The
rc.conf file specifies which services are enabled during system startup by the startup scripts invoked by
/etc/rc (see
rc(8)), and the shutdown scripts invoked by
/etc/rc.shutdown. The
rc.conf file is a shell script that is sourced by
rc(8), meaning that
rc.conf must contain valid shell commands.
Listed below are the standard
rc.conf variables that may be set, the values to which each may be set, a brief description of what each variable does, and a reference to relevant manual pages. Third party packages may test for additional variables.
By default,
rc.conf reads
/etc/defaults/rc.conf (if it is readable) to obtain default values for various variables, and the end-user may override these by appending appropriate entries to the end of
rc.conf.
rc.d(8) scripts that use
load_rc_config from
rc.subr(8) also support sourcing an optional end-user provided per-script override file
/etc/rc.conf.d/service, (where
service is the contents of the
name variable in the
rc.d(8) script). This may contain variable overrides, including allowing the end-user to override various
run_rc_command rc.d(8) control variables, and thus changing the operation of the script without requiring editing of the script.
Variable naming conventions and data types
Most variables are one of two types: enabling variables or flags variables. Enabling variables, such as
inetd, are generally named after the program or the system they enable, and have boolean values (specified using ‘
YES', ‘
TRUE', ‘
ON' or ‘
1' for true, and ‘
NO', ‘
FALSE', ‘
OFF' or ‘
0' for false, with the values being case insensitive). Flags variables, such as
inetd_flags have the same name with "_flags" appended, and determine what arguments are passed to the program if it is enabled.
If a variable that
rc(8) expects to be set is not set, or the value is not one of the allowed values, a warning will be printed.
Overall control
do_rcshutdown
Boolean value. If false,
shutdown(8) will not run
/etc/rc.shutdown.
rcshutdown_rcorder_flags
A string. Extra arguments to the
rcorder(8) run by
/etc/rc.shutdown.
rcshutdown_timeout
A number. If non-blank, use this as the number of seconds to run a watchdog timer for which will terminate /etc/rc.shutdown if the timer expires before the shutdown script completes.
rc_configured
Boolean value. If false then the system will drop into single-user mode during boot.
rc_fast_and_loose
If set to a non-empty string, each script in
/etc/rc.d will be executed in the current shell rather than a sub shell. This may be faster on slow machines that have an expensive
fork(2) operation.
Note:
Use this at your own risk! A rogue command or script may inadvertently prevent boot to multiuser.
rc_rcorder_flags
A string. Extra arguments to the
rcorder(8) run by
/etc/rc.
rc_directories
A string. Space separated list of directories searched for rc scripts. The default is /etc/rc.d. All directories in rc_directories must be located in the root filesystem, otherwise they will be silently skipped.
rc_silent
Boolean value. If true then the usual output is suppressed, and
rc(8) invokes the command specified in the
rc_silent_cmd variable once for each line of suppressed output. The default value of
rc_silent is set from the
AB_SILENT flag in the kernel's
boothowto variable (see
boot(8),
reboot(2)).
rc_silent_cmd
A command to be executed once per line of suppressed output, when rc_silent is true. The default value of rc_silent_cmd is “twiddle”, which will display a spinning symbol instead of each line of output. Another useful value is “:”, which will display nothing at all.
Basic network configuration
defaultroute
A string. Default IPv4 network route. If empty or not set, then the contents of /etc/mygate (if it exists) are used.
defaultroute6
A string. Default IPv6 network route. If empty or not set, then the contents of /etc/mygate6 (if it exists) are used.
domainname
A string. NIS (YP) domain of host. If empty or not set, then the contents of /etc/defaultdomain (if it exists) are used.
force_down_interfaces
A space separated list of interface names. These interfaces will be configured down when going from multiuser to singleuser mode or on system shutdown.
This is important for some stateful interfaces, for example PPP over ISDN connections that cost money by connection time or PPPoE interfaces which have no direct means of noticing “disconnect” events.
All active
pppoe(4) and
ippp(4) interfaces will be automatically added to this list.
hostname
A string. Name of host. If empty or not set, then the contents of /etc/myname (if it exists) are used.
