Change bind99 and bind910 package to use the standard PKG_SYSCONFDIR

for config files instead of the hardcoded /etc path. Sync SMF support across the two packages. Bump PKGREVISION.
2017-02-20 15:19:54 +00:00 · 2017-02-20 15:19:54 +00:00 · d06cf3598e
commit d06cf3598e
parent e737f05feb
6 changed files with 224 additions and 82 deletions
--- a/net/bind910/Makefile
+++ b/net/bind910/Makefile
@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2017/02/09 00:48:59 taca Exp $
+# $NetBSD: Makefile,v 1.30 2017/02/20 15:19:54 fhajny Exp $

 DISTNAME=	bind-${BIND_VERSION}
 PKGNAME=	${DISTNAME:S/-P/pl/}
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/

@ -27,7 +28,7 @@ GNU_CONFIGURE=		yes
 #CONFIG_SHELL=		sh -x

 CONFIGURE_ARGS+=	--with-libtool
-CONFIGURE_ARGS+=	--sysconfdir=/etc
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=	--localstatedir=${VARBASE}
 CONFIGURE_ARGS+=	--disable-openssl-version-check
 CONFIGURE_ARGS+=	--with-openssl=${SSLBASE:Q}
--- a/net/bind910/files/smf/manifest.xml
+++ b/net/bind910/files/smf/manifest.xml
@ -39,7 +39,7 @@ CDDL HEADER END
      <service_fmri value='svc:/milestone/network' />
    </dependency>
    <dependency name='config-files' grouping='require_any' restart_on='refresh' type='path'>
-      <service_fmri value='file://localhost/etc/named.conf' />
+      <service_fmri value='file://localhost@PKG_SYSCONFDIR@/named.conf' />
    </dependency>
    <!--
        In order to run multiple named(1M) processes with their own
--- a/net/bind910/files/smf/named.sh
+++ b/net/bind910/files/smf/named.sh
@ -56,9 +56,9 @@ umount_chroot ()

 get_config ()
 {   
-    configuration_file=/etc/named.conf
-    rndc_config_file=/etc/rndc.conf
-    rndc_key_file=/etc/rndc.key
+    configuration_file=@PKG_SYSCONFDIR@/named.conf
+    rndc_config_file=@PKG_SYSCONFDIR@/rndc.conf
+    rndc_key_file=@PKG_SYSCONFDIR@/rndc.key
    rndc_cmd_opts="-a"
    libraries="/usr/pkg/lib/engines/libgost.so"
    cmdopts=""
@ -127,7 +127,7 @@ get_config ()

    configuration_dir=$(sed -n -e 's,^[[:space:]]*directory.*"\(.*\)";,\1,p' \
        ${configuration_file})
-    [ "${configuration_dir}" == "" ] && configuration_dir=/etc/namedb
+    [ "${configuration_dir}" == "" ] && configuration_dir=@PKG_SYSCONFDIR@/namedb

    configuration_files=$(sed -n -e \
        "s,^[[:space:]]*file.*\"\(.*\)\";,${configuration_dir}/\1,p" \
--- a/net/bind99/Makefile
+++ b/net/bind99/Makefile
@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.63 2017/02/09 00:50:15 taca Exp $
+# $NetBSD: Makefile,v 1.64 2017/02/20 15:19:54 fhajny Exp $

 DISTNAME=	bind-${BIND_VERSION}
 PKGNAME=	${DISTNAME:S/-P/pl/}
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/

