Merge pull request #3396 from EricLuehrsen/unbound_uci2

Unbound: Migrate Working Directory to /var/lib/unbound and Prepare for UCI
8 years ago · 16c816e530
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
 PKG_RELEASE:=2
 PKG_RELEASE:=3

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@ -137,12 +137,17 @@ define Package/unbound/install
 		$(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
 		$(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/unbound
 	$(INSTALL_CONF) \
 	$(INSTALL_DATA) \
 		$(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
 		$(1)/etc/unbound/
 	$(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
 		$(1)/etc/unbound/unbound.conf
 	$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
 	$(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
 	$(INSTALL_DIR) $(1)/usr/lib/unbound
 	$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
 	$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
 endef

 define Package/unbound-anchor/install
--- a/net/unbound/files/rootzone.sh
+++ b/net/unbound/files/rootzone.sh
@ -0,0 +1,106 @@
 #!/bin/sh
 ##############################################################################
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 # 
 # Copyright (C) 2016 Eric Luehrsen
 #
 ##############################################################################
 #
 # This component needs to be used within the unbound.sh as an include. It uses
 # defaults and UCI scope variables defined there. It will copy root.key back
 # to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
 #
 ##############################################################################

 rootzone_uci() {
  # TODO: Just structure to real UCI coming soon.
  echo
 }

 ##############################################################################

 roothints_update() {
  # TODO: Maybe this will not be implemented.
  echo
 }

 ##############################################################################

 rootkey_update() {
  local basekey_date rootkey_date rootkey_age filestuff

  # TODO: Just structure to real UCI coming soon.
  if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
    # Feature disabled
    return 0
  fi
   
  
  if [ -f /etc/unbound/root.key ] ; then
    basekey_date=$( date -r /etc/unbound/root.key +%s )
    
  else
    # No persistent storage key
    basekey_date=$( date -d 2000-01-01 +%s )
  fi
  
  
  if [ -f "$UNBOUND_KEYFILE" ] ; then
    # Unbound maintains it itself
    rootkey_date=$( date -r $UNBOUND_KEYFILE +%s )
    rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
    
  elif [ -x "$UNBOUND_ANCHOR" ] ; then
    # No tmpfs key - use unbound-anchor
    rootkey_date=$( date -I +%s )
    rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) 
    $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
    
  else 
    # give up
    rootkey_age=0
  fi


  if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
    filestuff=$( cat $UNBOUND_KEYFILE )
    
      
    case "$filestuff" in
      *NOERROR*)
        # Header comment for drill and dig
        logger -t unbound -s "root.key updated after $rootkey_age days"
        cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
        ;;
        
      *"state=2 [  VALID  ]"*)
        # Comment inline to key for unbound-anchor
        logger -t unbound -s "root.key updated after $rootkey_age days"
        cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
        ;;
        
      *) 
        logger -t unbound -s "root.key still $rootkey_age days old" 
        ;;
    esac
  fi
 }

 ##############################################################################

 rootzone_update() {
  rootzone_uci
  roothints_update
  rootkey_update
 }

 ##############################################################################

--- a/net/unbound/files/unbound.iface
+++ b/net/unbound/files/unbound.iface
@ -0,0 +1,20 @@
 #!/bin/sh
 ##############################################################################
 #
 # Copyright (C) 2016 Eric Luehrsen
 #
 ##############################################################################
 #
 # "Restart" Unbound on hotplug interface up:
 # - Clean rebind of unbound to new interfaces
 # - Some of Unbound conf options to not reload run time
 # - Unbound can grow a bit so this will shrink it back
 #
 ##############################################################################

 if [ "$ACTION" = ifup ] && /etc/init.d/unbound enabled ; then
  /etc/init.d/unbound restart
 fi

 ##############################################################################

--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
@ -1,20 +1,38 @@
 #!/bin/sh /etc/rc.common
 # Copyright (C) 2016 Michael Hanselmann

 START=61
 ##############################################################################
 #
 # Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
 #
 ##############################################################################
 #
 # This init script is just the entry point for Unbound UCI.
 #
 ##############################################################################

 START=60
 USE_PROCD=1
 PROG=/usr/sbin/unbound

 ##############################################################################

 . /usr/lib/unbound/unbound.sh

 ##############################################################################

 start_service() {
 	find /etc/unbound \! \( -user unbound -group unbound \) \
 		-exec chown unbound:unbound {} \;
  unbound_prepare

 	find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
 		-exec chmod u=rwX,g=rX,o= {} \;
  procd_open_instance
  procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
  procd_set_param respawn
  procd_close_instance
 }

 ##############################################################################

 	procd_open_instance
 	procd_set_param command /usr/sbin/unbound
 	procd_append_param command -d # don't daemonize
 	procd_set_param respawn
 	procd_close_instance
 stop_service() {
  rootzone_update
 }

 ##############################################################################

--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@ -0,0 +1,126 @@
 #!/bin/sh
 ##############################################################################
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 # 
 # Copyright (C) 2016 Eric Luehrsen
 #
 ##############################################################################
 #
 # TODO: This file will build the UCI for Unbound. This iteration only puts
 # our default unbound configuration and root.key into /var/lib/unbound.
 #
 ##############################################################################

