author | fhajny <fhajny@pkgsrc.org> | 2017-02-20 15:19:54 +0000 |
committer | fhajny <fhajny@pkgsrc.org> | 2017-02-20 15:19:54 +0000 |
commit | f96b5c0733e382459cced868d13c6a51adc98cb6 (patch) | |
tree | 5d2ecac1aef81eefeada3cfe1e212578a462fdb7 /net/bind99 | |
parent | 1345269331b106d82890d58e6b0581fb85dfefc7 (diff) | |
download | pkgsrc-f96b5c0733e382459cced868d13c6a51adc98cb6.tar.gz |
Change the bind99 and bind910 packages to use the standard PKG_SYSCONFDIR
for config files instead of the hard-coded /etc path. Sync SMF support
across the two packages. Bump PKGREVISION.
Diffstat (limited to 'net/bind99')
-rw-r--r-- | net/bind99/Makefile | 5 | ||||
-rw-r--r-- | net/bind99/files/smf/manifest.xml | 28 | ||||
-rw-r--r-- | net/bind99/files/smf/named.sh | 260 |
3 files changed, 217 insertions, 76 deletions
diff --git a/net/bind99/Makefile b/net/bind99/Makefile
index d81fac50d4b..be9e6953238 100644
--- a/net/bind99/Makefile
+++ b/net/bind99/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.63 2017/02/09 00:50:15 taca Exp $
+# $NetBSD: Makefile,v 1.64 2017/02/20 15:19:54 fhajny Exp $
 DISTNAME= bind-${BIND_VERSION}
 PKGNAME= ${DISTNAME:S/-P/pl/}
+PKGREVISION= 1
 CATEGORIES= net
 MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
@@ -27,7 +28,7 @@ GNU_CONFIGURE= yes
 #CONFIG_SHELL= sh -x
 CONFIGURE_ARGS+= --with-libtool
-CONFIGURE_ARGS+= --sysconfdir=/etc
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+= --localstatedir=${VARBASE:Q}
 CONFIGURE_ARGS+= --disable-openssl-version-check
 CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
diff --git a/net/bind99/files/smf/manifest.xml b/net/bind99/files/smf/manifest.xml
index 9f24dbc155e..3b9c5965533 100644
--- a/net/bind99/files/smf/manifest.xml
+++ b/net/bind99/files/smf/manifest.xml
@@ -41,7 +41,6 @@ CDDL HEADER END
 <dependency name='config-files' grouping='require_any' restart_on='refresh' type='path'>
 <service_fmri value='file://localhost@PKG_SYSCONFDIR@/named.conf' />
 </dependency>
- <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />
 <!-- In order to run multiple named(1M) processes with their own
 configuration file or properties each must have a unique
@@ -50,22 +49,15 @@ CDDL HEADER END
 <instance name='default' enabled='false'>
 <exec_method type='method' name='start' exec='@PREFIX@/@SMF_METHOD_FILE.named@ %m %i' timeout_seconds='60'>
 <method_context>
- <!--
- privileges: (see privileges(5) and /etc/security/priv_names)
- file_dac_read, file_dac_search:
- Necessary for reading the configuration file
- even it is restricted by the file permission.
- net_privaddr:
- Bind to a privileged port number.
- sys_resource:
- Permit the setting of resource limits (eg. stack
- size).
- proc_chroot:
- Permit use of chroot(2).
- -->
- <method_credential user='root' group='root' privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot' />
+ <method_credential user='root' group='root' />
 </method_context>
 </exec_method>
+ <exec_method type='method' name='stop' exec='@PREFIX@/@SMF_METHOD_FILE.named@ %m %i %{restarter/contract}' timeout_seconds='60'>
+ <method_context>
+ <method_credential user='root' group='root' />
+ </method_context>
+
+ </exec_method>
 <!--
 SIGHUP causes named to reread its configuration file,
 but not any of the properties below.
@@ -126,6 +118,12 @@ CDDL HEADER END
 Equivalent command line option '-t <pathname>'.
 -->
 <propval name='chroot_dir' type='astring' value='' />
+ <!--
+ user: Change the user id after processing command line
+ arguments, but before reading the configuration file.
+ Equivalent command line option '-u <user>'.
+ -->
+ <propval name='user' type='astring' value='named' />
 </property_group>
 </instance>
 <template>
diff --git a/net/bind99/files/smf/named.sh b/net/bind99/files/smf/named.sh
index 49a2da36913..fb3e2638d28 100644
--- a/net/bind99/files/smf/named.sh
+++ b/net/bind99/files/smf/named.sh
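Review bot: The start method's `method_credential` loses its `privileges=` attribute together with the comment that explained why each privilege was required, so the manifest no longer says anything about what named runs with; the reduced set is now applied only inside the method script (via a `ppriv` call before exec), which nobody auditing the manifest will see. I would keep a short comment where the old one stood, e.g. `<!-- Privileges are reduced by the method script (ppriv) before exec; see named.sh for the set and why each is needed. -->`. The new `user` propval defaults to `named`, which presumes that account exists on the system; a note next to the propval stating that the package creates or requires it would save the next reader a trip to the package's Makefile. The stray blank line inside the new stop `exec_method` element can be dropped. The enclosing `<instance>` element continues past the hunk.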
@@ -28,90 +28,232 @@
 . /lib/svc/share/smf_include.sh
+mount_chroot ()
+{
+ c=$1
+ shift
+ for f in $*; do
+ if [ -z "${f}" -o ! -f "${f}" -o \
+ -z "${c}" -o ! -d "${c}" ]; then
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+
+ umount ${c}/${f} >/dev/null 2>&1
+ mkdir -p `dirname ${c}/${f}`
+ touch ${c}/${f}
+ mount -Flofs ${f} ${c}/${f}
+ done
+}
+
+umount_chroot ()
+{
+ c=$1
+ shift
+ for f in $*; do
+ umount ${c}/${f} >/dev/null 2>&1
+ done
+}
+
+get_config ()
+{
+ configuration_file=@PKG_SYSCONFDIR@/named.conf
+ rndc_config_file=@PKG_SYSCONFDIR@/rndc.conf
+ rndc_key_file=@PKG_SYSCONFDIR@/rndc.key
+ rndc_cmd_opts="-a"
+ libraries="/usr/pkg/lib/engines/libgost.so"
+ cmdopts=""
+ checkopts=""
+ properties="debug_level ip_interfaces listen_on_port
+ threads chroot_dir configuration_file server user"
+
+ for prop in $properties
+ do
+ value=`/usr/bin/svcprop -p options/${prop} ${SMF_FMRI}`
+ if [ -z "${value}" -o "${value}" = '""' ]; then
+ continue;
+ fi
+
+ case $prop in
+ 'debug_level')
+ if [ ${value} -gt 0 ]; then
+ cmdopts="${cmdopts} -d ${value}"
+ fi
+ ;;
+ 'ip_interfaces')
+ case ${value} in
+ 'IPv4')
+ cmdopts="${cmdopts} -4";;
+ 'IPv6')
+ cmdopts="${cmdopts} -6";;
+ 'all')
+ : # Default is all, therefore ignore.
+ ;;
+ *)
+ echo "$I: Unrecognised value in service instance property" >&2
+ echo "$I: options/${prop} : ${value}" >&2
+ ;;
+ esac
+ ;;
+ 'listen_on_port')
+ if [ ${value} -gt 0 ]; then
+ cmdopts="${cmdopts} -p ${value}"
+ fi
+ ;;
+ 'threads')
+ if [ ${value} -gt 0 ]; then
+ cmdopts="${cmdopts} -n ${value}"
+ fi
+ ;;
+ 'chroot_dir')
+ cmdopts="${cmdopts} -t ${value}"
+ checkopts="${checkopts} -t ${value}"
+ chroot_dir=${value};
+ ;;
+ 'configuration_file')
+ cmdopts="${cmdopts} -c ${value}"
+ checkopts="${checkopts} -t ${value}"
+ configuration_file=${value};
+ ;;
+ 'server')
+ set -- `echo ${value} | /usr/bin/sed -e 's/\\\\//g'`
+ server=$@
+ ;;
+ 'user')
+ cmdopts="${cmdopts} -u ${value}"
+ cmduser=${value};
+ ;;
+ esac
+ done
+
+ configuration_dir=$(sed -n -e 's,^[[:space:]]*directory.*"\(.*\)";,\1,p' \
+ ${configuration_file})
+ [ "${configuration_dir}" == "" ] && configuration_dir=@PKG_SYSCONFDIR@/namedb
+
+ configuration_files=$(sed -n -e \
+ "s,^[[:space:]]*file.*\"\(.*\)\";,${configuration_dir}/\1,p" \
+ ${configuration_file} | sort -u)
+ configuration_files="${configuration_files} ${configuration_file}"
+}
+
 result=${SMF_EXIT_OK}
 # Read command line arguments
 method="$1" # %m
 instance="$2" # %i
+contract="$3" # %{restarter/contract}
 # Set defaults; SMF_FMRI should have been set, but just in case.
 if [ -z "$SMF_FMRI" ]; then
 SMF_FMRI="svc:/@SMF_PREFIX@/@SMF_NAME@:${instance}"
 fi
 server="@PREFIX@/sbin/named"
+checkconf="@PREFIX@/sbin/named-checkconf"
 I=`/usr/bin/basename $0`
 case "$method" in
 'start')
- cmdopts=""
- properties="debug_level ip_interfaces listen_on_port
- threads chroot_dir configuration_file server"
+ get_config
- for prop in $properties
- do
- value=`/usr/bin/svcprop -p options/${prop} ${SMF_FMRI}`
- if [ -z "${value}" -o "${value}" = '""' ]; then
- continue;
- fi
-
- case $prop in
- 'debug_level')
- if [ ${value} -gt 0 ]; then
- cmdopts="${cmdopts} -d ${value}"
- fi
- ;;
- 'ip_interfaces')
- case ${value} in
- 'IPv4')
- cmdopts="${cmdopts} -4";;
- 'IPv6')
- cmdopts="${cmdopts} -6";;
- 'all')
- : # Default is all, therefore ignore.
- ;;
- *)
- echo "$I: Unrecognised value in service instance property" >&2
- echo "$I: options/${prop} : ${value}" >&2
- ;;
- esac
- ;;
- 'listen_on_port')
- if [ ${value} -gt 0 ]; then
- cmdopts="${cmdopts} -p ${value}"
- fi
- ;;
- 'threads')
- if [ ${value} -gt 0 ]; then
- cmdopts="${cmdopts} -n ${value}"
+ # If chroot option is set, note zones(5) are preferred, then
+ # configuration file lives under chroot directory.
+ if [ "${chroot_dir}" != "" ]; then
+ if [ "${chroot_dir}" = "/" ]; then
+ msg="$I: chroot_dir must not be /"
+ echo ${msg} >&2
+ /usr/bin/logger -p daemon.error ${msg}
+ # dns-server should be placed in maintenance state.
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+
+ server="env LD_NOLAZYLOAD=1 ${server}"
+ checkconf="env LD_NOLAZYLOAD=1 ${checkconf}"
+
+ mkdir -p ${chroot_dir}
+
+ if [ "${SMF_ZONENAME}" = "global" ]; then
+ for dev in crypto log null poll random urandom; do
+ rm -f ${chroot_dir}/dev/${dev}
+ pax -rw -H -pe /dev/${dev} ${chroot_dir}
+ done
+ fi
+
+ missing=""
+ for dev in crypto null poll random urandom; do
+ if [ ! -e "${chroot_dir}/dev/${dev}" ]; then
+ missing="${missing} ${dev}"
 fi
- ;;
- 'chroot_dir')
- cmdopts="${cmdopts} -t ${value}"
- ;;
- 'configuration_file')
- cmdopts="${cmdopts} -c ${value}"
- ;;
- 'server')
- set -- `echo ${value} | /usr/bin/sed -e 's/\\\\//g'`
- server=$@
- ;;
- esac
- done
+ done
+
+ if [ ! -z "${missing}" ]; then
+ msg="$I: missing device nodes in ${chroot_dir}: ${missing}"
+ echo ${msg} >&2
+ /usr/bin/logger -p daemon.err ${msg}
+ # dns-server should be placed in maintenance state.
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+
+ mount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+
+ mkdir -p ${chroot_dir}/var/run/named
+ chown ${cmduser}:${cmduser} ${chroot_dir}/var/run/named
+
+ configuration_file=${chroot_dir}${configuration_file}
+ rndc_config_file=${chroot_dir}${rndc_config_file}
+ rndc_key_file=${chroot_dir}${rndc_key_file}
+ rndc_cmd_opts="${rndc_cmd_opts} -t ${chroot_dir}"
+ fi
+
+ # Check if the rndc config file exists.
+ if [ ! -f ${rndc_config_file} ]; then
+ # If not, check if the default rndc key file exists.
+ if [ ! -f ${rndc_key_file} ]; then
+ echo "$I: Creating default rndc key file: ${rndc_key_file}." >&2
+ /usr/sbin/rndc-confgen ${rndc_cmd_opts}
+ if [ $? -ne 0 ]; then
+ echo "$I : Warning: rndc configuration failed! Use of 'rndc' to" \
+ "control 'named' may fail and 'named' may report further error" \
+ "messages to the system log. This is not fatal. For more" \
+ "information see rndc(1M) and rndc-confgen(1M)." >&2
+ fi
+ fi
+ fi
+
+ if [ ${result} = ${SMF_EXIT_OK} ]; then
+ ${checkconf} -z ${checkopts}
+ result=$?
+ if [ $result -ne 0 ]; then
+ msg="$I: named-checkconf failed to verify configuration"
+ echo ${msg} >&2
+ /usr/bin/logger -p daemon.error ${msg}
+ if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
+ umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+ fi
+ # dns-server should be placed in maintenance state.
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+ fi
 if [ ${result} = ${SMF_EXIT_OK} ]; then
 echo "$I: Executing: ${server} ${cmdopts}"
 # Execute named(1M) with relevant command line options.
- ${server} ${cmdopts}
+ ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts}
 result=$?
 fi
 ;;
 'stop')
- smf_kill_contract ${contract} TERM 1
- [ $? -ne 0 ] && exit 1
- ;;
+ get_config
+
+ smf_kill_contract ${contract} TERM 1
+ [ $? -ne 0 ] && exit 1
+
+ if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
+ umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+ fi
+
+ ;;
 *)
- echo "Usage: $I [stop|start] <instance>" >&2
- exit 1
- ;;
+ echo "Usage: $I [stop|start] <instance>" >&2
+ exit 1
+ ;;
 esac
 exit ${result} |
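Review bot: In `get_config` the `'configuration_file')` arm appends `-t ${value}` to `checkopts`, which hands the config file path to named-checkconf as a chroot directory; when `chroot_dir` is also set this becomes `-t <chroot> -t <named.conf>` and `${checkconf} -z ${checkopts}` will fail (or check the wrong file) whenever `options/configuration_file` is non-empty, sending the service straight to maintenance. named-checkconf takes the file as a positional argument, so that line should read `checkopts="${checkopts} ${value}"` (it is appended after `chroot_dir` because of the order in `properties`, so it lands after any `-t`). The commit's stated purpose is to stop hard-coding paths, yet `libraries="/usr/pkg/lib/engines/libgost.so"` and `/usr/sbin/rndc-confgen` are hard-coded while `server` and `checkconf` use `@PREFIX@`; these should be `@PREFIX@/lib/engines/libgost.so` and `@PREFIX@/sbin/rndc-confgen`. The `ppriv -s A-all -s A+...` line drops the `!proc_session,!proc_info,!file_link_any` exclusions the manifest previously applied and carries no explanation; a one-line comment above it stating why each privilege is required (including the new `proc_setid`, presumably for the `-u` switch) would preserve what the manifest lost.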