Simon Deziel wrote: > Hi, > > The attached patch handles the creation/setup of the chroot directory > when/if specified in the file /etc/unbound/unbound.conf. It copies > thethe content of the config dir to the chroot location with the > exception of the unbound_control.* files as those are not needed by the > unbound daemon (only by unbound-control). > > It also uses unbound-checkconf to find the desired location of the > "auto-trust-anchor-file". Because of this, it is no longer needed to > configure the ROOT_TRUST_ANCHOR_FILE variable in /etc/default/unbound as > this is taken from unbound's config. > > Thank you, > Simon
hi, simon:
i've split your patch into a chroot part and an auto-trust-anchor-file
part (see attached). i'm going to apply the first patch but not the
second, because the auto-trust-anchor-file directive can be specified
multiple times and not necessarily for the root zone trust anchor only
(and the unbound-anchor utility only deals with the root trust anchor).
i think it would be possible to eliminate the ROOT_TRUST_ANCHOR_FILE
variable from /etc/default/unbound, but the handling would need to be a
bit more robust:
* loop over each line from the output of:
"unbound-checkconf $CHROOT_DIR/$UNBOUND_CONF -o auto-trust-anchor-file":
+ read the anchor file and extract the zone name
+ if the zone name is "." (i.e., the root zone), then the
unbound-anchor utility is invoked on the anchor file
this functionality could probably be extracted into a dedicated script
(say, /usr/sbin/unbound-update-root-trust-anchor-file) which gets called
from /etc/init.d/unbound, rather than embedding it into the init script.
though this is probably a bit too much effort to go to in order to
eliminate a single duplicated variable from /etc/default/unbound.
--
Robert Edmonds
edmo...@debian.org
From 0416ce7d49513dbe6492cc0669a89ad61106b0b9 Mon Sep 17 00:00:00 2001
From: "Robert S. Edmonds" <edmo...@debian.org>
Date: Sat, 13 Apr 2013 15:03:48 -0400
Subject: [PATCH 1/2] debian/unbound.init: automatically set up the chroot
directory if enabled (#579622)
patch from Simon Deziel <simon.dez...@gmail.com>
---
debian/unbound.init | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/debian/unbound.init b/debian/unbound.init
index 635216d..78f9c2f 100644
--- a/debian/unbound.init
+++ b/debian/unbound.init
@@ -19,6 +19,9 @@ test -x ${DAEMON}-checkconf || exit 0
. /lib/lsb/init-functions
UNBOUND_ENABLE=true
+UNBOUND_CONF=/etc/unbound/unbound.conf
+UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
+CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
ROOT_TRUST_ANCHOR_UPDATE=false
ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
RESOLVCONF=false
@@ -61,7 +64,7 @@ fi
do_resolvconf_start() {
if $RESOLVCONF; then
if [ -x /sbin/resolvconf ]; then
- unbound-checkconf -o interface | (
+ unbound-checkconf $CHROOT_DIR/$UNBOUND_CONF -o interface | (
default=yes
while read interface; do
default=no
@@ -88,9 +91,17 @@ do_resolvconf_stop() {
fi
}
+do_chroot_setup() {
+ if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
+ cd /
+ tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -)
+ fi
+}
+
case "$1" in
start)
if $UNBOUND_ENABLE; then
+ do_chroot_setup
if $ROOT_TRUST_ANCHOR_UPDATE; then
unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 | logger -p daemon.info -t unbound-anchor
chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE
@@ -125,6 +136,7 @@ case "$1" in
start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
do_resolvconf_stop
if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
+ do_chroot_setup
do_resolvconf_start
log_end_msg 0
else
@@ -137,6 +149,7 @@ case "$1" in
if $UNBOUND_ENABLE; then
log_daemon_msg "Reloading $DESC" "$NAME"
if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
+ do_chroot_setup
log_end_msg 0
else
log_end_msg 1
--
1.7.10.4
From e381884493c0dfab8e331386d75bba4a259bbe74 Mon Sep 17 00:00:00 2001
From: "Robert S. Edmonds" <edmo...@debian.org>
Date: Sat, 13 Apr 2013 15:04:44 -0400
Subject: [PATCH 2/2] debian/unbound.init: find the value of
$ROOT_TRUST_ANCHOR_FILE using unbound-checkconf
patch from Simon Deziel <simon.dez...@gmail.com>
---
debian/unbound.init | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/debian/unbound.init b/debian/unbound.init
index 78f9c2f..5a93190 100644
--- a/debian/unbound.init
+++ b/debian/unbound.init
@@ -23,7 +23,6 @@ UNBOUND_CONF=/etc/unbound/unbound.conf
UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
ROOT_TRUST_ANCHOR_UPDATE=false
-ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
RESOLVCONF=false
RESOLVCONF_FORWARDERS=false
@@ -103,8 +102,11 @@ case "$1" in
if $UNBOUND_ENABLE; then
do_chroot_setup
if $ROOT_TRUST_ANCHOR_UPDATE; then
- unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 | logger -p daemon.info -t unbound-anchor
- chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE
+ ROOT_TRUST_ANCHOR_FILE=$(unbound-checkconf $CHROOT_DIR/$UNBOUND_CONF -o auto-trust-anchor-file)
+ if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
+ unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 | logger -p daemon.info -t unbound-anchor
+ chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE
+ fi
fi
log_daemon_msg "Starting $DESC" "$NAME"
if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
--
1.7.10.4
signature.asc
Description: Digital signature
