git: cb57f50e6404 - main - defaults: oomprotect sshd and local_unbound

From: Alexander Leidinger <netchild_at_FreeBSD.org>
Date: Mon, 13 Nov 2023 08:50:14 UTC
The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/src/commit/?id=cb57f50e6404389e4314025caea487d63ddf0ee4

commit cb57f50e6404389e4314025caea487d63ddf0ee4
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2023-11-13 08:48:51 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2023-11-13 08:48:51 +0000

    defaults: oomprotect sshd and local_unbound
    
    Add sshd and local_unbound to the oom protected services.
    syslogd is protected by default already, document it.
    
    This was discussed on arch@, see
        https://lists.freebsd.org/archives/freebsd-arch/2023-November/000543.html
    
    sshd is protected to be able to investigate and fix oom issues on systems
    which don't have out-of-band console access.
    local_unbound is protected as it may be enabled for local use and without
    DNS a lot grinds to a halt (including sshd).
    
    Relnotes:               yes
    MFC after:              1 month
    Differential Revision:  https://reviews.freebsd.org/D42544
---
 libexec/rc/rc.conf       |  2 ++
 share/man/man5/rc.conf.5 | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 26e189953044..3269288728b6 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -318,6 +318,7 @@ ggated_config="/etc/gg.exports"	# ggated(8) exports file.
 ggated_flags=""			# Extra parameters like which port to bind to.
 ctld_enable="NO"		# CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO"	# Local caching DNS resolver
+local_unbound_oomprotect="YES"	# Don't kill local_unbound when swap space is exhausted.
 local_unbound_tls="NO"		# Use DNS over TLS
 blacklistd_enable="NO"		# Run blacklistd daemon (YES/NO).
 blacklistd_flags=""		# Optional flags for blacklistd(8).
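Review bot: The comment on `local_unbound_oomprotect` states only the benefit and not the cost of exempting the resolver from the OOM kill. unbound parses untrusted network responses and holds a cache, so if it is the process exhausting memory, other processes will presumably be killed in its place. I would make the opt-out visible next to the default, e.g. `# Don't kill local_unbound when swap space is exhausted (NO to disable).`, and have the rc.conf(5) note mention keeping the resolver's cache sizes bounded in its configuration.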
@@ -364,6 +365,7 @@ pppoed_provider="*"		# Provider and ppp(8) config file entry.
 pppoed_flags="-P /var/run/pppoed.pid"	# Flags to pppoed (if enabled).
 pppoed_interface="em0"		# The interface that pppoed runs on.
 sshd_enable="NO"		# Enable sshd
+sshd_oomprotect="YES"		# Don't kill sshd when swap space is exhausted.
 sshd_program="/usr/sbin/sshd"	# path to sshd, if you want a different one.
 sshd_flags=""			# Additional flags for sshd.
 ftpd_enable="NO"		# Enable stand-alone ftpd.
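Review bot: The comment `# Don't kill sshd when swap space is exhausted.` reads broader than what `YES` does. As I read the `_oomprotect` description in rc.conf(5), `YES` protects only the service's main process and `ALL` extends that to its children, so here the listening sshd is exempt while per-connection processes of existing sessions can still be killed. That looks like the right trade-off for a network-facing daemon, since an administrator can reconnect and session processes stay reclaimable, but the comment should say so: `# Don't kill the sshd listener when swap space is exhausted (YES: main process only).`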
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index a76cb1a04e0a..ad84bcbd576c 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd September 18, 2023
+.Dd November 13, 2023
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -2318,6 +2318,12 @@ If set to
 run the
 .Xr syslogd 8
 daemon.
+Note, the
+.Va syslogd_oomprotect
+variable is set to
+.Dq Li YES
+by default in
+.Pa /etc/defaults/rc.conf .
 .It Va syslogd_program
 .Pq Vt str
 Path to
@@ -2381,6 +2387,12 @@ If set to
 run the
 .Xr unbound 8
 daemon as a local caching DNS resolver.
+Note, the
+.Va local_unbound_oomprotect
+variable is set to
+.Dq Li YES
+by default in
+.Pa /etc/defaults/rc.conf .
 .It Va nscd_enable
 .Pq Vt bool
 Set to
@@ -3840,6 +3852,12 @@ Set to
 to start
 .Xr sshd 8
 at system boot time.
+Note, the
+.Va sshd_oomprotect
+variable is set to
+.Dq Li YES
+by default in
+.Pa /etc/defaults/rc.conf .
 .It Va sshd_flags
 .Pq Vt str
 If