From b228d5e969bb3f91e975dc830a6e8f8b5eba5575 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 20 Oct 2016 00:14:16 -0400 Subject: [PATCH 1/3] Unbound: Add hotplug/iface script to request restart -Rebind to new interfaces cleanly -Detach from old interfaces cleanly -Some conf options do not reload dynamically -Unbound grows some and this will shrink it Signed-off-by: Eric Luehrsen --- net/unbound/files/unbound.iface | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100755 net/unbound/files/unbound.iface diff --git a/net/unbound/files/unbound.iface b/net/unbound/files/unbound.iface new file mode 100755 index 000000000..172bcae51 --- /dev/null +++ b/net/unbound/files/unbound.iface @@ -0,0 +1,20 @@ +#!/bin/sh +############################################################################## +# +# Copyright (C) 2016 Eric Luehrsen +# +############################################################################## +# +# "Restart" Unbound on hotplug interface up: +# - Clean rebind of unbound to new interfaces +# - Some of Unbound conf options to not reload run time +# - Unbound can grow a bit so this will shrink it back +# +############################################################################## + +if [ "$ACTION" = ifup ] && /etc/init.d/unbound enabled ; then + /etc/init.d/unbound restart +fi + +############################################################################## + From cb56829c98d066417a07a3fb0ae37f342f15d91e Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 20 Oct 2016 00:19:51 -0400 Subject: [PATCH 2/3] Unbound: Add scripts to manage root.key in tmpfs -Unbound RFC 5011 is busy and writes frequently -RFC 5011 creates working files in same directory -DNSSEC root.key managed in /var/lib/unbound -Protect against flash ROM wear out in /etc/unbound -Scripts will copy back every 7 days instead Signed-off-by: Eric Luehrsen --- net/unbound/files/rootzone.sh | 106 ++++++++++++++++++++++++++++ net/unbound/files/unbound.sh | 126 ++++++++++++++++++++++++++++++++++ 2 files changed, 232 insertions(+) create mode 100644 net/unbound/files/rootzone.sh create mode 100644 net/unbound/files/unbound.sh diff --git a/net/unbound/files/rootzone.sh b/net/unbound/files/rootzone.sh new file mode 100644 index 000000000..fe71f3ef2 --- /dev/null +++ b/net/unbound/files/rootzone.sh @@ -0,0 +1,106 @@ +#!/bin/sh +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# Copyright (C) 2016 Eric Luehrsen +# +############################################################################## +# +# This component needs to be used within the unbound.sh as an include. It uses +# defaults and UCI scope variables defined there. It will copy root.key back +# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option). +# +############################################################################## + +rootzone_uci() { + # TODO: Just structure to real UCI coming soon. + echo +} + +############################################################################## + +roothints_update() { + # TODO: Maybe this will not be implemented. + echo +} + +############################################################################## + +rootkey_update() { + local basekey_date rootkey_date rootkey_age filestuff + + # TODO: Just structure to real UCI coming soon. + if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then + # Feature disabled + return 0 + fi + + + if [ -f /etc/unbound/root.key ] ; then + basekey_date=$( date -r /etc/unbound/root.key +%s ) + + else + # No persistent storage key + basekey_date=$( date -d 2000-01-01 +%s ) + fi + + + if [ -f "$UNBOUND_KEYFILE" ] ; then + # Unbound maintains it itself + rootkey_date=$( date -r $UNBOUND_KEYFILE +%s ) + rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) + + elif [ -x "$UNBOUND_ANCHOR" ] ; then + # No tmpfs key - use unbound-anchor + rootkey_date=$( date -I +%s ) + rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) + $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE + + else + # give up + rootkey_age=0 + fi + + + if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then + filestuff=$( cat $UNBOUND_KEYFILE ) + + + case "$filestuff" in + *NOERROR*) + # Header comment for drill and dig + logger -t unbound -s "root.key updated after $rootkey_age days" + cp -p $UNBOUND_KEYFILE /etc/unbound/root.key + ;; + + *"state=2 [ VALID ]"*) + # Comment inline to key for unbound-anchor + logger -t unbound -s "root.key updated after $rootkey_age days" + cp -p $UNBOUND_KEYFILE /etc/unbound/root.key + ;; + + *) + logger -t unbound -s "root.key still $rootkey_age days old" + ;; + esac + fi +} + +############################################################################## + +rootzone_update() { + rootzone_uci + roothints_update + rootkey_update +} + +############################################################################## + diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh new file mode 100644 index 000000000..245bd18b2 --- /dev/null +++ b/net/unbound/files/unbound.sh @@ -0,0 +1,126 @@ +#!