authordes <des@FreeBSD.org>2013-09-23 04:36:51 +0000
committerdes <des@FreeBSD.org>2013-09-23 04:36:51 +0000
commitb1d537a11d2a680fc34947d3883280e75b3d6b71 (patch)
tree0df6588b3449352aea0a807080b17b534bc0595f /etc
parent5acce3cc7f418da48d069006b327265877aa87d8 (diff)
Add a setup script for unbound(8) called local-unbound-setup. It
generates a configuration suitable for running unbound as a caching forwarding resolver, and configures resolvconf(8) to update unbound's list of forwarders in addition to /etc/resolv.conf. The initial list is taken from the existing resolv.conf, which is rewritten to point to localhost. Alternatively, a list of forwarders can be provided on the command line. To assist this script, add an rc.subr command called "enabled" which does nothing except return 0 if the service is enabled and 1 if it is not, without going through the usual checks. We should consider doing the same for "status", which is currently pointless. Add an rc script for unbound, called local_unbound. If there is no configuration file, the rc script runs local-unbound-setup to generate one. Note that these scripts place the unbound configuration files in /var/unbound rather than /etc/unbound. This is necessary so that unbound can reload its configuration while chrooted. We should probably provide symlinks in /etc. Approved by: re (blanket)
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf1
-rw-r--r--etc/rc.d/Makefile5
-rwxr-xr-xetc/rc.d/local_unbound91
-rw-r--r--etc/rc.subr9
4 files changed, 105 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 39957278..80f279d 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -270,6 +270,7 @@ hastd_enable="NO" # Run the HAST daemon (YES/NO).
hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
+local_unbound_enable="NO" # local caching resolver
#
# named. It may be possible to run named in a sandbox, man security for
# details.
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 153918d..82775f9 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -150,6 +150,7 @@ FILES= DAEMON \
tmp \
${_ubthidhci} \
ugidfw \
+ ${_unbound} \
${_utx} \
var \
virecover \
@@ -184,6 +185,10 @@ _nscd= nscd
_ubthidhci= ubthidhci
.endif
+.if ${MK_UNBOUND} != "no"
+_unbound= local_unbound
+.endif
+
.if ${MK_UTMPX} != "no"
_utx= utx
.endif
diff --git a/etc/rc.d/local_unbound b/etc/rc.d/local_unbound
new file mode 100755
index 0000000..899e356
--- /dev/null
+++ b/etc/rc.d/local_unbound
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: local_unbound
+# REQUIRE: SERVERS cleanvar
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="local_unbound"
+desc="local caching forwarding resolver"
+rcvar="local_unbound_enable"
+
+command="/usr/sbin/unbound"
+extra_commands="anchor configtest reload setup"
+start_precmd="local_unbound_prestart"
+reload_precmd="local_unbound_configtest"
+anchor_cmd="local_unbound_anchor"
+configtest_cmd="local_unbound_configtest"
+setup_cmd="local_unbound_setup"
+pidfile="/var/run/${name}.pid"
+
+: ${local_unbound_workdir:=/var/unbound}
+: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}
+: ${local_unbound_flags:=-c${local_unbound_config}}
+: ${local_unbound_forwardconf:=${local_unbound_workdir}/forward.conf}
+: ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
+: ${local_unbound_forwarders:=}
+
+load_rc_config $name
+
+do_as_unbound()
+{
+ echo "$@" | su -m unbound
+}
+
+#
+# Retrieve or update the DNSSEC root anchor
+#
+local_unbound_anchor()
+{
+ do_as_unbound /usr/sbin/unbound-anchor -a ${local_unbound_anchor}
+ # we can't trust the exit code - check if the file exists
+ [ -f ${local_unbound_anchor} ]
+}
+
+#
+# Check the unbound configuration file
+#
+local_unbound_configtest()
+{
+ do_as_unbound /usr/sbin/unbound-checkconf ${local_unbound_config}
+}
+
+#
+# Create the unbound configuration file and update resolv.conf to
+# point to unbound.
+#
+local_unbound_setup()
+{
+ echo "Performing initial setup."
+ /usr/sbin/local-unbound-setup -n \
+ -u unbound \
+ -w ${local_unbound_workdir} \
+ -c ${local_unbound_config} \
+ -f ${local_unbound_forwardconf} \
+ -a ${local_unbound_anchor} \
+ ${local_unbound_forwarders}
+}
+
+#
+# Before starting, check that the configuration file and root anchor
+# exist. If not, attempt to generate them.
+#
+local_unbound_prestart()
+{
+ # Create configuration file
+ if [ ! -f ${local_unbound_config} ] ; then
+ run_rc_command setup
+ fi
+
+ # Retrieve DNSSEC root key
+ if [ ! -f ${local_unbound_anchor} ] ; then
+ run_rc_command anchor
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
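Review bot: local_unbound_prestart lets a failed initial setup go unnoticed: when `run_rc_command setup` returns non-zero but the anchor file already exists, the second `if` is simply false, the function returns 0, and unbound is started without the configuration file it just failed to generate (possibly after local-unbound-setup already rewrote resolv.conf to point at localhost). Assuming run_rc_command propagates the extra command's exit status, as the anchor path already relies on, propagate the failure explicitly: `run_rc_command setup || return 1` and likewise `run_rc_command anchor || return 1`. Separately, do_as_unbound pipes `echo "$@"` into `su -m unbound`, so every argument is re-parsed by a shell running as unbound; the values come from root-owned rc.conf rather than untrusted input, but a path containing whitespace or shell metacharacters would be split or expanded, which deserves a comment on the helper, e.g. `# arguments are re-evaluated by the shell run under su(1); keep paths free of whitespace/metacharacters`. The pidfile path is hard-coded to /var/run/local_unbound.pid while unbound runs chrooted in ${local_unbound_workdir}; presumably local-unbound-setup writes a matching pidfile: directive, but that is not visible here and is worth a comment next to `pidfile=`.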
diff --git a/etc/rc.subr b/etc/rc.subr
index bce2257..aee0c95 100644
--- a/etc/rc.subr
+++ b/etc/rc.subr
@@ -546,6 +546,8 @@ check_startmsgs()
#
# rcvar Display what rc.conf variable is used (if any).
#
+# enabled Return true if the service is enabled.
+#
# Variables available to methods, and after run_rc_command() has
# completed:
#
@@ -614,7 +616,7 @@ run_rc_command()
eval _override_command=\$${name}_program
command=${_override_command:-$command}
- _keywords="start stop restart rcvar $extra_commands"
+ _keywords="start stop restart rcvar enabled $extra_commands"
rc_pid=
_pidcmd=
_procname=${procname:-${command}}
@@ -635,6 +637,11 @@ run_rc_command()
rc_usage $_keywords
fi
+ if [ "$rc_arg" = "enabled" ] ; then
+ checkyesno ${rcvar}
+ return $?
+ fi
+
if [ -n "$flags" ]; then # allow override from environment
rc_flags=$flags
else
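Review bot: The new `enabled` branch calls `checkyesno ${rcvar}` unconditionally, so for a script that sets no rcvar it emits a "is not set properly" warning and reports disabled, whereas presumably the usual start path treats a missing rcvar as always enabled; if `enabled` is meant to answer "would start run this", guard it with `[ -z "$rcvar" ] || checkyesno "$rcvar"` followed by `return $?`. The branch also returns before the per-command dispatch, so a script-defined `enabled_cmd` or precmd/postcmd can never run; if that is the intent, say so in a one-line comment, e.g. `# "enabled" bypasses precmd/postcmd and any script-defined enabled_cmd`. run_rc_command begins and ends outside this hunk.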