diff --git a/module-setup.sh b/module-setup.sh new file mode 100644 index 0000000..439bc6d --- /dev/null +++ b/module-setup.sh @@ -0,0 +1,44 @@ +#!/usr/bin/bash + +check() { + require_binaries unbound unbound-checkconf unbound-control || return 1 + # the module will be only included if explicitly required either + # by configuration or another module + return 255 +} + +depends() { + # because of pid file we need sysusers to create unbound user + echo systemd systemd-sysusers + return 0 +} + +install() { + # We have to make unbound wanted by network-online target to make sure + # there is a synchronization point when other services are able + # to make queries + inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf + + # /etc and /var/lib do not have its variables + inst_multiple -o \ + "$systemdsystemunitdir"/unbound.service \ + /etc/unbound/conf.d/remote-control.conf \ + /etc/unbound/openssl-sha1.conf \ + /usr/share/unbound/fedora-defaults.conf \ + /usr/share/unbound/conf.d/*.conf \ + /etc/unbound/local.d/*.conf \ + /etc/unbound/keys.d/*.key \ + /etc/unbound/unbound.conf \ + /etc/unbound/unbound_control.key \ + /etc/unbound/unbound_control.pem \ + /etc/unbound/unbound_server.key \ + /etc/unbound/unbound_server.pem \ + "$sysusers"/unbound.conf \ + "$tmpfilesdir"/unbound.conf \ + /var/lib/unbound/root.key \ + unbound \ + unbound-checkconf \ + unbound-control + + $SYSTEMCTL -q --root "$initdir" enable unbound.service +} diff --git a/unbound-initrd.conf b/unbound-initrd.conf new file mode 100644 index 0000000..7838b3d --- /dev/null +++ b/unbound-initrd.conf @@ -0,0 +1,5 @@ +[Unit] +Before=network-online.target + +[Install] +WantedBy=network-online.target diff --git a/unbound.spec b/unbound.spec index f36b27a..5aef89c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 9%{?extra_version:.%{extra_version}}%{?dist} +Release: 10%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -54,6 +54,8 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source21: remote-control.conf Source22: unbound-local-root.conf +Source23: module-setup.sh +Source24: unbound-initrd.conf # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554 Patch1: unbound-1.16-CVE-2022-3204.patch @@ -162,6 +164,14 @@ Conflicts: python2-unbound < 1.9.3 Python 3 modules and extensions for unbound %endif +%package dracut +Summary: Unbound dracut module +Requires: dracut%{?_isa} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description dracut +Unbound dracut module allowing use of Unbound for name resolution +in initramfs. %prep %if 0%{?fedora} @@ -328,6 +338,11 @@ ln -s ../unbound-local-root.conf %{buildroot}%{_sysconfdir}/unbound/conf.d/unbou # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# install dracut module +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound + +install -p -m 0755 %{SOURCE23} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound +install -p -m 0644 %{SOURCE24} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound %pre libs getent group unbound >/dev/null || groupadd -r unbound @@ -460,7 +475,14 @@ popd # just left for backwards compat with user changed unbound.conf files - format is different! %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key +%files dracut +%{_prefix}/lib/dracut/modules.d/99unbound + %changelog +* Tue Feb 04 2025 Tomas Korbar - 1.16.2-10 +- Add dracut module +- Resolves: RHEL-77789 + * Tue Feb 04 2025 Tomas Korbar - 1.16.2-9 - Move automatic root zone fetching to drop-in - Resolves: RHEL-77788