Hello Robert,

On 2016-01-30 10:26 PM, Robert Edmonds wrote:
> Simon Deziel wrote:
>> What do you think of the 2nd version of the proposed fix
>> (unbound-fresh-chroot-2.patch)?
>
> This version of the patch will read from any *.conf file in
> /etc/unbound, which could easily not be part of the active config,
> e.g.:
>
> /etc/unbound/unbound-bad.conf
>
> /etc/unbound/unbound.conf.d.bak/chroot.conf
>
> Or the admin could simply delete the 'include' directive in the
> default /etc/unbound/unbound.conf file, in which case we shouldn't be
> looking at any /etc/unbound/unbound.conf.d/*.conf files at all.
>
> The awk/find/sed/etc. code that you use to try to find the chroot
> directory makes me uncomfortable. It seems that if we need to find
> the configured chroot directory, we should be fixing
> unbound-checkconf so that we can use the Unbound config parser itself
> to tell us where the chroot directory is, rather than trying to
> implement an ad hoc config parser in shell.

Turns out that unbound-checkconf has been fixed somewhere between 1.4.22 and 1.5.7. "unbound-checkconf -o chroot" just works now. Please see the updated patch attached.

>> If we could resolve this chroot'ing problem, Ubuntu, that turns
>> off chroot by default, would be more comfortable to drop part of
>> their delta with Debian.
>
> What delta is there in Ubuntu? I'm looking at the unbound
> 1.5.7-1ubuntu1 source package and the only change I see is to
> disable dnstap support.

After I sent this patch, Ubuntu pulled 1.5.7-1 in and dropped most of the delta.

Best regards,
Simon
--- /etc/init.d/unbound.orig 2015-12-12 15:08:27.000000000 -0500 +++ /etc/init.d/unbound 2016-02-15 17:45:11.838356275 -0500 @@ -21,7 +21,7 @@ UNBOUND_ENABLE=true UNBOUND_CONF=/etc/unbound/unbound.conf UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF) -CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g") +CHROOT_DIR="$(unbound-checkconf -o chroot)" ROOT_TRUST_ANCHOR_UPDATE=false ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key RESOLVCONF=false @@ -93,8 +93,9 @@ do_chroot_setup() { if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then + rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR && mkdir -p $CHROOT_DIR/$UNBOUND_BASE_DIR cd / - tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -) + tar -cf - $(echo $UNBOUND_BASE_DIR | sed 's/^\///') | (cd $CHROOT_DIR && tar -xf -) fi }
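Review bot: in the first hunk, `+CHROOT_DIR="$(unbound-checkconf -o chroot)"` does not pass `$UNBOUND_CONF`, which the line just above it defines and which the rest of the script treats as the config file, so unbound-checkconf reads its compiled-in default path instead; if an admin ever points `UNBOUND_CONF` elsewhere, the chroot the script copies into will not be the one unbound actually uses. Suggest `CHROOT_DIR="$(unbound-checkconf -o chroot "$UNBOUND_CONF")"`. Note also that if the call fails (for example on a config syntax error) `CHROOT_DIR` is simply empty; the `-d "$CHROOT_DIR"` test in do_chroot_setup does skip that case, but nothing reports the failure, so checking the exit status and logging it would make a misconfigured chroot visible rather than silently skipping the copy.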
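Review bot: in the second hunk, the new `rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR` is a recursive delete on a path built from an admin-controlled config value, guarded only by `-d` and `!= "$UNBOUND_BASE_DIR"`; a chroot of `/` (or `/.`) passes both checks and wipes the real /etc/unbound, and because both expansions are unquoted a value containing whitespace splits into several arguments to rm. Suggest quoting the expansions and rejecting `/` explicitly, e.g. `if [ -d "$CHROOT_DIR" ] && [ "$CHROOT_DIR" != / ] && [ "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then`, and deleting the old copy only after the tar pipeline has succeeded (or keeping `--overwrite`), so a failed copy does not leave the chroot with no configuration at all. The added `mkdir -p` is redundant, since `tar -xf` recreates the extracted directory tree itself.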