2>&1; then diff --git a/scripts/os/freebsd/10-sysctls b/scripts/os/freebsd/10-sysctls index 865544a..b07a46c 100644 --- a/scripts/os/freebsd/10-sysctls +++ b/scripts/os/freebsd/10-sysctls @@ -70,6 +70,8 @@ if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then security.bsd.see_other_gids="$see_other_uids" \ security.bsd.see_other_uids="$see_other_uids" \ security.bsd.unprivileged_read_msgbuf=0 \ + vfs.nfsd.enable_locallocks=0 \ + vfs.nfsd.issue_delegations=1 \ vfs.zfs.min_auto_ashift=12 # FreeBSD automatically scales kern.maxfilesperproc with the amount of memory. diff --git a/scripts/os/freebsd/20-zfs b/scripts/os/freebsd/20-zfs index aa37c0a..1cdc465 100644 --- a/scripts/os/freebsd/20-zfs +++ b/scripts/os/freebsd/20-zfs @@ -3,7 +3,7 @@ # Every host should have a "state" dataset, which is a ZFS dataset which # persists across OS rebuilds. [ -n "${state_dataset:-}" ] || die 'state_dataset not defined!' -create_dataset "$state_dataset" +create_dataset -o mountpoint=none "$state_dataset" # If this is baremetal host or a VM, trim the zpools periodically. if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm index d9c2541..0a9e882 100644 --- a/scripts/os/freebsd/50-idm +++ b/scripts/os/freebsd/50-idm @@ -20,7 +20,8 @@ pkg install -y \ # Configure PAM/NSS integration. install_file -m 0644 \ /etc/nsswitch.conf \ - /etc/pam.d/sshd + /etc/pam.d/sshd \ + /etc/pam.d/sudo install_template -m 0644 \ /etc/krb5.conf \ @@ -114,7 +115,11 @@ install_file -m 0555 \ /usr/local/libexec/idm-ssh-authorized-keys # Create user for running SSH AuthorizedKeysCommand. -add_user -u "$ssh_authzkeys_uid" -g "$host_keytab_groupname" "$ssh_authzkeys_username" +add_user \ + -u "$ssh_authzkeys_uid" \ + -g "$host_keytab_groupname" \ + -d /nonexistent \ + "$ssh_authzkeys_username" # Enable and start nslcd/nscd. sysrc -v \ diff --git a/scripts/os/freebsd/51-autofs b/scripts/os/freebsd/51-autofs new file mode 100644 index 0000000..4fe3c52 --- /dev/null +++ b/scripts/os/freebsd/51-autofs @@ -0,0 +1,33 @@ +#!/bin/sh + +# NFS mounts are not supported within jails. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" = jail ] || \ + [ "$BOXCONF_HOSTCLASS" = nfs_server ] || \ + [ "${enable_idm:-}" = false ] || \ + [ "${enable_autofs:-}" = false ]; then + return 0 +fi + +: ${nfsuserd_cache_size:='256'} +: ${nfsuserd_num_servers:='4'} +: ${nfsuserd_cache_timeout:='1'} + +sysrc -v \ + nfsuserd_enable=YES \ + nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \ + gssd_enable=YES \ + gssd_flags='-h -s /tmp' \ + gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab" + nfs_client_enable=YES \ + nfscbd_enable=NO \ + nfscbd_flags="-p ${nfscbd_port} -P host" \ + autofs_enable=YES + +install_file -m 0644 /etc/auto_master +install_file -m 0555 /usr/local/libexec/idm-autofs-map +ln -snfv /usr/local/libexec/idm-autofs-map /etc/autofs/include + +# No nfscbd: causes kernel panics on FreeBSD 14.1 +for service in gssd nfsclient nfsuserd automount automountd autounmountd; do + service "$service" status || service "$service" start +done -- cgit v1.2.3