Boottime file-system and swap configuration
critical_filesystems_local
A string. File systems mounted very early in the system boot before networking services are available. Usually
/var is part of this, because it is needed by services such as
dhclient(8) which may be required to get the network operational. The default is “OPTIONAL:/var”, where the “OPTIONAL:” prefix means that it's not an error if the file system is not present in
fstab(5).
critical_filesystems_remote
A string. File systems such as
/usr that may require network services to be available to mount, that must be available early in the system boot for general services to use. The default is “OPTIONAL:/usr”, where the “OPTIONAL:” prefix means that it is not an error if the file system is not present in
fstab(5).
fsck_flags
A string. A file system is checked with
fsck(8) during boot before mounting it. This option may be used to override the default command-line options passed to the
fsck(8) program.
When set to
-y,
fsck(8) assumes yes as the answer to all operator questions during file system checks. This might be important with hosts where the administrator does not have access to the console and an unsuccessful shutdown must not make the host unbootable even if the file system checks would fail in preen mode.
no_swap
Boolean value. Should be true if you have deliberately configured your system with no swap. If false and no swap devices are configured, the system will warn you.
swapoff
Boolean value. Remove block-type swap devices at shutdown time. Useful if swapping onto RAIDframe devices.
One-time actions to perform or programs to run on boot-up
accounting
Boolean value. Enables process accounting with
accton(8). Requires
/var/account/acct to exist.
ccd
Boolean value. Configures concatenated disk devices according to
ccd.conf(5).
cgd
Boolean value. Configures cryptographic disk devices. Requires
/etc/cgd/cgd.conf. See
cgdconfig(8) for additional details.
clear_tmp
Boolean value. Clear /tmp after reboot.
dmesg
Boolean value. Create
/var/run/dmesg.boot from the output of
dmesg(8). Passes
dmesg_flags.
envsys
Boolean value. Sets preferences for the environmental systems framework,
envsys(4). Requires
/etc/envsys.conf, which is described in
envsys.conf(5).
ldconfig
Boolean value. Configures
a.out(5) runtime link editor directory cache.
mixerctl
Boolean value. Read
mixerctl.conf(5) for how to set mixer values. List in
mixerctl_mixers the devices whose settings are to be saved at shutdown and restored at start-up.
newsyslog
Boolean value. Run newsyslog to trim logfiles before syslogd starts. Intended for laptop users. Passes newsyslog_flags.
per_user_tmp
Boolean value. Enables a per-user
/tmp directory.
per_user_tmp_dir can be used to override the default location of the “real” temporary directories, “
/private/tmp”. See
security(8) for additional details.
raidframe
Boolean value. Configures
raid(4), RAIDframe disk devices. See
raidctl(8) for additional details.
rndctl
Boolean value. Runs the
rndctl(8) utility one or more times according to the specification in
rndctl_flags.
If
rndctl_flags does not contain a semicolon (‘;') then it is expected to contain zero or more flags, followed by one or more device or type names. The
rndctl(8) command will be executed once for each device or type name. If the specified flags do not include any of
-c,
-C,
-e, or
-E, then the flags
-c and
-e are added, to specify that entropy from the relevant device or type should be both collected and estimated. If the specified flags do not include either of
-d or
-t, then the flag
-d is added, to specify that the non-flag arguments are device names, not type names.
rndctl_flags may contain multiple semicolon-separated segments, in which each segment contains flags and device or type names as described above. This allows different flags to be associated with different device or type names. For example, given
rndctl_flags="wd0 wd1; -t tty; -c -t net", the following commands will be executed:
rndctl -c -e -d wd0;
rndctl -c -e -d wd1;
rndctl -c -e -t tty;
rndctl -c -t net.
rtclocaltime
Boolean value. Sets the real time clock to local time by adjusting the
sysctl(7) value of
kern.rtc_offset. The offset from UTC is calculated automatically according to the time zone information in the file
/etc/localtime.
savecore
Boolean value. Runs the
savecore(8) utility. Passes
savecore_flags. The directory where crash dumps are stored is specified by
savecore_dir. The default setting is “
/var/crash”.
sysdb
Boolean value. Builds various system databases, including
/var/run/dev.db,
/etc/spwd.db,
/var/db/netgroup.db,
/var/db/services.db, and entries for
utmp(5).
tpctl
Boolean value. Run
tpctl(8) to calibrate touch panel device. Passes
tpctl_flags.
update_motd
Boolean value. Updates the
NetBSD version string in the
/etc/motd file to reflect the version of the running kernel. See
motd(5).
veriexec
Boolean value. Load Veriexec fingerprints during startup. Read
veriexecctl(8) for more information.
virecover
Boolean value. Send notification mail to users if any recoverable files exist in
/var/tmp/vi.recover. Read
virecover(8) for more information.
wdogctl
Boolean value. Configures watchdog timers. Passes
wdogctl_flags. Refer to
wdogctl(8) for information on how to configure a timer.
