Use new config named-chroot.files for chroot setup files (#1429656)

bind.spec

@@ -45,7 +45,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.3
-Release:  14%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  15%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -77,6 +77,7 @@ Source45: named-sdb-chroot-setup.service
 Source46: named-setup-rndc.service
 Source47: named-pkcs11.service
 Source48: setup-named-softhsm.sh
+Source49: named-chroot.files
 
 # Common patches
 Patch10: bind-9.5-PIE.patch
@@ -835,6 +836,7 @@ install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.s
 install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
+install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
 %if %{with SDB}
 mkdir -p ${RPM_BUILD_ROOT}/etc/openldap/schema
 install -m 644 %{SOURCE8} ${RPM_BUILD_ROOT}/etc/openldap/schema/dnszone.schema
@@ -1248,6 +1250,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_includedir}/bind9/isccfg
 
 %files chroot
+%config(noreplace) %{_sysconfdir}/named-chroot.files
 %{_unitdir}/named-chroot.service
 %{_unitdir}/named-chroot-setup.service
 %{_libexecdir}/setup-named-chroot.sh
@@ -1281,6 +1284,7 @@ rm -rf ${RPM_BUILD_ROOT}
 
 %if %{with SDB}
 %files sdb-chroot
+%config(noreplace) %{_sysconfdir}/named-chroot.files
 %{_unitdir}/named-sdb-chroot.service
 %{_unitdir}/named-sdb-chroot-setup.service
 %{_libexecdir}/setup-named-chroot.sh
@@ -1407,6 +1411,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Thu Jul 12 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-15
+- Use new config file named-chroot.files for chroot setup (#1429656)
+
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.3-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 

named-chroot-setup.service

@@ -8,5 +8,5 @@ After=named-setup-rndc.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
-ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files

named-chroot.files

@@ -0,0 +1,23 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/run/named
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named

named-sdb-chroot-setup.service

@@ -8,5 +8,5 @@ After=named-setup-rndc.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on
-ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files

setup-named-chroot.sh

@@ -1,29 +1,21 @@
 #!/bin/bash
 
-# Warning: the order is important
-# If a directory containing $ROOTDIR is listed here,
-# it MUST be listed last. (/var/named contains /var/named/chroot)
-ROOTDIR_MOUNT='/etc/localtime /etc/named.root.key /etc/named.conf
-/etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /etc/named.iscdlv.key
-/etc/crypto-policies/back-ends/bind.config /etc/protocols /etc/services
-/etc/named.dnssec.keys /etc/pki/dnssec-keys
-/etc/named /usr/lib64/bind /usr/lib/bind /run/named
-/var/named'
 
 usage()
 {
   echo
   echo 'This script setups chroot environment for BIND'
-  echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
+  echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> <config.files>'
 }
 
-if ! [ "$#" -eq 2 ]; then
+if ! [ "$#" -eq 3 ]; then
   echo 'Wrong number of arguments'
   usage
   exit 1
 fi
 
 ROOTDIR="$1"
+CONFIG_FILES="$3"
 
 # Exit if ROOTDIR doesn't exist
 if ! [ -d "$ROOTDIR" ]; then
@@ -32,10 +24,40 @@ if ! [ -d "$ROOTDIR" ]; then
   exit 1
 fi
 
+dev_create()
+{
+  DEVNAME="$ROOTDIR/dev/$1"
+  MINOR="$2"
+  if ! [ -e "$DEVNAME" ]; then
+    /bin/mknod "$DEVNAME" c 1 $MINOR
+  fi
+  if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+    /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null
+  fi
+}
+
+dev_chroot_prep()
+{
+  dev_create random 8
+  dev_create zero   5
+  dev_create null   3
+}
+
+files_comment_filter()
+{
+  if [ -d "$1" ]; then
+    grep -v '^[[:space:]]*#' "$1"/*.files
+  else
+    grep -v '^[[:space:]]*#' "$1"
+  fi
+}
+
 mount_chroot_conf()
 {
   if [ -n "$ROOTDIR" ]; then
-    for all in $ROOTDIR_MOUNT; do
+    # Check devices are prepared
+    dev_chroot_prep
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
       # Skip nonexistant files
       [ -e "$all" ] || continue
 
@@ -60,7 +82,7 @@ mount_chroot_conf()
 umount_chroot_conf()
 {
   if [ -n "$ROOTDIR" ]; then
-    for all in $ROOTDIR_MOUNT; do
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
       # Check if file is mount target. Do not use /proc/mounts because detecting
       # of modified mounted files can fail.
       if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then