unbound: fix boot time and default run directory

Unbound struggles with the interface bring-up (ifup) noise at boot, so the procd triggers have been changed to fire outside of it. Unbound has been running in /var/lib/unbound/, so the chroot (jail) protects /etc/ and reduces flash wear. The compiled defaults now reflect this, so the Unbound tools are easier to run from the command line.

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Eric Luehrsen
2018-07-31 22:59:24 -04:00
parent 74c043276a
commit 8830d72bbd
6 changed files with 211 additions and 185 deletions
+183 -170
@@ -61,6 +61,9 @@ UB_TXT_HOSTNAME=thisrouter
##############################################################################
# reset as a combo with UB_B_NTP_BOOT and some time stamp files
UB_B_READY=1
# keep track of assignments during inserted resource records
UB_LIST_NETW_ALL=""
UB_LIST_NETW_LAN=""
@@ -219,7 +222,7 @@ unbound_mkdir() {
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
elif [ ! -f "$UB_TIME_FILE" ] ; then
elif [ "$UB_B_READY" -eq 0 ] ; then
logger -t unbound -s "default root hints (built in root-servers.net)"
fi
fi
@@ -233,7 +236,7 @@ unbound_mkdir() {
elif [ -x $UB_ANCHOR ] ; then
$UB_ANCHOR -a $UB_RKEY_FILE
elif [ ! -f "$UB_TIME_FILE" ] ; then
elif [ "$UB_B_READY" -eq 0 ] ; then
logger -t unbound -s "default trust anchor (built in root DS record)"
fi
fi
@@ -285,9 +288,21 @@ unbound_mkdir() {
fi
if [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
# time is considered okay on this device (skip /etc/hotplug/ntpd/unbound)
if [ -f "$UB_TIME_FILE" ] ; then
# NTP is done so its like you actually had an RTC
UB_B_READY=1
UB_B_NTP_BOOT=0
elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
# time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
date -Is > $UB_TIME_FILE
UB_B_READY=0
UB_B_NTP_BOOT=0
else
# DNSSEC-TIME will not reconcile
UB_B_READY=0
UB_B_NTP_BOOT=1
fi
}
@@ -407,8 +422,8 @@ unbound_zone() {
case $zone_type in
auth_zone)
if [ -n "$UB_LIST_ZONE_NAMES" ] \
&& [ -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" ] ; then
if [ -n "$UB_LIST_ZONE_NAMES" \
-a \( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \) ] ; then
for zone_name in $UB_LIST_ZONE_NAMES ; do
if [ "$zone_name" = "." ] ; then
zone_sym=.
@@ -626,7 +641,7 @@ unbound_conf() {
;;
*)
if [ ! -f "$UB_TIME_FILE" ] ; then
if [ "$UB_B_READY" -eq 0 ] ; then
logger -t unbound -s "default protocol configuration"
fi
@@ -686,7 +701,7 @@ unbound_conf() {
echo
} >> $UB_CORE_CONF
elif [ ! -f "$UB_TIME_FILE" ] ; then
elif [ "$UB_B_READY" -eq 0 ] ; then
logger -t unbound -s "default memory configuration"
fi
@@ -696,7 +711,7 @@ unbound_conf() {
if [ "$UB_B_DNSSEC" -gt 0 ] ; then
if [ ! -f "$UB_TIME_FILE" -a "$UB_B_NTP_BOOT" -gt 0 ] ; then
if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
# DNSSEC chicken and egg with getting NTP time
echo " val-override-date: -1" >> $UB_CORE_CONF
fi
@@ -777,7 +792,7 @@ unbound_conf() {
;;
*)
if [ ! -f "$UB_TIME_FILE" ] ; then
if [ "$UB_B_READY" -eq 0 ] ; then
logger -t unbound -s "default recursion configuration"
fi
;;
@@ -898,8 +913,8 @@ unbound_hostname() {
echo
} >> $UB_HOST_CONF
elif [ -n "$UB_TXT_DOMAIN" ] \
&& [ "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 ] ; then
elif [ -n "$UB_TXT_DOMAIN" \
-a \( "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 \) ] ; then
case "$UB_D_DOMAIN_TYPE" in
deny|inform_deny|refuse|static)
{
@@ -947,180 +962,178 @@ unbound_hostname() {
} >> $UB_HOST_CONF
if [ -f "$UB_TIME_FILE" ] ; then
if [ -n "$UB_LIST_NETW_WAN" ] ; then
for ifsubnet in $UB_LIST_NETW_WAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
ifarpa=$( host_ptr_any "$ifaddr" )
if [ -n "$UB_LIST_NETW_WAN" ] ; then
for ifsubnet in $UB_LIST_NETW_WAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