System security setting
securelevel
A number. The system securelevel is set to the specified value early in the boot process, before any external logins, or other programs that run users job, are started. If set to nothing, the default action is taken, as described in
init(8) and
secmodel_securelevel(9), which contains definitive information about the system securelevel. Note that setting
securelevel to 0 in
rc.conf will actually result in the system booting with securelevel set to 1, as
init(8) will raise the level when
rc(8) completes.
permit_nonalpha
Allow passwords to include non-alpha characters, usually to allow NIS/YP netgroups.
veriexec_strict
A number. Controls the strict level of Veriexec. Level 0 is learning mode, used when building the signatures file. It will only output messages but will not enforce anything. Level 1 will only prevent access to files with a fingerprint mismatch. Level 2 will also deny writing to and removing of monitored files, as well as enforce access type (as specified in the signatures file). Level 3 will take a step further and prevent access to files that are not monitored.
veriexec_verbose
A number. Controls the verbosity of Veriexec. Recommended operation is at level 0, verbose output (mostly used when building the signatures file) is at level 1. Level 2 is for debugging only and should not be used.
veriexec_flags
A string. Flags to pass to the veriexecctl command.
Networking startup
altqd
Boolean value. ALTQ configuration/monitoring daemon. Passes altqd_flags.
auto_ifconfig
Boolean value. Sets the
net_interfaces variable (see below) to the output of
ifconfig(8) with the “
-l” flag and suppresses warnings about interfaces in this list that do not have an ifconfig file or variable.
dhclient
Boolean value. Set true to configure some or all network interfaces using the ISC DHCP client. If you set
dhclient true, then
/var must be in
critical_filesystems_local, or
/var must be on the root file system, or you must modify the
dhclient_flags variable to direct the DHCP client to store the leases file in some other directory on the root file system. You must not provide ifconfig information or ifaliases information for any interface that is to be configured using the DHCP client. Interface aliases can be set up in the DHCP client configuration file if needed - see
dhclient.conf(5) for details.
Passes
dhclient_flags to the DHCP client. See
dhclient(8) for complete documentation. If you wish to configure all broadcast network interfaces using the DHCP client, you can leave this blank. To configure only specific interfaces, name the interfaces to be configured on the command line.
If you must run the DHCP client before mounting critical file systems, then you should specify an alternate location for the DHCP client's lease file in the
dhclient_flags variable - for example, "-lf /tmp/dhclient.leases".
dhcpcd_flags
Additional arguments to pass to
dhcpcd(8) when requesting configuration via
ifconfig_xxN or
/etc/ifconfig.xxN.
flushroutes
Boolean value. Flushes the route table on networking startup. Useful when coming up to multiuser mode after going down to single-user mode.
ftp_proxy
Boolean value. Runs
ftp-proxy(8), the proxy daemon for the Internet File Transfer Protocol.
hostapd
Boolean value. Runs
hostapd(8), the authenticator for IEEE 802.11 networks.
ifaliases_*
A string. List of ‘
address netmask' pairs to configure additional network addresses for the given configured interface “*” (e.g.
ifaliases_le0). If
netmask is “-”, then use the default netmask for the interface.
ifaliases_* covers limited cases only and considered unrecommended. We recommend using
ifconfig_nnX variables or
/etc/ifconfig.xxN files with multiple lines instead.
ifwatchd
Boolean value. Monitor dynamic interfaces and perform actions upon address changes. Passes ifwatchd_flags.
