fix(rc): FreeBSD rc.d deep-audit — 6 bugs after live-host testing #75

Merged
clawdie merged 3 commits from fix/freebsd-rc-d-deep-audit into main 2026-06-15 09:24:20 +02:00
Deep-dive analysis of the FreeBSD rc.d/rc.conf after the live-copy-safe fix (7d23905). Six bugs found:

| # | Bug | Severity | Fix |
|---|-----|----------|-----|
| 1 | `colibri_cost_mode` breaks rc.subr `${name}_` convention — `colibri_daemon_cost_mode=fast` silently ignored | **Medium** | Renamed everywhere |
| 2 | Redundant socket `chmod 660` in poststart conflicts with Rust-side `0770` | Low | Removed |
| 3 | Unnecessary pidfile `chmod 644` in poststart (directory is 0750) | Low | Removed |
| 4 | ISO-SERVICE-LAYOUT.md stale permissions + wrong pidfile labels | Low | Corrected |
| 5 | `health_cmd` only checked connectivity, not daemon response | Low | Now checks non-empty response |
| 6 | rc.conf.sample `$(hostname)` vs rc.d `$(/bin/hostname)` | Very low | Use `/bin/hostname` |

**Checks:** `sh -n` OK, `cargo fmt --check` OK, `cargo clippy` clean, `cargo test --workspace` 207 passed.

**Attribution:** Sam & Hermes
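The point behind bug 5 (a connection being accepted says nothing about whether the daemon still handles requests) worked as an added Rust example for this page. It is not the project's rc.d `health_cmd` nor any code from this PR: it assumes a line-oriented Unix control socket and a hypothetical `ping` request, and `spawn_fake_daemon` is a constructed test double standing in for a responsive and a hung colibri-daemon.

```rust
use std::io::{Read, Write};
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::{Path, PathBuf};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Outcome of one health probe against the daemon's control socket.
#[derive(Debug, PartialEq, Eq)]
pub enum Health {
    /// Socket missing, connection refused, or the peer vanished mid-probe.
    Down,
    /// Connection accepted but nothing came back before the timeout:
    /// accept loop alive, request handling dead. This is the case a
    /// connectivity-only check misreports as healthy.
    NoResponse,
    /// Connection accepted and a non-empty response arrived.
    Healthy,
}

/// Connect, send a probe request (assumed `ping\n` here) and require at least
/// one byte back within `timeout`. Connectivity alone is not proof of life.
pub fn check_health(socket: &Path, timeout: Duration) -> Health {
    let mut stream = match UnixStream::connect(socket) {
        Ok(s) => s,
        Err(_) => return Health::Down,
    };
    if stream.set_read_timeout(Some(timeout)).is_err() || stream.write_all(b"ping\n").is_err() {
        return Health::Down;
    }
    let mut buf = [0u8; 64];
    match stream.read(&mut buf) {
        Ok(n) if n > 0 => Health::Healthy,
        // Ok(0): peer closed without answering; Err: the read timed out.
        _ => Health::NoResponse,
    }
}

/// Constructed test double: a "daemon" that accepts one connection and either
/// answers `pong` or holds the connection open in silence (hung).
pub fn spawn_fake_daemon(socket: PathBuf, respond: bool) -> JoinHandle<()> {
    let _ = std::fs::remove_file(&socket);
    // Bind before spawning so the socket exists by the time the probe connects.
    let listener = UnixListener::bind(&socket).expect("bind fake daemon socket");
    thread::spawn(move || {
        if let Ok((mut conn, _)) = listener.accept() {
            let mut req = [0u8; 64];
            let _ = conn.read(&mut req);
            if respond {
                let _ = conn.write_all(b"pong\n");
            } else {
                // Hung daemon: connection stays open, no bytes are ever sent.
                thread::sleep(Duration::from_secs(1));
            }
        }
        let _ = std::fs::remove_file(&socket);
    })
}

fn main() {
    let dir = std::env::temp_dir();
    let pid = std::process::id();
    for &(label, respond) in &[("responsive", true), ("hung", false)] {
        let path = dir.join(format!("colibri-health-{}-{}.sock", label, pid));
        let daemon = spawn_fake_daemon(path.clone(), respond);
        println!("{}: {:?}", label, check_health(&path, Duration::from_millis(300)));
        daemon.join().unwrap();
    }
    let missing = dir.join(format!("colibri-health-missing-{}.sock", pid));
    println!("missing: {:?}", check_health(&missing, Duration::from_millis(300)));
}
```

The timeout is the important knob: without one, a hung daemon turns the health check itself into a hung process, which is the failure mode an rc.d-driven check must never have.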
clawdie added 1 commit 2026-06-15 08:28:56 +02:00
fix(rc): FreeBSD rc.d deep-audit — cost mode naming, chmod cleanup, health check, docs (Sam & Hermes)
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
df5fbab051
Six bugs found in deep-dive analysis of FreeBSD rc.d/rc.conf after the
live-copy-safe fix (7d23905):

1. colibri_cost_mode → colibri_daemon_cost_mode: naming broke rc.subr
   ${name}_ convention — operator setting colibri_daemon_cost_mode=fast
   in rc.conf was silently ignored. Fixed in rc.d, staging script,
   rc.conf.sample, and all docs.

2. Removed redundant chmod 660 on socket in poststart: Rust code already
   sets 0770 with documented rationale. The poststart override to 0660
   was conflicting, fragile, and had no comment.

3. Removed unnecessary chmod 644 on pidfile in poststart: pidfile lives
   in a 0750 directory — world-readable permission is pointless and
   security-negative.

4. Fixed ISO-SERVICE-LAYOUT.md: socket perms were wrong (said 750, actual
   770), colibri-daemon.pid was labeled supervisor pidfile (it's the
   child), supervisor pidfile was missing entirely, shutdown behavior
   didn't mention custom stop_cmd targeting the supervisor.

5. health_cmd now checks for non-empty daemon response instead of just
   connectivity — a hung daemon accepting connections but returning
   garbage was reported healthy.

6. rc.conf.sample hostname path: $(hostname) → $(/bin/hostname) for
   consistency with rc.d script and early-boot PATH safety.

Checks: sh -n OK, cargo fmt --check OK, cargo clippy clean,
cargo test --workspace 207 passed.
claude-domedog added 1 commit 2026-06-15 08:37:18 +02:00
fix(daemon): handle SIGTERM + liveness-aware socket cleanup (Sam & Claude)
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
b32c3acaed
The rc.d "rm stale socket on prestart" fix (07e4660) was a band-aid over
two daemon-side defects that surfaced on the live FreeBSD host:

1. colibri-daemon never handled SIGTERM. main.rs awaited only ctrl_c()
   (SIGINT), so `service stop`/`restart` — which sends SIGTERM via
   daemon(8) to the child — killed it on the default disposition with no
   cleanup. The graceful path (socket removal, agent reaping) never ran,
   leaking the socket file and orphaning spawned agents across restarts.
   Now wait_for_shutdown_signal() selects on SIGTERM or SIGINT, so the
   same graceful path runs on a normal service stop. New integration test
   (tests/sigterm_shutdown.rs) spawns the binary, sends SIGTERM, and
   asserts the socket is removed.

2. Stale-socket cleanup had no liveness check — both the daemon
   (socket.rs) and the rc prestart would unconditionally rm the socket
   before bind, which could delete a *running* instance's socket if
   rc.subr's pid detection misfires and starts a second daemon. Cleanup
   now probes first (clear_stale_socket): connect succeeds -> refuse to
   start; refused/dead -> remove and bind. Unit-tested for absent, stale,
   and live cases.

With the daemon owning safe socket cleanup, the rc prestart no longer
removes the socket (only stale pidfiles), eliminating the restart-time
clobber hazard. This also makes the SIGTERM shutdown described in
ISO-SERVICE-LAYOUT.md (PR #75) actually true.

Gates: cargo fmt --check, clippy -D warnings, cargo test --workspace all
green on Linux; sh -n on the rc script OK. FreeBSD runtime validation
still pending per FREEBSD-BUILD-LANE-HANDOFF.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
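The probe-before-remove rule from point 2 (connect succeeds: refuse to start; connection refused: stale, safe to unlink and bind), as an added example written for this page rather than the `clear_stale_socket` code in the project's socket.rs. It uses only std Unix sockets; `probe_socket` and `clear_stale_socket_and_bind` are names chosen here, and the constructed scenario in `main` walks through the absent, live and stale cases the commit message says are unit-tested.

```rust
use std::io::{Error, ErrorKind};
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::Path;

/// What a probe of the socket path found before we touch it.
#[derive(Debug, PartialEq, Eq)]
pub enum SocketState {
    /// No file at the path: plain bind.
    Absent,
    /// File exists but nothing accepts on it (leftover from an unclean exit):
    /// safe to unlink and rebind.
    Stale,
    /// A listener answered connect(): another instance owns this socket.
    Live,
}

/// Probe by connecting. A successful connect() is the only acceptable evidence
/// that the socket is in use; a file that merely exists proves nothing.
pub fn probe_socket(path: &Path) -> std::io::Result<SocketState> {
    if !path.exists() {
        return Ok(SocketState::Absent);
    }
    match UnixStream::connect(path) {
        // The stream is dropped right away; only the handshake mattered.
        Ok(_stream) => Ok(SocketState::Live),
        Err(e) if e.kind() == ErrorKind::ConnectionRefused => Ok(SocketState::Stale),
        // File disappeared between exists() and connect(): someone else cleaned up.
        Err(e) if e.kind() == ErrorKind::NotFound => Ok(SocketState::Absent),
        // Anything else (e.g. permission denied): do not guess, report it.
        Err(e) => Err(e),
    }
}

/// Fail closed: refuse to start when the socket is live, unlink only when it is
/// provably stale, then bind. An unconditional rm before bind is what this replaces.
pub fn clear_stale_socket_and_bind(path: &Path) -> std::io::Result<UnixListener> {
    match probe_socket(path)? {
        SocketState::Live => Err(Error::new(
            ErrorKind::AddrInUse,
            format!("refusing to start: another daemon is serving {}", path.display()),
        )),
        SocketState::Stale => {
            std::fs::remove_file(path)?;
            UnixListener::bind(path)
        }
        SocketState::Absent => UnixListener::bind(path),
    }
}

fn main() -> std::io::Result<()> {
    // Constructed scenario: absent -> live -> stale, on a temp socket path.
    let path = std::env::temp_dir().join(format!("colibri-probe-{}.sock", std::process::id()));
    let _ = std::fs::remove_file(&path);
    println!("before bind: {:?}", probe_socket(&path)?);
    let first = clear_stale_socket_and_bind(&path)?;
    println!("while first instance listens: {:?}", probe_socket(&path)?);
    match clear_stale_socket_and_bind(&path) {
        Err(e) => println!("second instance: {}", e),
        Ok(_) => println!("second instance: bound (unexpected)"),
    }
    // Closing the listener without unlinking leaves the file behind: stale.
    drop(first);
    println!("after unclean exit: {:?}", probe_socket(&path)?);
    let recovered = clear_stale_socket_and_bind(&path)?;
    drop(recovered);
    std::fs::remove_file(&path)
}
```

Refusing on `Live` rather than unlinking is the fail-closed choice the next commit on this PR makes explicit: a second daemon that silently replaced a running instance's socket would leave the first instance alive but unreachable.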
codex-osa added 1 commit 2026-06-15 09:09:04 +02:00
fix(daemon): fail closed when socket ownership is unsafe (Sam & Codex)
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
4517e13935
Return an error from the socket server when another daemon owns the Unix socket or bind setup fails, and broadcast shutdown so the daemon does not stay alive without a control socket. Also format the PR docs.

Checks: cargo fmt --check; ./scripts/check-format.sh; git diff --check; cargo test -p colibri-daemon clear_stale_socket -- --nocapture; cargo test -p colibri-daemon --test sigterm_shutdown -- --nocapture.
clawdie merged commit 2addce9e01 into main 2026-06-15 09:24:20 +02:00
clawdie deleted branch fix/freebsd-rc-d-deep-audit 2026-06-15 09:24:21 +02:00
Reference: clawdie/colibri#75