Unbound: Migrate Working Directory to /var/lib/unbound and Prepare for UCIlilik-openwrt-22.03
@ -0,0 +1,106 @@ | |||||
#!/bin/sh | |||||
############################################################################## | |||||
# | |||||
# This program is free software; you can redistribute it and/or modify | |||||
# it under the terms of the GNU General Public License version 2 as | |||||
# published by the Free Software Foundation. | |||||
# | |||||
# This program is distributed in the hope that it will be useful, | |||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||||
# GNU General Public License for more details. | |||||
# | |||||
# Copyright (C) 2016 Eric Luehrsen | |||||
# | |||||
############################################################################## | |||||
# | |||||
# This component needs to be used within the unbound.sh as an include. It uses | |||||
# defaults and UCI scope variables defined there. It will copy root.key back | |||||
# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option). | |||||
# | |||||
############################################################################## | |||||
rootzone_uci() { | |||||
# TODO: Just structure to real UCI coming soon. | |||||
echo | |||||
} | |||||
############################################################################## | |||||
roothints_update() { | |||||
# TODO: Maybe this will not be implemented. | |||||
echo | |||||
} | |||||
############################################################################## | |||||
rootkey_update() { | |||||
local basekey_date rootkey_date rootkey_age filestuff | |||||
# TODO: Just structure to real UCI coming soon. | |||||
if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then | |||||
# Feature disabled | |||||
return 0 | |||||
fi | |||||
if [ -f /etc/unbound/root.key ] ; then | |||||
basekey_date=$( date -r /etc/unbound/root.key +%s ) | |||||
else | |||||
# No persistent storage key | |||||
basekey_date=$( date -d 2000-01-01 +%s ) | |||||
fi | |||||
if [ -f "$UNBOUND_KEYFILE" ] ; then | |||||
# Unbound maintains it itself | |||||
rootkey_date=$( date -r $UNBOUND_KEYFILE +%s ) | |||||
rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) | |||||
elif [ -x "$UNBOUND_ANCHOR" ] ; then | |||||
# No tmpfs key - use unbound-anchor | |||||
rootkey_date=$( date -I +%s ) | |||||
rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) | |||||
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE | |||||
else | |||||
# give up | |||||
rootkey_age=0 | |||||
fi | |||||
if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then | |||||
filestuff=$( cat $UNBOUND_KEYFILE ) | |||||
case "$filestuff" in | |||||
*NOERROR*) | |||||
# Header comment for drill and dig | |||||
logger -t unbound -s "root.key updated after $rootkey_age days" | |||||
cp -p $UNBOUND_KEYFILE /etc/unbound/root.key | |||||
;; | |||||
*"state=2 [ VALID ]"*) | |||||
# Comment inline to key for unbound-anchor | |||||
logger -t unbound -s "root.key updated after $rootkey_age days" | |||||
cp -p $UNBOUND_KEYFILE /etc/unbound/root.key | |||||
;; | |||||
*) | |||||
logger -t unbound -s "root.key still $rootkey_age days old" | |||||
;; | |||||
esac | |||||
fi | |||||
} | |||||
############################################################################## | |||||
rootzone_update() { | |||||
rootzone_uci | |||||
roothints_update | |||||
rootkey_update | |||||
} | |||||
############################################################################## | |||||
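Review bot: The day divisor in both `rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))` lines is wrong, because a day is 86400 seconds; the constant reads as a typo and slightly under-counts the key age, so change both to `rootkey_age=$(( (rootkey_date - basekey_date) / 86400 ))`. In the unbound-anchor branch `date -I +%s` combines the ISO-8601 output switch with an explicit format, which GNU date rejects as conflicting output formats and BusyBox may interpret differently; the epoch value the arithmetic expects is `rootkey_date=$( date +%s )`. The `$UNBOUND_KEYFILE` expansions passed to `date -r`, `$UNBOUND_ANCHOR -a`, `cat` and both `cp -p` calls are unquoted, unlike the `-f` tests above them; quoting them keeps the function safe if the path ever contains whitespace.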
@ -0,0 +1,20 @@ | |||||
#!/bin/sh | |||||
############################################################################## | |||||
# | |||||
# Copyright (C) 2016 Eric Luehrsen | |||||
# | |||||
############################################################################## | |||||
# | |||||
# "Restart" Unbound on hotplug interface up: | |||||
# - Clean rebind of unbound to new interfaces | |||||
# - Some of Unbound conf options to not reload run time | |||||
# - Unbound can grow a bit so this will shrink it back | |||||
# | |||||
############################################################################## | |||||
if [ "$ACTION" = ifup ] && /etc/init.d/unbound enabled ; then | |||||
/etc/init.d/unbound restart | |||||
fi | |||||
############################################################################## | |||||
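Review bot: The single `if` fires for every interface's ifup event, because only `$ACTION` is tested and neither `$INTERFACE` nor `$DEVICE` is consulted, so a boot that brings up several interfaces presumably restarts Unbound once per interface, and each restart also passes through stop_service's rootzone_update write-back path. If rebinding on any interface change is the intent, as the header suggests, a comment on the condition would make that explicit: `# Restart on any ifup: Unbound must rebind to the new interface set`. Otherwise limiting the trigger to the interfaces Unbound actually listens on would reduce restart churn and cache loss.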
@ -1,20 +1,38 @@ | |||||
#!/bin/sh /etc/rc.common | #!/bin/sh /etc/rc.common | ||||
# Copyright (C) 2016 Michael Hanselmann | |||||
START=61 | |||||
############################################################################## | |||||
# | |||||
# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen | |||||
# | |||||
############################################################################## | |||||
# | |||||
# This init script is just the entry point for Unbound UCI. | |||||
# | |||||
############################################################################## | |||||
START=60 | |||||
USE_PROCD=1 | USE_PROCD=1 | ||||
PROG=/usr/sbin/unbound | |||||
############################################################################## | |||||
. /usr/lib/unbound/unbound.sh | |||||
############################################################################## | |||||
start_service() { | start_service() { | ||||
find /etc/unbound \! \( -user unbound -group unbound \) \ | |||||
-exec chown unbound:unbound {} \; | |||||
unbound_prepare | |||||
find /etc/unbound \( -perm +027 -o \! -perm -600 \) \ | |||||
-exec chmod u=rwX,g=rX,o= {} \; | |||||
procd_open_instance | |||||
procd_set_param command $PROG -d -c $UNBOUND_CONFFILE | |||||
procd_set_param respawn | |||||
procd_close_instance | |||||
} | |||||
############################################################################## | |||||
procd_open_instance | |||||
procd_set_param command /usr/sbin/unbound | |||||
procd_append_param command -d # don't daemonize | |||||
procd_set_param respawn | |||||
procd_close_instance | |||||
stop_service() { | |||||
rootzone_update | |||||
} | } | ||||
############################################################################## | |||||
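Review bot: The `rootzone_update` call in stop_service runs on every stop, including the restart issued from hotplug, and the only thing rate-limiting writes to /etc/unbound is the age check inside rootkey_update in the sourced rootzone.sh, which is not visible from this file; a comment on the call would state that contract, e.g. `# Persist a refreshed root.key before tmpfs is lost; rate-limited by UNBOUND_N_ROOT_AGE in rootzone.sh`. The `procd_set_param command $PROG -d -c $UNBOUND_CONFFILE` line leaves both expansions unquoted; procd_set_param takes a word list, so `"$PROG" -d -c "$UNBOUND_CONFFILE"` is the safer form. The rendered page does not mark which single-column lines are old and which are new, so the find/chown lines were read as removed history rather than new code.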
@ -0,0 +1,126 @@ | |||||
#!/bin/sh | |||||
############################################################################## | |||||
# | |||||
# This program is free software; you can redistribute it and/or modify | |||||
# it under the terms of the GNU General Public License version 2 as | |||||
# published by the Free Software Foundation. | |||||
# | |||||
# This program is distributed in the hope that it will be useful, | |||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||||
# GNU General Public License for more details. | |||||
# | |||||
# Copyright (C) 2016 Eric Luehrsen | |||||
# | |||||
############################################################################## | |||||
# | |||||
# TODO: This file will build the UCI for Unbound. This iteration only puts | |||||
# our default unbound configuration and root.key into /var/lib/unbound. | |||||
# | |||||
############################################################################## | |||||
# TODO: Just default definitions versus real UCI coming soon. | |||||
UNBOUND_B_MAN_CONF=1 | |||||
UNBOUND_B_DNSSEC=1 | |||||
UNBOUND_N_ROOT_AGE=7 | |||||
############################################################################## | |||||
UNBOUND_ANCHOR=/usr/bin/unbound-anchor | |||||
UNBOUND_CONTROL=/usr/bin/unbound-control | |||||
UNBOUND_LIBDIR=/usr/lib/unbound | |||||
UNBOUND_PIDFILE=/var/run/unbound.pid | |||||
UNBOUND_VARDIR=/var/lib/unbound | |||||
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf | |||||
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key | |||||
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints | |||||
UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check | |||||
############################################################################## | |||||
. /lib/functions.sh | |||||
. /lib/functions/network.sh | |||||
. $UNBOUND_LIBDIR/rootzone.sh | |||||
############################################################################## | |||||
unbound_mkdir() { | |||||
mkdir -p $UNBOUND_VARDIR | |||||
if [ -f /etc/unbound/root.hints ] ; then | |||||
# Your own local copy of root.hints | |||||
cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE | |||||
elif [ -f /usr/share/dns/root.hints ] ; then | |||||
# Debian-like package dns-root-data | |||||
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE | |||||
else | |||||
logger -t unbound -s "iterator will use built-in root hints" | |||||
fi | |||||
if [ -f /etc/unbound/root.key ] ; then | |||||
# Your own local copy of a root.key | |||||
cp -p /etc/unbound/root.key $UNBOUND_KEYFILE | |||||
elif [ -f /usr/share/dns/root.key ] ; then | |||||
# Debian-like package dns-root-data | |||||
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE | |||||
elif [ -x "$UNBOUND_ANCHOR" ] ; then | |||||
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE | |||||
else | |||||
logger -t unbound -s "validator will use built-in trust anchor" | |||||
fi | |||||
} | |||||
############################################################################## | |||||
unbound_conf() { | |||||
# TODO: Just structure to real UCI coming soon. | |||||
if [ "$UNBOUND_B_MAN_CONF" -gt 0 -a -f /etc/unbound/unbound.conf ] ; then | |||||
# You don't want UCI and use your own manual configuration | |||||
cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE | |||||
fi | |||||
} | |||||
############################################################################## | |||||
unbound_own() { | |||||
# Debug UCI | |||||
{ | |||||
echo "# $UNBOUND_CHECKFILE generated by UCI $( date )" | |||||
echo | |||||
set | grep ^UNBOUND_ | |||||
} > $UNBOUND_CHECKFILE | |||||
if [ ! -f "$UNBOUND_CONFFILE" ] ; then | |||||
# if somehow this happened | |||||
touch $UNBOUND_CONFFILE | |||||
fi | |||||
# Ensure Access | |||||
chown -R unbound:unbound $UNBOUND_VARDIR | |||||
chmod 775 $UNBOUND_VARDIR | |||||
chmod 664 $UNBOUND_VARDIR/* | |||||
} | |||||
############################################################################## | |||||
unbound_prepare() { | |||||
unbound_mkdir | |||||
unbound_conf | |||||
unbound_own | |||||
} | |||||
############################################################################## | |||||
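Review bot: unbound_own makes everything under /var/lib/unbound group-writable (`chmod 775` on the directory, `chmod 664` on its contents) right after `chown -R unbound:unbound`, so unbound.conf, which the daemon only needs to read, becomes writable by the daemon's group, and because rootkey_update copies root.key back with `cp -p` the persistent anchor in /etc/unbound inherits that 664 unbound:unbound mode as well. Since the daemon already owns the tree, owner-write is enough for it to maintain root.key; `chmod 755 $UNBOUND_VARDIR` and `chmod 644 $UNBOUND_VARDIR/*` would keep the config and anchor read-only for everyone else, unless another member of group unbound is meant to write here. The `set | grep ^UNBOUND_` dump written to unbound.check is world-readable at 664; nothing in the current variable set is secret, but that will matter if UCI later carries control keys or similar values. The test in unbound_conf uses `[ -a ]`, which is deprecated and ambiguous; `[ "$UNBOUND_B_MAN_CONF" -gt 0 ] && [ -f /etc/unbound/unbound.conf ]` is the portable form.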