author | des <des@FreeBSD.org> | 2013-09-23 04:36:51 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2013-09-23 04:36:51 +0000 |
commit | b1d537a11d2a680fc34947d3883280e75b3d6b71 (patch) | |
tree | 0df6588b3449352aea0a807080b17b534bc0595f /etc | |
parent | 5acce3cc7f418da48d069006b327265877aa87d8 (diff) | |
Add a setup script for unbound(8) called local-unbound-setup. It
generates a configuration suitable for running unbound as a caching
forwarding resolver, and configures resolvconf(8) to update unbound's
list of forwarders in addition to /etc/resolv.conf. The initial list
is taken from the existing resolv.conf, which is rewritten to point to
localhost. Alternatively, a list of forwarders can be provided on the
command line.
To assist this script, add an rc.subr command called "enabled" which
does nothing except return 0 if the service is enabled and 1 if it is
not, without going through the usual checks. We should consider doing
the same for "status", which is currently pointless.
Add an rc script for unbound, called local_unbound. If there is no
configuration file, the rc script runs local-unbound-setup to generate
one.
Note that these scripts place the unbound configuration files in
/var/unbound rather than /etc/unbound. This is necessary so that
unbound can reload its configuration while chrooted. We should
probably provide symlinks in /etc.
Approved by: re (blanket)
Diffstat (limited to 'etc')
-rw-r--r-- | etc/defaults/rc.conf | 1 | ||||
-rw-r--r-- | etc/rc.d/Makefile | 5 | ||||
-rwxr-xr-x | etc/rc.d/local_unbound | 91 | ||||
-rw-r--r-- | etc/rc.subr | 9 |
4 files changed, 105 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 39957278..80f279d 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -270,6 +270,7 @@ hastd_enable="NO" # Run the HAST daemon (YES/NO).
 hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
 hastd_flags="" # Optional flags to hastd.
 ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
+local_unbound_enable="NO" # local caching resolver
 #
 # named. It may be possible to run named in a sandbox, man security for
 # details.
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 153918d..82775f9 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -150,6 +150,7 @@ FILES= DAEMON \
 tmp \
 ${_ubthidhci} \
 ugidfw \
+ ${_unbound} \
 ${_utx} \
 var \
 virecover \
@@ -184,6 +185,10 @@ _nscd= nscd
 _ubthidhci= ubthidhci
 .endif
 
+.if ${MK_UNBOUND} != "no"
+_unbound= local_unbound
+.endif
+
 .if ${MK_UTMPX} != "no"
 _utx= utx
 .endif
diff --git a/etc/rc.d/local_unbound b/etc/rc.d/local_unbound
new file mode 100755
index 0000000..899e356
--- /dev/null
+++ b/etc/rc.d/local_unbound
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: local_unbound
+# REQUIRE: SERVERS cleanvar
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="local_unbound"
+desc="local caching forwarding resolver"
+rcvar="local_unbound_enable"
+
+command="/usr/sbin/unbound"
+extra_commands="anchor configtest reload setup"
+start_precmd="local_unbound_prestart"
+reload_precmd="local_unbound_configtest"
+anchor_cmd="local_unbound_anchor"
+configtest_cmd="local_unbound_configtest"
+setup_cmd="local_unbound_setup"
+pidfile="/var/run/${name}.pid"
+
+: ${local_unbound_workdir:=/var/unbound}
+: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}
+: ${local_unbound_flags:=-c${local_unbound_config}}
+: ${local_unbound_forwardconf:=${local_unbound_workdir}/forward.conf}
+: ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
+: ${local_unbound_forwarders:=}
+
+load_rc_config $name
+
+do_as_unbound()
+{
+ echo "$@" | su -m unbound
+}
+
+#
+# Retrieve or update the DNSSEC root anchor
+#
+local_unbound_anchor()
+{
+ do_as_unbound /usr/sbin/unbound-anchor -a ${local_unbound_anchor}
+ # we can't trust the exit code - check if the file exists
+ [ -f ${local_unbound_anchor} ]
+}
+
+#
+# Check the unbound configuration file
+#
+local_unbound_configtest()
+{
+ do_as_unbound /usr/sbin/unbound-checkconf ${local_unbound_config}
+}
+
+#
+# Create the unbound configuration file and update resolv.conf to
+# point to unbound.
+#
+local_unbound_setup()
+{
+ echo "Performing initial setup."
+ /usr/sbin/local-unbound-setup -n \
+ -u unbound \
+ -w ${local_unbound_workdir} \
+ -c ${local_unbound_config} \
+ -f ${local_unbound_forwardconf} \
+ -a ${local_unbound_anchor} \
+ ${local_unbound_forwarders}
+}
+
+#
+# Before starting, check that the configuration file and root anchor
+# exist. If not, attempt to generate them.
+#
+local_unbound_prestart()
+{
+ # Create configuration file
+ if [ ! -f ${local_unbound_config} ] ; then
+ run_rc_command setup
+ fi
+
+ # Retrieve DNSSEC root key
+ if [ ! -f ${local_unbound_anchor} ] ; then
+ run_rc_command anchor
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/etc/rc.subr b/etc/rc.subr
index bce2257..aee0c95 100644
--- a/etc/rc.subr
+++ b/etc/rc.subr
@@ -546,6 +546,8 @@ check_startmsgs()
 #
 # rcvar Display what rc.conf variable is used (if any).
 #
+# enabled Return true if the service is enabled.
+#
 # Variables available to methods, and after run_rc_command() has
 # completed:
 #
@@ -614,7 +616,7 @@ run_rc_command()
 eval _override_command=\$${name}_program
 command=${_override_command:-$command}
 
- _keywords="start stop restart rcvar $extra_commands"
+ _keywords="start stop restart rcvar enabled $extra_commands"
 rc_pid=
 _pidcmd=
 _procname=${procname:-${command}}
@@ -635,6 +637,11 @@ run_rc_command()
 rc_usage $_keywords
 fi
 
+ if [ "$rc_arg" = "enabled" ] ; then
+ checkyesno ${rcvar}
+ return $?
+ fi
+
 if [ -n "$flags" ]; then # allow override from environment
 rc_flags=$flags
 else
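Review bot: The `: ${local_unbound_workdir:=/var/unbound}` defaults block in etc/rc.d/local_unbound is evaluated before the first `load_rc_config $name`, so whenever the script starts without rc.conf's variables already present in its shell (direct invocation rather than being sourced by /etc/rc — inferred, run_rc_script is not in this hunk), an rc.conf override of `local_unbound_workdir` is loaded only after `local_unbound_config`, `local_unbound_flags`, `local_unbound_forwardconf` and `local_unbound_anchor` have already been expanded with `/var/unbound`, and setup, configtest and start then operate on a directory the administrator did not choose. Move `load_rc_config $name` above the defaults block; the second call at the end of the file can stay. Separately, `do_as_unbound` joins its arguments with `echo "$@"` and pipes them to `su -m unbound`, so the unbound user's shell re-parses the text and `-m` hands it the caller's environment; a comment such as `# args are re-parsed by unbound's shell: paths passed here must not contain whitespace or shell metacharacters` above the helper would record that constraint on the rc.conf paths it receives.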
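Review bot: The new `enabled` branch in run_rc_command (etc/rc.subr, third hunk) calls `checkyesno ${rcvar}` unconditionally, so a script that sets no `rcvar` invokes checkyesno with no argument; checkyesno is outside the hunk, but from its usual shape that yields a warning about an unset variable and a false status rather than a deliberate answer. Decide that case explicitly before the call, e.g. `[ -n "$rcvar" ] || return 0` (or `return 1`, if a script that always runs should not count as enabled), so callers of the new command get a defined result. Because `enabled` is now matched before the custom-method dispatch, a script that already lists `enabled` in `$extra_commands` has its `enabled_cmd` shadowed; that is worth a line in the keyword documentation added in the first hunk. The `return $?` directly after `checkyesno` can be a bare `return`, which yields the same status.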