rpms/unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity
a8b2f2adc2
unbound/unbound.spec
Petr Menšík c89e088ab8 Update address of b.root-servers.net (#2253461) 
Modification of a config file differs from upstream version, we have it
uncommented in Fedora.

Resolves: rhbz#2253461
2024-01-29 12:32:41 +01:00

509 lines
15 KiB
RPMSpec
Raw Blame History

%{?!with_python2: %global with_python2 0}
%{?!with_python3: %global with_python3 1}
%{?!with_munin: %global with_munin 1}
%bcond_without dnstap
%bcond_with systemd
%bcond_without doh
%bcond_with redis
%global _hardened_build 1
#global extra_version rc1
%if 0%{with_python2}
%global python_primary %{__python2}
%endif
%if 0%{with_python3}
%global python_primary %{__python3}
%endif
%if 0%{?rhel}
%global with_munin 0
%if 0%{?rhel} <= 7
%global with_python3 0
%else
%global with_python2 0
%endif
%endif
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.19.0
Release: %autorelease %{?extra_version:-e %{extra_version}}
License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
Source1: unbound.service
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Source9: example.com.key
Source10: example.com.conf
Source11: block-example.com.conf
Source12: https://data.iana.org/root-anchors/icannbundle.pem
Source13: root.anchor
Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
# source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers
# Downstream configuration changes
Patch1: unbound-fedora-config.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2253461
# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6
Patch2: unbound-1.19-b.root-servers.net.patch
# https://github.com/NLnetLabs/unbound/pull/993
Patch3: unbound-1.19-b.root-servers.net-conf.patch
BuildRequires: gcc, make
BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig
%if 0%{?fedora}
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
BuildRequires: python2-devel swig
%endif
%if 0%{with_python3}
BuildRequires: python3-devel swig
%endif
%if %{with dnstap}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with systemd}
BuildRequires: systemd-devel
%endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if %{with redis}
BuildRequires: hiredis-devel
%endif
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
BuildRequires: systemd-rpm-macros
%else
BuildRequires: systemd
%endif
# Required for SVN versions
# BuildRequires: bison
# BuildRequires: automake autoconf libtool
# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
Requires: openssl
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
%if %{with_munin}
%package munin
Summary: Plugin for the munin / munin-node monitoring package
Requires: munin-node
Requires: %{name} = %{version}-%{release}, bc
BuildArch: noarch
%description munin
Plugin for the munin / munin-node monitoring package
%endif
%package devel
Summary: Development package that includes the unbound header files
Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
Requires: pkgconfig
%description devel
The devel package contains the unbound library and the include files
%package libs
Summary: Libraries used by the unbound server and client applications
Recommends: %{name}-anchor
%{?sysusers_requires_compat}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Obsoletes: python2-unbound < 1.9.3
%endif
%description libs
Contains libraries used by the unbound server and client applications.
%package anchor
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: DNSSEC trust anchor maintaining tool
%description anchor
Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
%package utils
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: Unbound DNS lookup utilities
%description utils
Contains tools for making DNS queries. Can make queries to DNS servers
also over TLS connection or validate DNSSEC signatures. Similar to
bind-utils.
%if 0%{with_python2}
%package -n python2-unbound
%{?python_provide:%python_provide python2-unbound}
Summary: Python 2 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: unbound-python = %{version}-%{release}
Obsoletes: unbound-python < %{version}-%{release}
%description -n python2-unbound
Python 2 modules and extensions for unbound
%endif
%if 0%{with_python3}
%package -n python3-unbound
Summary: Python 3 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Conflicts: python2-unbound < 1.9.3
%endif
%description -n python3-unbound
Python 3 modules and extensions for unbound
%endif
%prep
%if 0%{?fedora}
%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
%endif
%global pkgname %{name}-%{version}%{?extra_version}
%if 0%{with_python2} && 0%{with_python3}
%global dir_primary %{pkgname}_python3
%global python_primary %{__python3}
%global dir_secondary %{pkgname}_python2
%global python_secondary %{__python2}
%else
%global dir_primary %{pkgname}
%endif
%autosetup -c -N -n %{pkgname}
pushd %{pkgname}
# patches go here
%autopatch -p2
