From 3d0386f27ca66379acf50199e1d1298386eeeeb8 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 02:55:53 +0200 Subject: Adding upstream version 3.2.1. 
Signed-off-by: Daniel Baumann --- distro/arch/PKGBUILD | 56 +++ distro/arch/install | 15 + distro/common/kresd.conf | 19 + distro/common/kresd.no_ta.conf | 19 + distro/common/root.keys | 2 + distro/common/systemd/README.md | 31 ++ distro/common/systemd/drop-in/listen-tls.conf | 7 + distro/common/systemd/drop-in/listen-udp-tcp.conf | 8 + distro/common/systemd/drop-in/systemd-compat.conf | 17 + distro/common/systemd/kresd-control@.socket | 16 + distro/common/systemd/kresd-tls.socket | 16 + distro/common/systemd/kresd.socket | 17 + distro/common/systemd/kresd.systemd.7 | 230 +++++++++++ distro/common/systemd/kresd.target | 8 + distro/common/systemd/kresd@.service | 17 + distro/common/tmpfiles/knot-resolver.conf | 4 + distro/deb/NEWS | 23 ++ distro/deb/README.source | 70 ++++ distro/deb/changelog | 6 + distro/deb/clean | 4 + distro/deb/compat | 1 + distro/deb/control | 137 +++++++ distro/deb/copyright | 448 +++++++++++++++++++++ distro/deb/docs | 1 + distro/deb/init-d-script | 239 +++++++++++ distro/deb/knot-resolver-doc.doc-base | 11 + distro/deb/knot-resolver-doc.docs | 1 + distro/deb/knot-resolver-doc.links | 2 + distro/deb/knot-resolver-module-http.install | 6 + distro/deb/knot-resolver-module-http.links | 5 + distro/deb/knot-resolver-module-tinyweb.install | 1 + distro/deb/knot-resolver.dirs | 3 + distro/deb/knot-resolver.install | 38 ++ distro/deb/knot-resolver.kresd.default | 13 + distro/deb/knot-resolver.kresd.init | 59 +++ distro/deb/knot-resolver.links | 2 + distro/deb/knot-resolver.manpages | 2 + distro/deb/knot-resolver.postinst | 30 ++ distro/deb/knot-resolver.postrm | 8 + distro/deb/knot-resolver.triggers | 1 + distro/deb/kresd.conf | 19 + distro/deb/libkres-dev.install | 3 + distro/deb/libkres9.install | 1 + distro/deb/libkres9.symbols | 144 +++++++ distro/deb/not-installed | 1 + .../0001-Update-documentation-of-keyfile-ro.patch | 41 ++ distro/deb/patches/series | 1 + distro/deb/rules | 68 ++++ distro/deb/source/format | 1 + distro/deb/tests/control | 2 
+ distro/rpm/knot-resolver.spec | 235 +++++++++++ distro/tests/README.md | 42 ++ distro/tests/arch/Vagrantfile | 16 + distro/tests/centos7/Vagrantfile | 19 + distro/tests/debian9/Vagrantfile | 16 + distro/tests/fedora28/Vagrantfile | 19 + distro/tests/fedora29/Vagrantfile | 19 + distro/tests/knot-resolver-test.yaml | 148 +++++++ distro/tests/leap15/Vagrantfile | 16 + distro/tests/repos.yaml | 3 + distro/tests/test-distro.sh | 32 ++ distro/tests/tumbleweed/Vagrantfile | 16 + distro/tests/ubuntu1604/Vagrantfile | 19 + distro/tests/ubuntu1804/Vagrantfile | 19 + distro/tests/ubuntu1810/Vagrantfile | 19 + 65 files changed, 2512 insertions(+) create mode 100644 distro/arch/PKGBUILD create mode 100644 distro/arch/install create mode 100644 distro/common/kresd.conf create mode 100644 distro/common/kresd.no_ta.conf create mode 100644 distro/common/root.keys create mode 100644 distro/common/systemd/README.md create mode 100644 distro/common/systemd/drop-in/listen-tls.conf create mode 100644 distro/common/systemd/drop-in/listen-udp-tcp.conf create mode 100644 distro/common/systemd/drop-in/systemd-compat.conf create mode 100644 distro/common/systemd/kresd-control@.socket create mode 100644 distro/common/systemd/kresd-tls.socket create mode 100644 distro/common/systemd/kresd.socket create mode 100644 distro/common/systemd/kresd.systemd.7 create mode 100644 distro/common/systemd/kresd.target create mode 100644 distro/common/systemd/kresd@.service create mode 100644 distro/common/tmpfiles/knot-resolver.conf create mode 100644 distro/deb/NEWS create mode 100644 distro/deb/README.source create mode 100644 distro/deb/changelog create mode 100644 distro/deb/clean create mode 100644 distro/deb/compat create mode 100644 distro/deb/control create mode 100644 distro/deb/copyright create mode 100644 distro/deb/docs create mode 100755 distro/deb/init-d-script create mode 100644 distro/deb/knot-resolver-doc.doc-base create mode 100644 distro/deb/knot-resolver-doc.docs create mode 100644 
distro/deb/knot-resolver-doc.links create mode 100644 distro/deb/knot-resolver-module-http.install create mode 100644 distro/deb/knot-resolver-module-http.links create mode 100644 distro/deb/knot-resolver-module-tinyweb.install create mode 100644 distro/deb/knot-resolver.dirs create mode 100644 distro/deb/knot-resolver.install create mode 100644 distro/deb/knot-resolver.kresd.default create mode 100644 distro/deb/knot-resolver.kresd.init create mode 100644 distro/deb/knot-resolver.links create mode 100644 distro/deb/knot-resolver.manpages create mode 100644 distro/deb/knot-resolver.postinst create mode 100644 distro/deb/knot-resolver.postrm create mode 100644 distro/deb/knot-resolver.triggers create mode 100644 distro/deb/kresd.conf create mode 100644 distro/deb/libkres-dev.install create mode 100644 distro/deb/libkres9.install create mode 100644 distro/deb/libkres9.symbols create mode 100644 distro/deb/not-installed create mode 100644 distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch create mode 100644 distro/deb/patches/series create mode 100755 distro/deb/rules create mode 100644 distro/deb/source/format create mode 100644 distro/deb/tests/control create mode 100644 distro/rpm/knot-resolver.spec create mode 100644 distro/tests/README.md create mode 100644 distro/tests/arch/Vagrantfile create mode 100644 distro/tests/centos7/Vagrantfile create mode 100644 distro/tests/debian9/Vagrantfile create mode 100644 distro/tests/fedora28/Vagrantfile create mode 100644 distro/tests/fedora29/Vagrantfile create mode 100644 distro/tests/knot-resolver-test.yaml create mode 100644 distro/tests/leap15/Vagrantfile create mode 100644 distro/tests/repos.yaml create mode 100755 distro/tests/test-distro.sh create mode 100644 distro/tests/tumbleweed/Vagrantfile create mode 100644 distro/tests/ubuntu1604/Vagrantfile create mode 100644 distro/tests/ubuntu1804/Vagrantfile create mode 100644 distro/tests/ubuntu1810/Vagrantfile (limited to 'distro') 
diff --git a/distro/arch/PKGBUILD b/distro/arch/PKGBUILD
new file mode 100644
index 0000000..87f8aa7
--- /dev/null
+++ b/distro/arch/PKGBUILD
@@ -0,0 +1,56 @@
+# Maintainer: Tomas Krizek
+# Contributor: Ondřej Surý
+
+pkgname=knot-resolver
+pkgver=__VERSION__
+pkgrel=1
+pkgdesc='full caching DNS resolver implementation'
+url='https://www.knot-resolver.cz/'
+arch=('x86_64' 'armv7h')
+license=('GPL3')
+backup=('etc/knot-resolver/kresd.conf')
+options=(debug strip)
+install=install
+depends=('cmocka'
+ 'dnssec-anchors'
+ 'gnutls'
+ 'knot>=2.7.2'
+ 'libedit'
+ 'libsystemd'
+ 'libuv'
+ 'lmdb'
+ 'lua51-sec'
+ 'lua51-socket'
+ 'luajit')
+source=("knot-resolver_${pkgver}.orig.tar.xz")
+
+_makevars="PREFIX=/usr SBINDIR=/usr/bin LIBDIR=/usr/lib INCLUDEDIR=/usr/include ETCDIR=/etc/knot-resolver KEYFILE_DEFAULT=/etc/trusted-key.key V=1"
+
+sha256sums=('SKIP')
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make ${_makevars}
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make check-unit ${_makevars}
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make ${_makevars} DESTDIR="${pkgdir}" install
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd.socket" "${pkgdir}/usr/lib/systemd/system/kresd.socket"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd-control@.socket" "${pkgdir}/usr/lib/systemd/system/kresd-control@.socket"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd-tls.socket" "${pkgdir}/usr/lib/systemd/system/kresd-tls.socket"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd@.service" "${pkgdir}/usr/lib/systemd/system/kresd@.service"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd.target" "${pkgdir}/usr/lib/systemd/system/kresd.target"
+ install -dm 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants"
+ ln -s ../kresd.target "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants/kresd.target"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/systemd/kresd.systemd.7" "${pkgdir}/usr/share/man/man7/kresd.systemd.7"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/tmpfiles/knot-resolver.conf" "${pkgdir}/usr/lib/tmpfiles.d/knot-resolver.conf"
+ install -dm 0775 "${pkgdir}/etc/knot-resolver"
+ install -Dm 0644 "${srcdir}/${pkgname}-${pkgver}/distro/common/kresd.no_ta.conf" "${pkgdir}/etc/knot-resolver/kresd.conf"
+}
diff --git a/distro/arch/install b/distro/arch/install
new file mode 100644
index 0000000..de23d59
--- /dev/null
+++ b/distro/arch/install
@@ -0,0 +1,15 @@
+post_install() {
+ getent group knot-resolver &>/dev/null || groupadd -r knot-resolver >/dev/null
+ getent passwd knot-resolver &>/dev/null || useradd -r -g knot-resolver -d /dev/null -s /bin/false -c knot-resolver knot-resolver >/dev/null
+ chown -R root:knot-resolver /etc/knot-resolver
+}
+
+post_upgrade() {
+ chown -R root:knot-resolver /etc/knot-resolver
+}
+
+post_remove() {
+ getent passwd knot-resolver &>/dev/null && userdel knot-resolver >/dev/null
+ getent group knot-resolver &>/dev/null && groupdel knot-resolver >/dev/null
+ true
+}
diff --git a/distro/common/kresd.conf b/distro/common/kresd.conf
new file mode 100644
index 0000000..a82a893
--- /dev/null
+++ b/distro/common/kresd.conf
@@ -0,0 +1,19 @@
+-- vim:syntax=lua:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- See kresd.systemd(7) about configuring network interfaces when using systemd
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- Enable DNSSEC validation
+trust_anchors.file = '/etc/knot-resolver/root.keys'
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/distro/common/kresd.no_ta.conf b/distro/common/kresd.no_ta.conf
new file mode 100644
index 0000000..e452f0e
--- /dev/null
+++ b/distro/common/kresd.no_ta.conf
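Review bot: `sha256sums=('SKIP')` in distro/arch/PKGBUILD turns off makepkg's integrity check for `knot-resolver_${pkgver}.orig.tar.xz`, so a corrupted or substituted tarball would be built and packaged without any warning. Since `pkgver=__VERSION__` is already filled in by a release step, the same step could fill in the real digest through a second placeholder (for example `sha256sums=('__SHA256__')`, a name constructed here, not one the project defines). Separately, `install -dm 0775 "${pkgdir}/etc/knot-resolver"` combined with the `chown -R root:knot-resolver` in the install script leaves the configuration directory writable by the daemon's group; if that is intended only so kresd can update a trust-anchor file, a comment above that line saying so would help the next packager.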
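Review bot: `post_remove()` in distro/arch/install deletes the `knot-resolver` user and group, but files the daemon created are left behind (the tmpfiles entry added in this commit gives it `/var/cache/knot-resolver`), so they stay owned by a numeric ID that a later `useradd -r` may assign to an unrelated account. Either keep the account on removal or remove the cache directory before `userdel`. A one-line comment in `post_remove()` recording which choice was made would be enough documentation.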
@@ -0,0 +1,19 @@
+-- vim:syntax=lua:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- See kresd.systemd(7) about configuring network interfaces when using systemd
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.keyfile_default = nil
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/distro/common/root.keys b/distro/common/root.keys
new file mode 100644
index 0000000..7578e04
--- /dev/null
+++ b/distro/common/root.keys
@@ -0,0 +1,2 @@
+. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
diff --git a/distro/common/systemd/README.md b/distro/common/systemd/README.md
new file mode 100644
index 0000000..433f92f
--- /dev/null
+++ b/distro/common/systemd/README.md
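Review bot: The first record in distro/common/root.keys, key tag 19036, is the 2010 root KSK, which was replaced in the 2018 rollover and published as revoked in January 2019; key tag 20326 alone is sufficient as a starting trust anchor. Keeping both presumably relies on the resolver's RFC 5011 tracking to retire the old key, which can only be persisted if the installed file is writable by the daemon. I would ship the file with the 20326 line only, or add a `;` comment line recording why the 19036 record is still included.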
@@ -0,0 +1,31 @@
+Running Knot Resolver under systemd (or equivalent) socket activation
+=====================================================================
+
+You can use the files in this directory to run kresd under supervision
+by systemd (or any supervisor that provides equivalent file descriptor
+initialization via the interface supported by
+sd_listen_fds_with_names(3)).
+
+Usage and Configuration
+-----------------------
+
+See kresd.systemd(7) for details.
+
+Compatibility with older systemd
+--------------------------------
+
+If you're using systemd prior to version 227, use the systemd-compat.conf
+drop-in file to use manual activation. In this case, socket files shouldn't
+be packaged, because they won't be used.
+
+Notes
+-----
+
+* If you're using the upstream systemd unit files, don't forget to also include
+ kresd.systemd.7 manual page in the package.
+* Distributions using systemd-sysv-generator should mask kresd.service to
+ be consistent with other distributions. Any use of kresd.service instead of
+ kresd@N.service is discouraged to avoid confusing the users.
+* kresd.target should be enabled by default by linking it to systemd lib/
+ directory. Instances of kresd@.service are then added manually to
+ kresd.target when the user enables them.
diff --git a/distro/common/systemd/drop-in/listen-tls.conf b/distro/common/systemd/drop-in/listen-tls.conf
new file mode 100644
index 0000000..6c798f0
--- /dev/null
+++ b/distro/common/systemd/drop-in/listen-tls.conf
@@ -0,0 +1,7 @@
+# /etc/systemd/system/kresd-tls.socket.d/override.conf
+
+# Configure which interfaces should kresd listen on.
+# ListenStream can be added multiple times.
+
+[Socket]
+ListenStream=192.0.2.115:853
diff --git a/distro/common/systemd/drop-in/listen-udp-tcp.conf b/distro/common/systemd/drop-in/listen-udp-tcp.conf
new file mode 100644
index 0000000..480767a
--- /dev/null
+++ b/distro/common/systemd/drop-in/listen-udp-tcp.conf
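Review bot: The listen-tls.conf drop-in, like listen-udp-tcp.conf in the next hunk, adds a listener on a routable address but its comments say nothing about who may then query the resolver. A recursive resolver reachable from untrusted networks can be abused as an open resolver, so I would add a comment above `[Socket]` in both files such as `# A non-loopback listener exposes kresd to the network; restrict clients with a firewall or the view/policy modules.` Because 192.0.2.115 is a documentation address, a note that it must be replaced before use would also help.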
@@ -0,0 +1,8 @@
+# /etc/systemd/system/kresd.socket.d/override.conf
+
+# Configure which interfaces should kresd listen on.
+# ListenDatagram and ListenStream can be added multiple times.
+
+[Socket]
+ListenDatagram=192.0.2.115:53
+ListenStream=192.0.2.115:53
diff --git a/distro/common/systemd/drop-in/systemd-compat.conf b/distro/common/systemd/drop-in/systemd-compat.conf
new file mode 100644
index 0000000..d251c41
--- /dev/null
+++ b/distro/common/systemd/drop-in/systemd-compat.conf
@@ -0,0 +1,17 @@
+# /usr/lib/systemd/system/kresd@.service.d/override.conf
+
+# If systemd.227+ isn't available (e.g. CentOS 7), socket activation can't be used
+# and the following modifications are required to use the service with
+# manual activation.
+
+# CAP_NET_BIND_SERVICE is necessary to be able to bind to a well-known port
+# as an unprivilidged user.
+
+# Explicit --forks=1 turns off interactive mode.
+
+[Service]
+Type=simple
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecStart=
+ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1
+Sockets=
diff --git a/distro/common/systemd/kresd-control@.socket b/distro/common/systemd/kresd-control@.socket
new file mode 100644
index 0000000..6937436
--- /dev/null
+++ b/distro/common/systemd/kresd-control@.socket
@@ -0,0 +1,16 @@
+[Unit]
+Description=Knot Resolver control socket
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+PartOf=kresd@%i.service
+
+[Socket]
+Service=kresd@%i.service
+ListenStream=/run/knot-resolver/control@%i
+FileDescriptorName=control
+SocketMode=0660
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/distro/common/systemd/kresd-tls.socket b/distro/common/systemd/kresd-tls.socket
new file mode 100644
index 0000000..ab16c81
--- /dev/null
+++ b/distro/common/systemd/kresd-tls.socket
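Review bot: In systemd-compat.conf, `AmbientCapabilities=CAP_NET_BIND_SERVICE` grants the capability but nothing limits the bounding set, so the manual-activation path is less confined than the socket-activated one it replaces; adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` under `[Service]` would keep the daemon at exactly the one capability the comment says it needs. It is also worth confirming that the targeted pre-227 systemd builds accept `AmbientCapabilities=` at all, since upstream introduced that setting in a later release and an unsupported directive would leave the unprivileged daemon unable to bind port 53. The comment above it misspells "unprivileged" as "unprivilidged".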
@@ -0,0 +1,16 @@
+[Unit]
+Description=Knot Resolver TLS network listener
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+FreeBind=true
+FileDescriptorName=tls
+ListenStream=[::1]:853
+ListenStream=127.0.0.1:853
+Service=kresd@1.service
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/distro/common/systemd/kresd.socket b/distro/common/systemd/kresd.socket
new file mode 100644
index 0000000..9dd9424
--- /dev/null
+++ b/distro/common/systemd/kresd.socket
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver network listeners
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+FreeBind=true
+ListenDatagram=[::1]:53
+ListenStream=[::1]:53
+ListenDatagram=127.0.0.1:53
+ListenStream=127.0.0.1:53
+Service=kresd@1.service
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/distro/common/systemd/kresd.systemd.7 b/distro/common/systemd/kresd.systemd.7
new file mode 100644
index 0000000..420b110
--- /dev/null
+++ b/distro/common/systemd/kresd.systemd.7
@@ -0,0 +1,230 @@
+.TH "kresd.systemd" "7" "2018-06-04" "CZ.NIC" "Knot Resolver Systemd Units"
+.\"
+.\" kresd.systemd.7 -- man page for systemd units for kresd
+.\"
+.\" Copyright (c) 2018, CZ.NIC. All rights reserved.
+.\"
+.\" See COPYING for the license.
+.\"
+.\"
+.SH "NAME"
+kresd.systemd
+\- managing Knot Resolver through systemd.
+
+.SH "SYNOPSIS"
+.nf
+kresd@.service
+kresd.socket
+kresd-tls.socket
+kresd-control@.socket
+kresd.target
+system-kresd.slice
+.fi
+
+.SH "DESCRIPTION"
+.P
+This manual page describes how to manage \fBkresd\fR using \fBsystemd\fR
+units. Depending on your distribution, this can be either be done with
+socket-based activation or without it. The following assumes socket-based activation.
+For differences see \fINOTES\fR below.
+
+\fBkresd\fR daemon can be executed in multiple independent processes, which can be
+managed with \fBsystemd\fR via systemd templates (see \fBsystemd.unit\fR(5)).
+Each \fBsystemd\fR service instance of \fBkresd\fR (\fIkresd@.service\fR) represents a
+single, independent kresd process.
+
+The systemd-managed \fBkresd\fR service set is grouped in the
+\fIsystem-kresd.slice\fR slice. The slice includes one or more
+running daemons (instances of \fIkresd@.service\fR), public listening
+sockets (the same listening sockets are shared by all daemons) and a
+dedicated control socket for each running daemon.
+
+Each instance of \fIkresd@.service\fR has three systemd sockets (see
+\fBsystemd.socket(5)\fR) associated with it:
+
+.nf
+.RS
+\fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53), shared with other instances
+\fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853), shared with other instances
+\fIkresd-control@.socket\fR - UNIX socket with control terminal, dedicated
+.RE
+.fi
+
+.B Configuring network interfaces
+
+When using socket-based activation, the daemon requires neither root privileges
+nor any special capabilities, because the sockets are created by \fBsystemd\fR and
+passed to \fBkresd\fR. This means \fBkresd\fR can't bind to ports below 1024 when
+configured in \fI/etc/knot-resolver/kresd.conf\fR.
+
+To configure \fBkresd\fR to listen on public interfaces, drop-in files (see
+\fBsystemd.unit\fR(5)) should be used. These can be created with:
+
+.nf
+.RS 4n
+.B systemctl edit kresd.socket
+.B systemctl edit kresd-tls.socket
+.RE
+.fi
+
+For example, to configure \fBkresd\fR to listen on 192.0.2.115 on ports 53 and
+853, the drop-in files would look like:
+
+.nf
+.RS 4n
+# /etc/systemd/system/kresd.socket.d/override.conf
+[Socket]
+ListenDatagram=192.0.2.115:53
+ListenStream=192.0.2.115:53
+
+# /etc/systemd/system/kresd-tls.socket.d/override.conf
+[Socket]
+ListenStream=192.0.2.115:853
+.RE
+.fi
+
+For more detailed socket configuration, see \fBsystemd.socket\fR(5).
+
+.B Concurrent daemons
+
+If you have more than one CPU core available, a single running
+\fBkresd\fR daemon will only be able to make use of one core at a
+time, leaving the other cores idle. If you want \fBkresd\fR to take
+advantage of all available cores, while sharing both cache and public
+listening ports, you should enable and start as many instances of the
+\fBkresd@.service\fR as you have cores. Typically, each instance is
+just named \fIkresd@\fBN\fI.service\fR, where \fIN\fR is a decimal
+number. To enable 3 concurrent daemons:
+
+.nf
+.RS 4n
+.B systemctl enable --now kresd@1.service kresd@2.service kresd@3.service
+.RE
+.fi
+
+.B Using system-kresd.slice and kresd.target
+
+The following commands may not work with older systemd (e.g. on CentOS 7).
+See notes for more info.
+
+The easiest way to view the status of systemd-supervised \fBkresd\fR
+instances is to use the \fIsystem-kresd.slice\fR:
+
+.nf
+.RS 4n
+.B systemctl status system-kresd.slice
+.RE
+.fi
+
+You can also use the slice to restart all sockets as well as daemons:
+
+.nf
+.RS 4n
+.B systemctl restart system-kresd.slice
+.RE
+.fi
+
+Or you can use it to stop kresd altogether (e.g. during package removal):
+
+.nf
+.RS 4n
+.B systemctl stop system-kresd.slice
+.RE
+.fi
+
+To start all enabled kresd daemons, use the provided \fIkresd.target\fR:
+
+.nf
+.RS 4n
+.B systemctl start kresd.target
+.RE
+.fi
+
+.SH "NOTES"
+
+.IP * 2
+When an instance of \fIkresd@.service\fR is started, stopped or
+restarted, its associated control socket is also automatically
+started, stopped or restarted, but the public listening sockets remain
+open. As long as either of the public sockets are listening, at least
+\fIkresd@1.service\fR will be automatically activated when a request arrives.
+
+.IP * 2
+If your distribution doesn't use socket-based activation, you can configure the
+network interfaces for \fBkresd\fR in \fI/etc/knot-resolver/kresd.conf\fR. The
+service can be started or enabled in the same way as in the examples below, but
+it doesn't have any sockets associated with it.
+
+.IP * 2
+Controlling the service with \fIsystem-kresd.slice\fR requires newer systemd.
+It may not work in some distributions, notably CentOS 7. To control multiple
+kresd instances, use \fIkresd@*.service\fR or \fIBrace Expansion\fR mentioned
+below.
+
+.SH "EXAMPLES"
+
+.B Single instance
+.RS 4n
+
+To start the service:
+.nf
+.RS 4n
+.B systemctl start kresd@1.service
+.RE
+.fi
+
+To start the service at boot:
+.nf
+.RS 4n
+.B systemctl enable kresd@1.service
+.RE
+.fi
+
+To delay the service startup until some traffic arrives, start (or enable) just
+the sockets:
+.nf
+.RS 4n
+.B systemctl start kresd.socket
+.B systemctl start kresd-tls.socket
+.RE
+.fi
+
+To disable the TLS socket, you can mask it:
+
+.RS 4n
+.B systemctl mask kresd-tls.socket
+.RE
+
+.RE
+
+.B Multiple instances
+.RS 4n
+
+Multiple instances can be handled with the use of \fIBrace Expansion\fR (see
+\fBbash\fR(1)).
+
+To enable multiple concurrent daemons, for example 16:
+.nf
+.RS
+.B systemctl enable kresd@{1..16}.service
+.RE
+.fi
+
+To start all enabled daemons:
+.nf
+.RS
+.B systemctl start kresd.target
+.RE
+.fi
+
+.RE
+
+.SH "SEE ALSO"
+\fIkresd(8)\fR,
+\fIsystemd.unit(5)\fR,
+\fIsystemd.socket(5)\fR,
+\fIhttps://knot-resolver.readthedocs.io\fR
+
+.SH "AUTHORS"
+.B kresd
+developers are mentioned in the AUTHORS file in the distribution.
diff --git a/distro/common/systemd/kresd.target b/distro/common/systemd/kresd.target
new file mode 100644
index 0000000..9b524da
--- /dev/null
+++ b/distro/common/systemd/kresd.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=Knot Resolver daemons
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+After=network-online.target
+
+[Install]
+WantedBy=multi-user.target
diff --git a/distro/common/systemd/kresd@.service b/distro/common/systemd/kresd@.service
new file mode 100644
index 0000000..048aee0
--- /dev/null
+++ b/distro/common/systemd/kresd@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver daemon
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+
+[Service]
+Type=notify
+WorkingDirectory=/var/cache/knot-resolver
+ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf
+User=knot-resolver
+Restart=on-failure
+Sockets=kresd.socket
+Sockets=kresd-tls.socket
+Sockets=kresd-control@%i.socket
+
+[Install]
+WantedBy=kresd.target
diff --git a/distro/common/tmpfiles/knot-resolver.conf b/distro/common/tmpfiles/knot-resolver.conf
new file mode 100644
index 0000000..9ac5952
--- /dev/null
+++ b/distro/common/tmpfiles/knot-resolver.conf
@@ -0,0 +1,4 @@
+# tmpfiles.d(5) runtime directory for knot-resolver (kresd)
+#Type Path Mode UID GID Age Argument
+ d /run/knot-resolver 0750 root root - -
+ d /var/cache/knot-resolver 0750 knot-resolver knot-resolver - -
diff --git a/distro/deb/NEWS b/distro/deb/NEWS
new file mode 100644
index 0000000..e81403c
--- /dev/null
+++ b/distro/deb/NEWS
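Review bot: The `[Service]` section of kresd@.service drops to `User=knot-resolver` but sets none of systemd's sandboxing options, so a compromised resolver process is limited only by file permissions. Because socket activation means the daemon needs no capabilities of its own, `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectHome=true` look safe to add below `User=`. `ProtectSystem=` would need more care, since a trust-anchor file under /etc/knot-resolver may have to stay writable for key updates, so I would add it only together with a matching `ReadWritePaths=` entry.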
@@ -0,0 +1,23 @@
+knot-resolver (2.0.0-1) unstable; urgency=medium
+
+ Knot Resolver systemd service units are now templated, so that multiple
+ processes can run concurrently on multi-core systems. For a full
+ overview of the status of all the running daemons, use:
+
+ systemctl status system-kresd.slice
+
+ For more information about this setup, please see kresd.systemd(7).
+
+ -- Daniel Kahn Gillmor Sat, 03 Feb 2018 22:51:02 -0500
+
+knot-resolver (1.1.0~git2016072900-1) unstable; urgency=medium
+
+ Knot Resolver now starts and runs under unprivileged user and uses a
+ socket activations to bind on the privileged ports. That means that if
+ you use anything more complicated than that you need to either override
+ the default service file with `systemd edit kresd.service` and
+ `systemd edit kresd.socket` to add more IP addresses, or just disable
+ it with `systemd mask kresd*.socket kresd.service` and provide your
+ own custom system service file tailored to your needs.
+
+ -- Ondřej Surý Thu, 04 Aug 2016 09:04:53 +0200
diff --git a/distro/deb/README.source b/distro/deb/README.source
new file mode 100644
index 0000000..657fc28
--- /dev/null
+++ b/distro/deb/README.source
@@ -0,0 +1,70 @@
+Tracking upstream sources in git
+--------------------------------
+
+This debian package is tracked in the git "debian/master" branch at
+https://salsa.debian.org/dns-team/knot-resolver, which
+includes the commits from the upstream git repository at
+https://gitlab.labs.nic.cz/knot/knot-resolver.git. When importing
+upstream tarballs, make sure you've fetched from the upstream repo
+before using "gbp import-orig" the tarball. We rely on
+upstream-vcs-tag from debian/gbp.conf to link upstream git history
+with new package history.
+
+See Joey Hess's thoughts about why tracking upstream git history is
+useful: https://joeyh.name/blog/entry/upstream_git_repositories/, as
+well as DEP-14 for the branch-naming scheme:
+http://dep.debian.net/deps/dep14/
+
+Rebuilding epoch.js and epoch.css
+---------------------------------
+
+ If you need to rebuild epoch.js and epoch.css using only tools
+ available in Debian, read gulpfile.js in d/missing-sources/epoch/ and
+ adjust following script if any files has been changed. You also need
+ to install ruby-sass, coffeescript and node-uglify
+
+cat > build.sh << EOF
+#!/bin/sh
+
+coffee -b -c \
+ src/epoch.coffee \
+ src/core/context.coffee \
+ src/core/util.coffee \
+ src/core/d3.coffee \
+ src/core/format.coffee \
+ src/core/chart.coffee \
+ src/core/css.coffee \
+ src/data.coffee \
+ src/model.coffee \
+ src/basic.coffee \
+ src/basic/*.coffee \
+ src/time.coffee \
+ src/time/*.coffee \
+ src/adapters.coffee \
+ src/adapters/*.coffee
+
+cat \
+ src/epoch.js \
+ src/core/context.js \
+ src/core/util.js \
+ src/core/d3.js \
+ src/core/format.js \
+ src/core/chart.js \
+ src/core/css.js \
+ src/data.js \
+ src/model.js \
+ src/basic.js \
+ src/basic/*.js \
+ src/time.js \
+ src/time/*.js \
+ src/adapters.js \
+ src/adapters/*.js \
+ > dist/js/epoch.js
+
+uglifyjs dist/js/epoch.js > dist/js/epoch.min.js
+
+sass -t compact sass/epoch.scss > dist/css/epoch.css
+sass -t compressed sass/epoch.scss > dist/css/epoch.min.css
+EOF
+
+ -- Daniel Kahn Gillmor , Thu, 22 Feb 2018 13:25:27 -0800
diff --git a/distro/deb/changelog b/distro/deb/changelog
new file mode 100644
index 0000000..b0a6a3f
--- /dev/null
+++ b/distro/deb/changelog
@@ -0,0 +1,6 @@
+knot-resolver (__VERSION__-1) unstable; urgency=medium
+
+ * move changelog to OBS
+ * see NEWS or https://knot-resolver.cz
+
+ -- Tomas Krizek Tue, 20 Feb 2018 19:36:45 +0100
diff --git a/distro/deb/clean b/distro/deb/clean
new file mode 100644
index 0000000..2ef7cbc
--- /dev/null
+++ b/distro/deb/clean
@@ -0,0 +1,4 @@
+doc/kresd.8
+libkres.pc
+lib/libkres.a
+lib/libkres.so.9
diff --git a/distro/deb/compat b/distro/deb/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/distro/deb/compat
@@ -0,0 +1 @@
+9
diff --git a/distro/deb/control b/distro/deb/control
new file mode 100644
index 0000000..012ff2b
--- /dev/null
+++ b/distro/deb/control
@@ -0,0 +1,137 @@
+Source: knot-resolver
+Section: net
+Priority: optional
+Maintainer: Knot Resolver
+Uploaders:
+ Tomas Krizek
+Build-Depends-Indep:
+ doxygen,
+ python3-breathe,
+ python3-sphinx,
+ python3-sphinx-rtd-theme,
+Build-Depends:
+ debhelper (>= 9~),
+ dns-root-data,
+ libcmocka-dev (>= 1.0.0),
+ libedit-dev,
+ libgeoip-dev,
+ libgnutls28-dev,
+ libknot-dev (>= 2.7.2),
+ liblmdb-dev,
+ libluajit-5.1-dev,
+ libsystemd-dev (>= 227) [linux-any],
+ libuv1-dev,
+ luajit,
+ pkg-config,
+Homepage: https://www.knot-resolver.cz/
+Rules-Requires-Root: no
+
+Package: knot-resolver
+Architecture: any
+Depends:
+ adduser,
+ dns-root-data,
+ libkres9 (= ${binary:Version}),
+ lua-sec,
+ lua-socket,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ knot-resolver-module-http,
+Description: caching, DNSSEC-validating DNS resolver
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions. There are three built-in modules - iterator, cache,
+ validator, and many external.
+ .
+ The Lua modules, switchable and shareable cache, and fast FFI
+ bindings makes it great to tap into resolution process, or be used
+ for your recursive DNS service. It's the OpenResty of DNS.
+ .
+ The server adopts a different scaling strategy than the rest of the
+ DNS recursors - no threading, shared-nothing architecture (except
+ MVCC cache that may be shared). You can start and stop additional
+ nodes depending on the contention without downtime.
+
+Package: knot-resolver-module-http
+Architecture: all
+Depends:
+ libjs-bootstrap,
+ libjs-d3,
+ libjs-jquery,
+ lua-http,
+ lua-mmdb,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ knot-resolver-module-tinyweb (<< 1.1.0~git20160713-1~),
+Description: HTTP/2 module for Knot Resolver
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions. There are three built-in modules - iterator, cache,
+ validator, and many external.
+ .
+ This package contains HTTP/2 module for local visualization of the
+ resolver cache and queries.
+
+Package: knot-resolver-doc
+Architecture: all
+Section: doc
+Depends:
+ libjs-jquery,
+ libjs-underscore,
+ ${misc:Depends},
+Description: Documentation for Knot Resolver
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions. There are three built-in modules - iterator, cache,
+ validator, and many external.
+ .
+ This package contains Knot Resolver Documentation.
+
+Package: libkres9
+Architecture: any
+Section: libs
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ knot-resolver (<< 3.2.0-1),
+Replaces:
+ knot-resolver (<< 3.2.0-1),
+Description: caching, DNSSEC-validating DNS resolver (shared library)
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions.
+ .
+ This package contains the libkres shared library used by Knot
+ Resolver.
+
+Package: libkres-dev
+Architecture: any
+Section: libdevel
+Depends:
+ libkres9 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ knot-resolver (<< 3.2.0-1),
+Replaces:
+ knot-resolver (<< 3.2.0-1),
+Description: caching, DNSSEC-validating DNS resolver (shared library development files)
+ The Knot Resolver is a caching full resolver implementation
+ written in C and LuaJIT, including both a resolver library and a
+ daemon. Modular architecture of the library keeps the core tiny and
+ efficient, and provides a state-machine like API for
+ extensions.
+ .
+ This package provides development files for use when building against
+ the libkres shared library.
diff --git a/distro/deb/copyright b/distro/deb/copyright
new file mode 100644
index 0000000..10ecbf3
--- /dev/null
+++ b/distro/deb/copyright
@@ -0,0 +1,448 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: knot-resolver
+Source: https://www.knot-resolver.cz/
+
+Files: *
+Copyright: 2015-2018 CZ.NIC
+License: GPL-3.0+
+
+Files: contrib/ccan/asprintf/*
+Copyright: Rusty Russell
+License: Expat
+
+Files: contrib/ccan/compiler/*
+ contrib/ccan/ilog/*
+Copyright: Rusty Russell
+License: CC0
+
+Files: tests/config/tapered/*
+Copyright: 2012-2017, Peter Aronoff
+License: BSD-3-clause
+
+Files: contrib/lmdb/*
+Copyright: 1999-2003 The OpenLDAP Foundation
+License: OpenLDAP
+
+Files: tests/deckard/contrib/libfaketime/*
+Copyright: 2003-2017 Wolfgang Hommel
+License: GPL-2
+
+Files: tests/deckard/contrib/libswrap/*
+Copyright: 2005,2008 Jelmer Vernooij
+ 2006-2009 Stefan Metzmacher
+ 2013 Andreas Schneider
+License: BSD-3-clause
+
+Files: contrib/murmurhash3/*
+Copyright: Austin Appleby
+License: CC0-1.0
+
+Files: debian/missing-sources/dygraph-combined.js
+ modules/http/static/dygraph-combined.js
+Copyright: 2006-2014 Dan Vanderkam
+ 2016 Paul Miller
+ 2011 Robert Konigsberg
+ 2013 David Eberlein
+License: MIT
+
+Files: contrib/ucw/*
+Copyright: 1997-2015 Martin Mares
+ 2005-2014 Tomas Valla
+ 2006 Robert Spalek
+ 2007-2015 Pavel Charvat
+License: LGPL-2.1
+
+Files: contrib/ccan/json/*
+Copyright: 2011 Joey Adams
+License: Expat
+
+Files: lib/generic/map.c lib/generic/map.h
+Copyright: Dan Bernstein
+ Jonas Gehring
+ Adam Langley
+ Marek Vavrusa
+License: public-domain
+
+Files: modules/policy/lua-aho-corasick/*
+Copyright: 2013 CloudFlare, Inc.
+License: BSD-3-CloudFlare
+
+Files: modules/http/static/jquery.js
+Copyright: 2005-2011 John Resig, Brandon Aaron & Jörn Zaefferer
+License: GPL-2 or Expat
+
+Files: modules/http/static/d3.js
+ modules/http/static/topojson.js
+Copyright: 2010-2015 Michael Bostock
+License: BSD-3-clause
+
+Files: modules/http/static/epoch.*
+ debian/missing-sources/epoch/*
+ debian/missing-sources/epoch.*
+Copyright: 2014 Fastly, Inc.
+License: Expat
+
+Files: modules/http/static/datamaps.world.min.js
+Copyright: 2012 Mark DiMarco
+License: Expat
+
+Files: modules/http/static/bootstrap.min.css
+ modules/http/static/bootstrap.min.js
+ modules/http/static/bootstrap-theme.min.css
+ modules/http/static/glyphicons-halflings-regular.woff2
+Copyright: 2012-2016 Thomas Park
+ 2011-2015 Twitter, Inc.
+License: Expat
+
+Files: modules/http/static/selectize.bootstrap3.min.css
+ modules/http/static/selectize.min.css
+ modules/http/static/selectize.min.js
+Copyright: 2013–2015 Brian Reavis & contributors
+License: Apache-2.0
+
+Files: debian/*
+Copyright: 2015 Ondřej Surý
+License: GPL-3.0+
+
+License: LGPL-2.1
+ This library is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of the
+ License, or (at your option) any later version.
+ .
+ This library is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library. If not, see .
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/LGPL-2.1".
+
+License: GPL-3.0+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+License: CC0
+ Statement of Purpose
+ .
+ The laws of most jurisdictions throughout the world automatically
+ confer exclusive Copyright and Related Rights (defined below) upon
+ the creator and subsequent owner(s) (each and all, an "owner") of an
+ original work of authorship and/or a database (each, a "Work").
+ .
+ Certain owners wish to permanently relinquish those rights to a Work
+ for the purpose of contributing to a commons of creative, cultural
+ and scientific works ("Commons") that the public can reliably and
+ without fear of later claims of infringement build upon, modify,
+ incorporate in other works, reuse and redistribute as freely as
+ possible in any form whatsoever and for any purposes, including
+ without limitation commercial purposes. These owners may contribute
+ to the Commons to promote the ideal of a free culture and the further
+ production of creative, cultural and scientific works, or to gain
+ reputation or greater distribution for their Work in part through the
+ use and efforts of others.
+ .
+ For these and/or other purposes and motivations, and without any
+ expectation of additional consideration or compensation, the person
+ associating CC0 with a Work (the "Affirmer"), to the extent that he
+ or she is an owner of Copyright and Related Rights in the Work,
+ voluntarily elects to apply CC0 to the Work and publicly distribute
+ the Work under its terms, with knowledge of his or her Copyright and
+ Related Rights in the Work and the meaning and intended legal effect
+ of CC0 on those rights.
+ .
+ 1. Copyright and Related Rights. A Work made available under CC0 may
+ be protected by copyright and related or neighboring rights
+ ("Copyright and Related Rights"). Copyright and Related Rights
+ include, but are not limited to, the following:
+ .
+ i. the right to reproduce, adapt, distribute, perform, display,
+ communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or
+ performer(s);
+ iii. publicity and privacy rights pertaining to a person's image or
+ likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a
+ Work, subject to the limitations in paragraph 4(a), below;
+ v. rights protecting the extraction, dissemination, use and reuse
+ of data in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC
+ of the European Parliament and of the Council of 11 March 1996
+ on the legal protection of databases, and under any national
+ implementation thereof, including any amended or successor
+ version of such directive); and
+ vii. other similar, equivalent or corresponding rights throughout
+ the world based on applicable law or treaty, and any national
+ implementations thereof.
+ .
+ 2. Waiver. To the greatest extent permitted by, but not in
+ contravention of, applicable law, Affirmer hereby overtly, fully,
+ permanently, irrevocably and unconditionally waives, abandons, and
+ surrenders all of Affirmer's Copyright and Related Rights and
+ associated claims and causes of action, whether now known or
+ unknown (including existing as well as future claims and causes of
+ action), in the Work (i) in all territories worldwide, (ii) for
+ the maximum duration provided by applicable law or treaty
+ (including future time extensions), (iii) in any current or future
+ medium and for any number of copies, and (iv) for any purpose
+ whatsoever, including without limitation commercial, advertising
+ or promotional purposes (the "Waiver"). Affirmer makes the Waiver
+ for the benefit of each member of the public at large and to the
+ detriment of Affirmer's heirs and successors, fully intending that
+ such Waiver shall not be subject to revocation, rescission,
+ cancellation, termination, or any other legal or equitable action
+ to disrupt the quiet enjoyment of the Work by the public as
+ contemplated by Affirmer's express Statement of Purpose.
+ .
+ 3. Public License Fallback. Should any part of the Waiver for any
+ reason be judged legally invalid or ineffective under applicable
+ law, then the Waiver shall be preserved to the maximum extent
+ permitted taking into account Affirmer's express Statement of
+ Purpose. In addition, to the extent the Waiver is so judged
+ Affirmer hereby grants to each affected person a royalty-free, non
+ transferable, non sublicensable, non exclusive, irrevocable and
+ unconditional license to exercise Affirmer's Copyright and Related
+ Rights in the Work (i) in all territories worldwide, (ii) for the
+ maximum duration provided by applicable law or treaty (including
+ future time extensions), (iii) in any current or future medium and
+ for any number of copies, and (iv) for any purpose whatsoever,
+ including without limitation commercial, advertising or
+ promotional purposes (the "License"). The License shall be deemed
+ effective as of the date CC0 was applied by Affirmer to the
+ Work. Should any part of the License for any reason be judged
+ legally invalid or ineffective under applicable law, such partial
+ invalidity or ineffectiveness shall not invalidate the remainder
+ of the License, and in such case Affirmer hereby affirms that he
+ or she will not (i) exercise any of his or her remaining Copyright
+ and Related Rights in the Work or (ii) assert any associated
+ claims and causes of action with respect to the Work, in either
+ case contrary to Affirmer's express Statement of Purpose.
+ .
+ 4. Limitations and Disclaimers.
+ .
+ a. No trademark or patent rights held by Affirmer are waived,
+ abandoned, surrendered, licensed or otherwise affected by this
+ document.
+ b. Affirmer offers the Work as-is and makes no representations or
+ warranties of any kind concerning the Work, express, implied,
+ statutory or otherwise, including without limitation warranties
+ of title, merchantability, fitness for a particular purpose, non
+ infringement, or the absence of latent or other defects,
+ accuracy, or the present or absence of errors, whether or not
+ discoverable, all to the greatest extent permissible under
+ applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other
+ persons that may apply to the Work or any use thereof, including
+ without limitation any person's Copyright and Related Rights in
+ the Work. Further, Affirmer disclaims responsibility for
+ obtaining any necessary consents, permissions or other rights
+ required for any use of the Work.
+ d. Affirmer understands and acknowledges that Creative Commons is
+ not a party to this document and has no duty or obligation with
+ respect to this CC0 or use of the Work.
+
+License: BSD-3-CloudFlare
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ 3. Neither the name of CloudFlare, Inc. nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: BSD-3-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the author nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+
+License: Apache-2.0
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the full text of the Apache Software License version 2 can
+ be found in the file `/usr/share/common-licenses/Apache-2.0'.
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+License: OpenLDAP
+ Redistribution and use of this software and associated documentation
+ ("Software"), with or without modification, are permitted provided
+ that the following conditions are met:
+ .
+ 1. Redistributions in source form must retain copyright statements
+ and notices,
+ .
+ 2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
+ .
+ 3. Redistributions must contain a verbatim copy of this document.
+ .
+ The OpenLDAP Foundation may revise this license from time to time.
+ Each revision is distinguished by a version number. You may use
+ this Software under terms of this license revision or under the
+ terms of any subsequent revision of the license.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+ CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+ SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+ OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ .
+ The names of the authors and copyright holders must not be used in
+ advertising or otherwise to promote the sale, use or other dealing
+ in this Software without specific, written prior permission. Title
+ to copyright in this Software shall at all times remain with copyright
+ holders.
+ .
+ OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+License: CC0-1.0
+ This work is licensed under the "Creative Commons Zero" license.
+ .
+ On debian systems, a copy of the Creative Commons Zero license may be
+ found at /usr/share/common-licenses/CC0-1.0.
+
+License: public-domain
+ This work has been released into the public domain. The map
+ implementation builds off of prior public domain work from Dan
+ Bernstein (qhasm) and Adam Langley (critbit).
diff --git a/distro/deb/docs b/distro/deb/docs
new file mode 100644
index 0000000..b43bf86
--- /dev/null
+++ b/distro/deb/docs
@@ -0,0 +1 @@
+README.md
diff --git a/distro/deb/init-d-script b/distro/deb/init-d-script
new file mode 100755
index 0000000..334dc32
--- /dev/null
+++ b/distro/deb/init-d-script
@@ -0,0 +1,239 @@
+#!/bin/sh
+# See init-d-script(5) for instructions on how to use this library.
+#=============================================================================
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh
+# script. Scripts running before mountnfs.sh should remove the /usr/*
+# entries.
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+is_call_implemented() {
+ command -V $1 > /dev/null 2>&1
+}
+
+do_usage() {
+ if is_call_implemented do_reload ; then
+ echo "Usage: $SCRIPTNAME {start|stop|status|reload|restart|try-restart|force-reload}" >&2
+ else
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|try-restart|force-reload}" >&2
+ fi
+}
+
+call() {
+ cmd="$1"
+ shift
+ if is_call_implemented ${cmd}_override ; then
+ ${cmd}_override "$@"
+ else
+ ${cmd} "$@"
+ fi
+}
+
+#
+# Function that starts the daemon/service
+#
+
+# Return
+# 0 if daemon has been started
+# 1 if daemon was already running
+# 2 if daemon could not be started
+do_start_cmd() {
+ start-stop-daemon --start --quiet ${PIDFILE:+--pidfile ${PIDFILE}} \
+ $START_ARGS \
+ --startas $DAEMON --name $NAME --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet ${PIDFILE:+--pidfile ${PIDFILE}} \
+ $START_ARGS \
+ --startas $DAEMON --name $NAME --exec $DAEMON -- $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+do_start()
+{
+ if is_call_implemented do_start_prepare ; then
+ call do_start_prepare
+ fi
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ call do_start_cmd
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ if is_call_implemented do_start_cleanup ; then
+ call do_start_cleanup
+ fi
+}
+
+#
+# Function that stops the daemon/service
+#
+
+# Return
+# 0 if daemon has been stopped
+# 1 if daemon was already stopped
+# 2 if daemon could not be stopped
+# other if a failure occurred
+do_stop_cmd() {
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+ $STOP_ARGS \
+ ${PIDFILE:+--pidfile ${PIDFILE}} --name $NAME --exec $DAEMON
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
+ $STOP_ARGS \
+ --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return $RETVAL
+}
+
+do_stop()
+{
+ if is_call_implemented do_stop_prepare ; then
+ call do_stop_prepare
+ fi
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ call do_stop_cmd
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ if is_call_implemented do_stop_cleanup ; then
+ call do_stop_cleanup
+ fi
+}
+
+do_restart() {
+ [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
+ call do_stop_cmd
+ call do_start_cmd
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+}
+
+do_force_reload() {
+ if is_call_implemented do_reload ; then
+ call do_reload
+ else
+ call do_restart
+ fi
+}
+
+# Enable this using
+# alias do_reload=do_reload_sigusr1
+do_reload_sigusr1() {
+ log_daemon_msg "Reloading $DESC configuration files" "$NAME"
+ start-stop-daemon --oknodo --stop --signal 1 --quiet \
+ --pidfile "$PIDFILE" --exec "$DAEMON"
+ log_end_msg $?
+}
+
+do_status() {
+ status_of_proc "$DAEMON" "$NAME" && return 0 || return $?
+}
+
+if [ "$DEBUG" = "true" ] ; then
+ set -x
+fi
+
+SCRIPTNAME=$1
+scriptbasename="$(basename $1)"
+if [ "$scriptbasename" != "init-d-script" ] ; then
+ script="$1"
+ shift
+ . $script
+else
+ exit 0
+fi
+
+NAME=${NAME:=$(basename $DAEMON)}
+DESC=${DESC:=$NAME}
+
+# Do not use pid file if $PIDFILE is 'none'. Otherwise, generate from
+# $NAME or use the value provided by the init.d script.
+if [ none = "$PIDFILE" ] ; then
+ PIDFILE=
+elif [ -z "$PIDFILE" ] ; then
+ PIDFILE=/var/run/$NAME.pid
+fi
+
+# Exit if the package is not installed
+if [ none != "$DAEMON" ] && [ ! -x "$DAEMON" ] ; then
+ exit 0
+fi
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+if [ -t 0 ] ; then # Be verbose when called from a terminal
+ VERBOSE=yes
+fi
+
+case "$1" in
+ start)
+ call do_start
+ ;;
+ stop)
+ call do_stop
+ ;;
+ status)
+ call do_status
+ ;;
+ reload)
+ if is_call_implemented do_reload ; then
+ do_reload
+ else
+ call do_usage
+ exit 3
+ fi
+ ;;
+ force-reload)
+ call do_force_reload
+ ;;
+ restart)
+ call do_restart
+ ;;
+ try-restart)
+ log_daemon_msg "Trying to restart $DESC" "$NAME"
+ if call do_status > /dev/null 2>&1 ; then
+ call do_restart
+ log_end_msg $?
+ else
+ log_progress_msg "is not running."
+ log_end_msg 1
+ fi
+ ;;
+ '')
+ call do_usage
+ exit 3
+ ;;
+ *)
+ if is_call_implemented do_unknown ; then
+ call do_unknown "$1"
+ exit 3
+ else
+ call do_usage
+ exit 3
+ fi
+ ;;
+esac
+exit 0
diff --git a/distro/deb/knot-resolver-doc.doc-base b/distro/deb/knot-resolver-doc.doc-base
new file mode 100644
index 0000000..f82b8ba
--- /dev/null
+++ b/distro/deb/knot-resolver-doc.doc-base
@@ -0,0 +1,11 @@
+Document: knot-resolver
+Title: Knot Resolver documentation
+Author: CZ.NIC labs
+Abstract: Documentation for the Knot Resolver,
+ including building from source, using the library,
+ and configuration and operation of the daemon.
+Section: Network/Communication
+
+Format: HTML
+Index: /usr/share/doc/knot-resolver/index.html
+Files: /usr/share/doc/knot-resolver/*.html
diff --git a/distro/deb/knot-resolver-doc.docs b/distro/deb/knot-resolver-doc.docs
new file mode 100644
index 0000000..3ff7356
--- /dev/null
+++ b/distro/deb/knot-resolver-doc.docs
@@ -0,0 +1 @@
+doc/html/*
diff --git a/distro/deb/knot-resolver-doc.links b/distro/deb/knot-resolver-doc.links
new file mode 100644
index 0000000..4c7c74f
--- /dev/null
+++ b/distro/deb/knot-resolver-doc.links
@@ -0,0 +1,2 @@
+usr/share/javascript/jquery/jquery.min.js usr/share/doc/knot-resolver/_static/jquery.js
+usr/share/javascript/underscore/underscore.min.js usr/share/doc/knot-resolver/_static/underscore.js
diff --git a/distro/deb/knot-resolver-module-http.install b/distro/deb/knot-resolver-module-http.install
new file mode 100644
index 0000000..3c2d56b
--- /dev/null
+++ b/distro/deb/knot-resolver-module-http.install
@@ -0,0 +1,6 @@
+usr/lib/knot-resolver/http.lua
+usr/lib/knot-resolver/http/*.css
+usr/lib/knot-resolver/http/*.ico
+usr/lib/knot-resolver/http/*.js
+usr/lib/knot-resolver/http/*.tpl
+usr/lib/knot-resolver/http/*.woff2
diff --git a/distro/deb/knot-resolver-module-http.links b/distro/deb/knot-resolver-module-http.links
new file mode 100644
index 0000000..322529c
--- /dev/null
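Review bot: `do_restart` discards the result of `call do_stop_cmd`, so when the stop fails (return 2) the following `do_start_cmd` sees the old process in its `--test` probe, returns 1, and the `0|1)` branch reports success while the previous daemon instance keeps running. Callers that restart in order to load new state, such as the `try-restart` case further down, then get a false "ok". Check the stop status before starting, e.g. `call do_stop_cmd; [ "$?" = 2 ] && { log_end_msg 1; return 2; }`. Separately, `do_reload_sigusr1` sends `--signal 1`, which is SIGHUP rather than SIGUSR1; a one-line comment such as `# NOTE: despite the name this sends SIGHUP (signal 1)` would prevent confusion. This file looks like a copy of the distribution's init-d-script library, so the change may have to be carried as a local delta.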
+++ b/distro/deb/knot-resolver-module-http.links
@@ -0,0 +1,5 @@
+/usr/share/javascript/bootstrap/css/bootstrap-theme.min.css /usr/lib/knot-resolver/http/bootstrap-theme.min.css
+/usr/share/javascript/bootstrap/css/bootstrap.min.css /usr/lib/knot-resolver/http/bootstrap.min.css
+/usr/share/javascript/bootstrap/js/bootstrap.min.js /usr/lib/knot-resolver/http/bootstrap.min.js
+/usr/share/javascript/d3/d3.min.js /usr/lib/knot-resolver/http/d3.js
+/usr/share/javascript/jquery/jquery.min.js /usr/lib/knot-resolver/http/jquery.js
diff --git a/distro/deb/knot-resolver-module-tinyweb.install b/distro/deb/knot-resolver-module-tinyweb.install
new file mode 100644
index 0000000..905241c
--- /dev/null
+++ b/distro/deb/knot-resolver-module-tinyweb.install
@@ -0,0 +1 @@
+usr/lib/knot-resolver/tinyweb/*
diff --git a/distro/deb/knot-resolver.dirs b/distro/deb/knot-resolver.dirs
new file mode 100644
index 0000000..472b32a
--- /dev/null
+++ b/distro/deb/knot-resolver.dirs
@@ -0,0 +1,3 @@
+/etc/knot-resolver
+/usr/share/doc/knot-resolver/examples/
+/var/lib/knot-resolver
diff --git a/distro/deb/knot-resolver.install b/distro/deb/knot-resolver.install
new file mode 100644
index 0000000..d6c9b10
--- /dev/null
+++ b/distro/deb/knot-resolver.install
@@ -0,0 +1,38 @@
+debian/init-d-script usr/lib/knot-resolver/
+debian/kresd.conf etc/knot-resolver/
+etc/knot-resolver/config.* /usr/share/doc/knot-resolver/examples/
+distro/common/systemd/kresd-control@.socket lib/systemd/system/
+distro/common/systemd/kresd-tls.socket lib/systemd/system/
+distro/common/systemd/kresd.socket lib/systemd/system/
+distro/common/systemd/kresd@.service lib/systemd/system/
+distro/common/systemd/kresd.target lib/systemd/system/
+distro/common/tmpfiles/knot-resolver.conf usr/lib/tmpfiles.d/
+usr/lib/knot-resolver/*.so
+usr/lib/knot-resolver/basexx.lua
+usr/lib/knot-resolver/daf.lua
+usr/lib/knot-resolver/daf/
+usr/lib/knot-resolver/detect_time_jump.lua
+usr/lib/knot-resolver/detect_time_skew.lua
+usr/lib/knot-resolver/dns64.lua
+usr/lib/knot-resolver/etcd.lua
+usr/lib/knot-resolver/experimental_dot_auth.lua
+usr/lib/knot-resolver/graphite.lua
+usr/lib/knot-resolver/http_trace.lua
+usr/lib/knot-resolver/kres-gen.lua
+usr/lib/knot-resolver/kres.lua
+usr/lib/knot-resolver/policy.lua
+usr/lib/knot-resolver/predict.lua
+usr/lib/knot-resolver/prefill.lua
+usr/lib/knot-resolver/priming.lua
+usr/lib/knot-resolver/prometheus.lua
+usr/lib/knot-resolver/rebinding.lua
+usr/lib/knot-resolver/renumber.lua
+usr/lib/knot-resolver/serve_stale.lua
+usr/lib/knot-resolver/ta_sentinel.lua
+usr/lib/knot-resolver/ta_signal_query.lua
+usr/lib/knot-resolver/trust_anchors.lua
+usr/lib/knot-resolver/view.lua
+usr/lib/knot-resolver/workarounds.lua
+usr/lib/knot-resolver/zonefile.lua
+usr/sbin/kresc
+usr/sbin/kresd
diff --git a/distro/deb/knot-resolver.kresd.default b/distro/deb/knot-resolver.kresd.default
new file mode 100644
index 0000000..f7c46e5
--- /dev/null
+++ b/distro/deb/knot-resolver.kresd.default
@@ -0,0 +1,13 @@
+# /etc/default/kresd
+
+# This file is used only under sysvinit. If you use systemd and you
+# want to modify the arguments with which kresd is invoked, you should
+# instead use "systemctl edit kresd@.service" to override ExecStart=
+# in the [Service] section (see kresd.systemd(7) for more details).
+
+# For sysvinit users: KRESD_ARGS used to exist for historical reasons,
+# but that variable is deprecated and may stop working at some point
+# in the future. You are encouraged to merge any local changes into
+# DAEMON_ARGS directly.
+
+DAEMON_ARGS="--config=/etc/knot-resolver/kresd.conf --addr=127.0.0.1#53 --addr=::1#53 $KRESD_ARGS"
diff --git a/distro/deb/knot-resolver.kresd.init b/distro/deb/knot-resolver.kresd.init
new file mode 100644
index 0000000..b1361fd
--- /dev/null
+++ b/distro/deb/knot-resolver.kresd.init
@@ -0,0 +1,59 @@
+#!/bin/sh
+# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
+if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
+ if [ -x /lib/init/init-d-script ]; then
+ set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
+ else
+ set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /usr/lib/knot-resolver/init-d-script
+ fi
+fi
+### BEGIN INIT INFO
+# Provides: kresd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Knot Resolver
+# Description: Knot Resolver
+### END INIT INFO
+
+# Author: Ondřej Surý
+
+NAME=kresd
+DESC="Knot Resolver"
+DAEMON=/usr/sbin/kresd
+START_ARGS="--background --make-pidfile"
+
+do_tmpfiles() {
+ local tmpfile type path mode user group age argument
+ tmpfile=/usr/lib/tmpfiles.d/$1.conf
+ if [ -r "$tmpfile" ]; then
+ if [ -x /bin/systemd-tmpfiles ]; then
+ /bin/systemd-tmpfiles --create "$tmpfile"
+ else
+ while read type path mode user group age argument; do
+ case "$type" in
+ d)
+ mkdir -p "$path";
+ chmod "$mode" "$path";
+ chown "$user:$group" "$path";
+ ;;
+ L)
+ if [ ! -e "$path" ]; then ln -s "$argument" "$path"; fi
+ ;;
+ \#*)
+ ;;
+ *)
+ log_warning_msg "tmpfile.d type '$type' is not supported yet"
+ ;;
+ esac
+ done < "$tmpfile"
+ fi
+ else
+ log_warning_msg "tmpfiles.d file '$1' doesn't exist or is not readable"
+ fi
+}
+
+do_start_prepare() {
+ do_tmpfiles knot-resolver
+}
diff --git a/distro/deb/knot-resolver.links b/distro/deb/knot-resolver.links
new file mode 100644
index 0000000..8196524
--- /dev/null
+++ b/distro/deb/knot-resolver.links
@@ -0,0 +1,2 @@
+dev/null lib/systemd/system/kresd.service
+lib/systemd/system/kresd.target lib/systemd/system/multi-user.target.wants/kresd.target
diff --git a/distro/deb/knot-resolver.manpages b/distro/deb/knot-resolver.manpages
new file mode 100644
index 0000000..9f97677
--- /dev/null
+++ b/distro/deb/knot-resolver.manpages
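Review bot: Nothing in this init script makes kresd leave root: `START_ARGS` is only `--background --make-pidfile`, with no `--chuid`, so under sysvinit the daemon is started as root and stays root unless it drops privileges itself. The `DAEMON_ARGS` default and the kresd.conf added by the same commit show no user switch either, although postinst creates a dedicated `knot-resolver` account, so it is worth confirming that the sysvinit path does not leave a root process parsing DNS traffic. At minimum record the expectation next to `START_ARGS`, e.g. `# kresd is started as root to bind port 53; it must drop to knot-resolver afterwards (kresd.conf: user('knot-resolver', 'knot-resolver'))`, and check that the shipped configuration actually does so for this path. Also, the `do_tmpfiles` fallback hands `$mode`, `$user` and `$group` straight to `chmod`/`chown`, which fails on the `-` placeholder that tmpfiles.d permits for unset fields; skipping those calls when the field is `-` would make the fallback match `systemd-tmpfiles`.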
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man8/kresd.8
+distro/common/systemd/kresd.systemd.7
diff --git a/distro/deb/knot-resolver.postinst b/distro/deb/knot-resolver.postinst
new file mode 100644
index 0000000..7c4bc5b
--- /dev/null
+++ b/distro/deb/knot-resolver.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "configure" ]; then
+ adduser --quiet --system --group --no-create-home --home /var/cache/knot-resolver knot-resolver
+fi
+
+# Restart any running kresd instances if the root key is updated.
+# Note: if knot-resolver upstream watches this file and reloads it
+# upon a change, we can and should remove this trigger.
+if [ "$1" = "triggered" ]; then
+ if [ "$2" = "/usr/share/dns/root.key" ]; then
+ # systemctl of the sub-services is the preferred method to restart
+ systemctl try-restart 'kresd@*.service' || true
+ # but if we are running sysvinit, we can try to restart that process anyway
+ # (kresd.service is masked on systems that use systemd)
+ invoke-rc.d kresd try-restart || true
+ fi
+ exit 0
+fi
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+ if [ -d /run/systemd/system ]; then
+ systemctl try-restart 'kresd@*.service' || true
+ else
+ invoke-rc.d kresd try-restart || true
+ fi
+fi
+
+#DEBHELPER#
diff --git a/distro/deb/knot-resolver.postrm b/distro/deb/knot-resolver.postrm
new file mode 100644
index 0000000..d67739e
--- /dev/null
+++ b/distro/deb/knot-resolver.postrm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "remove" ] && [ -x "/bin/systemctl" ]; then
+ systemctl stop system-kresd.slice || true
+fi
+
+#DEBHELPER#
diff --git a/distro/deb/knot-resolver.triggers b/distro/deb/knot-resolver.triggers
new file mode 100644
index 0000000..e8d8246
--- /dev/null
+++ b/distro/deb/knot-resolver.triggers
@@ -0,0 +1 @@
+interest-noawait /usr/share/dns/root.key
diff --git a/distro/deb/kresd.conf b/distro/deb/kresd.conf
new file mode 100644
index 0000000..e452f0e
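Review bot: The `triggered` branch of knot-resolver.postinst hides every restart failure behind `|| true`, so when /usr/share/dns/root.key is updated and neither `systemctl try-restart 'kresd@*.service'` nor `invoke-rc.d kresd try-restart` succeeds, kresd keeps running with the old trust anchor and the package manager reports nothing. That branch also calls both commands unconditionally, whereas the `configure` branch further down picks one with `[ -d /run/systemd/system ]`. I would reuse that test in the trigger branch and replace `|| true` with a message on stderr, e.g. `|| echo "knot-resolver: could not restart kresd after root key update" >&2`, so the failure is visible while the maintainer script still exits 0.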
--- /dev/null
+++ b/distro/deb/kresd.conf
@@ -0,0 +1,19 @@
+-- vim:syntax=lua:
+-- Refer to manual: http://knot-resolver.readthedocs.org/en/latest/daemon.html#configuration
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- See kresd.systemd(7) about configuring network interfaces when using systemd
+-- Listen on localhost (default)
+-- net = { '127.0.0.1', '::1' }
+
+-- To disable DNSSEC validation, uncomment the following line (not recommended)
+-- trust_anchors.keyfile_default = nil
+
+-- Cache size
+cache.size = 100 * MB
diff --git a/distro/deb/libkres-dev.install b/distro/deb/libkres-dev.install
new file mode 100644
index 0000000..d565b38
--- /dev/null
+++ b/distro/deb/libkres-dev.install
@@ -0,0 +1,3 @@
+usr/include/libkres/*.h
+usr/lib/*.so
+usr/lib/pkgconfig/libkres.pc
diff --git a/distro/deb/libkres9.install b/distro/deb/libkres9.install
new file mode 100644
index 0000000..093956b
--- /dev/null
+++ b/distro/deb/libkres9.install
@@ -0,0 +1 @@
+usr/lib/*.so.*
diff --git a/distro/deb/libkres9.symbols b/distro/deb/libkres9.symbols
new file mode 100644
index 0000000..444e333
--- /dev/null
+++ b/distro/deb/libkres9.symbols
@@ -0,0 +1,144 @@ +libkres.so.9 libkres9 #MINVER# + cache_api@Base 2.1.0 + iterate_api@Base 2.1.0 + kr_bitcmp@Base 2.1.0 + kr_cache_clear@Base 2.1.0 + kr_cache_close@Base 2.1.0 + kr_cache_closest_apex@Base 3.1.0 + kr_cache_emergency_file_to_remove@Base 3.1.0 + kr_cache_insert_rr@Base 3.0.0 + kr_cache_match@Base 3.1.0 + kr_cache_materialize@Base 2.1.0 + kr_cache_open@Base 2.1.0 + kr_cache_peek_exact@Base 2.1.0 + kr_cache_remove@Base 3.1.0 + kr_cache_remove_subtree@Base 3.1.0 + kr_cache_sync@Base 2.1.0 + kr_cache_ttl@Base 2.1.0 + kr_cdb_lmdb@Base 2.1.0 + kr_crypto_cleanup@Base 2.1.0 + kr_crypto_init@Base 2.1.0 + kr_crypto_reinit@Base 2.1.0 + kr_dnssec_key_ksk@Base 2.1.0 + kr_dnssec_key_match@Base 2.1.0 + kr_dnssec_key_revoked@Base 2.1.0 + kr_dnssec_key_tag@Base 2.1.0 + kr_dnssec_key_zsk@Base 2.1.0 + kr_family_len@Base 2.1.0 + kr_inaddr@Base 2.1.0 + kr_inaddr_family@Base 2.1.0 + kr_inaddr_len@Base 2.1.0 + kr_inaddr_port@Base 2.1.0 + kr_inaddr_set_port@Base 3.1.0 + kr_inaddr_str@Base 2.1.0 + kr_log_qverbose_impl@Base 3.2.0 + kr_log_trace@Base 2.1.0 + kr_log_verbose@Base 2.1.0 + kr_make_query@Base 3.0.0 + kr_memreserve@Base 2.1.0 + kr_module_call@Base 2.1.0 + kr_module_embedded@Base 2.1.0 + kr_module_load@Base 2.1.0 + kr_module_unload@Base 2.1.0 + kr_now@Base 2.1.0 + kr_nsrep_elect@Base 2.1.0 + kr_nsrep_elect_addr@Base 2.1.0 + kr_nsrep_set@Base 2.1.0 + kr_nsrep_sort@Base 3.2.0 + kr_nsrep_update_rep@Base 2.1.0 + kr_nsrep_update_rtt@Base 2.1.0 + kr_pkt_clear_payload@Base 2.1.0 + kr_pkt_make_auth_header@Base 2.1.0 + kr_pkt_put@Base 2.1.0 + kr_pkt_qclass@Base 3.0.0 + kr_pkt_qtype@Base 3.0.0 + kr_pkt_recycle@Base 2.1.0 + kr_qflags_clear@Base 2.1.0 + kr_qflags_set@Base 2.1.0 + kr_ranked_rrarray_add@Base 2.1.0 + kr_resolve_begin@Base 2.1.0 + kr_resolve_checkout@Base 2.1.0 + kr_resolve_consume@Base 2.1.0 + kr_resolve_finish@Base 2.1.0 + kr_resolve_plan@Base 2.1.0 + kr_resolve_pool@Base 2.1.0 + kr_resolve_produce@Base 2.1.0 + kr_rnd_buffered@Base 3.2.0 + kr_rplan_deinit@Base 
2.1.0 + kr_rplan_empty@Base 2.1.0 + kr_rplan_find_resolved@Base 2.1.0 + kr_rplan_init@Base 2.1.0 + kr_rplan_last@Base 2.1.0 + kr_rplan_pop@Base 2.1.0 + kr_rplan_push@Base 2.1.0 + kr_rplan_push_empty@Base 2.1.0 + kr_rplan_resolved@Base 2.1.0 + kr_rplan_satisfies@Base 2.1.0 + kr_rrkey@Base 2.1.0 + kr_rrset_init@Base 3.0.0 + kr_rrsig_sig_expiration@Base 3.0.0 + kr_rrsig_sig_inception@Base 3.0.0 + kr_rrsig_type_covered@Base 3.0.0 + kr_sockaddr_cmp@Base 3.0.0 + kr_sockaddr_len@Base 2.1.0 + kr_straddr_family@Base 2.1.0 + kr_straddr_join@Base 2.1.0 + kr_straddr_socket@Base 2.1.0 + kr_straddr_split@Base 2.1.0 + kr_straddr_subnet@Base 2.1.0 + kr_strcatdup@Base 2.1.0 + kr_ta_add@Base 2.1.0 + kr_ta_clear@Base 2.1.0 + kr_ta_covers@Base 2.1.0 + kr_ta_covers_qry@Base 2.1.0 + kr_ta_del@Base 2.1.0 + kr_ta_get@Base 2.1.0 + kr_ta_get_longest_name@Base 2.1.0 + kr_unpack_cache_key@Base 3.1.0 + kr_verbose_set@Base 2.1.0 + kr_verbose_status@Base 2.1.0 + kr_zonecut_add@Base 3.2.0 + kr_zonecut_copy@Base 2.1.0 + kr_zonecut_copy_trust@Base 2.1.0 + kr_zonecut_deinit@Base 2.1.0 + kr_zonecut_del@Base 3.2.0 + kr_zonecut_del_all@Base 2.1.0 + kr_zonecut_find@Base 2.1.0 + kr_zonecut_find_cached@Base 2.1.0 + kr_zonecut_init@Base 2.1.0 + kr_zonecut_is_empty@Base 3.0.0 + kr_zonecut_move@Base 3.2.0 + kr_zonecut_set@Base 2.1.0 + kr_zonecut_set_sbelt@Base 2.1.0 + lru_apply_impl@Base 2.1.0 + lru_create_impl@Base 2.1.0 + lru_free_items_impl@Base 2.1.0 + lru_get_impl@Base 2.1.0 + map_clear@Base 2.1.0 + map_contains@Base 2.1.0 + map_del@Base 2.1.0 + map_get@Base 2.1.0 + map_set@Base 2.1.0 + map_walk_prefixed@Base 2.1.0 + mm_realloc@Base 3.2.0 + queue_deinit_impl@Base 3.1.0 + queue_init_impl@Base 3.1.0 + queue_push_head_impl@Base 3.1.0 + queue_push_impl@Base 3.1.0 + trie_clear@Base 3.0.0 + trie_create@Base 3.0.0 + trie_del@Base 3.0.0 + trie_del_first@Base 3.1.0 + trie_free@Base 3.0.0 + trie_get_first@Base 3.1.0 + trie_get_ins@Base 3.0.0 + trie_get_leq@Base 3.1.0 + trie_get_try@Base 3.0.0 + trie_it_begin@Base 
3.0.0 + trie_it_finished@Base 3.0.0 + trie_it_free@Base 3.0.0 + trie_it_key@Base 3.0.0 + trie_it_next@Base 3.0.0 + trie_it_val@Base 3.0.0 + trie_weight@Base 3.0.0 + validate_api@Base 2.1.0 diff --git a/distro/deb/not-installed b/distro/deb/not-installed new file mode 100644 index 0000000..590e3b2 --- /dev/null +++ b/distro/deb/not-installed @@ -0,0 +1 @@ +usr/lib/knot-resolver/http/LICENSE diff --git a/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch b/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch new file mode 100644 index 0000000..53e6bb3 --- /dev/null +++ b/distro/deb/patches/0001-Update-documentation-of-keyfile-ro.patch 
@@ -0,0 +1,41 @@ +From: Daniel Kahn Gillmor +Date: Sat, 17 Feb 2018 15:52:20 -0500 +Subject: Update documentation of --keyfile-ro + +On Debian systems, we depend on the OS package management to update +the dns root data. Make the documentation for running with this +option less scary-sounding, as it is the default. +--- + doc/kresd.8.in | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/doc/kresd.8.in b/doc/kresd.8.in +index 266e9f0..6c5195b 100644 +--- a/doc/kresd.8.in ++++ b/doc/kresd.8.in +@@ -123,7 +123,7 @@ file at the default location (\fIconfig\fR). The syntax is + described in \fIdaemon/README.md\fR. + .TP + .B \-k\fI keyfile\fR, \fB\-\-keyfile=\fI +-(Recommended!) Automatically managed root trust anchors file. ++Automatically managed root trust anchors file. + Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors). + Kresd needs write access to the directory containing the keyfile. + +@@ -134,9 +134,14 @@ The file contains DNSKEY/DS records in presentation format, + and is compatible with Unbound and BIND 9 root key files. + .TP + .B \-K\fI keyfile\fR, \fB\-\-keyfile\-ro=\fI +-(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes! ++Static root trust anchors file. The file is not updated by ++kresd. Please ensure that any running kresd instances are restarted if ++the trust anchors change. (On Debian, kresd will be restarted ++automatically when the dns-root-data package updates ++/usr/share/dns/root.key, so nothing extra needs to be done unless you ++diverge from the default here.) + +-Default: "@KEYFILE_DEFAULT@" (can be empty if your distribution did not provide one) ++Default: "@KEYFILE_DEFAULT@" + .TP + .B \-m\fI path\fR, \fB\-\-moduledir=\fI + Override the directory that is searched for modules. Default: @MODULEDIR@ 
diff --git a/distro/deb/patches/series b/distro/deb/patches/series new file mode 100644 index 0000000..5f6f9b5 --- /dev/null +++ b/distro/deb/patches/series @@ -0,0 +1 @@ +0001-Update-documentation-of-keyfile-ro.patch diff --git a/distro/deb/rules b/distro/deb/rules new file mode 100755 index 0000000..758f30c --- /dev/null +++ b/distro/deb/rules 
@@ -0,0 +1,68 @@ +#!/usr/bin/make -f + +# see FEATURE AREAS in dpkg-buildflags(1) +export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie + +# see ENVIRONMENT in dpkg-buildflags(1) +# package maintainers to append CFLAGS +export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -fno-omit-frame-pointer +# package maintainers to append LDFLAGS +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed + +# see EXAMPLES in dpkg-buildflags(1) and read /usr/share/dpkg/* +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/default.mk + +export ARCH=$(DEB_HOST_GNU_CPU) +export PREFIX=/usr +export MODULEDIR=/usr/lib/knot-resolver +export ETCDIR=/etc/knot-resolver + +RUN_TESTS := yes +ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),hurd-i386 mips mipsel ppc64 ppc64el armel armhf arm64 kfreebsd-amd64 kfreebsd-i386)) + $(warning Disabling checks on $(DEB_HOST_ARCH)) + RUN_TESTS := no +endif + +%: + dh $@ + +override_dh_auto_clean-indep: + dh_auto_clean -- doc-clean http-clean + +override_dh_auto_build-arch: + CFLAGS="$${CFLAGS} -DNDEBUG" dh_auto_build -- V=1 BUILDMODE=static lib + CFLAGS="$${CFLAGS} -DNDEBUG" dh_auto_build -- V=1 \ + ROOTHINTS=/usr/share/dns/root.hints \ + KEYFILE_DEFAULT=/usr/share/dns/root.key + +override_dh_auto_build-indep: + dh_auto_build -- V=1 http + dh_auto_build -- V=1 doc-doxygen + cd doc && sphinx-build -b html -D html_theme=nature . 
html + +override_dh_auto_install-arch: + dh_auto_install --destdir=debian/tmp -- V=1 KEYFILE_DEFAULT=/usr/share/dns/root.key + rm -f debian/tmp/etc/knot-resolver/root.hints debian/tmp/etc/knot-resolver/icann-ca.pem + +override_dh_auto_install-indep: +# install just the http/2 module + make http-install DESTDIR=debian/tmp V=1 + +override_dh_installinit: + dh_installinit -pknot-resolver --name=kresd --no-start + +override_dh_installsystemd: + dh_installsystemd -pknot-resolver --name=kresd kresd-tls.socket kresd.socket + +override_dh_auto_test-indep: +override_dh_auto_test-arch: +ifeq ($(RUN_TESTS),yes) + dh_auto_test -- V=1 +endif + +override_dh_missing: + dh_missing --fail-missing + +override_dh_installchangelogs: + dh_installchangelogs NEWS diff --git a/distro/deb/source/format b/distro/deb/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/distro/deb/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/distro/deb/tests/control b/distro/deb/tests/control new file mode 100644 index 0000000..be666d7 --- /dev/null +++ b/distro/deb/tests/control @@ -0,0 +1,2 @@ +Test-Command: make installcheck +Depends: @, @builddeps@ diff --git a/distro/rpm/knot-resolver.spec b/distro/rpm/knot-resolver.spec new file mode 100644 index 0000000..359e5b6 --- /dev/null +++ b/distro/rpm/knot-resolver.spec 
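Review bot: `export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie` at the top of distro/deb/rules switches the pie hardening feature off, so /usr/sbin/kresd, a daemon that parses DNS traffic from the network, is built as a non-position-independent executable and its main image does not benefit from address-space randomisation. Nothing in the file says why PIE is excluded. If no build or runtime reason remains, use `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`; if one does, record it in a comment above the line so the exception can be revisited later.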
@@ -0,0 +1,235 @@ +%global _hardened_build 1 +%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}} + +%define GPG_CHECK 0 +%define VERSION __VERSION__ +%define repodir %{_builddir}/%{name}-%{version} + +Name: knot-resolver +Version: %{VERSION} +Release: 1%{?dist} +Summary: Caching full DNS Resolver + +License: GPLv3 +URL: https://www.knot-resolver.cz/ +Source0: knot-resolver_%{version}.orig.tar.xz + +# LuaJIT only on these arches +%if 0%{?rhel} +# RHEL 7 does not have aarch64 LuaJIT +ExclusiveArch: %{ix86} x86_64 +%else +ExclusiveArch: %{arm} aarch64 %{ix86} x86_64 +%endif + +%if 0%{GPG_CHECK} +Source1: knot-resolver-%{version}.tar.xz.asc +# PGP keys used to sign upstream releases +# Export with --armor using command from https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures +# Don't forget to update %%prep section when adding/removing keys +Source100: gpgkey-B6006460B60A80E782062449E747DF1F9575A3AA.gpg.asc +Source101: gpgkey-BE26EBB9CBE059B3910CA35BCE8DD6A1A50A21E4.gpg.asc +Source102: gpgkey-4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869.gpg.asc +BuildRequires: gnupg2 +%endif + +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: pkgconfig(cmocka) +BuildRequires: pkgconfig(gnutls) +BuildRequires: pkgconfig(libedit) +BuildRequires: pkgconfig(libknot) >= 2.7.2 +BuildRequires: pkgconfig(libzscanner) >= 2.7.2 +BuildRequires: pkgconfig(libdnssec) >= 2.7.2 +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libuv) +BuildRequires: pkgconfig(luajit) >= 2.0 +BuildRequires: pkgconfig(systemd) + +# Distro-dependent dependencies +%if 0%{?rhel} +BuildRequires: lmdb-devel +# Lua 5.1 version of the libraries have different package names +Requires: lua-socket +Requires: lua-sec +Requires(pre): shadow-utils +%endif +%if 0%{?fedora} +BuildRequires: pkgconfig(lmdb) +BuildRequires: python3-sphinx +Requires: lua-socket-compat +Requires: lua-sec-compat +Requires(pre): shadow-utils +%endif +%if 0%{?suse_version} +BuildRequires: lmdb-devel +BuildRequires: 
python3-Sphinx +Requires: lua51-luasocket +Requires: lua51-luasec +Requires(pre): shadow +%endif + +%if "x%{?rhel}" == "x" +# dependencies for doc package; disable in EPEL (missing fonts) +# https://bugzilla.redhat.com/show_bug.cgi?id=1492884 +BuildRequires: doxygen +BuildRequires: python3-breathe +BuildRequires: python3-sphinx_rtd_theme +%endif + +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description +The Knot Resolver is a caching full resolver implementation written in C +and LuaJIT, including both a resolver library and a daemon. Modular +architecture of the library keeps the core tiny and efficient, and provides +a state-machine like API for extensions. + +The package is pre-configured as local caching resolver. +To start using it, start a single kresd instance: +$ systemctl start kresd@1.service + +%package devel +Summary: Development headers for Knot Resolver +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The package contains development headers for Knot Resolver. 
+ +%if "x%{?rhel}" == "x" +%package doc +Summary: Documentation for Knot Resolver +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Documentation for Knot Resolver +%endif + +%prep +%if 0%{GPG_CHECK} +export GNUPGHOME=./gpg-keyring +mkdir ${GNUPGHOME} +gpg2 --import %{SOURCE100} %{SOURCE101} %{SOURCE102} +gpg2 --verify %{SOURCE1} %{SOURCE0} +%endif +%setup -q -n %{name}-%{version} + +%build +%global build_paths PREFIX=%{_prefix} BINDIR=%{_bindir} LIBDIR=%{_libdir} INCLUDEDIR=%{_includedir} ETCDIR=%{_sysconfdir}/knot-resolver +%global build_flags V=1 CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" %{build_paths} HAS_go=no +%make_build %{build_flags} + +%if "x%{?rhel}" == "x" +# build documentation +make doc +%endif + +%check +make %{?_smp_mflags} check + +%install +%make_install %{build_flags} + +# move sample configuration files to documentation +install -m 0755 -d %{buildroot}%{_pkgdocdir} +mv %{buildroot}%{_sysconfdir}/knot-resolver/config.* %{buildroot}%{_pkgdocdir} +chmod 0644 %{buildroot}%{_pkgdocdir}/config.* + +# install configuration files +mkdir -p %{buildroot}%{_sysconfdir} +install -m 0755 -d %{buildroot}%{_sysconfdir}/knot-resolver +install -m 0644 -p %{repodir}/distro/common/kresd.conf %{buildroot}%{_sysconfdir}/knot-resolver/kresd.conf +install -m 0664 -p %{repodir}/distro/common/root.keys %{buildroot}%{_sysconfdir}/knot-resolver/root.keys + +# install systemd units and doc +mkdir -p %{buildroot}%{_unitdir} +install -m 0644 -p %{repodir}/distro/common/systemd/kresd@.service %{buildroot}%{_unitdir}/kresd@.service +install -m 0644 -p %{repodir}/distro/common/systemd/kresd.target %{buildroot}%{_unitdir}/kresd.target +install -m 0755 -d %{buildroot}%{_unitdir}/multi-user.target.wants +ln -s ../kresd.target %{buildroot}%{_unitdir}/multi-user.target.wants/kresd.target +mkdir -p %{buildroot}%{_mandir}/man7 +install -m 0644 -p %{repodir}/distro/common/systemd/kresd.systemd.7 %{buildroot}%{_mandir}/man7/kresd.systemd.7 + 
+%if 0%{?rhel} +# no socket activation for CentOS 7 (requires systemd.227) +mkdir -p %{buildroot}%{_unitdir}/kresd@.service.d +install -m 0644 -p %{repodir}/distro/common/systemd/drop-in/systemd-compat.conf %{buildroot}%{_unitdir}/kresd@.service.d/override.conf +%endif +%if "x%{?rhel}" == "x" +install -m 0644 -p %{repodir}/distro/common/systemd/kresd.socket %{buildroot}%{_unitdir}/kresd.socket +install -m 0644 -p %{repodir}/distro/common/systemd/kresd-control@.socket %{buildroot}%{_unitdir}/kresd-control@.socket +install -m 0644 -p %{repodir}/distro/common/systemd/kresd-tls.socket %{buildroot}%{_unitdir}/kresd-tls.socket +%endif + +# install tmpfiles.d +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 0644 -p %{repodir}/distro/common/tmpfiles/knot-resolver.conf %{buildroot}%{_tmpfilesdir}/knot-resolver.conf +mkdir -p %{buildroot}%{_rundir} +install -m 0750 -d %{buildroot}%{_rundir}/knot-resolver + +# install cache +mkdir -p %{buildroot}%{_localstatedir}/cache +install -m 0750 -d %{buildroot}%{_localstatedir}/cache/knot-resolver + +# remove module with unsatisfied dependencies +rm -r %{buildroot}%{_libdir}/kdns_modules/{http,http.lua} + +%pre +getent group knot-resolver >/dev/null || groupadd -r knot-resolver +getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysconfdir}/knot-resolver -s /sbin/nologin -c "Knot Resolver" knot-resolver + +%post +%systemd_post 'kresd@*.service' +/sbin/ldconfig + +%preun +%systemd_preun 'kresd@*.service' kresd.target kresd.socket kresd-tls.socket + +%postun +# NOTE: this doesn't restart the services on CentOS 7 +%systemd_postun_with_restart 'kresd@*.service' +/sbin/ldconfig + +%files +%license COPYING +%doc %{_pkgdocdir} +%attr(775,root,knot-resolver) %dir %{_sysconfdir}/knot-resolver +%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/kresd.conf +%attr(664,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.keys +%attr(644,root,knot-resolver) %config(noreplace) 
%{_sysconfdir}/knot-resolver/root.hints +%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/icann-ca.pem +%attr(750,knot-resolver,knot-resolver) %dir %{_localstatedir}/cache/knot-resolver +%{_unitdir}/kresd*.service +%{_unitdir}/kresd.target +%{_unitdir}/multi-user.target.wants/kresd.target +%if 0%{?rhel} +%{_unitdir}/kresd@.service.d/override.conf +%endif +%if "x%{?rhel}" == "x" +%{_unitdir}/kresd*.socket +%endif +%{_tmpfilesdir}/knot-resolver.conf +%{_sbindir}/kresd +%{_sbindir}/kresc +%{_libdir}/libkres.so.* +%{_libdir}/kdns_modules +%{_mandir}/man8/kresd.8.gz +%{_mandir}/man7/kresd.systemd.7.gz + +%files devel +%{_includedir}/libkres +%{_libdir}/pkgconfig/libkres.pc +%{_libdir}/libkres.so + +%if "x%{?rhel}" == "x" +%files doc +%doc doc/html +%endif + +%changelog +* Fri Feb 16 2018 Tomas Krizek - 2.1.0-1 +- see NEWS or https://www.knot-resolver.cz/ +- move spec file to upstream diff --git a/distro/tests/README.md b/distro/tests/README.md new file mode 100644 index 0000000..f528348 --- /dev/null +++ b/distro/tests/README.md 
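Review bot: `%define GPG_CHECK 0` near the top of knot-resolver.spec compiles out the `gpg2 --import` / `gpg2 --verify` step in `%prep`, so the package is built from `Source0` without checking the upstream signature even though the release keys are listed as Source100 to Source102. If the check is re-enabled, note that `Source1` is named `knot-resolver-%{version}.tar.xz.asc` while `Source0` is `knot-resolver_%{version}.orig.tar.xz`; verification only holds if the repacked orig tarball is byte-identical to the signed upstream tarball, which cannot be confirmed from this hunk. I would default to `%define GPG_CHECK 1`, or add a comment next to the define stating where the tarball's authenticity is established instead.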
@@ -0,0 +1,42 @@ +Requirements +------------ + +- ansible +- vagrant +- libvirt (+vagrant-libvirt) / virtualbox + +Usage +----- + +`vagrant up` command is configured to trigger ansible provisioning +which configures OBS repository, installs the knot-resolver package, +starts the kresd@1 service and finally attempts to use it to resolve +a domain name. It also tests that DNSSEC validation is turned on. + +By default, the *knot-resolver-devel* repo (for knot-resolver) along +with *knot-resoler-latest* (for knot) is used. To test only the +*knot-resolver-latest* repo, set it in `repos.yaml` (or use the +test-distro.sh script which overwrites this file). If you're running +tests in parallel, they all HAVE TO use the same repo(s). + +Run the following command for every distro (aka directory with +Vagrantfile): + +``` +./test-distro.sh devel debian9 +``` + +or + +``` +./test-distro.sh testing debian9 +``` + +or + +``` +./test-distro.sh latest debian9 +``` + +At the end of the test, the package version that was tested is +printed out. Make sure you're testing what you intended to. diff --git a/distro/tests/arch/Vagrantfile b/distro/tests/arch/Vagrantfile new file mode 100644 index 0000000..8e3677e --- /dev/null +++ b/distro/tests/arch/Vagrantfile @@ -0,0 +1,16 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +Vagrant.configure(2) do |config| + + config.vm.box = "archlinux/archlinux" + config.vm.synced_folder ".", "/vagrant", disabled: true + + config.vm.define "arch_knot-resolver" do |machine| + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "../knot-resolver-test.yaml" + end + end + +end diff --git a/distro/tests/centos7/Vagrantfile b/distro/tests/centos7/Vagrantfile new file mode 100644 index 0000000..a03e599 --- /dev/null +++ b/distro/tests/centos7/Vagrantfile 
@@ -0,0 +1,19 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +Vagrant.configure(2) do |config| + + config.vm.box = "centos/7" + config.vm.synced_folder ".", "/vagrant", disabled: true + + config.vm.define "centos7_knot-resolver" do |machine| + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "../knot-resolver-test.yaml" + ansible.extra_vars = { + ansible_python_interpreter: "/usr/bin/python2" + } + end + end + +end diff --git a/distro/tests/debian9/Vagrantfile b/distro/tests/debian9/Vagrantfile new file mode 100644 index 0000000..3b7891b --- /dev/null +++ b/distro/tests/debian9/Vagrantfile @@ -0,0 +1,16 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +Vagrant.configure(2) do |config| + + config.vm.box = "debian/stretch64" + config.vm.synced_folder ".", "/vagrant", disabled: true + + config.vm.define "debian9_knot-resolver" do |machine| + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "../knot-resolver-test.yaml" + end + end + +end diff --git a/distro/tests/fedora28/Vagrantfile b/distro/tests/fedora28/Vagrantfile new file mode 100644 index 0000000..0171b4f --- /dev/null +++ b/distro/tests/fedora28/Vagrantfile @@ -0,0 +1,19 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +Vagrant.configure(2) do |config| + + config.vm.box = "generic/fedora28" + config.vm.synced_folder ".", "/vagrant", disabled: true + + config.vm.define "fedora28_knot-resolver" do |machine| + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "../knot-resolver-test.yaml" + ansible.extra_vars = { + ansible_python_interpreter: "/usr/bin/python3" + } + end + end + +end diff --git a/distro/tests/fedora29/Vagrantfile b/distro/tests/fedora29/Vagrantfile new file mode 100644 index 0000000..67407e8 --- /dev/null +++ b/distro/tests/fedora29/Vagrantfile 
@@ -0,0 +1,19 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +Vagrant.configure(2) do |config| + + config.vm.box = "generic/fedora29" + config.vm.synced_folder ".", "/vagrant", disabled: true + + config.vm.define "fedora29_knot-resolver" do |machine| + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "../knot-resolver-test.yaml" + ansible.extra_vars = { + ansible_python_interpreter: "/usr/bin/python3" + } + end + end + +end diff --git a/distro/tests/knot-resolver-test.yaml b/distro/tests/knot-resolver-test.yaml new file mode 100644 index 0000000..33d07aa --- /dev/null +++ b/distro/tests/knot-resolver-test.yaml 
@@ -0,0 +1,148 @@ +--- +- hosts: all + + remote_user: root + become: true + + vars: + dig_package: + Debian: dnsutils + Ubuntu: dnsutils + Fedora: bind-utils + CentOS: bind-utils + openSUSE Leap: bind-utils + openSUSE Tumbleweed: bind-utils + Archlinux: bind-tools + configure_obs_repo: + Fedora: | + dnf config-manager --add-repo https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/Fedora_{{ ansible_distribution_major_version }}/home:CZ-NIC:{{ item }}.repo + CentOS: | + yum install -y wget && + wget -i wget https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/CentOS_7_EPEL/home:CZ-NIC:{{ item }}.repo -O /etc/yum.repos.d/home:CZ-NIC:{{ item }}.repo + Debian: | + echo 'deb http://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/Debian_9.0/ /' > /etc/apt/sources.list.d/{{ item }}.list && + wget -nv https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/Debian_9.0/Release.key -O Release.key && + apt-key add - < Release.key && + apt-get update + Ubuntu: | + echo 'deb http://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/xUbuntu_{{ ansible_distribution_version }}/ /' > /etc/apt/sources.list.d/{{ item }}.list && + wget -nv https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/xUbuntu_{{ ansible_distribution_version }}/Release.key -O Release.key && + apt-key add - < Release.key && + apt-get update + openSUSE Tumbleweed: | + zypper addrepo https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/openSUSE_Tumbleweed/home:CZ-NIC:{{ item }}.repo && + zypper --gpg-auto-import-keys refresh + openSUSE Leap: | + zypper addrepo https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/openSUSE_Leap_15.0/home:CZ-NIC:{{ item }}.repo && + zypper --gpg-auto-import-keys refresh + show_package_version: + Archlinux: + pacman -Qi knot-resolver | grep '^Version' + Fedora: &pkg_version_rpm | + rpm -qi knot-resolver | grep '^Version' + CentOS: *pkg_version_rpm + openSUSE Leap: *pkg_version_rpm + openSUSE 
Tumbleweed: *pkg_version_rpm + Debian: + dpkg -s knot-resolver | grep '^Version' + Ubuntu: | + dpkg -s knot-resolver | grep '^Version' + vars_files: + - repos.yaml + + gather_facts: false + pre_tasks: + - name: install python3 (Arch) + raw: | + (pacman-key --init && pacman-key --populate archlinux && \ + pacman -Sy python3 --noconfirm) || : + ignore_errors: true + - name: gather facts + setup: + + tasks: + - name: install epel + package: + name: epel-release + state: present + when: ansible_distribution == 'CentOS' + + - name: configure OBS repository + shell: "{{ configure_obs_repo[ansible_distribution] }}" + args: + warn: false + with_items: "{{ repos }}" + when: ansible_distribution_file_variety != 'Archlinux' + + - block: + - name: configure OBS repository (Arch) + blockinfile: + block: | + [home_CZ-NIC_{{ item }}_Arch] + SigLevel = Never + Server = https://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/Arch/$arch + insertbefore: '^\[core\]' + path: /etc/pacman.conf + state: present + with_items: "{{ repos }}" + - name: set up package mirrors + copy: + content: | + ## Arch Linux repository mirrorlist + ## Generated on 2018-12-10 + ## Czechia + Server = http://mirrors.nic.cz/archlinux/$repo/os/$arch + Server = http://ftp.fi.muni.cz/pub/linux/arch/$repo/os/$arch + Server = http://ftp.sh.cvut.cz/arch/$repo/os/$arch + Server = http://gluttony.sin.cvut.cz/arch/$repo/os/$arch + dest: /etc/pacman.d/mirrorlist + - name: sync repos (Arch) + shell: pacman -Syu --noconfirm + args: + warn: false + when: ansible_distribution_file_variety == 'Archlinux' + + - name: install knot-resolver + package: + name: knot-resolver + state: latest + + - name: get installed package version + shell: "{{ show_package_version[ansible_distribution] }}" + args: + warn: false + register: package_version + + - name: install dig + package: + name: "{{ dig_package[ansible_distribution] }}" + state: present + + - name: testing block + block: + - name: start kresd@1.service + service: + 
name: kresd@1.service + state: restarted + + - name: resolve nic.cz + shell: dig @127.0.0.1 nic.cz + register: res + failed_when: '"status: NOERROR" not in res.stdout' + + - name: test dnssec is turned on + block: + - name: test dnssec-failed.org +cd returns NOERROR + shell: dig +cd @127.0.0.1 dnssec-failed.org + register: res + failed_when: '"status: NOERROR" not in res.stdout' + + - name: test dnssec-failed.org returns SERVFAIL + shell: dig @127.0.0.1 dnssec-failed.org + register: res + failed_when: '"status: SERVFAIL" not in res.stdout' + + always: + - name: show installed version + debug: + var: package_version.stdout diff --git a/distro/tests/leap15/Vagrantfile b/distro/tests/leap15/Vagrantfile new file mode 100644 index 0000000..14bae76 --- /dev/null +++ b/distro/tests/leap15/Vagrantfile @@ -0,0 +1,16 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +Vagrant.configure(2) do |config| + + config.vm.box = "opensuse/openSUSE-15.0-x86_64" + config.vm.synced_folder ".", "/vagrant", disabled: true + + config.vm.define "leap15_knot-resolver" do |machine| + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "../knot-resolver-test.yaml" + end + end + +end diff --git a/distro/tests/repos.yaml b/distro/tests/repos.yaml new file mode 100644 index 0000000..9827fe7 --- /dev/null +++ b/distro/tests/repos.yaml @@ -0,0 +1,3 @@ +repos: + - knot-resolver-latest + - knot-resolver-devel diff --git a/distro/tests/test-distro.sh b/distro/tests/test-distro.sh new file mode 100755 index 0000000..0ae8662 --- /dev/null +++ b/distro/tests/test-distro.sh 
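Review bot: The provisioning in knot-resolver-test.yaml installs the package under test without pinning who signed it on several distros: the Arch `blockinfile` task writes `SigLevel = Never` for the OBS repository, and both openSUSE entries in `configure_obs_repo` run `zypper --gpg-auto-import-keys refresh`, which accepts whatever key the repository presents. A passing run then says little about whether the tested packages came from the intended project. I would import the OBS project key explicitly before adding the repository (with pacman-key on Arch) and use `SigLevel = Required` there, and drop `--gpg-auto-import-keys` in favour of an explicit key import on openSUSE. Separately, the CentOS entry reads `wget -i wget https://...`, where `-i wget` looks like a stray argument.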
@@ -0,0 +1,32 @@
+#!/bin/bash -x
+
+# ./test-distro.sh {devel|latest} {distro}
+# Example usage: ./test-distro.sh devel debian9
+
+distro=$2
+repo=$1
+
+# Select repos
+echo -e 'repos:\n - knot-resolver-latest' > repos.yaml # latest is needed for knot
+case "$repo" in
+ devel)
+ echo -e ' - knot-resolver-devel' >> repos.yaml
+ ;;
+ testing)
+ echo -e 'repos:\n - knot-resolver-testing' > repos.yaml
+ ;;
+ latest)
+ ;;
+ *)
+ echo "Unknown repo, choose devel|latest|testing"
+ exit 1
+ ;;
+esac
+
+cd "$distro"
+vagrant destroy -f &>/dev/null
+vagrant up
+ret=$?
+vagrant destroy -f &>/dev/null
+exit $ret
+
diff --git a/distro/tests/tumbleweed/Vagrantfile b/distro/tests/tumbleweed/Vagrantfile
new file mode 100644
index 0000000..ba0dada
--- /dev/null
+++ b/distro/tests/tumbleweed/Vagrantfile
@@ -0,0 +1,16 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "opensuse/openSUSE-Tumbleweed-x86_64"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "tumbleweed_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ end
+ end
+
+end
diff --git a/distro/tests/ubuntu1604/Vagrantfile b/distro/tests/ubuntu1604/Vagrantfile
new file mode 100644
index 0000000..40e0492
--- /dev/null
+++ b/distro/tests/ubuntu1604/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/ubuntu1604"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ubuntu1604_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/ubuntu1804/Vagrantfile b/distro/tests/ubuntu1804/Vagrantfile
new file mode 100644
index 0000000..57e210d
--- /dev/null
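Review bot: `cd "$distro"` in distro/tests/test-distro.sh is unchecked and `$2` is never validated, so with a missing or misspelled distro argument the following `vagrant destroy -f` and `vagrant up` run in the caller's current directory rather than in a test directory. Guard it with `[ -d "$distro" ] || { echo "Unknown distro: $distro"; exit 1; }` and change the line to `cd "$distro" || exit 1`. The first `echo` also overwrites `repos.yaml` before the `case` rejects an unknown repo; writing the file only inside the accepted branches would leave it untouched on a usage error.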
+++ b/distro/tests/ubuntu1804/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/ubuntu1804"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ubuntu1804_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
diff --git a/distro/tests/ubuntu1810/Vagrantfile b/distro/tests/ubuntu1810/Vagrantfile
new file mode 100644
index 0000000..c560be1
--- /dev/null
+++ b/distro/tests/ubuntu1810/Vagrantfile
@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+Vagrant.configure(2) do |config|
+
+ config.vm.box = "generic/ubuntu1810"
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ config.vm.define "ubuntu1810_knot-resolver" do |machine|
+ machine.vm.provision "ansible" do |ansible|
+ ansible.playbook = "../knot-resolver-test.yaml"
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3"
+ }
+ end
+ end
+
+end
-- cgit v1.2.3