how to autostart a daemon at startup

Arch based Porteus community project

Moderator: M. Eerie

vinnie
Shogun
Posts: 210
Joined: 13 Jun 2024, 08:25
Distribution: alpine

Post#1 by vinnie » 04 Jul 2024, 16:59

I wanted to try putting a daemon (opensnitchd) on startup, but right now in live mode (without maintaining the "changes" directory, to be clear).

Maybe there's a cheatcode, I don't know, but I tried to create a module with the necessary settings for openrc, so with these files:

Code:

/etc/init.d/opensnitchd
/etc/opensnitchd/rules
/etc/runlevels/default/opensnitchd

Even though I can launch the daemon with rc-service opensnitchd start, the daemon does not self-start on start. What should I do?

ncmprhnsbl
DEV Team
Posts: 4256
Joined: 20 Mar 2012, 03:42
Distribution: v5.0-64bit
Location: australia

Post#2 by ncmprhnsbl » 04 Jul 2024, 23:42

vinnie wrote:
04 Jul 2024, 16:59
/etc/runlevels/default/opensnitchd
this should be a link to /etc/init.d/opensnitchd (see below)
presuming you're using this: https://github.com/evilsocket/opensnitc ... chd-openrc as /etc/init.d/opensnitchd?
take a look at <your_install>/config/services ... if you add opensnitchd here, that link above shouldn't be needed.
so the answer to "how to autostart a daemon at startup" (if it has an openrc service file) is: add it to <your_install>/config/services file.

if you're wondering how this works:
/init.d/prelogin parses /etc/porteus.d/services and creates links in /etc/runlevels/default/ for any entries there. (the contents of /etc/porteus.d/ are copied from /config/ by initrd at boot)
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44

Post#3 by vinnie » 05 Jul 2024, 03:26

ncmprhnsbl wrote:
04 Jul 2024, 23:42
this should be a link to /etc/init.d/opensnitchd (see below)
presuming you're using this:
No, my init script was completely wrong! I thought it was a link to the daemon; instead it's a script to prepare and then start the daemon. So thank you for this resource.
I still had to change the script a bit, small changes (pre-create the log file and correct the opensnitchd binary path):

Code:

#!/sbin/openrc-run
# OpenSnitch firewall service

depend() {
    before net
    after iptables ip6tables
    use logger
    provide firewall
}

start_pre() {
    # make sure the rules directory and the log file exist before the daemon starts
    /bin/mkdir -p /etc/opensnitchd/rules
    /bin/chown -R root:root /etc/opensnitchd
    /bin/touch /var/log/opensnitchd.log
    /bin/chown root:root /var/log/opensnitchd.log
    /bin/chmod -R 755 /etc/opensnitchd
    /bin/chmod -R 0644 /etc/opensnitchd/rules
    /bin/chmod 0600 /var/log/opensnitchd.log
}

start() {
    ebegin "Starting application firewall"
    # only if the verbose flag is not set (rc-service opensnitchd start -v)
    if [ -z "$VERBOSE" ]; then
        # redirect stdout and stderr to /dev/null and run in the background
        /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules -log-file /var/log/opensnitchd.log > /dev/null 2>&1 &
    else
        # verbose: run in the foreground with output on the terminal
        /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules -log-file /var/log/opensnitchd.log
    fi
    eend $?
}

stop() {
    ebegin "Stopping application firewall"
    /usr/bin/pkill -SIGINT opensnitchd
    eend $?
}

I merged the xzm with this init script; now the only thing is opensnitch complaining that it can't use ebpf, but it still works fine.


ncmprhnsbl wrote:
04 Jul 2024, 23:42
take a look at <your_install>/config/services ...
Great system, I find that there are so many things in nemesis/porteus.
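
The two failure points from the posts above (the runlevel entry has to be a link to /etc/init.d/opensnitchd, and that file has to be an openrc-run script rather than the daemon itself) can be checked on an unpacked module tree before it is turned into an xzm. This is an added example, not part of the original posts or of Porteus; the function name and the assumption that config/services contains the service name as a whole word are hypothetical.

```shell
#!/bin/sh
# Added example (not Porteus code): audit an OpenRC service in a module tree
# or live root before relying on it to start at boot.
# Usage: check_openrc_service ROOT SERVICE [SERVICES_FILE]
#   ROOT           unpacked module directory, or "" for the running system
#   SERVICES_FILE  copy of <your_install>/config/services; its exact format is
#                  an assumption here (service name present as a whole word)
# Prints one line per problem and returns the number of problems found.
check_openrc_service() {
    root=$1 svc=$2 services=${3:-} problems=0
    init="$root/etc/init.d/$svc"
    link="$root/etc/runlevels/default/$svc"

    if [ ! -f "$init" ]; then
        echo "missing init script /etc/init.d/$svc"; problems=$((problems + 1))
    else
        # The init file must be an openrc-run script, not the daemon binary.
        first=
        IFS= read -r first < "$init" || :
        case $first in
            '#!'*openrc-run*) ;;
            *) echo "/etc/init.d/$svc has no openrc-run shebang"
               problems=$((problems + 1)) ;;
        esac
        [ -x "$init" ] || { echo "/etc/init.d/$svc is not executable"
                            problems=$((problems + 1)); }
    fi

    if [ -L "$link" ]; then
        # The runlevel entry must be a symlink to the init script.
        target=$(readlink "$link")
        case $target in
            "/etc/init.d/$svc"|"../../init.d/$svc") ;;
            *) echo "runlevel link points to $target"
               problems=$((problems + 1)) ;;
        esac
    elif [ -e "$link" ]; then
        echo "runlevel entry is a regular file, not a symlink"
        problems=$((problems + 1))
    elif [ -z "$services" ] || ! grep -qw -- "$svc" "$services" 2>/dev/null; then
        echo "$svc is neither linked in the default runlevel nor listed in services"
        problems=$((problems + 1))
    fi
    return "$problems"
}

if [ $# -ge 2 ]; then check_openrc_service "$@"; fi
```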

Post#4 by ncmprhnsbl » 05 Jul 2024, 04:48

vinnie wrote:
05 Jul 2024, 03:26
opensnitch complaining that it can't use ebpf
this: https://aur.archlinux.org/packages/open ... bpf-module ?

Post#5 by vinnie » 05 Jul 2024, 05:40

Yes, I think it's it, are you saying it's a good time to understand how aur works on nemesis?

Post#6 by ncmprhnsbl » 05 Jul 2024, 07:48

vinnie wrote:
05 Jul 2024, 05:40
are you saying it's a good time to understand how aur works on nemesis?
well, i'm not saying it's not :)
but i'm guessing that you built opensnitch from source? here's the ebpf module source: https://github.com/evilsocket/opensnitc ... /ebpf_prog
it'll require clang/llvm to build.. even if not using the AUR directly, its web interface is handy for build hints and dependency resolution.

Post#7 by vinnie » 05 Jul 2024, 18:18

No, I downloaded it with pmod, but it still reports that it is unable to use ebpf (which is not mandatory anyway).
Probably whoever created the package for arch/artix did not consider it necessary to support it, but left it as the default in the settings.
However, I believe it is one of the packages that was modified by the creators of artix because its use is tied to the init system.
is there any documentation anywhere on how to use aur to create an xzm ?

beny
Full of knowledge
Posts: 2255
Joined: 02 Jan 2011, 11:33
Location: italy

Post#8 by beny » 05 Jul 2024, 19:56

[guest@porteus ~]$ '/usr/bin/opensnitch-ui'
Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material.
~ OpenSnitch GUI - 1.6.5.1 ~
protobuf: 4.25.3 - grpc: 1.64.2
--------------------------------------------------

GUI already running, opening its window and exiting.
[guest@porteus ~]$ sudo '/usr/bin/opensnitchd'
[sudo] password for root:
[2024-07-05 21:47:21] IMP Starting opensnitch-daemon v1.6.5
[2024-07-05 21:47:21] INF Loading configuration file /etc/opensnitchd/default-config.json ...
[2024-07-05 21:47:21] INF Loading rules from /etc/opensnitchd/rules ...
OK: libnetfiler_queue supports nfq_get_uid
OK: libnetfiler_queue supports nfq_get_uid

but you have network manager filtered by opensnitch, which asks your permission for every connection that you have. if you have xfce4 you can add the daemon service to the start at login, in setting manager, session and startup (maybe mate has something like that), or make a script that starts the daemon, convert it to xzm and activate it; maybe this software starts after the networkmanager connection.

Post#9 by vinnie » 05 Jul 2024, 21:49

beny wrote:
05 Jul 2024, 19:56
but you have network manager filtered by opensnitch, which asks your permission for every connection that you have. if you have xfce4 you can add the daemon service to the start at login, in setting manager, session and startup (maybe mate has something like that), or make a script that starts the daemon, convert it to xzm and activate it; maybe this software starts after the networkmanager connection.
Um, it may be an alternative when I start saving the state of the distribution, but for now ncmprhnsbl's solution is perfectly congenial to me, because it works precisely without having to save anything from the distro.
One of the things I like about these kinds of distributions is just that you can do what you want without saving the state of the system. I use it a lot, so for me the PC becomes a workbench.

opensnitch is a bit pedantic though, it allowed me to see how quiet nemesis is :)
Basically the only thing it does is ping sometimes archlinux.org (exactly networkmanager you saw), and it only seems to do that to see if you're online, a behavior that can be disabled.
It also allowed me to find out how much firefox sucks.
I am now using ungoogled chromium.

Post#10 by ncmprhnsbl » 09 Jul 2024, 05:09

vinnie wrote:
05 Jul 2024, 18:18
is there any documentation anywhere on how to use aur to create an xzm ?
there's bits and pieces throughout this area of the forum, ..maybe..
something i need to write :)
trizen is included in 05-devel and here's a link to trizen's document https://github.com/trizen/trizen/blob/master/TRIZEN.md (not overly helpful)
there's many other aur helper/pacman wrappers to choose from with varying features that some may prefer. https://wiki.archlinux.org/title/AUR_helpers
i'll post a how-to soon, hopefully..

Post#11 by vinnie » 20 Jul 2024, 06:34

These days I had been experimenting with firejail and it motivated me to try to create the package you pointed out with trizen.
I succeeded even though I had to modify the PKGBUILD (KDIR="/usr/lib/modules/6.9.4-artix1-1/build"; without this change the package is still created, but I doubt it works since nemesis has a custom kernel).
However, it seems to me that ebpf support doesn't work. I found some software in arch's extra repositories that should always use ebpf.
I'll preface by saying that I don't understand either what ebpf is or what it's for; I looked up a couple of commands in the help to see if bpftrace would work:

Code:

bpftrace --info
System
  OS: Linux 6.9.7-porteus #1 SMP PREEMPT_DYNAMIC Sat Jun 29 11:43:36 UTC 2024
  Arch: x86_64

Build
  version: v0.20.4
  LLVM: 17.0.6
  unsafe probe: no
  bfd: yes
  libdw (DWARF support): yes

libbpf: kernel BTF is missing at '/sys/kernel/btf/vmlinux', was CONFIG_DEBUG_INFO_BTF enabled?
Kernel helpers
  probe_read: no
  probe_read_str: no
  probe_read_user: no
  probe_read_user_str: no
  probe_read_kernel: no
  probe_read_kernel_str: no
  get_current_cgroup_id: no
  send_signal: no
  override_return: no
  get_boot_ns: no
  dpath: no
  skboutput: no
  get_tai_ns: no
  get_func_ip: no
  jiffies64: no

Kernel features
  Instruction limit: -1
  Loop support: no
  btf: yes
  module btf: no
  map batch: yes
  uprobe refcount (depends on Build:bcc bpf_attach_uprobe refcount): no

Map types
  hash: yes
  percpu hash: yes
  array: yes
  percpu array: yes
  stack_trace: yes
  perf_event_array: yes
  ringbuf: yes

Probe types
  kprobe: no
  tracepoint: no
  perf_event: no
  kfunc: no
  kprobe_multi: no
  uprobe_multi: no
  raw_tp_special: no
  iter: no

Code:

bpftrace -l '*sleep*'
WARNING: The kernel contains bpf_iter__bpf_map struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__bpf_link struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__cgroup struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__bpf_prog struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__ipv6_route struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__udp struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__ksym struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__task_vma struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__bpf_map_elem struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__task_file struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__bpf_sk_storage_map struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__sockmap struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__netlink struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__task struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__unix struct but does not support loading an iterator program against it. Please report this bug.
WARNING: The kernel contains bpf_iter__tcp struct but does not support loading an iterator program against it. Please report this bug.
WARNING: Could not read symbols from /sys/kernel/tracing/available_events: No such file or directory
/usr/include/c++/14.1.1/bits/unique_ptr.h:447: typename std::add_lvalue_reference<_Tp>::type std::unique_ptr<_Tp, _Dp>::operator*() const [with _Tp = std::basic_istream<char>; _Dp = std::default_delete<std::basic_istream<char> >; typename std::add_lvalue_reference<_Tp>::type = std::basic_istream<char>&]: Assertion 'get() != pointer()' failed.
Aborted

It seems not, so either there's some operation missing that I haven't done (like modprobe or something) or maybe there's simply something missing in the kernel.
It was just to report :)

Post#12 by ncmprhnsbl » 21 Jul 2024, 02:34

vinnie wrote:
20 Jul 2024, 06:34
It seems not, so either there's some operation missing that I haven't done (like modprobe or something) or maybe there's simply something missing in the kernel.
indeed, no trace of CONFIG_DEBUG_INFO_BTF in the kernel build .config (whereas in the standard arch kernel it is present and set) https://gitlab.archlinux.org/archlinux/ ... type=heads
might be as simple as enabling that in the build, or it might require other options enabled as well.
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
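
The three things the bpftrace output and this reply point at (CONFIG_DEBUG_INFO_BTF in the kernel build config, /sys/kernel/btf/vmlinux, and /sys/kernel/tracing/available_events) can be checked in one pass before building an eBPF module. This is an added example, not part of the original posts; the function name and the SYSROOT parameter are hypothetical, and where the kernel config file lives on a given install is left to the caller.

```shell
#!/bin/sh
# Added example: check the eBPF prerequisites named in this thread.
# Usage: check_bpf_prereqs KERNEL_CONFIG [SYSROOT]
#   KERNEL_CONFIG  plain or gzip-compressed kernel build config
#   SYSROOT        prefix for /sys (empty = running system); lets the check
#                  run against a test tree
# Prints each missing item and returns how many are missing.
check_bpf_prereqs() {
    config=$1 sysroot=${2:-} missing=0

    # Read the config whether it is plain text or gzip (like /proc/config.gz).
    case $config in
        *.gz) cfg=$(gzip -dc -- "$config" 2>/dev/null) ;;
        *)    cfg=$(cat -- "$config" 2>/dev/null) ;;
    esac

    # libbpf asked about this option when /sys/kernel/btf/vmlinux was absent.
    if ! printf '%s\n' "$cfg" | grep -qx 'CONFIG_DEBUG_INFO_BTF=y'; then
        echo "kernel config: CONFIG_DEBUG_INFO_BTF is not set"
        missing=$((missing + 1))
    fi
    # Kernel BTF type information that libbpf looks for at run time.
    if [ ! -r "$sysroot/sys/kernel/btf/vmlinux" ]; then
        echo "missing /sys/kernel/btf/vmlinux"
        missing=$((missing + 1))
    fi
    # bpftrace warned that it could not read its event list from this file.
    if [ ! -r "$sysroot/sys/kernel/tracing/available_events" ]; then
        echo "missing /sys/kernel/tracing/available_events"
        missing=$((missing + 1))
    fi
    return "$missing"
}

if [ $# -ge 1 ]; then check_bpf_prereqs "$@"; fi
```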

Post#13 by vinnie » 21 Jul 2024, 03:32

Nuuuuu, too difficult for me!
I have always considered compiling a kernel a tedious task for my experience.
I don't know how long it takes but I think it takes a lot and debugging is not really a simple matter :mega_shok:
