diff options
Diffstat (limited to '')
28 files changed, 1419 insertions, 0 deletions
diff --git a/distro/pkg/arch/PKGBUILD b/distro/pkg/arch/PKGBUILD new file mode 100644 index 0000000..7eea556 --- /dev/null +++ b/distro/pkg/arch/PKGBUILD @@ -0,0 +1,71 @@ +# Maintainer: Tomas Krizek <tomas.krizek@nic.cz> +# Contributor: Ondřej Surý <ondrej@sury.org> +# SPDX-License-Identifier: GPL-3.0-or-later + +pkgname=knot-resolver +pkgver={{ version }} +pkgrel={{ release }} +pkgdesc='Caching DNSSEC-validating DNS resolver' +arch=('x86_64' 'armv7h') +url='https://www.knot-resolver.cz/' +license=('GPL3') +depends=( + 'dnssec-anchors' + 'gnutls' + 'knot' + 'libedit' + 'libuv' + 'lmdb' + 'luajit' + 'systemd' + 'libcap-ng' + 'libnghttp2' + 'jemalloc' +) +makedepends=( + 'cmocka' + 'meson' + 'systemd-libs' +) +optdepends=( + 'lua51-basexx: experimental_dot_auth module' + 'lua51-cqueues: http and dns64 module, policy.rpz() function' + 'lua51-http: http and prefill modules, trust_anchors bootstrap' + 'lua51-psl: policy.slice_randomize_psl() function' +) +backup=('etc/knot-resolver/kresd.conf') +options=(debug strip) +source=("knot-resolver-${pkgver}.tar.xz") +sha256sums=('SKIP') + +build() { + cd "${srcdir}/${pkgname}-${pkgver}" + meson build \ + --buildtype=release \ + --prefix=/usr \ + --sbindir=bin \ + -D keyfile_default=/etc/trusted-key.key \ + -D systemd_files=enabled \ + -D client=enabled \ + -D install_kresd_conf=enabled \ + -D malloc=jemalloc \ + -D unit_tests=enabled + ninja -C build +} + +check() { + cd "${srcdir}/${pkgname}-${pkgver}" + meson test -C build +} + +package() { + cd "${srcdir}/${pkgname}-${pkgver}" + DESTDIR=${pkgdir} ninja -C build install + + # add kresd.target to multi-user.target.wants to support enabling kresd services + install -d -m 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants" + ln -s ../kresd.target "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants/kresd.target" + + # remove modules with missing dependencies + rm "${pkgdir}/usr/lib/knot-resolver/kres_modules/etcd.lua" +} diff --git a/distro/pkg/deb/changelog b/distro/pkg/deb/changelog new file mode 100644 index 0000000..e1e7de9 --- /dev/null +++ b/distro/pkg/deb/changelog @@ -0,0 +1,6 @@ +knot-resolver ({{ version }}-cznic.{{ release }}) unstable; urgency=medium + + * upstream package + * see NEWS or https://knot-resolver.cz + + -- Jakub Ružička <jakub.ruzicka@nic.cz> {{ now }} diff --git a/distro/pkg/deb/clean b/distro/pkg/deb/clean new file mode 100644 index 0000000..3c2f3ba --- /dev/null +++ b/distro/pkg/deb/clean @@ -0,0 +1,3 @@ +build_deb/ +doc/doxyxml/ +doc/html/ diff --git a/distro/pkg/deb/compat b/distro/pkg/deb/compat new file mode 100644 index 0000000..b4de394 --- /dev/null +++ b/distro/pkg/deb/compat @@ -0,0 +1 @@ +11 diff --git a/distro/pkg/deb/control b/distro/pkg/deb/control new file mode 100644 index 0000000..275dae5 --- /dev/null +++ b/distro/pkg/deb/control @@ -0,0 +1,140 @@ +Source: knot-resolver +Section: net +Priority: optional +Maintainer: Knot Resolver <knot-resolver@labs.nic.cz> +Build-Depends: + debhelper (>= 11~), + libcmocka-dev (>= 1.0.0), + libedit-dev, + libfstrm-dev, + libgnutls28-dev, + libknot-dev (>= 3.0.2), + liblmdb-dev, + libluajit-5.1-dev, + libnghttp2-dev, + libprotobuf-c-dev, + libsystemd-dev (>= 227) [linux-any], + libcap-ng-dev, + libuv1-dev, + libjemalloc-dev, + luajit, + pkg-config, + meson (>= 0.49), + doxygen, + protobuf-c-compiler, + python3-breathe, + python3-sphinx, + python3-sphinx-rtd-theme, + texinfo, + libssl-dev, +Homepage: https://www.knot-resolver.cz/ + +Package: knot-resolver +Architecture: any +Depends: + adduser, + dns-root-data, + systemd, + ${misc:Depends}, + ${shlibs:Depends}, +Replaces: + libkres9 (<< 3.2.1-2), +Breaks: + libkres9 (<< 3.2.1-2), +Recommends: + lua-basexx, + lua-cqueues, + lua-http, + lua-psl, +Suggests: + knot-resolver-module-http, +Description: caching, DNSSEC-validating DNS resolver + The Knot Resolver is a caching full resolver implementation + written in C and LuaJIT, including both a resolver library and a + daemon. Modular architecture of the library keeps the core tiny and + efficient, and provides a state-machine like API for + extensions. There are three built-in modules - iterator, cache, + validator, and many external. + . + The Lua modules, switchable and shareable cache, and fast FFI + bindings makes it great to tap into resolution process, or be used + for your recursive DNS service. It's the OpenResty of DNS. + . + The server adopts a different scaling strategy than the rest of the + DNS recursors - no threading, shared-nothing architecture (except + MVCC cache that may be shared). You can start and stop additional + nodes depending on the contention without downtime. + +Package: knot-resolver-dbg +Architecture: any +Depends: knot-resolver (= ${binary:Version}), + ${misc:Depends} +Recommends: gdb +Section: debug +Priority: extra +Description: Debug symbols for Knot Resolver + This package provides the debug symbols for Knot Resolver needed + for properly debugging errors in Knot Resolver with gdb. + +Package: knot-resolver-module-dnstap +Architecture: any +Multi-Arch: same +Depends: + knot-resolver (= ${binary:Version}), + libfstrm0, + libprotobuf-c1, + ${misc:Depends}, + ${shlibs:Depends}, +Description: dnstap module for Knot Resolver + The Knot Resolver is a caching full resolver implementation + written in C and LuaJIT, including both a resolver library and a + daemon. Modular architecture of the library keeps the core tiny and + efficient, and provides a state-machine like API for + extensions. There are three built-in modules - iterator, cache, + validator, and many external. + . + This package contains dnstap module for logging DNS responses + to a unix socket in dnstap format. + +Package: knot-resolver-module-http +Architecture: all +Depends: + knot-resolver (= ${binary:Version}), + libjs-bootstrap, + libjs-d3, + libjs-jquery, + lua-cqueues (>= 20171014), + lua-http, + lua-mmdb, + systemd, + ${misc:Depends}, + ${shlibs:Depends}, +Breaks: + knot-resolver-module-tinyweb (<< 1.1.0~git20160713-1~), +Description: HTTP module for Knot Resolver + The Knot Resolver is a caching full resolver implementation + written in C and LuaJIT, including both a resolver library and a + daemon. Modular architecture of the library keeps the core tiny and + efficient, and provides a state-machine like API for + extensions. There are three built-in modules - iterator, cache, + validator, and many external. + . + This package contains HTTP/2 module for local visualization of the + resolver cache and queries. + +Package: knot-resolver-doc +Architecture: all +Section: doc +Depends: + libjs-jquery, + libjs-underscore, + ${misc:Depends}, +Description: Documentation for Knot Resolver + The Knot Resolver is a caching full resolver implementation + written in C and LuaJIT, including both a resolver library and a + daemon. Modular architecture of the library keeps the core tiny and + efficient, and provides a state-machine like API for + extensions. There are three built-in modules - iterator, cache, + validator, and many external. + . + This package contains Knot Resolver Documentation. diff --git a/distro/pkg/deb/copyright b/distro/pkg/deb/copyright new file mode 100644 index 0000000..96e23ca --- /dev/null +++ b/distro/pkg/deb/copyright @@ -0,0 +1,440 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: knot-resolver +Source: https://www.knot-resolver.cz/ + +Files: * +Copyright: CZ.NIC +License: GPL-3.0+ + +Files: contrib/ccan/asprintf/* +Copyright: Rusty Russell +License: Expat + +Files: contrib/ccan/compiler/* +Copyright: Rusty Russell +License: CC0 + +Files: tests/config/tapered/* +Copyright: 2012-2017, Peter Aronoff +License: BSD-3-clause + +Files: contrib/lmdb/* +Copyright: 1999-2003 The OpenLDAP Foundation +License: OpenLDAP + +Files: tests/deckard/contrib/libfaketime/* +Copyright: 2003-2017 Wolfgang Hommel +License: GPL-2 + +Files: tests/deckard/contrib/libswrap/* +Copyright: 2005,2008 Jelmer Vernooij <jelmer@samba.org> + 2006-2009 Stefan Metzmacher <metze@samba.org> + 2013 Andreas Schneider <asn@samba.org> +License: BSD-3-clause + +Files: contrib/murmurhash3/* +Copyright: Austin Appleby +License: CC0-1.0 + +Files: debian/missing-sources/dygraph-combined.js + modules/http/static/dygraph-combined.js +Copyright: 2006-2014 Dan Vanderkam <danvdk@gmail.com> + 2016 Paul Miller + 2011 Robert Konigsberg <konigsberg@google.com> + 2013 David Eberlein <david.eberlein@ch.sauter-bc.com> +License: MIT + +Files: contrib/ucw/* +Copyright: 1997-2015 Martin Mares + 2005-2014 Tomas Valla + 2006 Robert Spalek + 2007-2015 Pavel Charvat +License: LGPL-2.1 + +Files: contrib/ccan/json/* +Copyright: 2011 Joey Adams +License: Expat + +Files: modules/policy/lua-aho-corasick/* +Copyright: 2013 CloudFlare, Inc. +License: BSD-3-CloudFlare + +Files: modules/http/static/jquery.js +Copyright: 2005-2011 John Resig, Brandon Aaron & Jörn Zaefferer +License: GPL-2 or Expat + +Files: modules/http/static/d3.js + modules/http/static/topojson.js +Copyright: 2010-2015 Michael Bostock +License: BSD-3-clause + +Files: modules/http/static/epoch.* + debian/missing-sources/epoch/* + debian/missing-sources/epoch.* +Copyright: 2014 Fastly, Inc. +License: Expat + +Files: modules/http/static/datamaps.world.min.js +Copyright: 2012 Mark DiMarco +License: Expat + +Files: modules/http/static/bootstrap.min.css + modules/http/static/bootstrap.min.js + modules/http/static/bootstrap-theme.min.css + modules/http/static/glyphicons-halflings-regular.woff2 +Copyright: 2012-2016 Thomas Park + 2011-2015 Twitter, Inc. +License: Expat + +Files: modules/http/static/selectize.bootstrap3.min.css + modules/http/static/selectize.min.css + modules/http/static/selectize.min.js +Copyright: 2013–2015 Brian Reavis & contributors +License: Apache-2.0 + +Files: debian/* +Copyright: 2015 Ondřej Surý <ondrej@debian.org> +License: GPL-3.0+ + +License: LGPL-2.1 + This library is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of the + License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this library. If not, see <https://www.gnu.org/licenses/>. + . + On Debian systems, the complete text of the GNU General + Public License version 3 can be found in "/usr/share/common-licenses/LGPL-2.1". + +License: GPL-3.0+ + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + . + On Debian systems, the complete text of the GNU General + Public License version 3 can be found in "/usr/share/common-licenses/GPL-3". + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +License: CC0 + Statement of Purpose + . + The laws of most jurisdictions throughout the world automatically + confer exclusive Copyright and Related Rights (defined below) upon + the creator and subsequent owner(s) (each and all, an "owner") of an + original work of authorship and/or a database (each, a "Work"). + . + Certain owners wish to permanently relinquish those rights to a Work + for the purpose of contributing to a commons of creative, cultural + and scientific works ("Commons") that the public can reliably and + without fear of later claims of infringement build upon, modify, + incorporate in other works, reuse and redistribute as freely as + possible in any form whatsoever and for any purposes, including + without limitation commercial purposes. These owners may contribute + to the Commons to promote the ideal of a free culture and the further + production of creative, cultural and scientific works, or to gain + reputation or greater distribution for their Work in part through the + use and efforts of others. + . + For these and/or other purposes and motivations, and without any + expectation of additional consideration or compensation, the person + associating CC0 with a Work (the "Affirmer"), to the extent that he + or she is an owner of Copyright and Related Rights in the Work, + voluntarily elects to apply CC0 to the Work and publicly distribute + the Work under its terms, with knowledge of his or her Copyright and + Related Rights in the Work and the meaning and intended legal effect + of CC0 on those rights. + . + 1. Copyright and Related Rights. A Work made available under CC0 may + be protected by copyright and related or neighboring rights + ("Copyright and Related Rights"). Copyright and Related Rights + include, but are not limited to, the following: + . + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or + performer(s); + iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a + Work, subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse + of data in a Work; + vi. database rights (such as those arising under Directive 96/9/EC + of the European Parliament and of the Council of 11 March 1996 + on the legal protection of databases, and under any national + implementation thereof, including any amended or successor + version of such directive); and + vii. other similar, equivalent or corresponding rights throughout + the world based on applicable law or treaty, and any national + implementations thereof. + . + 2. Waiver. To the greatest extent permitted by, but not in + contravention of, applicable law, Affirmer hereby overtly, fully, + permanently, irrevocably and unconditionally waives, abandons, and + surrenders all of Affirmer's Copyright and Related Rights and + associated claims and causes of action, whether now known or + unknown (including existing as well as future claims and causes of + action), in the Work (i) in all territories worldwide, (ii) for + the maximum duration provided by applicable law or treaty + (including future time extensions), (iii) in any current or future + medium and for any number of copies, and (iv) for any purpose + whatsoever, including without limitation commercial, advertising + or promotional purposes (the "Waiver"). Affirmer makes the Waiver + for the benefit of each member of the public at large and to the + detriment of Affirmer's heirs and successors, fully intending that + such Waiver shall not be subject to revocation, rescission, + cancellation, termination, or any other legal or equitable action + to disrupt the quiet enjoyment of the Work by the public as + contemplated by Affirmer's express Statement of Purpose. + . + 3. Public License Fallback. Should any part of the Waiver for any + reason be judged legally invalid or ineffective under applicable + law, then the Waiver shall be preserved to the maximum extent + permitted taking into account Affirmer's express Statement of + Purpose. In addition, to the extent the Waiver is so judged + Affirmer hereby grants to each affected person a royalty-free, non + transferable, non sublicensable, non exclusive, irrevocable and + unconditional license to exercise Affirmer's Copyright and Related + Rights in the Work (i) in all territories worldwide, (ii) for the + maximum duration provided by applicable law or treaty (including + future time extensions), (iii) in any current or future medium and + for any number of copies, and (iv) for any purpose whatsoever, + including without limitation commercial, advertising or + promotional purposes (the "License"). The License shall be deemed + effective as of the date CC0 was applied by Affirmer to the + Work. Should any part of the License for any reason be judged + legally invalid or ineffective under applicable law, such partial + invalidity or ineffectiveness shall not invalidate the remainder + of the License, and in such case Affirmer hereby affirms that he + or she will not (i) exercise any of his or her remaining Copyright + and Related Rights in the Work or (ii) assert any associated + claims and causes of action with respect to the Work, in either + case contrary to Affirmer's