On Fri, Jun 3, 2022 at 12:57 PM Stuart Henderson <stu.li...@spacehopper.org> wrote:
>
> On 2022-06-02, Mike Fischer <fischer+o...@lavielle.com> wrote:
> > I think the issue is more general. It applies whenever multiple
> > instances of any service are needed.
> >
> > I have a similar issue with php_fpm which I am using in multiple PHP
> > versions and with different settings (chroot(2) for httpd(8) or without
> > chroot(2) for Apache httpd).
>
> With php-fpm it's a bit awkward to handle, because it doesn't include
> all the flags in the process name, but just the config filename, so the
> rc.d script would need to parse the flags itself, it's possible but it
> makes things more complex/fragile.

Yes, I agree it's a bit different than the pflog case, mostly because
pflogd is on by default. Also, for packages these complexities can be
addressed by their pkg readmes. Maybe addressing that on pflogd(8) is
also an option?

> ...so I'd prefer to keep php-fpm like it is, unless I'm missing some big
> benefit of running multiple main processes of the same version. (Big benefit
> of running a single version is that you don't need to restart each daemon
> separately after updates).

The only big downside to that is that php-fpm has a really bad history
at handling these sorts of things and even though it is supported my
advice would be if you can afford having a separate process you'll be
somewhat safer. I think there was even a recent bug which was present in
this shared setup scenario described. I know this was also a case since
php5. I have adapted to use separate processes for each of my chroots as
a precaution. It has its administrative overhead, but it's a good
tradeoff.

> There's another case, where somebody runs two copies of pflogd, one from
> the default rc.d script, one standalone by running pflogd directly. So,
> it probably would be helpful if the default rc.d script was more targeted.

We could use a pkill command similar to the one used in newsyslog.conf
to limit the extent of that, something like `-u root -U root -t - -x` to
address the direct invocation cases?