Browse Source

Merge pull request #3396 from EricLuehrsen/unbound_uci2

Unbound: Migrate Working Directory to /var/lib/unbound and Prepare for UCI
lilik-openwrt-22.03
Hannu Nyman 8 years ago
committed by GitHub
parent
commit
16c816e530
6 changed files with 304 additions and 28 deletions
  1. +9
    -4
      net/unbound/Makefile
  2. +106
    -0
      net/unbound/files/rootzone.sh
  3. +20
    -0
      net/unbound/files/unbound.iface
  4. +30
    -12
      net/unbound/files/unbound.init
  5. +126
    -0
      net/unbound/files/unbound.sh
  6. +13
    -12
      net/unbound/patches/001-conf.patch

+ 9
- 4
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.5.10 PKG_VERSION:=1.5.10
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE
@ -137,12 +137,17 @@ define Package/unbound/install
$(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \ $(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
$(1)/usr/sbin/ $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/etc/unbound $(INSTALL_DIR) $(1)/etc/unbound
$(INSTALL_CONF) \
$(INSTALL_DATA) \
$(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \ $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
$(1)/etc/unbound/
$(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
$(1)/etc/unbound/unbound.conf
$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
$(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
$(INSTALL_DIR) $(1)/usr/lib/unbound
$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
endef endef
define Package/unbound-anchor/install define Package/unbound-anchor/install


+ 106
- 0
net/unbound/files/rootzone.sh View File

@ -0,0 +1,106 @@
#!/bin/sh
##############################################################################
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Copyright (C) 2016 Eric Luehrsen
#
##############################################################################
#
# This component needs to be used within the unbound.sh as an include. It uses
# defaults and UCI scope variables defined there. It will copy root.key back
# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
#
##############################################################################
rootzone_uci() {
# TODO: Just structure to real UCI coming soon.
echo
}
##############################################################################
roothints_update() {
# TODO: Maybe this will not be implemented.
echo
}
##############################################################################
rootkey_update() {
local basekey_date rootkey_date rootkey_age filestuff
# TODO: Just structure to real UCI coming soon.
if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
# Feature disabled
return 0
fi
if [ -f /etc/unbound/root.key ] ; then
basekey_date=$( date -r /etc/unbound/root.key +%s )
else
# No persistent storage key
basekey_date=$( date -d 2000-01-01 +%s )
fi
if [ -f "$UNBOUND_KEYFILE" ] ; then
# Unbound maintains it itself
rootkey_date=$( date -r $UNBOUND_KEYFILE +%s )
rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
elif [ -x "$UNBOUND_ANCHOR" ] ; then
# No tmpfs key - use unbound-anchor
rootkey_date=$( date -I +%s )
rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
else
# give up
rootkey_age=0
fi
if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
filestuff=$( cat $UNBOUND_KEYFILE )
case "$filestuff" in
*NOERROR*)
# Header comment for drill and dig
logger -t unbound -s "root.key updated after $rootkey_age days"
cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
;;
*"state=2 [ VALID ]"*)
# Comment inline to key for unbound-anchor
logger -t unbound -s "root.key updated after $rootkey_age days"
cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
;;
*)
logger -t unbound -s "root.key still $rootkey_age days old"
;;
esac
fi
}
##############################################################################
rootzone_update() {
rootzone_uci
roothints_update
rootkey_update
}
##############################################################################

+ 20
- 0
net/unbound/files/unbound.iface View File

@ -0,0 +1,20 @@
#!/bin/sh
##############################################################################
#
# Copyright (C) 2016 Eric Luehrsen
#
##############################################################################
#
# "Restart" Unbound on hotplug interface up:
# - Clean rebind of unbound to new interfaces
# - Some of Unbound conf options to not reload run time
# - Unbound can grow a bit so this will shrink it back
#
##############################################################################
if [ "$ACTION" = ifup ] && /etc/init.d/unbound enabled ; then
/etc/init.d/unbound restart
fi
##############################################################################

+ 30
- 12
net/unbound/files/unbound.init View File

@ -1,20 +1,38 @@
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
# Copyright (C) 2016 Michael Hanselmann
START=61
##############################################################################
#
# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
#
##############################################################################
#
# This init script is just the entry point for Unbound UCI.
#
##############################################################################
START=60
USE_PROCD=1 USE_PROCD=1
PROG=/usr/sbin/unbound
##############################################################################
. /usr/lib/unbound/unbound.sh
##############################################################################
start_service() { start_service() {
find /etc/unbound \! \( -user unbound -group unbound \) \
-exec chown unbound:unbound {} \;
unbound_prepare
find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
-exec chmod u=rwX,g=rX,o= {} \;
procd_open_instance
procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
procd_set_param respawn
procd_close_instance
}
##############################################################################
procd_open_instance
procd_set_param command /usr/sbin/unbound
procd_append_param command -d # don't daemonize
procd_set_param respawn
procd_close_instance
stop_service() {
rootzone_update
} }
##############################################################################

