Create root key if missing automatically

Prepare tmpfiles.d script for creating /var/lib/unbound in case it is missing. Prepare link to root.key also. Resolves: RHEL-127540
2025-10-02 18:02:42 +02:00 · 2025-10-02 18:02:42 +02:00 · c82c4d3e9c
commit c82c4d3e9c
parent 01586c861b
2 changed files with 14 additions and 6 deletions
--- a/tmpfiles-unbound-libs.conf
+++ b/tmpfiles-unbound-libs.conf
@ -0,0 +1,2 @@
+d /var/lib/unbound          0755  unbound unbound -
+L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key
--- a/unbound.spec
+++ b/unbound.spec
@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 21%{?extra_version:.%{extra_version}}%{?dist}
+Release: 22%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -58,6 +58,7 @@ Source23: module-setup.sh
 Source24: unbound-initrd.conf
 Source25: unbound.sysusers
 Source26: unbound-as112-networks.conf
+Source27: tmpfiles-unbound-libs.conf

 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
@ -314,18 +315,19 @@ done

 pushd %{dir_primary}
 # install streamtcp man page
-install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 popd

 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE27} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf

 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
+install -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+install -p -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key

 # local root zone fetch to separated configuration file
 install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/
@ -492,6 +494,7 @@ popd
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %{_sysusersdir}/%{name}.conf
+%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_mandir}/man8/unbound-anchor*
@ -509,6 +512,9 @@ popd
 %{_prefix}/lib/dracut/modules.d/99unbound

 %changelog
+* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-22
+- Create root key if missing automatically (RHEL-127540)
+
 * Mon Jul 28 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-21
 - Fix RebirthDay Attack (CVE-2025-5994)
 - Resolves: RHEL-104129