ip6mode
A string. An IPv6 node can be a router (nodes that forward packet for others) or a host (nodes that do not forward). A host can be autoconfigured based on the information advertised by adjacent IPv6 routers. By setting ip6mode to “router”, “host”, or “autohost”, you can configure your node as a router, a non-autoconfigured host, or an autoconfigured host. Invalid values will be ignored, and the node will be configured as a non-autoconfigured host. You may want to check rtsol and rtsold as well, if you set the variable to “autohost”.
ip6uniquelocal
Boolean value. If ip6mode is equal to “router”, and ip6uniquelocal is false, a reject route will be installed on boot to avoid misconfiguration relating to unique-local addresses. If ip6uniquelocal is true, the reject route won't be installed.
ipfilter
Boolean value. Runs
ipf(8) to load in packet filter specifications from
/etc/ipf.conf at network boot time, before any interfaces are configured. Passes
ipfilter_flags. See
ipf.conf(5).
ipfs
Boolean value. Runs
ipfs(8) to save and restore information for ipnat and ipfilter state tables. The information is stored in
/var/db/ipf/ipstate.ipf and
/var/db/ipf/ipnat.ipf. Passes
ipfs_flags.
ipmon
Boolean value. Runs
ipmon(8) to read
ipf(8) packet log information and log it to a file or the system log. Passes
ipmon_flags.
ipmon_flags
A string. Specifies arguments to supply to
ipmon(8). Defaults to “
-ns”. A typical example would be “
-nD /var/log/ipflog” to have
ipmon(8) log directly to a file bypassing
syslogd(8). If the “-D” argument is used, remember to modify
/etc/newsyslog.conf accordingly; for example:
/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid
ipnat
Boolean value. Runs
ipnat(8) to load in the IP network address translation (NAT) rules from
/etc/ipnat.conf at network boot time, before any interfaces are configured. See
ipnat.conf(5).
ipsec
Boolean value. Runs
setkey(8) to load in IPsec manual keys and policies from
/etc/ipsec.conf at network boot time, before any interfaces are configured.
net_interfaces
A string. The list of network interfaces to be configured at boot time. For each interface "xxN", the system first looks for ifconfig parameters in the variable
ifconfig_xxN, and then in the file
/etc/ifconfig.xxN. If
auto_ifconfig is false, and neither the variable nor the file is found, a warning is printed. Information in either the variable or the file is parsed identically, except that, if an
ifconfig_xxN variable contains a single line with embedded semicolons, then the value is split into multiple lines prior to further parsing, treating the semicolon as a line separator. One common case it to set
ifconfig_xxN=“dhcp”, which will cause
dhcpcd(8) to be started for the interface. Another common case it to set the
ifconfig_xxN variable to a set of arguments to be passed to an
ifconfig(8) command after the interface name. Refer to
ifconfig.if(5) for more details on
/etc/ifconfig.xxN files, and note that the information there also applies to
ifconfig_xxN variables (after the variables are split into lines).
ntpdate
Boolean value. Runs
ntpdate(8) to set the system time from one of the hosts in
ntpdate_hosts. If
ntpdate_hosts is empty, it will attempt to find a list of hosts in
/etc/ntp.conf. Passes
ntpdate_flags.
pf
Boolean value. Enable
pf(4) at network boot time: Load the initial configuration
pf.boot.conf(5) before the network is up. After the network has been configured, then load the final ruleset
pf.conf(5).
pf_rules
A string. The path of the
pf.conf(5) ruleset that will be used when loading the final ruleset.
pflogd
Boolean value. Run
pflogd(8) for dumping packet filter logging information to a file.
ppp_peers
A string. If
ppp_peers is not empty, then
/etc/rc.d/ppp will check each word in
ppp_peers for a corresponding ppp configuration file in
/etc/ppp/peers and will call
pppd(8) with the “call
peer” option.
racoon
Boolean value. Runs
racoon(8), the IKE (ISAKMP/Oakley) key management daemon.
rtsol
Boolean value. Run
rtsol(8), router solicitation command for IPv6 hosts. On nomadic hosts like notebook computers, you may want to enable
rtsold as well. Passes
rtsol_flags. This is only for autoconfigured IPv6 hosts, so set
ip6mode to “
autohost” if you use it.
wpa_supplicant
Boolean value. Run
wpa_supplicant(8), WPA/802.11i Supplicant for wireless network devices. If you set
wpa_suplicant true, then
/usr must be in
critical_filesystems_local, or
/usr must be on the root file system.