+ 126
- 0
net/unbound/files/unbound.sh View File

@ -0,0 +1,126 @@
#!/bin/sh
##############################################################################
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Copyright (C) 2016 Eric Luehrsen
#
##############################################################################
#
# TODO: This file will build the UCI for Unbound. This iteration only puts
# our default unbound configuration and root.key into /var/lib/unbound.
#
##############################################################################
# TODO: Just default definitions versus real UCI coming soon.
UNBOUND_B_MAN_CONF=1
UNBOUND_B_DNSSEC=1
UNBOUND_N_ROOT_AGE=7
##############################################################################
UNBOUND_ANCHOR=/usr/bin/unbound-anchor
UNBOUND_CONTROL=/usr/bin/unbound-control
UNBOUND_LIBDIR=/usr/lib/unbound
UNBOUND_PIDFILE=/var/run/unbound.pid
UNBOUND_VARDIR=/var/lib/unbound
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check
##############################################################################
. /lib/functions.sh
. /lib/functions/network.sh
. $UNBOUND_LIBDIR/rootzone.sh
##############################################################################
unbound_mkdir() {
mkdir -p $UNBOUND_VARDIR
if [ -f /etc/unbound/root.hints ] ; then
# Your own local copy of root.hints
cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
elif [ -f /usr/share/dns/root.hints ] ; then
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
else
logger -t unbound -s "iterator will use built-in root hints"
fi
if [ -f /etc/unbound/root.key ] ; then
# Your own local copy of a root.key
cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
elif [ -f /usr/share/dns/root.key ] ; then
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
elif [ -x "$UNBOUND_ANCHOR" ] ; then
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
else
logger -t unbound -s "validator will use built-in trust anchor"
fi
}
##############################################################################
unbound_conf() {
# TODO: Just structure to real UCI coming soon.
if [ "$UNBOUND_B_MAN_CONF" -gt 0 -a -f /etc/unbound/unbound.conf ] ; then
# You don't want UCI and use your own manual configuration
cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
fi
}
##############################################################################
unbound_own() {
# Debug UCI
{
echo "# $UNBOUND_CHECKFILE generated by UCI $( date )"
echo
set | grep ^UNBOUND_
} > $UNBOUND_CHECKFILE
if [ ! -f "$UNBOUND_CONFFILE" ] ; then
# if somehow this happened
touch $UNBOUND_CONFFILE
fi
# Ensure Access
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*
}
##############################################################################
unbound_prepare() {
unbound_mkdir
unbound_conf
unbound_own
}
##############################################################################

+ 13
- 12
net/unbound/patches/001-conf.patch View File

@ -1,8 +1,8 @@
diff --git a/doc/example.conf.in b/doc/example.conf.in diff --git a/doc/example.conf.in b/doc/example.conf.in
index c520c88..af92a87 100644
index c520c88..98a148a 100644
--- a/doc/example.conf.in --- a/doc/example.conf.in
+++ b/doc/example.conf.in +++ b/doc/example.conf.in
@@ -1,20 +1,81 @@
@@ -1,20 +1,82 @@
-# -#
-# Example configuration file. -# Example configuration file.
-# -#
@ -28,11 +28,14 @@ index c520c88..af92a87 100644
+ # verbosity 1 is default + # verbosity 1 is default
verbosity: 1 verbosity: 1
+ # prevent any upstream core surprises (OpenWrt assumptions)
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound" + username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid" + pidfile: "/var/run/unbound.pid"
+ directory: "/etc/unbound"
+ chroot: ""
+ +
+ # no threads and no memory slabs for threads + # no threads and no memory slabs for threads
+ num-threads: 1 + num-threads: 1
@ -54,7 +57,7 @@ index c520c88..af92a87 100644
+ # use somewhat higher port numbers versus possible NAT issue + # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335" + outgoing-port-permit: "10240-65335"
+ +
+ # uses less memory, but less performance
+ # uses less memory but less performance
+ outgoing-range: 60 + outgoing-range: 60
+ num-queries-per-thread: 30 + num-queries-per-thread: 30
+ +
@ -73,13 +76,11 @@ index c520c88..af92a87 100644
+ harden-large-queries: yes + harden-large-queries: yes
+ harden-short-bufsize: yes + harden-short-bufsize: yes
+ +
+ # Enable a trust anchor and modules "validator iterator." However, Unbound
+ # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM.
+ # "/etc/unbound" (directory & files) needs chown for write access. Else, use
+ # plain "trust-anchor-" to treat the key file as static.
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator" + #module-config: "validator iterator"
+ #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ +
+ # DNSSEC needs real time to validate signatures. If your device does not + # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around. + # have power off clock (reboot), then you may need this work around.


Loading…
Cancel
Save