express Statement of Purpose. + . + 4. Limitations and Disclaimers. + . + a. No trademark or patent rights held by Affirmer are waived, + abandoned, surrendered, licensed or otherwise affected by this + document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties + of title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, + accuracy, or the present or absence of errors, whether or not + discoverable, all to the greatest extent permissible under + applicable law. + c. Affirmer disclaims responsibility for clearing rights of other + persons that may apply to the Work or any use thereof, including + without limitation any person's Copyright and Related Rights in + the Work. Further, Affirmer disclaims responsibility for + obtaining any necessary consents, permissions or other rights + required for any use of the Work. + d. Affirmer understands and acknowledges that Creative Commons is + not a party to this document and has no duty or obligation with + respect to this CC0 or use of the Work. + +License: BSD-3-CloudFlare + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + . + 3. Neither the name of CloudFlare, Inc. nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the author nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + . + On Debian systems, the complete text of the GNU General Public + License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +License: Apache-2.0 + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + . + https://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the full text of the Apache Software License version 2 can + be found in the file `/usr/share/common-licenses/Apache-2.0'. + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +License: OpenLDAP + Redistribution and use of this software and associated documentation + ("Software"), with or without modification, are permitted provided + that the following conditions are met: + . + 1. Redistributions in source form must retain copyright statements + and notices, + . + 2. Redistributions in binary form must reproduce applicable copyright + statements and notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution, and + . + 3. Redistributions must contain a verbatim copy of this document. + . + The OpenLDAP Foundation may revise this license from time to time. + Each revision is distinguished by a version number. You may use + this Software under terms of this license revision or under the + terms of any subsequent revision of the license. + . + THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS + CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT + SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) + OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + . + The names of the authors and copyright holders must not be used in + advertising or otherwise to promote the sale, use or other dealing + in this Software without specific, written prior permission. Title + to copyright in this Software shall at all times remain with copyright + holders. + . + OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +License: CC0-1.0 + This work is licensed under the "Creative Commons Zero" license. + . + On debian systems, a copy of the Creative Commons Zero license may be + found at /usr/share/common-licenses/CC0-1.0. + +License: public-domain + This work has been released into the public domain. The map + implementation builds off of prior public domain work from Dan + Bernstein (qhasm) and Adam Langley (critbit). diff --git a/distro/pkg/deb/knot-resolver-doc.doc-base b/distro/pkg/deb/knot-resolver-doc.doc-base new file mode 100644 index 0000000..9cd0fdf --- /dev/null +++ b/distro/pkg/deb/knot-resolver-doc.doc-base @@ -0,0 +1,11 @@ +Document: knot-resolver +Title: Knot Resolver documentation +Author: CZ.NIC labs +Abstract: Documentation for the Knot Resolver, + including building from source, using the library, + and configuration and operation of the daemon. +Section: Network/Communication + +Format: HTML +Index: /usr/share/doc/knot-resolver/html/index.html +Files: /usr/share/doc/knot-resolver/html/*.html diff --git a/distro/pkg/deb/knot-resolver-doc.docs b/distro/pkg/deb/knot-resolver-doc.docs new file mode 100644 index 0000000..c6f13d8 --- /dev/null +++ b/distro/pkg/deb/knot-resolver-doc.docs @@ -0,0 +1,3 @@ +debian/tmp/usr/share/doc/knot-resolver/html/* +debian/tmp/usr/share/info/knot-resolver.info +debian/tmp/usr/share/info/knot-resolver-figures/* diff --git a/distro/pkg/deb/knot-resolver-doc.links b/distro/pkg/deb/knot-resolver-doc.links new file mode 100644 index 0000000..25e9584 --- /dev/null +++ b/distro/pkg/deb/knot-resolver-doc.links @@ -0,0 +1,2 @@ +usr/share/javascript/jquery/jquery.min.js usr/share/doc/knot-resolver/html/_static/jquery.js +usr/share/javascript/underscore/underscore.min.js usr/share/doc/knot-resolver/html/_static/underscore.js diff --git a/distro/pkg/deb/knot-resolver-module-dnstap.install b/distro/pkg/deb/knot-resolver-module-dnstap.install new file mode 100644 index 0000000..ae5404e --- /dev/null +++ b/distro/pkg/deb/knot-resolver-module-dnstap.install @@ -0,0 +1 @@ +usr/lib/knot-resolver/kres_modules/dnstap.so diff --git a/distro/pkg/deb/knot-resolver-module-http.install