Unbound: fix regression of manual conf for power user

- History: prior to package 1.5.10-3 /var/lib/unbound was not used
- History: prior to package 1.5.10-4 no UCI scripts were provided
- Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key
- Problem: power users that had complex file nests cannot use this
- Fix: README.md includes instructions for /var/lib/unbound jail
- Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1'

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Branch: lilik-openwrt-22.03
Eric Luehrsen, 8 years ago
commit 1ed2270670
3 changed files with 18 additions and 13 deletions
  1. net/unbound/Makefile (+1 -1)
  2. net/unbound/files/README.md (+12 -1)
  3. net/unbound/files/unbound.sh (+5 -11)

net/unbound/Makefile (+1 -1)

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.5.10
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE


net/unbound/files/README.md (+12 -1)

@ -20,7 +20,18 @@ Some UCI options will help Unbound and dnsmasq work together in **parallel**. Th
Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
## UCI Options
## Back to Manual Configuration
You don't want UCI, but don't worry. We have UCI for that. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
config unbound
option manual_conf '1'
option root_age '30'
## Complete List of UCI Options
**/etc/config/unbound**:
config unbound
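Review bot: "Configure for security in`/etc/unbound/unbound.conf`" is missing the space after "in", and "Choose how many days to copy from ..." reads oddly; suggest "Choose how many days between copies of `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash)" so that `option root_age '30'` is clearly an interval. In the jail paragraph it would help to say why the include paths must point at `/var/lib/unbound`: once `chroot:` is in effect nothing under `/etc/unbound` is reachable from inside the jail, so an `include:` or a trust-anchor file (`root.key`) path still pointing at `/etc/unbound` breaks after Unbound has chrooted, for example on reload. The unbound.conf(5) examples write the options as `username: "unbound"` and `chroot: "/var/lib/unbound"`; matching that form avoids readers copying `chroot:/var/lib/unbound` verbatim.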


net/unbound/files/unbound.sh (+5 -11)

@ -104,6 +104,7 @@ create_domain_insecure() {
unbound_mkdir() {
mkdir -p $UNBOUND_VARDIR
touch $UNBOUND_CONFFILE
if [ -f /etc/unbound/root.hints ] ; then
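Review bot: `touch $UNBOUND_CONFFILE` runs under root's umask, so the placeholder is created root-owned; that is fine only because `chown -R unbound:unbound $UNBOUND_VARDIR` and `chmod 664` in unbound_own() run later, so a short comment saying the permissions are fixed up there would help. Style: `mkdir -p $UNBOUND_VARDIR` and `touch $UNBOUND_CONFFILE` leave the variables unquoted while the script elsewhere tests `[ ! -f "$UNBOUND_CONFFILE" ]` quoted; `"$UNBOUND_VARDIR"` and `"$UNBOUND_CONFFILE"` would be consistent.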
@ -478,13 +479,6 @@ unbound_uci() {
if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
if [ -f /etc/unbound/unbound.conf ] ; then
# You don't want UCI and use your own manual configuration
# or with no base file whatever Unbound defaults are.
cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
fi
# Don't want this being triggered. Maybe we could, but then the
# base conf you provide would need to be just right.
UNBOUND_B_DNSMASQ=0
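Review bot: dropping the guarded `cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE` here moves the manual-conf copy into unbound_own(), and that copy no longer checks that `/etc/unbound/unbound.conf` exists. If a user sets `manual_conf 1` with no base file, the empty file created by `touch $UNBOUND_CONFFILE` in unbound_mkdir() is what Unbound loads, so it runs on its built-in defaults; the removed comment ("or with no base file whatever Unbound defaults are") treated that as intended, so it is worth keeping that sentence next to the new copy in unbound_own() so the fallback stays documented. Keeping `UNBOUND_B_DNSMASQ=0` in the manual branch is right: the generated dnsmasq glue would otherwise conflict with a hand-written conf.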
@ -505,13 +499,13 @@ unbound_own () {
} > $UNBOUND_CHECKFILE
if [ ! -f "$UNBOUND_CONFFILE" ] ; then
# if somehow this happened
touch $UNBOUND_CONFFILE
if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
# You are doing your own thing, so just copy /etc/ to /var/
cp -p /etc/unbound/* $UNBOUND_VARDIR/
fi
# Ensure Access
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*
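Review bot: `cp -p /etc/unbound/* $UNBOUND_VARDIR/` is not recursive, so the "complex file nests" the commit message sets out to support are only covered when every file sits directly in `/etc/unbound`; a subdirectory is skipped (BusyBox cp reports "omitting directory") and an `include:` pointing into it fails inside the jail. If subdirectories are meant to work, use `cp -rp` and do not apply `chmod 664 $UNBOUND_VARDIR/*` to directories, since 664 strips the execute bit and makes a copied directory untraversable; `find $UNBOUND_VARDIR -type f -exec chmod 664 {} +` keeps files and directories separate. Dotfiles are also not matched by `*`. Separately, `chown -R unbound:unbound` plus 664 leaves the copied unbound.conf and root.hints writable by the unbound user that will be chrooted into this directory; that is acceptable because the tmpfs copy is regenerated from `/etc/unbound` on every start, but a comment stating that rationale next to "prepare to jail" would save the next reader from tightening it and breaking the RFC 5011 `root.key` updates that need write access here.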

