Unbound: Incorporate hotplug/iface and root.key in tmpfs 3396/head
authorEric Luehrsen <ericluehrsen@hotmail.com>
Thu, 20 Oct 2016 04:17:23 +0000 (00:17 -0400)
committerEric Luehrsen <ericluehrsen@hotmail.com>
Sun, 30 Oct 2016 04:22:53 +0000 (00:22 -0400)
-Patch for /etc/unbound/unbound.conf
--All work done in /var/lib/unbound/
--chroot or jail to /var/lib/unbound/
-Init script points to /usr/lib/unbound.sh
-Makefile to install new scripts in the package

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
net/unbound/Makefile
net/unbound/files/unbound.init
net/unbound/patches/001-conf.patch

index b9ee19f3610554bbbbc274f17f364166cea3e8b1..62367f758fb70ec4aa0fa3e0770fe785097614bd 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -137,12 +137,17 @@ define Package/unbound/install
                $(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
                $(1)/usr/sbin/
        $(INSTALL_DIR) $(1)/etc/unbound
-       $(INSTALL_CONF) \
+       $(INSTALL_DATA) \
                $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
-               $(1)/etc/unbound/
-       $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
+               $(1)/etc/unbound/unbound.conf
+       $(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
+       $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+       $(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
+       $(INSTALL_DIR) $(1)/usr/lib/unbound
+       $(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
+       $(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
 endef
 
 define Package/unbound-anchor/install
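Review bot: Switching `unbound.conf` and `root.key` from `$(INSTALL_CONF)` to `$(INSTALL_DATA)` relaxes their installed mode from 0600 to 0644 under OpenWrt's rules.mk definitions, and nothing in the hunk records why. Presumably the files must now be readable when they are copied into /var/lib/unbound, but that code is not visible here. `root.key` is public data, while a world-readable `unbound.conf` matters as soon as someone adds sensitive settings to it. A one-line note above the `define` would record the intent, for example `# conf and root.key are 0644 on purpose: copied into the tmpfs jail at start`. The `define Package/unbound/install` block starts outside the hunk.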
index 7ad2e7c74cc9518c1afa750da188cf234b149cb1..119289449a0c3c54ffe208dd1bd0f0f09b5e7c10 100755 (executable)
@@ -1,20 +1,38 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2016 Michael Hanselmann
-
-START=61
+##############################################################################
+#
+# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
+#
+##############################################################################
+#
+# This init script is just the entry point for Unbound UCI.
+#
+##############################################################################
 
+START=60
 USE_PROCD=1
+PROG=/usr/sbin/unbound
+
+##############################################################################
+
+. /usr/lib/unbound/unbound.sh
+
+##############################################################################
 
 start_service() {
-       find /etc/unbound \! \( -user unbound -group unbound \) \
-               -exec chown unbound:unbound {} \;
+  unbound_prepare
 
-       find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
-               -exec chmod u=rwX,g=rX,o= {} \;
+  procd_open_instance
+  procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
+  procd_set_param respawn
+  procd_close_instance
+}
+
+##############################################################################
 
-       procd_open_instance
-       procd_set_param command /usr/sbin/unbound
-       procd_append_param command -d # don't daemonize
-       procd_set_param respawn
-       procd_close_instance
+stop_service() {
+  rootzone_update
 }
+
+##############################################################################
+
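Review bot: `start_service` no longer enforces ownership and mode on the configuration directory, because the old `find … chown` / `chmod u=rwX,g=rX,o=` pass is removed. Any equivalent guarantee now has to come from `unbound_prepare` in the sourced `/usr/lib/unbound/unbound.sh`, which this hunk does not show. A comment above the call would make that contract reviewable, for example `# unbound_prepare creates the jail dir and sets owner/mode for user unbound before procd starts the daemon`. On the command line `$UNBOUND_CONFFILE` is expanded unquoted; `procd_set_param command "$PROG" -d -c "$UNBOUND_CONFFILE"` keeps it a single argument. `rootzone_update` in `stop_service` is also defined outside this file, so what it writes on each stop cannot be judged from here.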
index a318f6092e7449374fe3c9bfd045d188fdfa7b32..5f6b4c5e74b1d785edad1acfe92ac06990bce263 100644 (file)
@@ -1,8 +1,8 @@
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index c520c88..af92a87 100644
+index c520c88..98a148a 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -1,20 +1,81 @@
+@@ -1,20 +1,82 @@
 -#
 -# Example configuration file.
 -#
@@ -28,11 +28,14 @@ index c520c88..af92a87 100644
 +      # verbosity 1 is default
        verbosity: 1
  
-+      # prevent any upstream core surprises (OpenWrt assumptions)
++      # Self jail Unbound with user "unbound" to /var/lib/unbound
++      # The script /etc/init.d/unbound will setup the location
 +      username: "unbound"
++      directory: "/var/lib/unbound"
++      chroot: "/var/lib/unbound"
++
++      # The pid file is created before privleges drop so no concern
 +      pidfile: "/var/run/unbound.pid"
-+      directory: "/etc/unbound"
-+      chroot: ""
 +
 +      # no threads and no memory slabs for threads
 +      num-threads: 1
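Review bot: The new comment above `pidfile:` says the file is "created before privleges drop so no concern", which misspells "privileges" and never says what the concern was. With `chroot: "/var/lib/unbound"` the pid path lies outside the jail, so I would spell the reasoning out, for example `# pidfile is outside the chroot; it is written at startup before chroot and privilege drop`. Because `directory` and `chroot` now point at the same location, the jail has to exist with the right owner before every start. The comment defers that to /etc/init.d/unbound, and the code that does it is not in this hunk.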
@@ -54,7 +57,7 @@ index c520c88..af92a87 100644
 +      # use somewhat higher port numbers versus possible NAT issue
 +      outgoing-port-permit: "10240-65335"
 +
-+      # uses less memory, but less performance
++      # uses less memory but less performance
 +      outgoing-range: 60
 +      num-queries-per-thread: 30
 +
@@ -73,13 +76,11 @@ index c520c88..af92a87 100644
 +      harden-large-queries: yes
 +      harden-short-bufsize: yes
 +
-+      # Enable a trust anchor and modules "validator iterator." However, Unbound
-+      # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM.
-+      # "/etc/unbound" (directory & files) needs chown for write access. Else, use 
-+      # plain "trust-anchor-" to treat the key file as static.
++      # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
++      # -anchor-file:" The init script will copy root key to /var/lib/unbound.
++      # See package documentation for crontab entry to copy RFC5011 results back.
 +      #module-config: "validator iterator"
-+      #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
-+      #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
++      #auto-trust-anchor-file: "/var/lib/unbound/root.key"
 +
 +      # DNSSEC needs real time to validate signatures. If your device does not
 +      # have power off clock (reboot), then you may need this work around.