# only for snapshots
# autoreconf -iv
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
%if 0%{?rhel} > 8
# SHA-1 breaks some tests. Disable just some tests because of that.
# This got broken in ELN
ls testdata/*.rpl
for TEST in autotrust_init_fail autotrust_init_failsig; do
mv testdata/${TEST}.rpl{,-disabled}
done
%endif
popd
%if 0%{with_python2} && 0%{with_python3}
mv %{pkgname} %{dir_primary}
cp -a %{dir_primary} %{dir_secondary}
%endif
%build
# This is needed to rebuild the configure script to support Python 3.x
# autoreconf -iv
# ./configure script common arguments
%global configure_args --with-libevent --with-pthreads --with-ssl \\\
--disable-rpath --disable-static \\\
--enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
--with-username=unbound \\\
--enable-linux-ip-local-port-range \\\
pushd %{dir_primary}
%configure \
%if 0%{?python_primary:1}
--with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
%endif
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%if %{with doh}
--with-libnghttp2 \
%endif
%if 0%{?rhel}
--disable-sha1 \
%endif
%if %{with redis}
--with-libhiredis \
--enable-cachedb \
%endif
%{configure_args}
%make_build
%make_build streamtcp
popd
%if 0%{?python_secondary:1}
pushd %{dir_secondary}
%configure \
--with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
%if %{with dnstap}
--enable-dnstap \
%endif
%if %{with systemd}
--enable-systemd \
%endif
%{configure_args}
%make_build
popd
%endif
%install
install -p -m 0644 %{SOURCE16} .
%if 0%{?python_secondary:1}
# install first secondary build. It will be overwritten by primary
pushd %{dir_secondary}
%make_install unbound-event-install
popd
%endif
pushd %{dir_primary}
%make_install unbound-event-install
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
popd
install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with_munin}
# Install munin plugin and its softlinks
install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/
install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
%endif
pushd %{dir_primary}
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
popd
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
# install root - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
# make initial key static
pushd %{buildroot}%{_sharedstatedir}/unbound
KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
ln -s "$KEYPATH" root.key
popd
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
%if 0%{with_python2}
rm %{buildroot}%{python2_sitearch}/*.la
%endif
%if 0%{with_python3}
rm %{buildroot}%{python3_sitearch}/*.la
%endif
mkdir -p %{buildroot}%{_rundir}/unbound
# Install directories for easier config file drop in
mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
%pre libs
%sysusers_create_compat %{SOURCE20}
%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service
%post anchor
%systemd_post unbound-anchor.service unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
# the Unit is in presets, but would be started after reboot
/bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
fi
%preun
%systemd_preun unbound.service
%systemd_preun unbound-keygen.service
%preun anchor
%systemd_preun unbound-anchor.service unbound-anchor.timer
%postun
%systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service
%postun anchor
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
%check
pushd %{dir_primary}
#pushd pythonmod
#make test
#popd
make check
popd
%if 0%{?python_secondary:1}
pushd %{dir_secondary}
#pushd pythonmod
#make test
#popd
make check
popd
%endif
%files
%doc doc/CREDITS doc/FEATURES
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup
%{_mandir}/man5/*
%exclude %{_mandir}/man8/unbound-anchor*
%{_mandir}/man8/*
%if 0%{with_python2}
%files -n python2-unbound
%license pythonmod/LICENSE
%{python2_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%if 0%{with_python3}
%files -n python3-unbound
%license pythonmod/LICENSE
%{python3_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%if 0%{with_munin}
%files munin
%doc unbound-munin.README
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
%{_datadir}/munin/plugins/unbound*
%endif
%files devel
%{_libdir}/libunbound.so
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%files libs
%doc doc/README
%license doc/LICENSE
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%{_sysusersdir}/%{name}.conf
%{_libdir}/libunbound.so.8*
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
%files anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_sbindir}/unbound-anchor
%{_mandir}/man8/unbound-anchor*
# icannbundle and root.key(s) should be replaced from package
# intentionally not using noreplace
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%files utils
%{_sbindir}/unbound-host
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/unbound-*
%changelog
%autochangelog
Reference in New Issue View Git Blame Copy Permalink