ifarpa=$( host_ptr_any "$ifaddr" )
if [ -n "$ifarpa" ] ; then
if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
{
# Create a static zone for WAN host record only (singular)
echo " domain-insecure: $ifarpa"
echo " private-address: $ifaddr"
echo " local-zone: $ifarpa static"
echo " local-data: \"$ifarpa. $UB_XSOA\""
echo " local-data: \"$ifarpa. $UB_XNS\""
echo " local-data: '$ifarpa. $UB_MTXT'"
echo
} >> $UB_HOST_CONF
if [ -n "$ifarpa" ] ; then
if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
{
# Create a static zone for WAN host record only (singular)
echo " domain-insecure: $ifarpa"
echo " private-address: $ifaddr"
echo " local-zone: $ifarpa static"
echo " local-data: \"$ifarpa. $UB_XSOA\""
echo " local-data: \"$ifarpa. $UB_XNS\""
echo " local-data: '$ifarpa. $UB_MTXT'"
echo
} >> $UB_HOST_CONF
elif [ "$zonetype" -gt 0 ] ; then
{
echo " local-zone: $ifarpa transparent"
echo
} >> $UB_HOST_CONF
fi
elif [ "$zonetype" -gt 0 ] ; then
{
echo " local-zone: $ifarpa transparent"
echo
} >> $UB_HOST_CONF
fi
done
fi
fi
done
fi
if [ -n "$UB_LIST_NETW_LAN" ] ; then
for ifsubnet in $UB_LIST_NETW_LAN ; do
ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
if [ -n "$UB_LIST_NETW_LAN" ] ; then
for ifsubnet in $UB_LIST_NETW_LAN ; do
ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
if [ -n "$ifarpa" ] ; then
if [ "$zonetype" -eq 2 ] ; then
{
# Do NOT forward queries with your ip6.arpa or in-addr.arpa
echo " domain-insecure: $ifarpa"
echo " local-zone: $ifarpa static"
echo " local-data: \"$ifarpa. $UB_XSOA\""
echo " local-data: \"$ifarpa. $UB_XNS\""
echo " local-data: '$ifarpa. $UB_XTXT'"
echo
} >> $UB_HOST_CONF
if [ -n "$ifarpa" ] ; then
if [ "$zonetype" -eq 2 ] ; then
{
# Do NOT forward queries with your ip6.arpa or in-addr.arpa
echo " domain-insecure: $ifarpa"
echo " local-zone: $ifarpa static"
echo " local-data: \"$ifarpa. $UB_XSOA\""
echo " local-data: \"$ifarpa. $UB_XNS\""
echo " local-data: '$ifarpa. $UB_XTXT'"
echo
} >> $UB_HOST_CONF
elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
{
echo " local-zone: $ifarpa transparent"
echo
} >> $UB_HOST_CONF
fi
elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
{
echo " local-zone: $ifarpa transparent"
echo
} >> $UB_HOST_CONF
fi
done
fi
fi
done
fi
ulaprefix=$( uci_get network.@globals[0].ula_prefix )
ulaprefix=${ulaprefix%%:/*}
hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
ulaprefix=$( uci_get network.@globals[0].ula_prefix )
ulaprefix=${ulaprefix%%:/*}
hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
if [ -z "$ulaprefix" ] ; then
# Nonsense so this option isn't globbed below
ulaprefix="fdno:such:addr::"
fi
if [ -z "$ulaprefix" ] ; then
# Nonsense so this option isn't globbed below
ulaprefix="fdno:such:addr::"
fi
if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_LAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
ifname=${ifsubnet%@*}
iffqdn="$ifname.$hostfqdn"
if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_LAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
ifname=${ifsubnet%@*}
iffqdn="$ifname.$hostfqdn"
if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
names="$hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
names="$hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
else
names="$UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
echo "$ptrrec" >> $UB_HOST_CONF
fi
else
names="$UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
echo "$ptrrec" >> $UB_HOST_CONF
fi
for name in $names ; do
case $ifaddr in
"${ulaprefix}"*)
# IP6 ULA only is assigned for OPTION 1
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
[1-9]*.*[0-9])
namerec=" local-data: \"$name. 300 IN A $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
*)
if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
# IP6 GLA is assigned for higher options
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
