rpms/unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity
8eb43fc467
unbound/unbound.spec
Petr Menšík 8eb43fc467 Generate configuration file from upstream example.conf 
To reduce rebase burden, just modify upstream example with our Fedora
specific changes. The result should be the same, but without the need to
manually add new features into separate config file.
2023-11-10 16:25:39 +01:00

507 lines
15 KiB
RPMSpec
Raw Blame History

%{?!with_python2: %global with_python2 0}
%{?!with_python3: %global with_python3 1}
%{?!with_munin: %global with_munin 1}
%bcond_without dnstap
%bcond_with systemd
%bcond_without doh
%bcond_with redis
%global _hardened_build 1
#global extra_version rc1
%if 0%{with_python2}
%global python_primary %{__python2}
%endif
%if 0%{with_python3}
%global python_primary %{__python3}
%endif
%if 0%{?rhel}
%global with_munin 0
%if 0%{?rhel} <= 7
%global with_python3 0
%else
%global with_python2 0
%endif
%endif
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.19.0
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
Source1: unbound.service
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Source9: example.com.key
Source10: example.com.conf
Source11: block-example.com.conf
Source12: https://data.iana.org/root-anchors/icannbundle.pem
Source13: root.anchor
Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
# source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers
# Downstream configuration changes
Patch1: unbound-fedora-config.patch
BuildRequires: gcc, make
BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig
%if 0%{?fedora}
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
BuildRequires: python2-devel swig
%endif
%if 0%{with_python3}
BuildRequires: python3-devel swig
%endif
%if %{with dnstap}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with systemd}
BuildRequires: systemd-devel
%endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if %{with redis}
BuildRequires: hiredis-devel
%endif
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
BuildRequires: systemd-rpm-macros
%else
BuildRequires: systemd
%endif
# Required for SVN versions
# BuildRequires: bison
# BuildRequires: automake autoconf libtool
# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
Requires: openssl
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
%if %{with_munin}
%package munin
Summary: Plugin for the munin / munin-node monitoring package
Requires: munin-node
Requires: %{name} = %{version}-%{release}, bc
BuildArch: noarch
%description munin
Plugin for the munin / munin-node monitoring package
%endif
%package devel
Summary: Development package that includes the unbound header files
Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
Requires: pkgconfig
%description devel
The devel package contains the unbound library and the include files
%package libs
Summary: Libraries used by the unbound server and client applications
Recommends: %{name}-anchor
%{?sysusers_requires_compat}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Obsoletes: python2-unbound < 1.9.3
%endif
%description libs
Contains libraries used by the unbound server and client applications.
%package anchor
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: DNSSEC trust anchor maintaining tool
%description anchor
Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
%package utils
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: Unbound DNS lookup utilities
%description utils
Contains tools for making DNS queries. Can make queries to DNS servers
also over TLS connection or validate DNSSEC signatures. Similar to
bind-utils.
%if 0%{with_python2}
%package -n python2-unbound
%{?python_provide:%python_provide python2-unbound}
Summary: Python 2 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: unbound-python = %{version}-%{release}
Obsoletes: unbound-python < %{version}-%{release}
%description -n python2-unbound
Python 2 modules and extensions for unbound
%endif
%if 0%{with_python3}
%package -n python3-unbound
Summary: Python 3 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Conflicts: python2-unbound < 1.9.3
