Move unbound-anchor to separate package

It has the service and requires unbound user created. Make it separate,
because some users of unbound-libs might not want or need anchor
maintenance. Make it also easier to add custom options to unbound-anchor
running from the service.

Do not start timer from unbound.service, start instead unbound-anchor
service before starting unbound. It would ensure root anchor is in the
place. Run it from single place from both timer and unbound service.

unbound-anchor.service

@@ -5,5 +5,6 @@ Documentation=man:unbound-anchor(8)
 [Service]
 Type=oneshot
 User=unbound
-ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
+EnvironmentFile=-/etc/sysconfig/unbound
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1

unbound.service

@@ -3,7 +3,8 @@ Description=Unbound recursive Domain Name Server
 After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
-Wants=unbound-anchor.timer
+After=unbound-anchor.service
+Wants=unbound-anchor.service
 Before=nss-lookup.target
 Wants=nss-lookup.target
 
@@ -11,7 +12,6 @@ Wants=nss-lookup.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
 

unbound.spec

@@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.0
-Release: 5%{?extra_version:.%{extra_version}}%{?dist}
+Release: 6%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -88,6 +88,7 @@ BuildRequires: systemd
 
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
 
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -121,14 +122,22 @@ The devel package contains the unbound library and the include files
 
 %package libs
 Summary: Libraries used by the unbound server and client applications
-Requires(pre): shadow-utils
+Recommends: %{name}-anchor
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
 %endif
 
 %description libs
-Contains libraries used by the unbound server and client applications
+Contains libraries used by the unbound server and client applications.
+
+%package anchor
+Requires(pre): shadow-utils
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Summary: DNSSEC trust anchor maintaining tool
+
+%description anchor
+Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
 
 %if 0%{with_python2}
 %package -n python2-unbound
@@ -317,7 +326,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
 
-%pre libs
+%pre anchor
 getent group unbound >/dev/null || groupadd -r unbound
 getent passwd unbound >/dev/null || \
 useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
@@ -327,7 +336,7 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
 
-%post libs
+%post anchor
 %systemd_post unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
@@ -339,7 +348,7 @@ fi
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service
 
-%preun libs
+%preun anchor
 %systemd_preun unbound-anchor.timer
 
 %postun
@@ -376,7 +385,6 @@ popd
 %attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@@ -432,20 +440,26 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
+%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
+%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
+# just left for backwards compat with user changed unbound.conf files - format is different!
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+
+%files anchor
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%{_sbindir}/unbound-anchor
 %{_mandir}/man8/unbound-anchor*
 # icannbundle and root.key(s) should be replaced from package
 # intentionally not using noreplace
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
-%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
-# just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
+- Move unbound-anchor to separate package
+
 * Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
 - Rebuilt for Python 3.11
 

unbound.sysconfig

@@ -1,3 +1,7 @@
-# for extra debug, add "-v -v" or change verbosity: in unbound.conf
+# uncomment following line to skip anchor refresh before unbound start
+#DISABLE_UNBOUND_ANCHOR=yes
+# Better way is systemctl mask unbound-anchor.service
+UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 
+# for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""