fi
;;
esac
done
echo >> $UB_HOST_CONF
done
fi
if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_WAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
ifname=${ifsubnet%@*}
iffqdn="$ifname.$hostfqdn"
if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
names="$hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
else
names="$UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
echo "$ptrrec" >> $UB_HOST_CONF
fi
for name in $names ; do
case $ifaddr in
"${ulaprefix}"*)
# IP6 ULA only is assigned for OPTION 1
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
[1-9]*.*[0-9])
namerec=" local-data: \"$name. 300 IN A $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
*)
if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
# IP6 GLA is assigned for higher options
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
fi
for name in $names ; do
case $ifaddr in
"${ulaprefix}"*)
# IP6 ULA only is assigned for OPTION 1
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
esac
done
echo >> $UB_HOST_CONF
[1-9]*.*[0-9])
namerec=" local-data: \"$name. 300 IN A $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
*)
if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
# IP6 GLA is assigned for higher options
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
fi
;;
esac
done
fi
fi # end if time file
echo >> $UB_HOST_CONF
done
fi
if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_WAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
ifname=${ifsubnet%@*}
iffqdn="$ifname.$hostfqdn"
if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
names="$hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
else
names="$UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
echo "$ptrrec" >> $UB_HOST_CONF
fi
for name in $names ; do
case $ifaddr in
"${ulaprefix}"*)
# IP6 ULA only is assigned for OPTION 1
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
[1-9]*.*[0-9])
namerec=" local-data: \"$name. 300 IN A $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
;;
*)
if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
# IP6 GLA is assigned for higher options
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
fi
;;
esac
done
echo >> $UB_HOST_CONF
done
fi
fi # end if uci valid
}
@@ -1178,7 +1191,7 @@ unbound_uci() {
UB_D_DHCP_LINK=dnsmasq
if [ ! -f "$UB_TIME_FILE" ] ; then
if [ "$UB_B_READY" -eq 0 ] ; then
logger -t unbound -s "Please use 'dhcp_link' selector instead"
fi
fi
@@ -1193,7 +1206,7 @@ unbound_uci() {
fi
if [ ! -f "$UB_TIME_FILE" -a "$UB_D_DHCP_LINK" = "none" ] ; then
if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
logger -t unbound -s "cannot forward to dnsmasq"
fi
fi
@@ -1207,7 +1220,7 @@ unbound_uci() {
fi
if [ ! -f "$UB_TIME_FILE" -a "$UB_D_DHCP_LINK" = "none" ] ; then
if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
logger -t unbound -s "cannot receive records from odhcpd"
fi
fi
@@ -1220,8 +1233,8 @@ unbound_uci() {
fi
if [ "$UB_N_RX_PORT" -ne 53 ] \
&& [ "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" ] ; then
if [ "$UB_N_RX_PORT" -ne 53 \
-a \( "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" \) ] ; then
logger -t unbound -s "privileged port or in 5 digits, using default"
UB_N_RX_PORT=53
fi
@@ -1264,7 +1277,7 @@ unbound_include() {
fi
if [ -f "$UB_TIME_FILE" -a -f "$UB_DHCP_CONF" ] ; then
if [ -f "$UB_DHCP_CONF" ] ; then
{
# Seed DHCP records because dhcp scripts trigger externally
# Incremental Unbound restarts may drop unbound-control records
@@ -1274,8 +1287,8 @@ unbound_include() {
fi
if [ ! -f "$UB_TIME_FILE" -o -z "$adb_files" \
-o ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
if [ -z "$adb_files" \
-o ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
adb_enabled=0
elif /etc/init.d/adblock enabled ; then