@ -27,7 +28,7 @@ GNU_CONFIGURE=		yes
 #CONFIG_SHELL=		sh -x

 CONFIGURE_ARGS+=	--with-libtool
-CONFIGURE_ARGS+=	--sysconfdir=/etc
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=	--localstatedir=${VARBASE:Q}
 CONFIGURE_ARGS+=	--disable-openssl-version-check
 CONFIGURE_ARGS+=	--with-openssl=${SSLBASE:Q}
--- a/net/bind99/files/smf/manifest.xml
+++ b/net/bind99/files/smf/manifest.xml
@ -41,7 +41,6 @@ CDDL HEADER END
    <dependency name='config-files' grouping='require_any' restart_on='refresh' type='path'>
      <service_fmri value='file://localhost@PKG_SYSCONFDIR@/named.conf' />
    </dependency>
-    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />
    <!--
        In order to run multiple named(1M) processes with their own
        configuration file or properties each must have a unique
@ -50,22 +49,15 @@ CDDL HEADER END
    <instance name='default' enabled='false'>
      <exec_method type='method' name='start' exec='@PREFIX@/@SMF_METHOD_FILE.named@ %m %i' timeout_seconds='60'>
        <method_context>
-          <!--
-                privileges: (see privileges(5) and /etc/security/priv_names)
-                file_dac_read, file_dac_search:
-                        Necessary for reading the configuration file
-                        even it is restricted by the file permission.
-                net_privaddr:
-                        Bind to a privileged port number.
-                sys_resource:
-                        Permit the setting of resource limits (eg. stack
-                        size).
-                proc_chroot:
-                        Permit use of chroot(2).
-          -->
-          <method_credential user='root' group='root' privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot' />
+          <method_credential user='root' group='root' />
        </method_context>
      </exec_method>
+      <exec_method type='method' name='stop' exec='@PREFIX@/@SMF_METHOD_FILE.named@ %m %i %{restarter/contract}' timeout_seconds='60'>
+        <method_context>
+          <method_credential user='root' group='root' />
+        </method_context>
+
+      </exec_method>
      <!--
              SIGHUP causes named to reread its configuration file, but not any
              of the properties below.
@ -126,6 +118,12 @@ CDDL HEADER END
                Equivalent command line option '-t <pathname>'.
        -->
        <propval name='chroot_dir' type='astring' value='' />
+	<!--
+		user: Change the user id after processing command line
+		arguments, but before reading the configuration file.
+		Equivalent command line option '-u <user>'.
+	-->
+        <propval name='user' type='astring' value='named' />
      </property_group>
    </instance>
    <template>
--- a/net/bind99/files/smf/named.sh
+++ b/net/bind99/files/smf/named.sh
@ -28,90 +28,232 @@

 . /lib/svc/share/smf_include.sh

+mount_chroot ()
+{
+    c=$1
+    shift
+    for f in $*; do
+        if [ -z "${f}" -o ! -f "${f}" -o \
+             -z "${c}" -o ! -d "${c}" ]; then
+             exit ${SMF_EXIT_ERR_CONFIG}
+        fi
+
+        umount ${c}/${f} >/dev/null 2>&1
+        mkdir -p `dirname ${c}/${f}`
+        touch ${c}/${f}
+        mount -Flofs ${f} ${c}/${f}
+    done
+}
+
+umount_chroot ()
+{
+    c=$1
+    shift
+    for f in $*; do
+        umount ${c}/${f} >/dev/null 2>&1
+    done
+}
+
+get_config ()
+{   
+    configuration_file=@PKG_SYSCONFDIR@/named.conf
+    rndc_config_file=@PKG_SYSCONFDIR@/rndc.conf
+    rndc_key_file=@PKG_SYSCONFDIR@/rndc.key
+    rndc_cmd_opts="-a"
+    libraries="/usr/pkg/lib/engines/libgost.so"
+    cmdopts=""
+    checkopts=""
+    properties="debug_level ip_interfaces listen_on_port
+        threads chroot_dir configuration_file server user"
+
+    for prop in $properties
+    do
+        value=`/usr/bin/svcprop -p options/${prop} ${SMF_FMRI}`
+        if [ -z "${value}" -o "${value}" = '""' ]; then
+            continue;
+        fi
+
+        case $prop in
+        'debug_level')
+            if [ ${value} -gt 0 ]; then
+                cmdopts="${cmdopts} -d ${value}"
+            fi
+            ;;
+        'ip_interfaces')
+            case ${value} in
+                'IPv4')
+                    cmdopts="${cmdopts} -4";;
+                'IPv6')
+                    cmdopts="${cmdopts} -6";;
+                'all')
+                    :   # Default is all, therefore ignore.
+                    ;;
+                *)  
+                    echo "$I: Unrecognised value in service instance property" >&2
+                    echo "$I: options/${prop} : ${value}" >&2
+                    ;;
+            esac
+            ;;
+        'listen_on_port')
+            if [ ${value} -gt 0 ]; then
+                cmdopts="${cmdopts} -p ${value}"
+            fi
+            ;;
+        'threads')
+            if [ ${value} -gt 0 ]; then
+                cmdopts="${cmdopts} -n ${value}"
+            fi
+            ;;
+        'chroot_dir')
+            cmdopts="${cmdopts} -t ${value}"
+            checkopts="${checkopts} -t ${value}"
+            chroot_dir=${value};
+            ;;
+        'configuration_file')
+            cmdopts="${cmdopts} -c ${value}"
+            checkopts="${checkopts} -t ${value}"
+            configuration_file=${value};
+            ;;
+        'server')
+            set -- `echo ${value} | /usr/bin/sed -e  's/\\\\//g'`
+            server=$@
+            ;;
+        'user')
+            cmdopts="${cmdopts} -u ${value}"
+            cmduser=${value};
+            ;;
+        esac
+    done
+
+    configuration_dir=$(sed -n -e 's,^[[:space:]]*directory.*"\(.*\)";,\1,p' \
+        ${configuration_file})
+    [ "${configuration_dir}" == "" ] && configuration_dir=@PKG_SYSCONFDIR@/namedb
+
+    configuration_files=$(sed -n -e \
+        "s,^[[:space:]]*file.*\"\(.*\)\";,${configuration_dir}/\1,p" \
+        ${configuration_file} | sort -u)
+    configuration_files="${configuration_files} ${configuration_file}"    
+}
+
 result=${SMF_EXIT_OK}