b/distro/pkg/deb/knot-resolver-module-http.install new file mode 100644 index 0000000..ffa04d0 --- /dev/null +++ b/distro/pkg/deb/knot-resolver-module-http.install @@ -0,0 +1,7 @@ +usr/lib/knot-resolver/kres_modules/http*.lua +usr/lib/knot-resolver/kres_modules/prometheus.lua +usr/lib/knot-resolver/kres_modules/http/*.css +usr/lib/knot-resolver/kres_modules/http/*.ico +usr/lib/knot-resolver/kres_modules/http/*.js +usr/lib/knot-resolver/kres_modules/http/*.tpl +usr/lib/knot-resolver/kres_modules/http/*.woff2 diff --git a/distro/pkg/deb/knot-resolver-module-http.links b/distro/pkg/deb/knot-resolver-module-http.links new file mode 100644 index 0000000..4963c5c --- /dev/null +++ b/distro/pkg/deb/knot-resolver-module-http.links @@ -0,0 +1,5 @@ +usr/share/javascript/bootstrap/css/bootstrap-theme.min.css usr/lib/knot-resolver/kres_modules/http/bootstrap-theme.min.css +usr/share/javascript/bootstrap/css/bootstrap.min.css usr/lib/knot-resolver/kres_modules/http/bootstrap.min.css +usr/share/javascript/bootstrap/js/bootstrap.min.js usr/lib/knot-resolver/kres_modules/http/bootstrap.min.js +usr/share/javascript/d3/d3.min.js usr/lib/knot-resolver/kres_modules/http/d3.js +usr/share/javascript/jquery/jquery.min.js usr/lib/knot-resolver/kres_modules/http/jquery.js diff --git a/distro/pkg/deb/knot-resolver-module-http.preinst b/distro/pkg/deb/knot-resolver-module-http.preinst new file mode 100644 index 0000000..c2bd87d --- /dev/null +++ b/distro/pkg/deb/knot-resolver-module-http.preinst @@ -0,0 +1,26 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-3.0-or-later +set -e + +# upgrade-4-to-5 +if [ -f /lib/systemd/system/kresd-doh.socket ] ; then + export UPG_DIR=/var/lib/knot-resolver/.upgrade-4-to-5 + mkdir -p ${UPG_DIR} + touch ${UPG_DIR}/.unfinished + + for sock in kresd-webmgmt.socket kresd-doh.socket ; do + if systemctl is-enabled ${sock} 2>/dev/null | grep -qv masked ; then + systemctl show ${sock} -p Listen > ${UPG_DIR}/${sock} + case "$(systemctl show ${sock} -p BindIPv6Only)" in + *ipv6-only) + touch ${UPG_DIR}/${sock}.v6only + ;; + *default) + if cat /proc/sys/net/ipv6/bindv6only | grep -q 1 ; then + touch ${UPG_DIR}/${sock}.v6only + fi + ;; + esac + fi + done +fi diff --git a/distro/pkg/deb/knot-resolver.dirs b/distro/pkg/deb/knot-resolver.dirs new file mode 100644 index 0000000..f8981d8 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.dirs @@ -0,0 +1,2 @@ +/var/lib/knot-resolver +/var/cache/knot-resolver diff --git a/distro/pkg/deb/knot-resolver.docs b/distro/pkg/deb/knot-resolver.docs new file mode 100644 index 0000000..8e919d0 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.docs @@ -0,0 +1,4 @@ +debian/tmp/usr/share/doc/knot-resolver/AUTHORS +debian/tmp/usr/share/doc/knot-resolver/COPYING +debian/tmp/usr/share/doc/knot-resolver/NEWS +debian/tmp/usr/share/doc/knot-resolver/examples diff --git a/distro/pkg/deb/knot-resolver.install b/distro/pkg/deb/knot-resolver.install new file mode 100644 index 0000000..7e4af15 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.install @@ -0,0 +1,38 @@ +etc/knot-resolver/kresd.conf +usr/lib/systemd/system/kresd@.service lib/systemd/system/ +usr/lib/systemd/system/kres-cache-gc.service lib/systemd/system/ +usr/lib/systemd/system/kresd.target lib/systemd/system/ +usr/lib/*.so.* +usr/lib/tmpfiles.d/knot-resolver.conf +usr/lib/knot-resolver/*.so +usr/lib/knot-resolver/*.lua +usr/lib/knot-resolver/kres_modules/bogus_log.so +usr/lib/knot-resolver/kres_modules/edns_keepalive.so +usr/lib/knot-resolver/kres_modules/extended_error.so +usr/lib/knot-resolver/kres_modules/hints.so +usr/lib/knot-resolver/kres_modules/nsid.so +usr/lib/knot-resolver/kres_modules/refuse_nord.so +usr/lib/knot-resolver/kres_modules/stats.so +usr/lib/knot-resolver/kres_modules/daf.lua +usr/lib/knot-resolver/kres_modules/daf/* +usr/lib/knot-resolver/kres_modules/detect_time_jump.lua +usr/lib/knot-resolver/kres_modules/detect_time_skew.lua +usr/lib/knot-resolver/kres_modules/dns64.lua +usr/lib/knot-resolver/kres_modules/experimental_dot_auth.lua +usr/lib/knot-resolver/kres_modules/graphite.lua +usr/lib/knot-resolver/kres_modules/policy.lua +usr/lib/knot-resolver/kres_modules/predict.lua +usr/lib/knot-resolver/kres_modules/prefill.lua +usr/lib/knot-resolver/kres_modules/priming.lua +usr/lib/knot-resolver/kres_modules/rebinding.lua +usr/lib/knot-resolver/kres_modules/renumber.lua +usr/lib/knot-resolver/kres_modules/serve_stale.lua +usr/lib/knot-resolver/kres_modules/ta_sentinel.lua +usr/lib/knot-resolver/kres_modules/ta_signal_query.lua +usr/lib/knot-resolver/kres_modules/ta_update.lua +usr/lib/knot-resolver/kres_modules/view.lua +usr/lib/knot-resolver/kres_modules/watchdog.lua +usr/lib/knot-resolver/kres_modules/workarounds.lua +usr/sbin/kresc +usr/sbin/kresd +usr/sbin/kres-cache-gc diff --git a/distro/pkg/deb/knot-resolver.links b/distro/pkg/deb/knot-resolver.links new file mode 100644 index 0000000..8196524 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.links @@ -0,0 +1,2 @@ +dev/null lib/systemd/system/kresd.service +lib/systemd/system/kresd.target lib/systemd/system/multi-user.target.wants/kresd.target diff --git a/distro/pkg/deb/knot-resolver.manpages b/distro/pkg/deb/knot-resolver.manpages new file mode 100644 index 0000000..101a4ac --- /dev/null +++ b/distro/pkg/deb/knot-resolver.