From 8dfd5d0b84c7174ae461af4173cc9664118d4fbc Mon Sep 17 00:00:00 2001
From: Eric Luehrsen
Date: Thu, 20 Oct 2016 00:17:23 -0400
Subject: [PATCH] Unbound: Incorporate hotplug/iface and root.key in tmpfs

-Patch for /etc/unbound/unbound.conf
--All work done in /var/lib/unbound/
--chroot or jail to /var/lib/unbound/
-Init script points to /usr/lib/unbound.sh
-Makefile to install new scripts in the package

Signed-off-by: Eric Luehrsen
---
 net/unbound/Makefile | 13 ++++++---
 net/unbound/files/unbound.init | 42 +++++++++++++++++++++---------
 net/unbound/patches/001-conf.patch | 25 +++++++++---------
 3 files changed, 52 insertions(+), 28 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index b9ee19f36..62367f758 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -137,12 +137,17 @@ define Package/unbound/install
 	$(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
 	$(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/unbound
-	$(INSTALL_CONF) \
+	$(INSTALL_DATA) \
 	$(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
-	$(1)/etc/unbound/
-	$(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
+	$(1)/etc/unbound/unbound.conf
+	$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
+	$(INSTALL_DIR) $(1)/usr/lib/unbound
+	$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
+	$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
 endef
 
 define Package/unbound-anchor/install
diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init
index 7ad2e7c74..119289449 100755
--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
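Review bot: The install recipe now references `./files/unbound.iface`, `./files/unbound.sh` and `./files/rootzone.sh`, but none of those files is part of this patch (the diffstat lists only the Makefile, unbound.init and 001-conf.patch), so unless they land in a separate commit the package install step fails and the init script's `. /usr/lib/unbound/unbound.sh` would fail at boot. Please add the three files to this change or state in the description which commit carries them. Separately, switching unbound.conf and root.key from `$(INSTALL_CONF)` to `$(INSTALL_DATA)` relaxes the mode from 0600 to 0644 (per OpenWrt's rules.mk, as far as I recall); that is harmless for a public trust anchor, but the intent deserves a line so nobody reverts it blindly: `# 0644 is fine: root.key is public DNSSEC data and unbound.conf holds no secrets; both stay root-owned`. The `define` block this hunk edits is only partly visible.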
@@ -1,20 +1,38 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2016 Michael Hanselmann
-
-START=61
+##############################################################################
+#
+# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
+#
+##############################################################################
+#
+# This init script is just the entry point for Unbound UCI.
+#
+##############################################################################
+START=60
 USE_PROCD=1
+PROG=/usr/sbin/unbound
+
+##############################################################################
+
+. /usr/lib/unbound/unbound.sh
+
+##############################################################################
 
 start_service() {
-	find /etc/unbound \! \( -user unbound -group unbound \) \ -exec chown unbound:unbound {} \;
+	unbound_prepare
 
-	find /etc/unbound \( -perm +027 -o \! -perm -600 \) \ -exec chmod u=rwX,g=rX,o= {} \;
+	procd_open_instance
+	procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
+	procd_set_param respawn
+	procd_close_instance
+}
+
+##############################################################################
 
-	procd_open_instance
-	procd_set_param command /usr/sbin/unbound
-	procd_append_param command -d # don't daemonize
-	procd_set_param respawn
-	procd_close_instance
+stop_service() {
+	rootzone_update
 }
+
+##############################################################################
+
diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch
index a318f6092..5f6b4c5e7 100644
--- a/net/unbound/patches/001-conf.patch
+++ b/net/unbound/patches/001-conf.patch
@@ -1,8 +1,8 @@
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index c520c88..af92a87 100644
+index c520c88..98a148a 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -1,20 +1,81 @@
+@@ -1,20 +1,82 @@
 -#
 -# Example configuration file.
 -#
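Review bot: The removed `find ... chown/chmod` lines were the only ownership and permission enforcement this script had, and their replacement, `unbound_prepare`, lives in /usr/lib/unbound/unbound.sh which is not in this patch, so what now protects the copied config cannot be reviewed here. It matters because unbound parses `$UNBOUND_CONFFILE` as root on every procd respawn: if the copy inside /var/lib/unbound ends up writable by the unbound user (the old recursive chown did exactly that to /etc/unbound), a compromised resolver can rewrite `username:` and `chroot:` and come back as root on the next restart. Please make the jail root and unbound.conf stay root-owned with only root.key owned by unbound, and fail closed when preparation does not succeed: `unbound_prepare || return 1` and `[ -r "$UNBOUND_CONFFILE" ] || return 1` ahead of `procd_open_instance`. The same care applies to `rootzone_update` in stop_service, which presumably copies the daemon-written RFC5011 result back out of the jail as root; it should refuse symlinks and check ownership before copying, e.g. `[ -f "$f" ] && [ ! -L "$f" ]`.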
@@ -28,11 +28,14 @@ index c520c88..af92a87 100644
 +	# verbosity 1 is default
 +	verbosity: 1
-+	# prevent any upstream core surprises (OpenWrt assumptions)
++	# Self jail Unbound with user "unbound" to /var/lib/unbound
++	# The script /etc/init.d/unbound will setup the location
 +	username: "unbound"
++	directory: "/var/lib/unbound"
++	chroot: "/var/lib/unbound"
++
++	# The pid file is created before privleges drop so no concern
 +	pidfile: "/var/run/unbound.pid"
-+	directory: "/etc/unbound"
-+	chroot: ""
 +
 +	# no threads and no memory slabs for threads
 +	num-threads: 1
@@ -54,7 +57,7 @@ index c520c88..af92a87 100644
 +	# use somewhat higher port numbers versus possible NAT issue
 +	outgoing-port-permit: "10240-65335"
 +
-+	# uses less memory, but less performance
++	# uses less memory but less performance
 +	outgoing-range: 60
 +	num-queries-per-thread: 30
 +
@@ -73,13 +76,11 @@ index c520c88..af92a87 100644
 +	harden-large-queries: yes
 +	harden-short-bufsize: yes
 +
-+	# Enable a trust anchor and modules "validator iterator." However, Unbound
-+	# RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM.
-+	# "/etc/unbound" (directory & files) needs chown for write access. Else, use
-+	# plain "trust-anchor-" to treat the key file as static.
++	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-
++	# -anchor-file:" The init script will copy root key to /var/lib/unbound.
++	# See package documentation for crontab entry to copy RFC5011 results back.
 +	#module-config: "validator iterator"
-+	#auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
-+	#trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
++	#auto-trust-anchor-file: "/var/lib/unbound/root.key"
 +
 +	# DNSSEC needs real time to validate signatures. If your device does not
 +	# have power off clock (reboot), then you may need this work around.
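Review bot: The comment above `pidfile:` has a typo (`privleges`) and skips the point a reader needs: /var/run/unbound.pid lies outside the new chroot, so (as I recall Unbound behaves) it is written as root before chroot and privilege drop and the daemon cannot remove it at exit, which is fine only because procd owns the lifecycle. Suggest `# pidfile is outside the chroot: written as root before chroot/privilege drop; unbound cannot remove it on exit, procd handles that`. The jail comment should also state the ownership contract the chroot depends on, since unbound.sh is not in this patch: `# The jail root and the unbound.conf copied into it must stay root-owned; only root.key may be owned by "unbound"` — without that, a user-writable config is re-read as root at every respawn.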
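Review bot: The new DNSSEC comment should warn that /var/lib/unbound is tmpfs, so the RFC5011 state that `auto-trust-anchor-file` accumulates is lost at every reboot; the shipped /etc/unbound/root.key is then the only anchor again, and after a root KSK rollover a stale copy would make every validated query fail, which is why the copy-back cron job is not optional. The wording is also hard to parse; suggest `# Enable DNSSEC by uncommenting "module-config:" and "auto-trust-anchor-file:".` followed by `# /var/lib/unbound is tmpfs: RFC5011 updates are lost at reboot unless copied back to /etc/unbound (see package docs for the crontab entry), and a stale root.key breaks validation after a KSK rollover.` It is also worth saying that Unbound rewrites this file as the unprivileged user, so inside the jail root.key must be owned by unbound while everything else stays root-owned.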