Daemons required by other daemons
inetd
Boolean value. Runs the
inetd(8) daemon to start network server processes (as listed in
/etc/inetd.conf) as necessary. Passes
inetd_flags. The “
-l” flag turns on libwrap connection logging.
Commonly used daemons
ftpd
Runs the
ftpd(8) daemon and passes
ftpd_flags.
httpd
Boolean value. Runs the
httpd(8) daemon and passes
httpd_flags.
httpd_wwwdir
A string. The
httpd(8) WWW root directory. Used only if
httpd is true. The default setting is “
/var/www”.
httpd_wwwuser
A string. If non-blank and
httpd is true, run
httpd(8) and cause it to switch to the specified user after initialization. It is preferred to
httpd_user because
httpd(8) is requiring extra privileges to start listening on default port 80. The default setting is “
_httpd”.
lpd
Boolean value. Runs
lpd(8) and passes
lpd_flags. The “
-l” flag will turn on extra logging.
named
Boolean value. Runs
named(8) and passes
named_flags.
named_chrootdir
A string. If non-blank and
named is true, run
named(8) as the unprivileged user and group ‘named',
chroot(2)ed to
named_chrootdir.
named_chrootdir/var/run/log will be added to the list of log sockets that
syslogd(8) listens to.
ntpd
Boolean value. Runs
ntpd(8) and passes
ntpd_flags.
ntpd_chrootdir
A string. If non-blank and
ntpd is true, run
ntpd(8) as the unprivileged user and group ‘ntpd',
chroot(2)ed to
ntpd_chrootdir.
ntpd_chrootdir/var/run/log will be added to the list of log sockets that
syslogd(8) listens to. This option requires that the kernel has
pseudo-device clockctl
compiled in, and that
/dev/clockctl is present.
sshd
Boolean value. Runs
sshd(8) and passes
sshd_flags.
syslogd
Boolean value. Runs
syslogd(8) and passes
syslogd_flags.
timed
Boolean value. Runs
timed(8) and passes
timed_flags. The “
-M” option allows
timed(8) to be a master time source as well as a slave. If you are also running
ntpd(8), only one machine running both should have the “
-M” flag given to
timed(8).
Routing daemons
mrouted
Boolean value. Runs
mrouted(8), the DVMRP multicast routing protocol daemon. Passes
mrouted_flags.
route6d
Boolean value. Runs
route6d(8), the RIPng routing protocol daemon for IPv6. Passes
route6d_flags.
routed
Boolean value. Runs
routed(8), the RIP routing protocol daemon. Passes
routed_flags.
rtsold
Boolean value. Runs
rtsold(8), the IPv6 router solicitation daemon.
rtsold(8) periodically transmits router solicitation packets to find IPv6 routers on the network. This configuration is mainly for nomadic hosts like notebook computers. Stationary hosts should work fine with just
rtsol. Passes
rtsold_flags. This is only for autoconfigured IPv6 hosts, so set
ip6mode to “
autohost” if you use it.
Daemons used to boot other hosts over a network
bootparamd
Boolean value. Runs
bootparamd(8), the boot parameter server, with
bootparamd_flags as options. Used to boot
NetBSD and SunOS 4.x systems.
dhcpd
Boolean value. Runs
dhcpd(8), the Dynamic Host Configuration Protocol (DHCP) daemon, for assigning IP addresses to hosts and passing boot information. Passes
dhcpd_flags.
dhcrelay
Boolean value. Runs
dhcrelay(8). Passes
dhcrelay_flags.
mopd
Boolean value. Runs
mopd(8), the DEC MOP protocol daemon; used for booting VAX and other DEC machines. Passes
mopd_flags.
ndbootd
Boolean value. Runs
ndbootd(8), the Sun Network Disk (ND) Protocol server. Passes
ndbootd_flags.
rarpd
Boolean value. Runs
rarpd(8), the reverse ARP daemon, often used to boot
NetBSD and Sun workstations. Passes
rarpd_flags.
rbootd
Boolean value. Runs
rbootd(8), the HP boot protocol daemon; used for booting HP workstations. Passes
rbootd_flags.
rtadvd
Boolean value. Runs
rtadvd(8), the IPv6 router advertisement daemon, which is used to advertise information about the subnet to IPv6 end hosts. Passes
rtadvd_flags. This is only for IPv6 routers, so set
ip6mode to “
router” if you use it.
