
Add a setup script for unbound(8) called local-unbound-setup. It

generates a configuration suitable for running unbound as a caching
forwarding resolver, and configures resolvconf(8) to update unbound's
list of forwarders in addition to /etc/resolv.conf.  The initial list
is taken from the existing resolv.conf, which is rewritten to point to
localhost.  Alternatively, a list of forwarders can be provided on the
command line.

To assist this script, add an rc.subr command called "enabled" which
does nothing except return 0 if the service is enabled and 1 if it is
not, without going through the usual checks.  We should consider doing
the same for "status", which is currently pointless.

Add an rc script for unbound, called local_unbound.  If there is no
configuration file, the rc script runs local-unbound-setup to generate
one.

Note that these scripts place the unbound configuration files in
/var/unbound rather than /etc/unbound.  This is necessary so that
unbound can reload its configuration while chrooted.  We should
probably provide symlinks in /etc.

Approved by:	re (blanket)
dag-erling committed Sep 23, 2013
1 parent 5acce3c commit b1d537a11d2a680fc34947d3883280e75b3d6b71
@@ -270,6 +270,7 @@ hastd_enable="NO" # Run the HAST daemon (YES/NO).
hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
+local_unbound_enable="NO" # local caching resolver
#
# named. It may be possible to run named in a sandbox, man security for
# details.
@@ -150,6 +150,7 @@ FILES= DAEMON \
tmp \
${_ubthidhci} \
ugidfw \
+ ${_unbound} \
${_utx} \
var \
virecover \
@@ -184,6 +185,10 @@ _nscd= nscd
_ubthidhci= ubthidhci
.endif
+.if ${MK_UNBOUND} != "no"
+_unbound= local_unbound
+.endif
+
.if ${MK_UTMPX} != "no"
_utx= utx
.endif
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: local_unbound
+# REQUIRE: SERVERS cleanvar
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="local_unbound"
+desc="local caching forwarding resolver"
+rcvar="local_unbound_enable"
+
+command="/usr/sbin/unbound"
+extra_commands="anchor configtest reload setup"
+start_precmd="local_unbound_prestart"
+reload_precmd="local_unbound_configtest"
+anchor_cmd="local_unbound_anchor"
+configtest_cmd="local_unbound_configtest"
+setup_cmd="local_unbound_setup"
+pidfile="/var/run/${name}.pid"
+
+: ${local_unbound_workdir:=/var/unbound}
+: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}
+: ${local_unbound_flags:=-c${local_unbound_config}}
+: ${local_unbound_forwardconf:=${local_unbound_workdir}/forward.conf}
+: ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
+: ${local_unbound_forwarders:=}
+
+load_rc_config $name
+
+do_as_unbound()
+{
+ echo "$@" | su -m unbound
+}
+
+#
+# Retrieve or update the DNSSEC root anchor
+#
+local_unbound_anchor()
+{
+ do_as_unbound /usr/sbin/unbound-anchor -a ${local_unbound_anchor}
+ # we can't trust the exit code - check if the file exists
+ [ -f ${local_unbound_anchor} ]
+}
+
+#
+# Check the unbound configuration file
+#
+local_unbound_configtest()
+{
+ do_as_unbound /usr/sbin/unbound-checkconf ${local_unbound_config}
+}
+
+#
+# Create the unbound configuration file and update resolv.conf to
+# point to unbound.
+#
+local_unbound_setup()
+{
+ echo "Performing initial setup."
+ /usr/sbin/local-unbound-setup -n \
+ -u unbound \
+ -w ${local_unbound_workdir} \
+ -c ${local_unbound_config} \
+ -f ${local_unbound_forwardconf} \
+ -a ${local_unbound_anchor} \
+ ${local_unbound_forwarders}
+}
+
+#
+# Before starting, check that the configuration file and root anchor
+# exist. If not, attempt to generate them.
+#
+local_unbound_prestart()
+{
+ # Create configuration file
+ if [ ! -f ${local_unbound_config} ] ; then
+ run_rc_command setup
+ fi
+
+ # Retrieve DNSSEC root key
+ if [ ! -f ${local_unbound_anchor} ] ; then
+ run_rc_command anchor
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
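Review bot: The `: ${local_unbound_workdir:=/var/unbound}` defaults on lines 86-91 are evaluated before `load_rc_config $name` on line 93, so a local_unbound_workdir or local_unbound_config set in rc.conf arrives too late to be reflected in the derived config, forwardconf, anchor and flags defaults, which keep pointing under /var/unbound; the usual rc.d ordering is load_rc_config first and the defaults after it, which also makes the second `load_rc_config $name` before `run_rc_command "$1"` redundant. Separately, `do_as_unbound` feeds `echo "$@"` to `su -m unbound` on stdin, so the argument list is re-parsed by a shell running as unbound: a workdir containing whitespace or shell metacharacters is split or interpreted there, and the pipeline's status is su's rather than unbound-anchor's, which is presumably why `local_unbound_anchor` has to fall back to testing for the file. If the stdin-to-su design is kept, the constraint that these paths must be single shell words should at least be stated in a comment above `do_as_unbound`, e.g. `# NOTE: arguments are re-parsed by a shell as the unbound user; paths must not contain whitespace or metacharacters`.
```shell
load_rc_config $name

: ${local_unbound_workdir:=/var/unbound}
: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}
: ${local_unbound_flags:=-c${local_unbound_config}}
: ${local_unbound_forwardconf:=${local_unbound_workdir}/forward.conf}
: ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
: ${local_unbound_forwarders:=}

# … unchanged: do_as_unbound and the anchor/configtest/setup/prestart methods …

run_rc_command "$1"
```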
@@ -546,6 +546,8 @@ check_startmsgs()
#
# rcvar Display what rc.conf variable is used (if any).
#
+# enabled Return true if the service is enabled.
+#
# Variables available to methods, and after run_rc_command() has
# completed:
#
@@ -614,7 +616,7 @@ run_rc_command()
eval _override_command=\$${name}_program
command=${_override_command:-$command}
- _keywords="start stop restart rcvar $extra_commands"
+ _keywords="start stop restart rcvar enabled $extra_commands"
rc_pid=
_pidcmd=
_procname=${procname:-${command}}
@@ -635,6 +637,11 @@ run_rc_command()
rc_usage $_keywords
fi
+ if [ "$rc_arg" = "enabled" ] ; then
+ checkyesno ${rcvar}
+ return $?
+ fi
+
if [ -n "$flags" ]; then # allow override from environment
rc_flags=$flags
else
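Review bot: The new `enabled` branch calls `checkyesno ${rcvar}` without checking that rcvar is set, so a script that defines no rcvar (the variable is optional) hands checkyesno an empty argument instead of returning a clean "not enabled"; guard it, `[ -n "$rcvar" ] && checkyesno ${rcvar}`, so the command yields false rather than evaluating a malformed name. The comment added at line 158 and the rc(8)/rc.subr(8) text in this commit say the command prints nothing, but if checkyesno emits its usual warning for a value that is neither YES nor NO, `enabled` will print that warning to stderr; the documentation should say "prints nothing for well-formed values" or the branch should silence it. `return $?` directly after the call is equivalent to a bare `return`. run_rc_command begins and ends outside the hunk.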
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd September 10, 2013
+.Dd September 23, 2013
.Dt RC.CONF 5
.Os
.Sh NAME
@@ -2041,6 +2041,13 @@ is set to
.Dq Li YES ,
these are the flags to pass to
.Xr hastd 8 .
+.It Va local_unbound_enable
+.Pq Vt bool
+If set to
+.Dq Li YES ,
+run the
+.Xr unbound 8
+daemon as a local caching resolver.
.It Va named_enable
.Pq Vt bool
If set to
@@ -4786,6 +4793,7 @@ The default is 30.
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr timed 8 ,
+.Xr unbound 8 ,
.Xr usbconfig 8 ,
.Xr wlandebug 8 ,
.Xr yp 8 ,
@@ -35,7 +35,7 @@
.\" @(#)rc.8 8.2 (Berkeley) 12/11/93
.\" $FreeBSD$
.\"
-.Dd January 14, 2012
+.Dd September 23, 2013
.Dt RC 8
.Os
.Sh NAME
@@ -312,6 +312,9 @@ Defaults to displaying the process ID of the program (if running).
If the script starts a process (rather than performing a one-off
operation), wait for the command to exit.
Otherwise it is not necessary to support this argument.
+.It Cm enabled
+Return 0 if the service is enabled and 1 if it is not.
+This command does not print anything.
.It Cm rcvar
Display which
.Xr rc.conf 5
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd January 14, 2012
+.Dd September 23, 2012
.Dt RC.SUBR 8
.Os
.Sh NAME
@@ -379,6 +379,9 @@ Perform a
then a
.Cm start .
Defaults to displaying the process ID of the program (if running).
+.It Cm enabled
+Return 0 if the service is enabled and 1 if it is not.
+This command does not print anything.
.It Cm rcvar
Display which
.Xr rc.conf 5
@@ -4375,6 +4375,7 @@ OLD_FILES+=usr/share/man/man8/telnetd.8.gz
#.endif
.if ${MK_UNBOUND} == no
+OLD_FILES+=etc/rc.d/local_unbound
OLD_FILES+=usr/lib/private/libunbound.a
OLD_FILES+=usr/lib/private/libunbound.so
OLD_LIBS+=usr/lib/private/libunbound.so.5
@@ -4385,6 +4386,7 @@ OLD_FILES+=usr/lib32/private/libunbound.so
OLD_LIBS+=usr/lib32/private/libunbound.so.5
OLD_FILES+=usr/lib32/private/libunbound_p.a
.endif
+OLD_FILES+=usr/sbin/local-unbound-setup
OLD_FILES+=usr/sbin/unbound
OLD_FILES+=usr/sbin/unbound-anchor
OLD_FILES+=usr/sbin/unbound-checkconf
@@ -1,5 +1,6 @@
# $FreeBSD$
SUBDIR= daemon anchor checkconf control
+SUBDIR+= local-setup
.include <bsd.subdir.mk>
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+SCRIPTS= local-unbound-setup.sh
+MAN= #
+
+.include <bsd.prog.mk>
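Review bot: `MAN= #` installs local-unbound-setup without a manual page, so the options the new rc script depends on (-n, -u, -w, -c, -f, -a and the trailing forwarder list) and the fact that the script rewrites /etc/resolv.conf to point at localhost are documented only in the script source and the commit message. A short local-unbound-setup.8 describing those options and the resolv.conf rewrite would let an administrator review what the setup step changes before `local_unbound_prestart` runs it on first start; until it exists, `# TODO: add local-unbound-setup.8` beside the empty MAN assignment records the gap.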