%endif
%description -n python3-unbound
Python 3 modules and extensions for unbound
%endif
%prep
%if 0%{?fedora}
%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
%endif
%global pkgname %{name}-%{version}%{?extra_version}
%if 0%{with_python2} && 0%{with_python3}
%global dir_primary %{pkgname}_python3
%global python_primary %{__python3}
%global dir_secondary %{pkgname}_python2
%global python_secondary %{__python2}
%else
%global dir_primary %{pkgname}
%endif
%autosetup -c -N -n %{pkgname}
pushd %{pkgname}
# patches go here
%autopatch -p2
# only for snapshots
# autoreconf -iv
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
%if 0%{?rhel} > 8
# SHA-1 breaks some tests. Disable just some tests because of that.
# This got broken in ELN
ls testdata/*.rpl
for TEST in autotrust_init_fail autotrust_init_failsig; do
mv testdata/${TEST}.rpl{,-disabled}
done
%endif
popd
%if 0%{with_python2} && 0%{with_python3}
mv %{pkgname} %{dir_primary}
cp -a %{dir_primary} %{dir_secondary}
%endif
%build
# This is needed to rebuild the configure script to support Python 3.x
# autoreconf -iv
# ./configure script common arguments
%global configure_args --with-libevent --with-pthreads --with-ssl \\\
--disable-rpath --disable-static \\\
--enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
--with-username=unbound \\\
--enable-linux-ip-local-port-range \\\
pushd %{dir_primary}
%configure \
%if 0%{?python_primary:1}
--with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
%endif
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%if %{with doh}
--with-libnghttp2 \
%endif
%if 0%{?rhel}
--disable-sha1 \
%endif
%if %{with redis}
--with-libhiredis \
--enable-cachedb \
%endif
%{configure_args}
%make_build
%make_build streamtcp
popd
%if 0%{?python_secondary:1}
pushd %{dir_secondary}
%configure \
--with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%{configure_args}
%make_build
popd
%endif
%install
install -p -m 0644 %{SOURCE16} .
%if 0%{?python_secondary:1}
# install first secondary build. It will be overwritten by primary
pushd %{dir_secondary}
%make_install unbound-event-install
popd
%endif
pushd %{dir_primary}
%make_install unbound-event-install
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
popd
install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.sysusers
%if %{with_munin}
# Install munin plugin and its softlinks
install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/
install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
%endif
pushd %{dir_primary}
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
popd
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
# install root - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
# make initial key static
pushd %{buildroot}%{_sharedstatedir}/unbound
KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
ln -s "$KEYPATH" root.key
popd
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
%if 0%{with_python2}
rm %{buildroot}%{python2_sitearch}/*.la
%endif
%if 0%{with_python3}
rm %{buildroot}%{python3_sitearch}/*.la
%endif
mkdir -p %{buildroot}%{_rundir}/unbound
# Install directories for easier config file drop in
mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
%pre libs
%sysusers_create_compat %{SOURCE20}
%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service
%post anchor
%systemd_post unbound-anchor.service unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
# the Unit is in presets, but would be started after reboot
/bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
fi
%preun
%systemd_preun unbound.service
%systemd_preun unbound-keygen.service
%preun anchor
%systemd_preun unbound-anchor.service unbound-anchor.timer
%postun
%systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service
%postun anchor
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
%check
pushd %{dir_primary}
#pushd pythonmod
#make test
#popd
make check
popd
%if 0%{?python_secondary:1}
pushd %{dir_secondary}
#pushd pythonmod
#make test
#popd
make check
popd
%endif
%files
%doc doc/CREDITS doc/FEATURES
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup
%{_mandir}/man5/*
%exclude %{_mandir}/man8/unbound-anchor*
%{_mandir}/man8/*
%if 0%{with_python2}
%files -n python2-unbound
%license pythonmod/LICENSE
%{python2_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%if 0%{with_python3}
%files -n python3-unbound
%license pythonmod/LICENSE
%{python3_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%if 0%{with_munin}
%files munin
%doc unbound-munin.README
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
%{_datadir}/munin/plugins/unbound*
%endif
%files devel
%{_libdir}/libunbound.so
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%files libs
%doc doc/README
%license doc/LICENSE
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%{_sysusersdir}/%{name}.sysusers
%{_libdir}/libunbound.so.8*
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%verify(not size mtime filedigest link mode user group) %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
%files anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_sbindir}/unbound-anchor
%{_mandir}/man8/unbound-anchor*
# icannbundle and root.key(s) should be replaced from package
# intentionally not using noreplace
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%files utils
%{_sbindir}/unbound-host
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/unbound-*
%changelog
* Thu Nov 02 2023 Petr Menšík <pemensik@redhat.com> - 1.19.0-1
- Update to 1.19.0 (#2248686)
%autochangelog
Reference in New Issue View Git Blame Copy Permalink