LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

Unbound: Incorporate hotplug/iface and root.key in tmpfs 

-Patch for /etc/unbound/unbound.conf
--All work done in /var/lib/unbound/
--chroot or jail to /var/lib/unbound/
-Init script points to /usr/lib/unbound.sh
-Makefile to install new scripts in the package

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
lilik-openwrt-22.03
Eric Luehrsen 8 years ago
parent
cb56829c98
commit
8dfd5d0b84
3 changed files with 52 additions and 28 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +9
    -4
      net/unbound/Makefile
  2. +30
    -12
      net/unbound/files/unbound.init
  3. +13
    -12
      net/unbound/patches/001-conf.patch

+ 9
- 4
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.5.10
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
@ -137,12 +137,17 @@ define Package/unbound/install
$(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
$(1)/usr/sbin/
$(INSTALL_DIR) $(1)/etc/unbound
$(INSTALL_CONF) \
$(INSTALL_DATA) \
$(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
$(1)/etc/unbound/
$(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
$(1)/etc/unbound/unbound.conf
$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
$(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
$(INSTALL_DIR) $(1)/usr/lib/unbound
$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
endef
define Package/unbound-anchor/install


+ 30
- 12
net/unbound/files/unbound.init View File

@ -1,20 +1,38 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2016 Michael Hanselmann
START=61
##############################################################################
#
# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
#
##############################################################################
#
# This init script is just the entry point for Unbound UCI.
#
##############################################################################
START=60
USE_PROCD=1
PROG=/usr/sbin/unbound
##############################################################################
. /usr/lib/unbound/unbound.sh
##############################################################################
start_service() {
find /etc/unbound \! \( -user unbound -group unbound \) \
-exec chown unbound:unbound {} \;
unbound_prepare
find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
-exec chmod u=rwX,g=rX,o= {} \;
procd_open_instance
procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
procd_set_param respawn
procd_close_instance
}
##############################################################################
procd_open_instance
procd_set_param command /usr/sbin/unbound
procd_append_param command -d # don't daemonize
procd_set_param respawn
procd_close_instance
stop_service() {
rootzone_update
}
##############################################################################

+ 13
- 12
net/unbound/patches/001-conf.patch View File

@ -1,8 +1,8 @@
diff --git a/doc/example.conf.in b/doc/example.conf.in
index c520c88..af92a87 100644
index c520c88..98a148a 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,20 +1,81 @@
@@ -1,20 +1,82 @@
-#
-# Example configuration file.
-#
@ -28,11 +28,14 @@ index c520c88..af92a87 100644
+ # verbosity 1 is default
verbosity: 1
+ # prevent any upstream core surprises (OpenWrt assumptions)
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+ directory: "/etc/unbound"
+ chroot: ""
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
@ -54,7 +57,7 @@ index c520c88..af92a87 100644
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory, but less performance
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
@ -73,13 +76,11 @@ index c520c88..af92a87 100644
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # Enable a trust anchor and modules "validator iterator." However, Unbound
+ # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM.
+ # "/etc/unbound" (directory & files) needs chown for write access. Else, use
+ # plain "trust-anchor-" to treat the key file as static.
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.


Write Preview
Loading…
Cancel
Save