# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
# $Header: $
+ 20 Nov 2008; Tom Hendrikx (whyscream) <tom@whyscream.net>
+ -unbound-1.0.2.ebuild, +unbound-1.1.1.ebuild, files/chroot_howto.txt,
+ files/unbound.initd:
+ Version bump, minor changes to initd
+
02 Sep 2008; Tom Hendrikx (whyscream) <tom@whyscream.net>
+unbound-1.0.2.ebuild, +files/chroot_howto.txt, +files/unbound.confd,
+files/unbound.initd, +metadata.xml:
-AUX chroot_howto.txt 1692 RMD160 e4939da926078f3982f6b5391e5c900f7008e93e SHA1 f911f11f214125d994e338573c8710dfe6f43674 SHA256 9824f29c59b869820e4bd28906d01aaba451af05dd83bcb9f961eac63155a491
+AUX chroot_howto.txt 1780 RMD160 39c115816f87cf4ec1a17fbfd313fee771a64226 SHA1 3522189d64e92fb64251587db1559e5d0110e540 SHA256 650b4d838ba09d1c94b34ae712102d3b29b84744c4980c5bafe8eaa552a657a5
AUX unbound.confd 284 RMD160 01960d51a873ed30beac29ce20e3dde43dca20aa SHA1 195c31dd2edf4a887f667520ddf70a1bed8a3d65 SHA256 27d73752ae2a0f6c7ae4a3d894357bba1a2fdaf9f3cd0415be03bed2c0211537
-AUX unbound.initd 1028 RMD160 b7c4ad74dbd3ed255c2b4575ca528199731ff655 SHA1 40c55f0a62ed531a34dfa5b3a28d2fa789a305ce SHA256 f491b07b0adc60a56a907283782ed86d073d397a98f40a5413444522d5eaf215
-DIST unbound-1.0.2.tar.gz 3597275 RMD160 1e942505468f6ae4061b208914e9b7feed6ecff1 SHA1 93faa7b76cf7681b8c7b0c5187aaf84c36b6670b SHA256 e6bbc4bb850c211e97ee7b5bc1827f59eb5222d295b715bda4551775766240ac
-EBUILD unbound-1.0.2.ebuild 1695 RMD160 15bc34360da92e9fd331d99d2b573f04703a6a00 SHA1 2159228064f06802e724b714c4250c3f999d3b39 SHA256 4ebb57c6c26ad76015c73a19b1f57e672085e170a25381a8308a10a958c2ba9f
-MISC ChangeLog 330 RMD160 3904b8c5c15947922ba54ba008ff25ce29fa63a3 SHA1 61b79fdfa5dd447510899d714a4531f1af0cdcb8 SHA256 7c72c3bc84f339ad55e8a472cc3d1afb57ca07fba9d989afddd1a95293a797d5
+AUX unbound.initd 985 RMD160 1cd1fe6a195def58fda8be0e3067b2751773be21 SHA1 569ad8abab363e10f03cc9e2d4fb11395fc9b18b SHA256 d8752a4f8ba549ef2822368b86c1a0931284b4e057e236d19f88857a2c43be67
+DIST unbound-1.1.1.tar.gz 3754958 RMD160 08299a2f31a2a01c2d5819f63abc231015074af3 SHA1 8c80e892232a05459923826f266afb770d3f7d73 SHA256 ab6c701f44aeef11a1a8370495749b9b630004597af38dc04094ad5687e73981
+EBUILD unbound-1.1.1.ebuild 1705 RMD160 2d4b395635cac14970674eed20899f7fb1f7ba59 SHA1 4faa6cde22e7842be7db02fd367572948ae2a1b8 SHA256 8d738586bccbf0604cab35c0ddd9186e6b89664a1b5707e0a101009d9a354863
+MISC ChangeLog 525 RMD160 f708f52402909002af68a79a0d6561eed7880bb5 SHA1 fac1a5b9053aff9ff637ecb9d1e4d85b27f9616d SHA256 510dfbfe825de2d33dcfaa144ef8f601ae9424baa749a70eceb63c3cb2178c72
MISC metadata.xml 245 RMD160 d8ace88cdc93cb9ddd4a28cb445e7b8d61cc5127 SHA1 6fe67339cb588812f2973ef6f5eee3d0c1d79b1c SHA256 136f25009219cb8b085d8885f5d68ccdc2836705577688e7587755e9736aba9d
I had no experience whatsoever with chroot jails for daemons, and when making an
ebuild for unbound, someone suggested that I should just check it out.