 # Read command line arguments
 method="$1"		# %m
 instance="$2" 		# %i
+contract="$3"		# %{restarter/contract}

 # Set defaults; SMF_FMRI should have been set, but just in case.
 if [ -z "$SMF_FMRI" ]; then
    SMF_FMRI="svc:/@SMF_PREFIX@/@SMF_NAME@:${instance}"
 fi
 server="@PREFIX@/sbin/named"
+checkconf="@PREFIX@/sbin/named-checkconf"
 I=`/usr/bin/basename $0`

 case "$method" in
 'start')
-    cmdopts=""
-    properties="debug_level ip_interfaces listen_on_port
-	threads chroot_dir configuration_file server"
+    get_config

-    for prop in $properties
-    do
-	value=`/usr/bin/svcprop -p options/${prop} ${SMF_FMRI}`
-	if [ -z "${value}" -o "${value}" = '""' ]; then
-	    continue;
-	fi
+    # If chroot option is set, note zones(5) are preferred, then
+    # configuration file lives under chroot directory.
+    if [ "${chroot_dir}" != "" ]; then
+        if [ "${chroot_dir}" = "/" ]; then
+            msg="$I: chroot_dir must not be /"
+            echo ${msg} >&2
+            /usr/bin/logger -p daemon.error ${msg}
+            # dns-server should be placed in maintenance state.
+            exit ${SMF_EXIT_ERR_CONFIG}
+        fi