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man8/kresd.8* +debian/tmp/usr/share/man/man7/kresd.systemd.7* diff --git a/distro/pkg/deb/knot-resolver.postinst b/distro/pkg/deb/knot-resolver.postinst new file mode 100644 index 0000000..fb2bce2 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.postinst @@ -0,0 +1,38 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-3.0-or-later +set -e + +# upgrade-4-to-5 +export UPG_DIR=/var/lib/knot-resolver/.upgrade-4-to-5 +if [ -f ${UPG_DIR}/.unfinished ] ; then + rm -f ${UPG_DIR}/.unfinished + kresd -c /usr/lib/knot-resolver/upgrade-4-to-5.lua >/dev/null 2>/dev/null + echo "\n !!! WARNING !!!" + echo "Knot Resolver configuration file requires manual upgrade.\n" + cat ${UPG_DIR}/kresd.conf.net 2>/dev/null +fi + +if [ "$1" = "configure" ]; then + adduser --quiet --system --group --no-create-home --home /var/cache/knot-resolver knot-resolver +fi + +# Restart any running kresd instances if the root key is updated. +# Note: if knot-resolver upstream watches this file and reloads it +# upon a change, we can and should remove this trigger. +if [ "$1" = "triggered" ]; then + if [ "$2" = "/usr/share/dns/root.key" ]; then + # use daemon-reload to load any unit changes + systemctl daemon-reload || true + # systemctl of the sub-services is the preferred method to restart + systemctl try-restart 'kresd@*.service' kres-cache-gc.service || true + fi + exit 0 +fi + +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then + systemctl daemon-reload || true + systemd-tmpfiles --create /usr/lib/tmpfiles.d/knot-resolver.conf + systemctl try-restart 'kresd@*.service' kres-cache-gc.service || true +fi + +#DEBHELPER# diff --git a/distro/pkg/deb/knot-resolver.postrm b/distro/pkg/deb/knot-resolver.postrm new file mode 100644 index 0000000..4c8a1ea --- /dev/null +++ b/distro/pkg/deb/knot-resolver.postrm @@ -0,0 +1,9 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-3.0-or-later +set -e + +if [ "$1" = "remove" ]; then + systemctl stop system-kresd.slice || true +fi + +#DEBHELPER# diff --git a/distro/pkg/deb/knot-resolver.preinst b/distro/pkg/deb/knot-resolver.preinst new file mode 100644 index 0000000..1f8f589 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.preinst @@ -0,0 +1,26 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-3.0-or-later +set -e + +# upgrade-4-to-5 +if [ -f /lib/systemd/system/kresd.socket ] ; then + export UPG_DIR=/var/lib/knot-resolver/.upgrade-4-to-5 + mkdir -p ${UPG_DIR} + touch ${UPG_DIR}/.unfinished + + for sock in kresd.socket kresd-tls.socket ; do + if systemctl is-enabled ${sock} 2>/dev/null | grep -qv masked ; then + systemctl show ${sock} -p Listen > ${UPG_DIR}/${sock} + case "$(systemctl show ${sock} -p BindIPv6Only)" in + *ipv6-only) + touch ${UPG_DIR}/${sock}.v6only + ;; + *default) + if cat /proc/sys/net/ipv6/bindv6only | grep -q 1 ; then + touch ${UPG_DIR}/${sock}.v6only + fi + ;; + esac + fi + done +fi diff --git a/distro/pkg/deb/knot-resolver.triggers b/distro/pkg/deb/knot-resolver.triggers new file mode 100644 index 0000000..e8d8246 --- /dev/null +++ b/distro/pkg/deb/knot-resolver.triggers @@ -0,0 +1 @@ +interest-noawait /usr/share/dns/root.key diff --git a/distro/pkg/deb/not-installed b/distro/pkg/deb/not-installed new file mode 100644 index 0000000..f527e79 --- /dev/null +++ b/distro/pkg/deb/not-installed @@ -0,0 +1,7 @@ +usr/lib/knot-resolver/kres_modules/http/LICENSE +usr/lib/knot-resolver/kres_modules/etcd.lua +debian/tmp/usr/share/doc/knot-resolver/html/.buildinfo +usr/include/libkres/*.h +usr/lib/*.so +usr/lib/pkgconfig/libkres.pc +usr/lib/sysusers.d/knot-resolver.conf diff --git a/distro/pkg/deb/rules b/distro/pkg/deb/rules new file mode 100755 index 0000000..c577476 --- /dev/null +++ b/distro/pkg/deb/rules @@ -0,0 +1,51 @@ +#!/usr/bin/make -f +# SPDX-License-Identifier: GPL-3.0-or-later + +# see FEATURE AREAS in dpkg-buildflags(1) +export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie + +# see ENVIRONMENT in dpkg-buildflags(1) +# package maintainers to append CFLAGS +export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -fno-omit-frame-pointer +# package maintainers to append LDFLAGS +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed + +# see EXAMPLES in dpkg-buildflags(1) and read /usr/share/dpkg/* +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/default.mk + +export ARCH=$(DEB_HOST_GNU_CPU) + +%: + dh $@ + +override_dh_auto_build: + meson build_deb \ + --buildtype=plain \ + --prefix=/usr \ + --libdir=lib \ + -Ddoc=enabled \ + -Dsystemd_files=enabled \ + -Dclient=enabled \ + -Ddnstap=enabled \ + -Dkeyfile_default=/usr/share/dns/root.key \ + -Droot_hints=/usr/share/dns/root.hints \ + -Dinstall_kresd_conf=enabled \ + -Dunit_tests=enabled \ + -Dmalloc=jemalloc \ + -Dc_args="$${CFLAGS}" \ + -Dc_link_args="$${LDFLAGS}" + ninja -v -C build_deb + ninja -v -C build_deb doc + +override_dh_auto_install: + DESTDIR="${PWD}/debian/tmp" ninja -v -C build_deb install + +override_dh_auto_test: + meson test -C build_deb + +override_dh_missing: + dh_missing --fail-missing + +override_dh_strip: + dh_strip --dbg-package=knot-resolver-dbg diff --git a/distro/pkg/deb/source/format