/bin/sh +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# Copyright (C) 2016 Eric Luehrsen +# +############################################################################## +# +# TODO: This file will build the UCI for Unbound. This iteration only puts +# our default unbound configuration and root.key into /var/lib/unbound. +# +############################################################################## + +# TODO: Just default definitions versus real UCI coming soon. +UNBOUND_B_MAN_CONF=1 +UNBOUND_B_DNSSEC=1 +UNBOUND_N_ROOT_AGE=7 + +############################################################################## + +UNBOUND_ANCHOR=/usr/bin/unbound-anchor +UNBOUND_CONTROL=/usr/bin/unbound-control + +UNBOUND_LIBDIR=/usr/lib/unbound + +UNBOUND_PIDFILE=/var/run/unbound.pid + +UNBOUND_VARDIR=/var/lib/unbound +UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf +UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key +UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints +UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check + +############################################################################## + +. /lib/functions.sh +. /lib/functions/network.sh + +. $UNBOUND_LIBDIR/rootzone.sh + +############################################################################## + +unbound_mkdir() { + mkdir -p $UNBOUND_VARDIR + + + if [ -f /etc/unbound/root.hints ] ; then + # Your own local copy of root.hints + cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE + + elif [ -f /usr/share/dns/root.hints ] ; then + # Debian-like package dns-root-data + cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE + + else + logger -t unbound -s "iterator will use built-in root hints" + fi + + + if [ -f /etc/unbound/root.key ] ; then + # Your own local copy of a root.key + cp -p /etc/unbound/root.key $UNBOUND_KEYFILE + + elif [ -f /usr/share/dns/root.key ] ; then + # Debian-like package dns-root-data + cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE + + elif [ -x "$UNBOUND_ANCHOR" ] ; then + $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE + + else + logger -t unbound -s "validator will use built-in trust anchor" + fi +} + +############################################################################## + +unbound_conf() { + # TODO: Just structure to real UCI coming soon. + if [ "$UNBOUND_B_MAN_CONF" -gt 0 -a -f /etc/unbound/unbound.conf ] ; then + # You don't want UCI and use your own manual configuration + cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE + fi +} + +############################################################################## + +unbound_own() { + # Debug UCI + { + echo "# $UNBOUND_CHECKFILE generated by UCI $( date )" + echo + set | grep ^UNBOUND_ + } > $UNBOUND_CHECKFILE + + + if [ ! -f "$UNBOUND_CONFFILE" ] ; then + # if somehow this happened + touch $UNBOUND_CONFFILE + fi + + + # Ensure Access + chown -R unbound:unbound $UNBOUND_VARDIR + chmod 775 $UNBOUND_VARDIR + chmod 664 $UNBOUND_VARDIR/* +} + +############################################################################## + +unbound_prepare() { + unbound_mkdir + unbound_conf + unbound_own +} + +############################################################################## + From 8dfd5d0b84c7174ae461af4173cc9664118d4fbc Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 20 Oct 2016 00:17:23 -0400 Subject: [PATCH 3/3] Unbound: Incorporate hotplug/iface and root.key in tmpfs -Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 13 ++++++--- net/unbound/files/unbound.init | 42 +++++++++++++++++++++--------- net/unbound/patches/001-conf.patch | 25 +++++++++--------- 3 files changed, 52 insertions(+), 28 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index b9ee19f36..62367f758 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.5.10 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE @@ -137,12 +137,17 @@ define Package/unbound/install $(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \ $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/etc/unbound - $(INSTALL_CONF) \ + $(INSTALL_DATA) \ $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \ - $(1)/etc/unbound/ - $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/ + $(1)/etc/unbound/unbound.conf + $(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound + $(INSTALL_DIR) $(1)/usr/lib/unbound + $(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh + $(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh endef define Package/unbound-anchor/install diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init index 7ad2e7c74..119289449 100755 --- a/net/unbound/files/unbound.init +++ b/net/unbound/files/unbound.init @@ -1,20 +1,38 @@ #!/bin/sh /etc/rc.common -# Copyright (C) 2016 Michael Hanselmann - -START=61 +############################################################################## +# +# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen +# +############################################################################## +# +# This init script is just the entry point for Unbound UCI. +# +############################################################################## +START=60 USE_PROCD=1 +PROG=/usr/sbin/unbound + +############################################################################## + +. /usr/lib/unbound/unbound.sh + +############################################################################## start_service() { - find /etc/unbound \! \( -user unbound -group unbound \) \ - -exec chown unbound:unbound {} \; + unbound_prepare - find /etc/unbound \( -perm +027 -o \! -perm -600 \) \ - -exec chmod u=rwX,g=rX,o= {} \; + procd_open_instance + procd_set_param command $PROG -d -c $UNBOUND_CONFFILE + procd_set_param respawn + procd_close_instance +} + +############################################################################## - procd_open_instance - procd_set_param command /usr/sbin/unbound - procd_append_param command -d # don't daemonize - procd_set_param respawn - procd_close_instance +stop_service() { + rootzone_update } + +############################################################################## + diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch index a318f6092..5f6b4c5e7 100644 --- a/net/unbound/patches/001-conf.patch +++ b/net/unbound/patches/001-conf.patch @@ -1,8 +1,8 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in -index c520c88..af92a87 100644 +index c520c88..98a148a 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in -@@ -1,20 +1,81 @@ +@@ -1,20 +1,82 @@ -# -# Example configuration file. -# @@ -28,11 +28,14 @@ index c520c88..af92a87 100644 + # verbosity 1 is default verbosity: 1 -+ # prevent any upstream core surprises (OpenWrt assumptions) ++ # Self jail Unbound with user "unbound" to /var/lib/unbound ++ # The script /etc/init.d/unbound will setup the location + username: "unbound" ++ directory: "/var/lib/unbound" ++ chroot: "/var/lib/unbound" ++ ++ # The pid file is created before privleges drop so no concern + pidfile: "/var/run/unbound.pid" -+ directory: "/etc/unbound" -+ chroot: "" + + # no threads and no memory slabs for threads + num-threads: 1 @@ -54,7 +57,7 @@ index c520c88..af92a87 100644 + # use somewhat higher port numbers versus possible NAT issue + outgoing-port-permit: "10240-65335" + -+ # uses less memory, but less performance ++ # uses less memory but less performance + outgoing-range: 60 + num-queries-per-thread: 30 + @@ -73,13 +76,11 @@ index c520c88..af92a87 100644 + harden-large-queries: yes + harden-short-bufsize: yes + -+ # Enable a trust anchor and modules "validator iterator." However, Unbound -+ # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM. -+ # "/etc/unbound" (directory & files) needs chown for write access. Else, use -+ # plain "trust-anchor-" to treat the key file as static. ++ # DNSSEC enable by removing comments on "module-config:" and "auto-trust- ++ # -anchor-file:" The init script will copy root key to /var/lib/unbound. ++ # See package documentation for crontab entry to copy RFC5011 results back. + #module-config: "validator iterator" -+ #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" -+ #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" ++ #auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # DNSSEC needs real time to validate signatures. If your device does not + # have power off clock (reboot), then you may need this work around.