-	case $prop in
-	'debug_level')
-	    if [ ${value} -gt 0 ]; then
-		cmdopts="${cmdopts} -d ${value}"
+        server="env LD_NOLAZYLOAD=1 ${server}"
+        checkconf="env LD_NOLAZYLOAD=1 ${checkconf}"
+
+        mkdir -p ${chroot_dir}
+
+        if [ "${SMF_ZONENAME}" = "global" ]; then
+            for dev in crypto log null poll random urandom; do
+                rm -f ${chroot_dir}/dev/${dev}
+                pax -rw -H -pe /dev/${dev} ${chroot_dir}
+            done
+        fi
+
+	missing=""
+        for dev in crypto null poll random urandom; do
+	    if [ ! -e "${chroot_dir}/dev/${dev}" ]; then
+		missing="${missing} ${dev}"
 	    fi
-	    ;;
-	'ip_interfaces')
-	    case ${value} in
-		'IPv4')
-		    cmdopts="${cmdopts} -4";;
-		'IPv6')
-		    cmdopts="${cmdopts} -6";;
-		'all')
-		    :	# Default is all, therefore ignore.
-		    ;;
-		*)
-		    echo "$I: Unrecognised value in service instance property" >&2
-		    echo "$I: options/${prop} : ${value}" >&2
-		    ;;
-	    esac
-	    ;;
-	'listen_on_port')
-	    if [ ${value} -gt 0 ]; then
-		cmdopts="${cmdopts} -p ${value}"
-	    fi
-	    ;;
-	'threads')
-	    if [ ${value} -gt 0 ]; then
-		cmdopts="${cmdopts} -n ${value}"
-	    fi
-	    ;;
-	'chroot_dir')
-	    cmdopts="${cmdopts} -t ${value}"
-	    ;;
-	'configuration_file')
-	    cmdopts="${cmdopts} -c ${value}"
-	    ;;
-	'server')
-	    set -- `echo ${value} | /usr/bin/sed -e  's/\\\\//g'`
-	    server=$@
-	    ;;
-	esac
-    done
+        done
+
+        if [ ! -z "${missing}" ]; then
+            msg="$I: missing device nodes in ${chroot_dir}: ${missing}"
+            echo ${msg} >&2
+            /usr/bin/logger -p daemon.err ${msg}
+            # dns-server should be placed in maintenance state.
+            exit ${SMF_EXIT_ERR_CONFIG}
+        fi
+
+        mount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+
+        mkdir -p ${chroot_dir}/var/run/named
+        chown ${cmduser}:${cmduser} ${chroot_dir}/var/run/named
+
+        configuration_file=${chroot_dir}${configuration_file}
+        rndc_config_file=${chroot_dir}${rndc_config_file}
+        rndc_key_file=${chroot_dir}${rndc_key_file}
+        rndc_cmd_opts="${rndc_cmd_opts} -t ${chroot_dir}"
+    fi
+
+    # Check if the rndc config file exists.
+    if [ ! -f ${rndc_config_file} ]; then
+        # If not, check if the default rndc key file exists.
+        if [ ! -f ${rndc_key_file} ]; then
+            echo "$I: Creating default rndc key file: ${rndc_key_file}." >&2
+            /usr/sbin/rndc-confgen ${rndc_cmd_opts}
+            if [ $? -ne 0 ]; then
+                echo "$I : Warning: rndc configuration failed! Use of 'rndc' to" \
+                    "control 'named' may fail and 'named' may report further error" \
+                    "messages to the system log. This is not fatal. For more" \
+                    "information see rndc(1M) and rndc-confgen(1M)." >&2
+            fi
+        fi
+    fi
+
+    if [ ${result} = ${SMF_EXIT_OK} ]; then
+        ${checkconf} -z ${checkopts}
+        result=$?
+        if [ $result -ne 0 ]; then
+            msg="$I: named-checkconf failed to verify configuration"
+            echo ${msg} >&2
+            /usr/bin/logger -p daemon.error ${msg}
+            if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
+                umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+            fi
+            # dns-server should be placed in maintenance state.
+            exit ${SMF_EXIT_ERR_CONFIG}
+        fi
+    fi

    if [ ${result} = ${SMF_EXIT_OK} ]; then
 	echo "$I: Executing: ${server} ${cmdopts}"
 	# Execute named(1M) with relevant command line options.
-	${server} ${cmdopts}
+	ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts}
 	result=$?
    fi
    ;;
 'stop')
-	smf_kill_contract ${contract} TERM 1
-	[ $? -ne 0 ] && exit 1
-	;;
+    get_config
+
+    smf_kill_contract ${contract} TERM 1
+    [ $? -ne 0 ] && exit 1
+
+    if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
+        umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+    fi
+
+    ;;
 *)
-	echo "Usage: $I [stop|start] <instance>" >&2
-	exit 1
-	;;
+    echo "Usage: $I [stop|start] <instance>" >&2
+    exit 1
+    ;;
 esac
 exit ${result}