-Unfortunately, my ebuild skills are not that great, so making the ebuild handle
-the rootjail support transparantly was out of my league. Getting unbound
-running within a rootjail was no problem however. Below are my experiences.
+After lots of playing around with automating a chroot jail setup from within
+the ebuild, everything got way too unstable and far from fool-proof.
+
+Getting unbound running within a rootjail by hand was no problem however.
+Below are my experiences.
* Assumptions
2. Decide where you want your rootjail. I choose /var/lib/unbound
throughout this manual. Then create the directory:
- # mkdir /var/lib/unbound
+ # mkdir /var/lib/unbound
# chown unbound:unbound /var/lib/unbound
# chmod 700 /var/lib/unbound
3. Inside the chroot you'll need access to /dev/random, and possibly /dev/log
- (when using syslog, the default). Simplest way is to bind-mount /dev:
+ (when using syslog, the default). Simplest way is to bind-mount /dev:
# mkdir /var/lib/unbound/dev
# mount -o bind /dev /var/lib/unbound/dev
- Hint: add a line to /etc/fstab to keep this persistent between reboots.
+ Hint: add a line to /etc/fstab to keep this persistent between reboots, f.i.:
+ /dev /var/lib/unbound/dev auto defauls,bind 0 0
4. Move the config file into the chroot and change some settings:
# mv /etc/unbound/unbound.conf /var/lib/unbound
the config and the pid file.
config_file="/var/lib/unbound/unbound.conf"
- pid_file="/var/lib/unbound/unbound.conf"
+ pid_file="/var/lib/unbound/unbound.pid"
configtest || return 1
ebegin "Starting unbound"
- touch "${pid_file}"
- chown unbound:unbound "${pid_file}"
unbound -c "${config_file}"
eend $?
}
}
configtest() {
- ebegin "Checking config"
+ ebegin "Checking config (${config_file})"
unbound-checkconf "${config_file}" > /dev/null 2>&1
local RESULT=$?
if test "$RESULT" != 0; then
KEYWORDS="~amd64 ~x86"
IUSE="debug libevent static threads"
-RDEPEND="dev-libs/openssl
- net-libs/ldns
- libevent? ( dev-libs/libevent )"
-DEPEND="${RDEPEND}"
+DEPEND="dev-libs/openssl
+ >=net-libs/ldns-1.4.0
+ libevent? ( dev-libs/libevent )"
pkg_setup() {
enewgroup unbound
dodoc "${FILESDIR}/chroot_howto.txt" || die "dodoc failed"
# adapt config file to disable the chroot
- sed -i '/^\t# chroot:/a\\tchroot: ""' "$D/etc/unbound/unbound.conf" || die "sed failed"
+ sed -i '/^\t# chroot:/a\\tchroot: ""' "${D}/etc/unbound/unbound.conf" || die "sed failed"
}
pkg_postinst() {
elog "The gentoo configuration does not enable a chroot environment,"
elog "this differs from the default upstream configuration."
- elog "To use a chroot enviroment, please read:"
- elog "/usr/share/doc/${PF}/chroot_howto.txt.bz2"
+ elog "To use a chroot enviroment which is recommended, please read"
+ elog "the chroot_howto.txt in /usr/share/doc/${PF}"
}
projects / ~andy / sunrise / commitdiff