 # TODO: Just default definitions versus real UCI coming soon.
 UNBOUND_B_MAN_CONF=1
 UNBOUND_B_DNSSEC=1
 UNBOUND_N_ROOT_AGE=7

 ##############################################################################

 UNBOUND_ANCHOR=/usr/bin/unbound-anchor
 UNBOUND_CONTROL=/usr/bin/unbound-control

 UNBOUND_LIBDIR=/usr/lib/unbound

 UNBOUND_PIDFILE=/var/run/unbound.pid

 UNBOUND_VARDIR=/var/lib/unbound
 UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
 UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
 UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
 UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check

 ##############################################################################

 . /lib/functions.sh
 . /lib/functions/network.sh

 . $UNBOUND_LIBDIR/rootzone.sh

 ##############################################################################

 unbound_mkdir() {
  mkdir -p $UNBOUND_VARDIR
  
  
  if [ -f /etc/unbound/root.hints ] ; then
    # Your own local copy of root.hints
    cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
    
  elif [ -f /usr/share/dns/root.hints ] ; then
    # Debian-like package dns-root-data
    cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
    
  else
    logger -t unbound -s "iterator will use built-in root hints"
  fi
  
  
  if [ -f /etc/unbound/root.key ] ; then
    # Your own local copy of a root.key
    cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
      
  elif [ -f /usr/share/dns/root.key ] ; then
    # Debian-like package dns-root-data
    cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
      
  elif [ -x "$UNBOUND_ANCHOR" ] ; then 
    $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
        
  else
    logger -t unbound -s "validator will use built-in trust anchor"
  fi
 }

 ##############################################################################

 unbound_conf() {
  # TODO: Just structure to real UCI coming soon.
  if [ "$UNBOUND_B_MAN_CONF" -gt 0 -a -f /etc/unbound/unbound.conf ] ; then
    # You don't want UCI and use your own manual configuration
    cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
  fi
 }

 ##############################################################################

 unbound_own() {
  # Debug UCI
  {
    echo "# $UNBOUND_CHECKFILE generated by UCI $( date )"
    echo
    set | grep ^UNBOUND_
  } > $UNBOUND_CHECKFILE
    
  
  if [ ! -f "$UNBOUND_CONFFILE" ] ; then
    # if somehow this happened
    touch $UNBOUND_CONFFILE
  fi
  
  
  # Ensure Access
  chown -R unbound:unbound $UNBOUND_VARDIR
  chmod 775 $UNBOUND_VARDIR
  chmod 664 $UNBOUND_VARDIR/*
 }

 ##############################################################################

 unbound_prepare() {
  unbound_mkdir
  unbound_conf
  unbound_own
 }

 ##############################################################################

--- a/net/unbound/patches/001-conf.patch
+++ b/net/unbound/patches/001-conf.patch
@ -1,8 +1,8 @@
 diff --git a/doc/example.conf.in b/doc/example.conf.in
 index c520c88..af92a87 100644
 index c520c88..98a148a 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
@@ -1,20 +1,81 @@
@@ -1,20 +1,82 @@
 -#
 -# Example configuration file.
 -#
@ -28,11 +28,14 @@ index c520c88..af92a87 100644
 +	# verbosity 1 is default
 	verbosity: 1
 
 +	# prevent any upstream core surprises (OpenWrt assumptions)
 +	# Self jail Unbound with user "unbound" to /var/lib/unbound
 +	# The script /etc/init.d/unbound will setup the location
 +	username: "unbound"
 +	directory: "/var/lib/unbound"
 +	chroot: "/var/lib/unbound"
 +
 +	# The pid file is created before privleges drop so no concern
 +	pidfile: "/var/run/unbound.pid"
 +	directory: "/etc/unbound"
 +	chroot: ""
 +
 +	# no threads and no memory slabs for threads
 +	num-threads: 1
@ -54,7 +57,7 @@ index c520c88..af92a87 100644
 +	# use somewhat higher port numbers versus possible NAT issue
 +	outgoing-port-permit: "10240-65335"
 +
 +	# uses less memory, but less performance
 +	# uses less memory but less performance
 +	outgoing-range: 60
 +	num-queries-per-thread: 30
 +
@ -73,13 +76,11 @@ index c520c88..af92a87 100644
 +	harden-large-queries: yes
 +	harden-short-bufsize: yes
 +
 +	# Enable a trust anchor and modules "validator iterator." However, Unbound
 +	# RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM.
 +	# "/etc/unbound" (directory & files) needs chown for write access. Else, use 
 +	# plain "trust-anchor-" to treat the key file as static.
 +	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-
 +	# -anchor-file:" The init script will copy root key to /var/lib/unbound.
 +	# See package documentation for crontab entry to copy RFC5011 results back.
 +	#module-config: "validator iterator"
 +	#auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 +	#trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 +	#auto-trust-anchor-file: "/var/lib/unbound/root.key"
 +
 +	# DNSSEC needs real time to validate signatures. If your device does not
 +	# have power off clock (reboot), then you may need this work around.