That's the way how DragonFlyBSD devs solved the problem
https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/451640b7cf6bcf7826b901ac9a51647442adb96b

Add SPDX BSD-2-Clause to safe_eval.sh

Use local.rc.subr rather than rc.subr.local

Validate load_rc_config_reader

Implement some feedback

Update doc in debug.sh

rc.subr add comment explaining the no-op Debug{On,Off} and safe_dot
at the end - in case the real ones could not be found.

Tweak debug.sh.8, use .Fn when refering to functions called.

Man page tweaks

Add man page for debug.sh

Further man page tweaks

Make a start on man pages

Fix some style issues in rc.subr

Will have a go at the style issues.

The comments for rc.subr also apply to the new files.
What about a man page update how to turn on the debug feature? To my current understanding DEBUG_SH can be set interactively in the loader, and administratively in loader.conf... maybe also in rc.conf? So more than one man page to touch at least with a cross-ref.

Check for -f as well as -s

This is overcome by D43671

Note: If the format of rc_log is deemed undesirable we could move it (and rc_trace) to rc.subr.local and just put a place holder in rc.subr

I know a few folk are interested in using mac_veriexec, but we could push the guts of vdot etc into rc.subr.local (I've moved it to the end of the file) and just put a place holder here like vdot() { dot "$@"; }. It is the callouts in run_rc_* etc which are most important.

Resigning from this; I tried to provide feedback over IRC, but that was seemingly not well-received (and questions unanswered) and I'm not interested in reviewing this as-is. I'd much prefer splitting it into two scripts, one with, e.g., verbs, that manages wireguard interfaces and then the rc script that simply drives that in an obvious way. The last objection I heard was that there's too much state to pass around, but it's not at all clear why unless this is trying to mix way too much rc.conf configuration in with wg config.

OK for the man page change. Make sure to bump the .Dd when you commit it for this content change.
Thanks for working on this, it's appreciated!

• make some scripts compatible with svcj (convert parts of the precmd into another way of settings variables), precmd is not run inside the same shell/jail = make it work with svcj
• add some support for nfs in svcj, not yet finished (precmd is not comaptible)
• exclude some scripts from svcj due to an incompatible precmd (not run in same shell/jail)

Make jls quiet.

In D41318#980524, @pauamma_gundo.com wrote:

No manual page to review, yet manpages is a group reviewer. Did a file get accidentally left out?

No manual page to review, yet manpages is a group reviewer. Did a file get accidentally left out?

In D36309#977969, @eugen_grosbein.net wrote:

In D36309#935684, @jlduran_gmail.com wrote:

Is there a reason why this change was not MFCd? Thank you!

Forgot about it. I've just merged it downto stable/12.

In D36309#935684, @jlduran_gmail.com wrote:

Is there a reason why this change was not MFCd? Thank you!

This script looks very promising, but it won't be easy to fulfill all committers' needs, but perhaps it would be easier to make it available as a port, for example, net-mgmt/ng_bpf_firewall ?

Only rc.d/opensm is missing.

Maybe to add to that: the main motivation was a user-side precmd type hook support since the precmd is hard or impossible to overwrite (being used in the rc scripts defined by the ports) and name_setup=path/to/file seemed to be the easiest solution.

Set up script variable:

can you show me an example of this in action?
how are you using it in your ports?

@oshogbo I've updated this again fixing a remaining issue with restart_precmd -- if you can find the time to review I'd appreciate it.

update to latest

Add support for nfs. Sort the options.

Add config for some more services.

Please send me the git-formatted patch, with the metadata filled in. Most important, please set the author field to appropriate name/email.

Incorporated feedback.

Change what was noticed in comments. Add a feature to enable the execution of extra commands inside the service jail.

This is my first review here, I hope to not be stepping on any toes. If I have, please correct me so I might do better next time. Overall your wireguard startup mechanism looks good and my suggestions are strictly cosmetic in nature. I would not be at all disappointed if this patch were committed unaltered.

Follow-up to discussion in IRC,

This has landed in 5ac2a874d070, closing it.

Two fixes for the man page.

The interface name restriction function is a judgment call restricting users from creating problematic (for shell scripts) interface names. Applying the same restrictions to existing services like netif and routing could break (partly) working configurations.

first pass…

Is there a reason why this change was not MFCd? Thank you!

I don't know the technology for this change, but the wording is good now.

address @grahamperrin's review

arc swallowed my previous commit

address @debdrup's review

I only spotted a minor nit.

So where is this review? It seems to have wound down a bit.

Changed novnetjail to nojailvnet.

s/novnetjail/nojailvnet/

Just use the KEYWORD novnetjail to indicate the
daemons can run in a vnet jail, as suggested by jamie@.