From 7eb562bbab26218331bc2cc99a405e6730992dbb Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Tue, 17 Dec 2013 17:08:42 +0100 Subject: [PATCH] Rework the chroot setup/destruction workflow - Split chroot package for named and named-sdb - Extract setting-up/destroying of chroot to a separate systemd service (#997030) Signed-off-by: Tomas Hozza --- bind.spec | 129 +++++++++++++++++++++++++++++++-- named-chroot-setup.service | 12 +++ named-chroot.service | 5 +- named-sdb-chroot-setup.service | 12 +++ named-sdb-chroot.service | 13 ++-- named-sdb.service | 3 +- named-setup-rndc.service | 7 ++ named.service | 3 +- setup-named-chroot.sh | 2 +- 9 files changed, 168 insertions(+), 18 deletions(-) create mode 100644 named-chroot-setup.service create mode 100644 named-sdb-chroot-setup.service create mode 100644 named-setup-rndc.service diff --git a/bind.spec b/bind.spec index 576f320..000e817 100644 --- a/bind.spec +++ b/bind.spec @@ -22,12 +22,15 @@ %{?!developer: %global developer 0} %global bind_dir /var/named %global chroot_prefix %{bind_dir}/chroot +%if %{SDB} +%global chroot_sdb_prefix %{bind_dir}/chroot_sdb +%endif # Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: ISC Version: 9.9.4 -Release: 9%{?PATCHVER}%{?PREVER}%{?dist} +Release: 10%{?PATCHVER}%{?PREVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -56,6 +59,9 @@ Source40: named-sdb-chroot.service Source41: setup-named-chroot.sh Source42: generate-rndc-key.sh Source43: named.rwtab +Source44: named-chroot-setup.service +Source45: named-sdb-chroot-setup.service +Source46: named-setup-rndc.service # Common patches Patch5: bind-nonexec.patch 
@@ -251,6 +257,21 @@ This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak +%if %{SDB} +%package sdb-chroot +Summary: A chroot runtime environment for the ISC BIND DNS server, named-sdb(8) +Group: System Environment/Daemons +Prefix: %{chroot_prefix} +Requires: bind-sdb +Requires: systemd-units + +%description sdb-chroot +This package contains a tree of files which can be used as a +chroot(2) jail for the named-sdb(8) program from the BIND package. +Based on the code from Jan "Yenya" Kasprzak +%endif + + %prep %setup -q -n %{name}-%{VERSION} @@ -444,6 +465,29 @@ touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/localtime touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf #end chroot +#sdb-chroot +%if %{SDB} +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named} +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp} + +# create symlink as it is on real filesystem +pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var +ln -s ../run run +popd + +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named} +mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind +# these are required to prevent them being erased during upgrade of previous +# versions that included them (bug #130121): +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/null +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/random +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/zero +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/localtime + +touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf +%endif +#end sdb-chroot + make DESTDIR=${RPM_BUILD_ROOT} install # Remove unwanted files 
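Review bot: `Prefix: %{chroot_prefix}` in the new `%package sdb-chroot` stanza looks copied from the chroot subpackage; every path this package owns (see its `%files` list later in the patch) lives under `%{chroot_sdb_prefix}`, so the relocation prefix should read `Prefix: %{chroot_sdb_prefix}` — or, if relocatability is not actually wanted, drop the `Prefix:` line, since that is the only thing it buys. `Requires: bind-sdb` is also unversioned, so the jail tree can be installed against any named-sdb build; if the chroot subpackage pins its dependency to the same EVR (its stanza is outside this hunk), mirror that here with `Requires: bind-sdb%{?_isa} = %{epoch}:%{version}-%{release}`.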
@@ -453,10 +497,14 @@ rm -f ${RPM_BUILD_ROOT}/etc/bind.keys mkdir -p ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} + %if %{SDB} install -m 644 %{SOURCE39} ${RPM_BUILD_ROOT}%{_unitdir} -%endif install -m 644 %{SOURCE40} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE45} ${RPM_BUILD_ROOT}%{_unitdir} +%endif mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh @@ -593,7 +641,6 @@ fi %post chroot %systemd_post named-chroot.service -%systemd_post named-sdb-chroot.service if [ "$1" -gt 0 ]; then [ -e %{chroot_prefix}/dev/random ] || \ /bin/mknod %{chroot_prefix}/dev/random c 1 8 @@ -614,7 +661,6 @@ fi; %preun chroot %systemd_preun named-chroot.service -%systemd_preun named-sdb-chroot.service if [ "$1" -eq 0 ]; then # Package removal, not upgrade rm -f %{chroot_prefix}/dev/{random,zero,null} 
@@ -625,8 +671,45 @@ fi %postun chroot # Package upgrade, not uninstall %systemd_postun_with_restart named-chroot.service + + +%if %{SDB} + +%post sdb-chroot +%systemd_post named-sdb-chroot.service +if [ "$1" -gt 0 ]; then + [ -e %{chroot_sdb_prefix}/dev/random ] || \ + /bin/mknod %{chroot_sdb_prefix}/dev/random c 1 8 + [ -e %{chroot_sdb_prefix}/dev/zero ] || \ + /bin/mknod %{chroot_sdb_prefix}/dev/zero c 1 5 + [ -e %{chroot_sdb_prefix}/dev/null ] || \ + /bin/mknod %{chroot_sdb_prefix}/dev/null c 1 3 + rm -f %{chroot_sdb_prefix}/etc/localtime + cp /etc/localtime %{chroot_sdb_prefix}/etc/localtime +fi; +:; + +%posttrans sdb-chroot +if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_sdb_prefix}/dev/* > /dev/null 2>&1; +fi; +:; + +%preun sdb-chroot +%systemd_preun named-sdb-chroot.service +if [ "$1" -eq 0 ]; then + # Package removal, not upgrade + rm -f %{chroot_sdb_prefix}/dev/{random,zero,null} + rm -f %{chroot_sdb_prefix}/etc/localtime +fi +:; + +%postun sdb-chroot +# Package upgrade, not uninstall %systemd_postun_with_restart named-sdb-chroot.service +%endif + %clean rm -rf ${RPM_BUILD_ROOT} :; @@ -640,6 +723,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_sysconfdir}/tmpfiles.d/named.conf %{_sysconfdir}/rwtab.d/named %{_unitdir}/named.service +%{_unitdir}/named-setup-rndc.service %{_sysconfdir}/NetworkManager/dispatcher.d/13-named %{_sbindir}/named-journalprint %{_sbindir}/named-checkconf @@ -770,7 +854,7 @@ rm -rf ${RPM_BUILD_ROOT} %files chroot %defattr(-,root,root,-) %{_unitdir}/named-chroot.service -%{_unitdir}/named-sdb-chroot.service +%{_unitdir}/named-chroot-setup.service %{_libexecdir}/setup-named-chroot.sh %ghost %{chroot_prefix}/dev/null %ghost %{chroot_prefix}/dev/random 
@@ -796,6 +880,37 @@ rm -rf ${RPM_BUILD_ROOT} %dir %{chroot_prefix}/usr %dir %{chroot_prefix}/%{_libdir} +%if %{SDB} +%files sdb-chroot +%defattr(-,root,root,-) +%{_unitdir}/named-sdb-chroot.service +%{_unitdir}/named-sdb-chroot-setup.service +%{_libexecdir}/setup-named-chroot.sh +%ghost %{chroot_sdb_prefix}/dev/null +%ghost %{chroot_sdb_prefix}/dev/random +%ghost %{chroot_sdb_prefix}/dev/zero +%ghost %{chroot_sdb_prefix}/etc/localtime +%defattr(0640,root,named,0750) +%dir %{chroot_sdb_prefix} +%dir %{chroot_sdb_prefix}/dev +%dir %{chroot_sdb_prefix}/etc +%dir %{chroot_sdb_prefix}/etc/named +%dir %{chroot_sdb_prefix}/etc/pki +%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys +%dir %{chroot_sdb_prefix}/var +%dir %{chroot_sdb_prefix}/run +%dir %{chroot_sdb_prefix}/var/named +%dir %{chroot_sdb_prefix}/%{_libdir}/bind +%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf +%defattr(0660,named,named,0770) +%dir %{chroot_sdb_prefix}/run/named +%dir %{chroot_sdb_prefix}/var/tmp +%dir %{chroot_sdb_prefix}/var/log +%{chroot_sdb_prefix}/var/run +%dir %{chroot_sdb_prefix}/usr +%dir %{chroot_sdb_prefix}/%{_libdir} +%endif + %if %{PKCS11} %files pkcs11 %defattr(-,root,root,-) @@ -807,6 +922,10 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Tue Dec 17 2013 Tomas Hozza 32:9.9.4-10 +- Split chroot package for named and named-sdb +- Extract setting-up/destroying of chroot to a separate systemd service (#997030) + * Thu Nov 28 2013 Tomas Hozza 32:9.9.4-9 - Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687) diff --git a/named-chroot-setup.service b/named-chroot-setup.service new file mode 100644 index 0000000..9870a88 --- /dev/null +++ b/named-chroot-setup.service 
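Review bot: In the new `%files sdb-chroot` list, `%dir %{chroot_sdb_prefix}/usr` and `%dir %{chroot_sdb_prefix}/%{_libdir}` sit under `%defattr(0660,named,named,0770)`, so /usr and /usr/lib64 inside the jail are created owned by and writable for the unprivileged `named` user, which defeats the point of the chroot — a compromised named could populate those directories even though the `bind` plugin directory beneath them stays root:named 0750. Move those two `%dir` lines up into the `%defattr(0640,root,named,0750)` group, next to `%dir %{chroot_sdb_prefix}/%{_libdir}/bind`. The context lines at the top of this hunk show the same two entries closing the existing `%files chroot` list, so that package likely has the same ordering and deserves the same check. Separately, `%{_libexecdir}/setup-named-chroot.sh` is now listed by both chroot and sdb-chroot; rpm tolerates byte-identical shared files from a single build, but shipping the script once in the base package both subpackages require would remove the reliance on that.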
@@ -0,0 +1,12 @@ +[Unit] +Description=Set-up/destroy chroot environment for named (DNS) +BindsTo=named-chroot.service +Wants=named-setup-rndc.service +After=named-setup-rndc.service + + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on +ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off diff --git a/named-chroot.service b/named-chroot.service index f11533c..39d3700 100644 --- a/named-chroot.service +++ b/named-chroot.service @@ -5,8 +5,10 @@ [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Requires=named-chroot-setup.service Before=nss-lookup.target After=network.target +After=named-chroot-setup.service [Service] Type=forking @@ -14,15 +16,12 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/var/named/chroot/run/named/named.pid -ExecStartPre=/usr/libexec/generate-rndc-key.sh -ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' -ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off PrivateTmp=false diff --git a/named-sdb-chroot-setup.service b/named-sdb-chroot-setup.service new file mode 100644 index 0000000..0967a60 --- /dev/null +++ b/named-sdb-chroot-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Set-up/destroy chroot environment for named-sdb +BindsTo=named-sdb-chroot.service +Wants=named-setup-rndc.service +After=named-setup-rndc.service + + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on +ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off 
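Review bot: The new named-chroot-setup.service has no `[Install]` section and only works through the `Requires=` added to named-chroot.service paired with its own `BindsTo=`, but nothing in the file says so; an operator who enables or stops it by hand will either get a no-op or, through the `Requires=` propagation, unexpectedly stop named-chroot.service. A header comment such as `# Pulled in by named-chroot.service (Requires=); not meant to be enabled or stopped directly.` followed by `# ExecStop undoes the bind mounts made by setup-named-chroot.sh.` would document that contract. The unit also hardcodes `/usr/libexec` and `/var/named/chroot` while bind.spec derives the same paths from `%{_libexecdir}` and `%{chroot_prefix}`, so a change to either macro would silently desynchronise the unit; either record that coupling in the same comment or generate the unit from the spec. The same applies to named-sdb-chroot-setup.service at the end of this line.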
diff --git a/named-sdb-chroot.service b/named-sdb-chroot.service index 23b632b..09b7974 100644 --- a/named-sdb-chroot.service +++ b/named-sdb-chroot.service @@ -1,28 +1,27 @@ -# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log" +# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log" # line to your /etc/rsyslog.conf file. Otherwise your logging becomes # broken when rsyslogd daemon is restarted (due update, for example). [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Requires=named-sdb-chroot-setup.service Before=nss-lookup.target After=network.target +After=named-sdb-chroot-setup.service [Service] Type=forking EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab -PIDFile=/var/named/chroot/run/named/named.pid +PIDFile=/var/named/chroot_sdb/run/named/named.pid -ExecStartPre=/usr/libexec/generate-rndc-key.sh -ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on -ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf -ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot $OPTIONS +ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot_sdb -z /etc/named.conf +ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot_sdb $OPTIONS ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' -ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off PrivateTmp=false diff --git a/named-sdb.service b/named-sdb.service index ef3f6ab..e0cd31c 100644 --- a/named-sdb.service +++ b/named-sdb.service @@ -1,8 +1,10 @@ [Unit] Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target +Wants=named-setup-rndc.service Before=nss-lookup.target After=network.target +After=named-setup-rndc.service [Service] Type=forking 
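Review bot: `PIDFile=/var/named/chroot_sdb/run/named/named.pid` points into a directory the spec installs as 0770 named:named, so the pid systemd reads back — and later signals via `kill -TERM $MAINPID` in `ExecStop` — is written by the unprivileged service user; on systemd versions that do not validate the PID against the unit's cgroup, a compromised named could make systemd track and signal an arbitrary process. This is inherited from the non-chroot units rather than introduced here, but since the line is being rewritten it is a good place to record the assumption, e.g. `# PIDFile is in a named-writable directory; relies on systemd validating the PID it reads` above it. Hardening of the chroot services beyond `-u named -t` (for instance `ProtectSystem=`/`NoNewPrivileges=`) is also absent, though that may be deliberate for the systemd of this era.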
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
 ExecStart=/usr/sbin/named-sdb -u named $OPTIONS
 
diff --git a/named-setup-rndc.service b/named-setup-rndc.service
new file mode 100644
index 0000000..ff85e3c
--- /dev/null
+++ b/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh
diff --git a/named.service b/named.service
index f04403b..7e48c89 100644
--- a/named.service
+++ b/named.service
@@ -1,8 +1,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Wants=named-setup-rndc.service
 Before=nss-lookup.target
 After=network.target
+After=named-setup-rndc.service
 
 [Service]
 Type=forking
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
 ExecStart=/usr/sbin/named -u named $OPTIONS
 
diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh
index 9f96278..8de494b 100755
--- a/setup-named-chroot.sh
+++ b/setup-named-chroot.sh
@@ -44,7 +44,7 @@ mount_chroot_conf()
 # Mount source is a directory. Mount it only if directory in chroot is
 # empty.
 if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
- mount --rbind "$all" "$ROOTDIR$all"
+ mount --bind --make-private "$all" "$ROOTDIR$all"
 fi
 fi
 done
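Review bot: named-setup-rndc.service is `Type=oneshot` without `RemainAfterExit=yes`, so it returns to inactive as soon as the script exits and is re-run by every start of named, named-sdb and the *-chroot-setup units that `Wants=` it; that is only safe if generate-rndc-key.sh is a no-op when the key already exists, which the unit neither states nor enforces. Either add `RemainAfterExit=yes` if once-per-boot is the intent, or document the assumption: `# generate-rndc-key.sh must be idempotent: this unit runs on every named start.` If the key path is the stock /etc/rndc.key, a `ConditionPathExists=!/etc/rndc.key` would make the once-only behaviour explicit and avoid spawning the script at all on later starts.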
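Review bot: Replacing `ExecStartPre=/usr/libexec/generate-rndc-key.sh` in named.service with `Wants=named-setup-rndc.service` changes the failure semantics: before, a failing key generation aborted the start of named, whereas now a failure of a merely wanted unit is ignored and named starts anyway, presumably leaving the rndc-based `ExecReload`/`ExecStop` to fall through to their `kill` fallbacks. If that relaxation is intended, say so in the unit with `# Wants= (not Requires=): named must start even if rndc key generation fails`; otherwise use `Requires=named-setup-rndc.service` to keep the old hard dependency. The same substitution is made in named-sdb.service on this and the previous line, and indirectly in both chroot services through their *-chroot-setup units.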
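Review bot: Switching `mount --rbind` to `mount --bind --make-private` silently stops carrying any filesystem mounted below the source directory into the jail (`--bind` is non-recursive), so an admin who keeps, say, a separate filesystem under /var/named will find it empty inside the chroot; if that trade-off is accepted, the comment above the call should record it, e.g. `# Non-recursive bind, made private so an umount in the jail never propagates back to the host tree.` The `--make-private` half is a real hardening gain on its own and deserves that sentence regardless. mount_chroot_conf() begins before this hunk; its emptiness test `ls -1A $ROOTDIR$all | wc -l` is left unquoted, so a path containing whitespace would still misbehave — not something this change introduces, but worth a follow-up while the function is being touched.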