Unbound: Incorporate hotplug/iface and root.key in tmpfs

-Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-20 00:17:23 -04:00 · 2016-10-20 00:17:23 -04:00 · 8dfd5d0b84
parent cb56829c98
commit 8dfd5d0b84
3 changed files with 53 additions and 29 deletions
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@ -137,12 +137,17 @@ define Package/unbound/install
 		$(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
 		$(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/unbound
-	$(INSTALL_CONF) \
+	$(INSTALL_DATA) \
 		$(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
-		$(1)/etc/unbound/
-	$(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
+		$(1)/etc/unbound/unbound.conf
+	$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
+	$(INSTALL_DIR) $(1)/usr/lib/unbound
+	$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
+	$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
 endef

 define Package/unbound-anchor/install
--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
@ -1,20 +1,38 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2016 Michael Hanselmann
-
-START=61
+##############################################################################
+#
+# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
+#
+##############################################################################
+#
+# This init script is just the entry point for Unbound UCI.
+#
+##############################################################################

+START=60
 USE_PROCD=1
+PROG=/usr/sbin/unbound
+
+##############################################################################
+
+. /usr/lib/unbound/unbound.sh
+
+##############################################################################

 start_service() {
-	find /etc/unbound \! \( -user unbound -group unbound \) \
-		-exec chown unbound:unbound {} \;
+  unbound_prepare

-	find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
-		-exec chmod u=rwX,g=rX,o= {} \;
-
-	procd_open_instance
-	procd_set_param command /usr/sbin/unbound
-	procd_append_param command -d # don't daemonize
-	procd_set_param respawn
-	procd_close_instance
+  procd_open_instance
+  procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
+  procd_set_param respawn
+  procd_close_instance
 }
+
+##############################################################################
+
+stop_service() {
+  rootzone_update
+}
+
+##############################################################################
+
--- a/net/unbound/patches/001-conf.patch
+++ b/net/unbound/patches/001-conf.patch
@ -1,8 +1,8 @@
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index c520c88..af92a87 100644
+index c520c88..98a148a 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -1,20 +1,81 @@
+@@ -1,20 +1,82 @@
 -#
 -# Example configuration file.
 -#
@ -28,11 +28,14 @@ index c520c88..af92a87 100644
 +	# verbosity 1 is default
 	verbosity: 1
 
-+	# prevent any upstream core surprises (OpenWrt assumptions)
+	# Self jail Unbound with user "unbound" to /var/lib/unbound
+	# The script /etc/init.d/unbound will setup the location
 +	username: "unbound"
+	directory: "/var/lib/unbound"
+	chroot: "/var/lib/unbound"
+
+	# The pid file is created before privleges drop so no concern
 +	pidfile: "/var/run/unbound.pid"
-+	directory: "/etc/unbound"
-+	chroot: ""
 +
 +	# no threads and no memory slabs for threads
 +	num-threads: 1
@ -54,7 +57,7 @@ index c520c88..af92a87 100644
 +	# use somewhat higher port numbers versus possible NAT issue
 +	outgoing-port-permit: "10240-65335"
 +
-+	# uses less memory, but less performance
+	# uses less memory but less performance
 +	outgoing-range: 60
 +	num-queries-per-thread: 30
 +
@ -73,13 +76,11 @@ index c520c88..af92a87 100644
 +	harden-large-queries: yes
 +	harden-short-bufsize: yes
 +
-+	# Enable a trust anchor and modules "validator iterator." However, Unbound
-+	# RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM.
-+	# "/etc/unbound" (directory & files) needs chown for write access. Else, use 
-+	# plain "trust-anchor-" to treat the key file as static.
+	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+	# -anchor-file:" The init script will copy root key to /var/lib/unbound.
+	# See package documentation for crontab entry to copy RFC5011 results back.
 +	#module-config: "validator iterator"
-+	#auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
-+	#trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+	#auto-trust-anchor-file: "/var/lib/unbound/root.key"
 +
 +	# DNSSEC needs real time to validate signatures. If your device does not
 +	# have power off clock (reboot), then you may need this work around.