From b1d537a11d2a680fc34947d3883280e75b3d6b71 Mon Sep 17 00:00:00 2001
From: des
Date: Mon, 23 Sep 2013 04:36:51 +0000
Subject: Add a setup script for unbound(8) called local-unbound-setup.

It generates a configuration suitable for running unbound as a caching forwarding resolver, and configures resolvconf(8) to update unbound's list of forwarders in addition to /etc/resolv.conf. The initial list is taken from the existing resolv.conf, which is rewritten to point to localhost. Alternatively, a list of forwarders can be provided on the command line.

To assist this script, add an rc.subr command called "enabled" which does nothing except return 0 if the service is enabled and 1 if it is not, without going through the usual checks. We should consider doing the same for "status", which is currently pointless.

Add an rc script for unbound, called local_unbound. If there is no configuration file, the rc script runs local-unbound-setup to generate one.

Note that these scripts place the unbound configuration files in /var/unbound rather than /etc/unbound. This is necessary so that unbound can reload its configuration while chrooted. We should probably provide symlinks in /etc.

Approved by: re (blanket)
---
 etc/rc.d/Makefile | 5 +++
 etc/rc.d/local_unbound | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100755 etc/rc.d/local_unbound

(limited to 'etc/rc.d')

diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 153918d..82775f9 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -150,6 +150,7 @@ FILES= DAEMON \
 	tmp \
 	${_ubthidhci} \
 	ugidfw \
+	${_unbound} \
 	${_utx} \
 	var \
 	virecover \
@@ -184,6 +185,10 @@ _nscd= nscd
 _ubthidhci= ubthidhci
 .endif
 
+.if ${MK_UNBOUND} != "no"
+_unbound= local_unbound
+.endif
+
 .if ${MK_UTMPX} != "no"
 _utx= utx
 .endif
diff --git a/etc/rc.d/local_unbound b/etc/rc.d/local_unbound
new file mode 100755
index 0000000..899e356
--- /dev/null
+++ b/etc/rc.d/local_unbound
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: local_unbound
+# REQUIRE: SERVERS cleanvar
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="local_unbound"
+desc="local caching forwarding resolver"
+rcvar="local_unbound_enable"
+
+command="/usr/sbin/unbound"
+extra_commands="anchor configtest reload setup"
+start_precmd="local_unbound_prestart"
+reload_precmd="local_unbound_configtest"
+anchor_cmd="local_unbound_anchor"
+configtest_cmd="local_unbound_configtest"
+setup_cmd="local_unbound_setup"
+pidfile="/var/run/${name}.pid"
+
+: ${local_unbound_workdir:=/var/unbound}
+: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}
+: ${local_unbound_flags:=-c${local_unbound_config}}
+: ${local_unbound_forwardconf:=${local_unbound_workdir}/forward.conf}
+: ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
+: ${local_unbound_forwarders:=}
+
+load_rc_config $name
+
+do_as_unbound()
+{
+	echo "$@" | su -m unbound
+}
+
+#
+# Retrieve or update the DNSSEC root anchor
+#
+local_unbound_anchor()
+{
+	do_as_unbound /usr/sbin/unbound-anchor -a ${local_unbound_anchor}
+	# we can't trust the exit code - check if the file exists
+	[ -f ${local_unbound_anchor} ]
+}
+
+#
+# Check the unbound configuration file
+#
+local_unbound_configtest()
+{
+	do_as_unbound /usr/sbin/unbound-checkconf ${local_unbound_config}
+}
+
+#
+# Create the unbound configuration file and update resolv.conf to
+# point to unbound.
+#
+local_unbound_setup()
+{
+	echo "Performing initial setup."
+	/usr/sbin/local-unbound-setup -n \
+	    -u unbound \
+	    -w ${local_unbound_workdir} \
+	    -c ${local_unbound_config} \
+	    -f ${local_unbound_forwardconf} \
+	    -a ${local_unbound_anchor} \
+	    ${local_unbound_forwarders}
+}
+
+#
+# Before starting, check that the configuration file and root anchor
+# exist. If not, attempt to generate them.
+#
+local_unbound_prestart()
+{
+	# Create configuration file
+	if [ ! -f ${local_unbound_config} ] ; then
+		run_rc_command setup
+	fi
+
+	# Retrieve DNSSEC root key
+	if [ ! -f ${local_unbound_anchor} ] ; then
+		run_rc_command anchor
+	fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
-- 
cgit v1.1
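Review bot: The derived defaults `: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}`, `local_unbound_flags`, `local_unbound_forwardconf` and `local_unbound_anchor` are evaluated before the first `load_rc_config $name`, so when the script runs on its own (e.g. via service(8)) a `local_unbound_workdir` set in rc.conf is not seen yet and the config, forward.conf and root.key paths stay under /var/unbound; the usual rc.d order is `load_rc_config $name` first, then the `:` defaults, which also makes the second `load_rc_config $name` just before `run_rc_command "$1"` redundant. In `local_unbound_anchor`, the comment says the file check stands in for an untrustworthy exit code, but `[ -f ${local_unbound_anchor} ]` also passes for an empty or truncated key file; `[ -s ${local_unbound_anchor} ]` is the closer check, and with `-f` an incomplete anchor would silently be handed to unbound for DNSSEC validation. `do_as_unbound` feeds its arguments through `echo` into a shell started by `su -m`, so the unquoted `${local_unbound_*}` paths are word-split and interpreted by two shells; quoting them at the call sites (`"${local_unbound_anchor}"`, `"${local_unbound_config}"`) keeps a path containing spaces or metacharacters intact.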