Executing Commands at Boot
-
I'm not sure if this belongs in the Documentation or Development area, so I'm starting here...
According to https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html, one of the ways to have pfSense run commands at boot time is to put an executable script with a .sh file extension in /usr/local/etc/rc.d. What the documentation doesn't say is that the script(s) will also run any time an OpenVPN interface comes up. I think this is because (to the best of my very limited understanding of pfSense internals):
-pfSense includes "up /usr/local/sbin/ovpn-linkup" in any system-generated OpenVPN configuration file
-/usr/local/sbin/ovpn-linkup includes the line '/usr/local/sbin/pfSctl -c "interface newip ${1}"'
-Based on my read of what I think is the source code (https://github.com/marcelloc/pfsense-tools/blob/master/pfPorts/check_reload_status/files/server.h), 'pfSctl -c "interface newip"' calls /etc/rc.newwanip.
-/etc/rc.newwanip calls a function, "restart_packages()", which calls "send_event("service reload packages")". Based on some Googling, this ultimately triggers /etc/rc.start_packages
-/etc/rc.start_packages includes code that effectively executes any scripts in /usr/local/etc/rc.d
Normally this wouldn't be a problem, unless one needs to run certain commands at boot time and only at boot time. I'm toying with getting HA/CARP failover working with DHCP WAN interfaces using cloned MAC addresses and in order for everything to work it is necessary to shut down the WAN interface(s) on the secondary node when it boots. In order to do so I put a script in /usr/local/etc/rc.d. What I didn't realize (and spent an embarrassingly long time figuring out) was that when my OpenVPN site-to-site tunnel interface would come up on the secondary node during failover it was ultimately triggering my script which brought my WAN interfaces down, effectively defeating the purpose of HA. :-)
In order to save anyone else the headache, I think it would be a good idea to update the documentation to indicate that shell scripts in /usr/local/etc/rc.d will get executed at boot time, but will also get executed any time packages are reloaded, which includes OpenVPN interface link up events and potentially other interface link up/down events. I'm not sure if the shellcmd and/or earlyshellcmd methods can also get triggered at times other than boot, but it's probably worth investigating and annotating those accordingly as well.
Oh, and expect more to come regarding DHCP WAN and HA/failover. I have a couple more kinks to work out but I'm close to having everything working and plan to post what I've learned in the forum.
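A guard that lets an rc.d script do its work only on the first invocation after boot, no matter how many times /etc/rc.start_packages re-runs it afterwards. This is an added example, not code from the post above or from pfSense itself: the marker path /var/run/boot-only-example.boottime and the function names are assumptions, and it relies on the FreeBSD output format of `sysctl -n kern.boottime` (`{ sec = N, usec = M } <date>`). Save it as an executable file with a .sh extension under /usr/local/etc/rc.d, as the documented method requires.

```sh
#!/bin/sh
# Added example (not from the original post or from pfSense): a guard for an
# /usr/local/etc/rc.d/*.sh script that must do its work once per boot, even though
# /etc/rc.start_packages re-runs every rc.d script on package reloads and, via
# ovpn-linkup -> pfSctl "interface newip" -> rc.newwanip, on OpenVPN link-up.
#
# Assumptions: the marker path below is arbitrary; kern.boottime is read in the
# FreeBSD sysctl output format "{ sec = N, usec = M } <date>".

MARKER="${MARKER:-/var/run/boot-only-example.boottime}"

# Extract the "sec" field from a kern.boottime string. Prints nothing on garbage.
parse_boottime() {
    printf '%s\n' "$1" | sed -n 's/.*sec = \([0-9]*\),.*/\1/p'
}

# Succeeds (returns 0) only on the first call for boot time $1; the boot time is
# written to the marker so later calls during the same boot return 1. A marker
# left over from a previous boot holds a different value and does not suppress
# the run, so this does not depend on /var/run being emptied at boot.
first_run_since_boot() {
    boot="$1"
    if [ -f "$MARKER" ] && [ "$(cat "$MARKER")" = "$boot" ]; then
        return 1
    fi
    printf '%s\n' "$boot" > "$MARKER" || return 2
    return 0
}

main() {
    boot="$(parse_boottime "$(sysctl -n kern.boottime 2>/dev/null || true)")"
    if [ -z "$boot" ]; then
        # Fail closed: if we cannot tell whether this is boot, do nothing.
        echo "boot-only: cannot read kern.boottime, skipping" >&2
        return 0
    fi
    if first_run_since_boot "$boot"; then
        echo "boot-only: first run since boot $boot, running boot-only commands"
        # Boot-only work goes here, e.g. /sbin/ifconfig <wan_if> down on a CARP backup.
    else
        echo "boot-only: re-invoked during boot $boot (package reload or link-up), skipping"
    fi
}

main "$@"
```

Recording the boot time in the marker rather than trusting the marker's mere existence means a reload with the same kern.boottime is recognised as a re-invocation even if the file survived, and a stale file from a previous boot cannot suppress the boot-time run. When the boot time cannot be read the script deliberately does nothing, which is the safer failure for a script whose job is to take interfaces down.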
-
-
@SteveITS Thanks for the suggestion regarding documentation feedback. I've created https://redmine.pfsense.org/issues/15141.
I have the cron package installed and it does appear that I can use @reboot with it. However I ended up solving my specific issue by having my script check the CARP status before executing so that interfaces get shut down only if the node is not master. This way, if the CARP master node reboots while the CARP backup node happens to be down, nothing effectively happens (assuming that CARP election has happened at boot prior to scripts in /usr/local/etc/rc.d being executed).
```csh
#!/bin/csh
# Interface names are placeholders; set them for your system.
set interface_to_monitor = "em0"
set wan_interface = "em1"
# CARP state of the monitored interface (MASTER, BACKUP or INIT). Note that
# ifconfig prints one 'carp:' line per VHID, so with several VIPs on the
# interface this yields a multi-word value that never equals "MASTER".
set carp_status = `/sbin/ifconfig $interface_to_monitor | grep 'carp:' | awk '{print $2}'`
if ( "$carp_status" != "MASTER" ) then
    /sbin/ifconfig $wan_interface down
    # ...etc
endif
```
-
@vwaniel said in Executing Commands at Boot:
According to https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html, one of the ways to have pfSense run commands at boot time is to put an executable script with a .sh file extension in /usr/local/etc/rc.d. What the documentation doesn't say is that the script(s) will also run any time an OpenVPN interface comes up. I think this is because (to the best of my very limited understanding of pfSense internals):
That 'pfSense help page' shouldn't even exist anymore
Years ago, the pfSense Shellcmd package was created that does all this for you. See here: System > Package Manager > Available Packages
Install it - and you now have a new menu entry called Shellcmd under the Services menu:
-
@Gertjan Yessir, I have that package installed since I'm using shellcmd to work around another issue. Much easier than manually editing config.xml, and also much easier to see if/how earlyshellcmd/shellcmd is being used on an existing install.