b/distro/pkg/deb/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/distro/pkg/deb/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/distro/pkg/nix/default.nix b/distro/pkg/nix/default.nix new file mode 100644 index 0000000..16c66d0 --- /dev/null +++ b/distro/pkg/nix/default.nix @@ -0,0 +1,126 @@ +{ lib, stdenv, fetchurl +# native deps. +, runCommand, pkg-config, meson, ninja, makeWrapper +# build+runtime deps. +, knot-dns, luajitPackages, libuv, gnutls, lmdb +, jemalloc, systemd, libcap_ng, dns-root-data, nghttp2 # optionals, in principle +# test-only deps. +, cmocka, which, cacert +, extraFeatures ? false /* catch-all if defaults aren't enough */ +}: +let # un-indented, over the whole file + +result = if extraFeatures then wrapped-full else unwrapped; + +inherit (lib) optional optionals optionalString; +lua = luajitPackages; + +unwrapped = stdenv.mkDerivation rec { + pname = "knot-resolver"; + version = "{{ version }}"; + + src = fetchurl { + url = "https://secure.nic.cz/files/knot-resolver/${pname}-${version}.tar.xz"; + sha256 = "{{ src_hash }}"; + }; + + outputs = [ "out" "dev" ]; + + # Path fixups for the NixOS service. + postPatch = '' + patch meson.build <<EOF + @@ -50,2 +50,2 @@ + -systemd_work_dir = prefix / get_option('localstatedir') / 'lib' / 'knot-resolver' + -systemd_cache_dir = prefix / get_option('localstatedir') / 'cache' / 'knot-resolver' + +systemd_work_dir = '/var/lib/knot-resolver' + +systemd_cache_dir = '/var/cache/knot-resolver' + EOF + + # ExecStart can't be overwritten in overrides. + # We need that to use wrapped executable and correct config file. + sed '/^ExecStart=/d' -i systemd/kresd@.service.in + '' + # some tests have issues with network sandboxing, apparently + + optionalString doInstallCheck '' + echo 'os.exit(77)' > daemon/lua/trust_anchors.test/bootstrap.test.lua + sed -E '/^[[:blank:]]*test_(dstaddr|headers),?$/d' -i \ + tests/config/doh2.test.lua modules/http/http_doh.test.lua + ''; + + preConfigure = '' + patchShebangs scripts/ + ''; + + nativeBuildInputs = [ pkg-config meson ninja ]; + + # http://knot-resolver.readthedocs.io/en/latest/build.html#requirements + buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ] + ++ optionals stdenv.isLinux [ systemd libcap_ng ] + ++ [ jemalloc nghttp2 ] + ## optional dependencies; TODO: dnstap + ; + + mesonFlags = [ + "-Dkeyfile_default=${dns-root-data}/root.ds" + "-Droot_hints=${dns-root-data}/root.hints" + "-Dinstall_kresd_conf=disabled" # not really useful; examples are inside share/doc/ + "-Dmalloc=jemalloc" + "--default-library=static" # not used by anyone + ] + ++ optional doInstallCheck "-Dunit_tests=enabled" + ++ optional (doInstallCheck && !stdenv.isDarwin) "-Dconfig_tests=enabled" + ++ optional stdenv.isLinux "-Dsystemd_files=enabled" # used by NixOS service + #"-Dextra_tests=enabled" # not suitable as in-distro tests; many deps, too. + ; + + postInstall = '' + rm "$out"/lib/libkres.a + rm "$out"/lib/knot-resolver/upgrade-4-to-5.lua # not meaningful on NixOS + '' + optionalString stdenv.targetPlatform.isLinux '' + rm -r "$out"/lib/sysusers.d/ # ATM more likely to harm than help + ''; + + doInstallCheck = with stdenv; hostPlatform == buildPlatform + && !(isDarwin && isAarch64); # avoid luarocks, as it's broken ATM on the platform + installCheckInputs = [ cmocka which cacert lua.cqueues lua.basexx lua.http ]; + installCheckPhase = '' + meson test --print-errorlogs + ''; + + meta = with lib; { + description = "Caching validating DNS resolver, from .cz domain registry"; + homepage = "https://knot-resolver.cz"; + license = licenses.gpl3Plus; + platforms = platforms.unix; + maintainers = [ maintainers.vcunat /* upstream developer */ ]; + }; +}; + +wrapped-full = runCommand unwrapped.name + { + nativeBuildInputs = [ makeWrapper ]; + buildInputs = with luajitPackages; [ + # For http module, prefill module, trust anchor bootstrap. + # It brings lots of deps; some are useful elsewhere (e.g. cqueues). + http + # psl isn't in nixpkgs yet, but policy.slice_randomize_psl() seems not important. + ]; + preferLocalBuild = true; + allowSubstitutes = false; + } + '' + mkdir -p "$out"/bin + makeWrapper '${unwrapped}/bin/kresd' "$out"/bin/kresd \ + --set LUA_PATH "$LUA_PATH" \ + --set LUA_CPATH "$LUA_CPATH" + + ln -sr '${unwrapped}/share' "$out"/ + ln -sr '${unwrapped}/lib' "$out"/ # useful in NixOS service + ln -sr "$out"/{bin,sbin} + + echo "Checking that 'http' module loads, i.e. lua search paths work:" + echo "modules.load('http')" > test-http.lua + echo -e 'quit()' | env -i "$out"/bin/kresd -a 127.0.0.1#53535 -c test-http.lua + ''; + +in result diff --git a/distro/pkg/nix/top-level.nix b/distro/pkg/nix/top-level.nix new file mode 100644 index 0000000..bdd3360 --- /dev/null +++ b/distro/pkg/nix/top-level.nix @@ -0,0 +1,12 @@ +with import <nixpkgs> {}; + +(callPackage ./. { +}).overrideAttrs (attrs: { + src = ./knot-resolver-{{ version }}.tar.xz; + + # This just breaks in our GitLab CI (not locally and not on hydra.nixos.org) + installCheckPhase = '' + meson test --print-errorlogs --no-suite snowflake + ''; +}) + diff --git a/distro/pkg/rpm/knot-resolver.spec b/distro/pkg/rpm/knot-resolver.spec new file mode 100644 index 0000000..0a7e283 --- /dev/null +++ b/distro/pkg/rpm/knot-resolver.spec @@ -0,0 +1,384 @@ +# SPDX-License-Identifier: GPL-3.0-or-later + +%global _hardened_build 1 +%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}} + +%define GPG_CHECK 0 +%define repodir %{_builddir}/%{name}-%{version} +%define NINJA ninja-build + +Name: knot-resolver +Version: {{ version }} +Release: cznic.