X Window System daemons
xdm
Boolean value. Runs the
xdm(1) X display manager. These X daemons are available only with the optional X distribution of
NetBSD.
xfs
Boolean value. Runs the
xfs(1) X11 font server, which supplies local X font files to X terminals.
NIS (YP) daemons
ypbind
Boolean value. Runs
ypbind(8), which lets NIS (YP) clients use information from a NIS server. Passes
ypbind_flags.
yppasswdd
Boolean value. Runs
yppasswdd(8), which allows remote NIS users to update password on master server. Passes
yppasswdd_flags.
ypserv
Boolean value. Runs
ypserv(8), the NIS (YP) server for distributing information from certain files in
/etc. Passes
ypserv_flags. The “
-d” flag causes it to use DNS for lookups in
/etc/hosts that fail.
NFS daemons and parameters
amd
Boolean value. Runs
amd(8), the automounter daemon, which automatically mounts NFS file systems whenever a file or directory within that file system is accessed. Passes
amd_flags.
amd_dir
A string. The
amd(8) mount directory. Used only if
amd is true.
lockd
Boolean value. Runs
rpc.lockd(8) if
nfs_server and/or
nfs_client are true. Passes
lockd_flags.
mountd
Boolean value. Runs
mountd(8) and passes
mountd_flags.
nfs_client
Boolean value. The number of local NFS asynchronous I/O server is now controlled via
sysctl(8).
nfs_server
Boolean value. Sets up a host to be a NFS server by running
nfsd(8) and passing
nfsd_flags.
statd
Boolean value. Runs
rpc.statd(8), a status monitoring daemon used when
rpc.lockd(8) is running, if
nfs_server and/or
nfs_client are true. Passes
statd_flags.
Bluetooth configuration and daemons
btattach
Boolean value. Attach serial bluetooth interfaces as listed in the configuration file /etc/bluetooth/btdevctl.conf.
btconfig
Boolean value. Configure bluetooth devices. If the btconfig_devices variable below is not specified, all devices known to the system will be configured. For each device, configuration arguments are first looked for in the btconfig_{dev} variable, otherwise the value of the btconfig_args variable will be used, and if that is not specified the default string is ‘enable'.
btconfig_devices
An optional space separated list of bluetooth devices to be configured at boot time.
btconfig_args
An optional string, containing default arguments for bluetooth devices to be configured.
btdevctl
Boolean value. Configure Bluetooth devices as listed in the configuration file /etc/bluetooth/btdevctl.conf.
bthcid
Boolean value. Runs
bthcid(8), the Bluetooth HCI daemon, which manages link keys and PIN codes for Bluetooth links. Passes
bthcid_flags.
sdpd
Boolean value. Runs the Service Discovery Profile daemon,
sdpd(8). Passes
sdpd_flags.
Other daemons
identd
Boolean value. Runs
identd(8), the daemon for the user identification protocol. Passes
identd_flags.
iscsi_target
Boolean value. Runs the server for iSCSI requests,
iscsi-target(8). Passes
iscsi_target_flags.
isdnd
Boolean value. Runs
isdnd(8), the isdn4bsd ISDN connection management daemon. Passes
isdnd_flags.
isdn_autoupdown
Boolean value. Set all configured ISDN interfaces to “up”. If isdn_interfaces is not blank, only the listed interfaces will be modified. Used only if isdnd is true.
kdc
Boolean value. Runs the
kdc(8) Kerberos v4 and v5 server. This should be run on Kerberos master and slave servers.
Hardware daemons
apmd
Boolean value. Runs
apmd(8) and passes
apmd_flags.
moused
Boolean value. Runs
moused(8), to pass serial mouse data to the wscons mouse mux. Passes
moused_flags.
wscons
Boolean value. Configures the
wscons(4) console driver, from the configuration file
/etc/wscons.conf.
wsmoused
Boolean value. Runs
wsmoused(8), to provide copy and paste text support in wscons displays. Passes
wsmoused_flags.