{{ release }}%{?dist} +Summary: Caching full DNS Resolver + +License: GPL-3.0-or-later +URL: https://www.knot-resolver.cz/ +Source0: knot-resolver-%{version}.tar.xz + +# LuaJIT only on these arches +%if 0%{?rhel} == 7 +# RHEL 7 does not have aarch64 LuaJIT +ExclusiveArch: %{ix86} x86_64 +%else +ExclusiveArch: %{arm} aarch64 %{ix86} x86_64 +%endif + +%if 0%{GPG_CHECK} +Source1: knot-resolver-%{version}.tar.xz.asc +# PGP keys used to sign upstream releases +# Export with --armor using command from https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures +# Don't forget to update %%prep section when adding/removing keys +# This key is from: https://secure.nic.cz/files/knot-resolver/kresd-keyblock.asc +Source100: kresd-keyblock.asc +BuildRequires: gnupg2 +%endif + +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: meson +BuildRequires: pkgconfig(cmocka) +BuildRequires: pkgconfig(gnutls) +BuildRequires: pkgconfig(libedit) +BuildRequires: pkgconfig(libknot) >= 3.0.2 +BuildRequires: pkgconfig(libzscanner) >= 3.0.2 +BuildRequires: pkgconfig(libdnssec) >= 3.0.2 +BuildRequires: pkgconfig(libnghttp2) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libcap-ng) +BuildRequires: pkgconfig(libuv) +BuildRequires: pkgconfig(luajit) >= 2.0 +BuildRequires: jemalloc-devel + +Requires: systemd +Requires(post): systemd + +# dnstap module dependencies +# SUSE is missing protoc-c protobuf compiler +%if "x%{?suse_version}" == "x" +BuildRequires: pkgconfig(libfstrm) +BuildRequires: pkgconfig(libprotobuf-c) +%endif + +# Distro-dependent dependencies +%if 0%{?rhel} == 7 +BuildRequires: lmdb-devel +# Lua 5.1 version of the libraries have different package names +Requires: lua-basexx +Requires: lua-psl +Requires: lua-http +Requires(pre): shadow-utils +%endif +%if 0%{?fedora} || 0%{?rhel} > 7 +BuildRequires: pkgconfig(lmdb) +BuildRequires: python3-sphinx +Requires: lua5.1-basexx +Requires: lua5.1-cqueues +Requires: lua5.1-http +Recommends: lua5.1-psl +Requires(pre): shadow-utils +%endif + +# we do not build HTTP module on SuSE so the build requires is not needed +%if "x%{?suse_version}" == "x" +BuildRequires: openssl-devel +%endif + +%if 0%{?suse_version} +%define NINJA ninja +BuildRequires: lmdb-devel +BuildRequires: python3-Sphinx +Requires(pre): shadow +%endif + +%if "x%{?rhel}" == "x" +# dependencies for doc package +# NOTE: doc isn't possible to build on CentOS 7, 8 +# python2-sphinx is too old and python36-breathe is broken on CentOS 7 +# python3-breathe isn't available for CentOS 8 (yet? rhbz#1808766) +BuildRequires: doxygen +BuildRequires: python3-breathe +BuildRequires: python3-sphinx_rtd_theme +BuildRequires: texinfo +%endif + +%description +The Knot Resolver is a DNSSEC-enabled caching full resolver implementation +written in C and LuaJIT, including both a resolver library and a daemon. +Modular architecture of the library keeps the core tiny and efficient, and +provides a state-machine like API for extensions. + +The package is pre-configured as local caching resolver. +To start using it, start a single kresd instance: +$ systemctl start kresd@1.service + +%package devel +Summary: Development headers for Knot Resolver +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The package contains development headers for Knot Resolver. + +%if "x%{?rhel}" == "x" +%package doc +Summary: Documentation for Knot Resolver +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Documentation for Knot Resolver +%endif + +%if "x%{?suse_version}" == "x" +%package module-dnstap +Summary: dnstap module for Knot Resolver +Requires: %{name} = %{version}-%{release} + +%description module-dnstap +dnstap module for Knot Resolver supports logging DNS responses to a unix socket +in dnstap format using fstrm framing library. This logging is useful if you +need effectively log all DNS traffic. +%endif + +%if "x%{?suse_version}" == "x" +%package module-http +Summary: HTTP module for Knot Resolver +Requires: %{name} = %{version}-%{release} +%if 0%{?fedora} || 0%{?rhel} > 7 +Requires: lua5.1-http +Requires: lua5.1-mmdb +%else +Requires: lua-http +Requires: lua-mmdb +%endif + +%description module-http +HTTP module for Knot Resolver can serve as API endpoint for other modules or +provide a web interface for local visualization of the resolver cache and +queries. It can also serve DNS-over-HTTPS, but it is deprecated in favor of +native C implementation, which doesn't require this package. +%endif + +%prep +%if 0%{GPG_CHECK} +export GNUPGHOME=./gpg-keyring +mkdir -m 700 ${GNUPGHOME} +gpg2 --import %{SOURCE100} +gpg2 --verify %{SOURCE1} %{SOURCE0} +%endif +%setup -q -n %{name}-%{version} + +%build +CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" meson build_rpm \ +%if "x%{?rhel}" == "x" + -Ddoc=enabled \ +%endif + -Dsystemd_files=enabled \ + -Dclient=enabled \ +%if "x%{?suse_version}" == "x" + -Ddnstap=enabled \ +%endif + -Dunit_tests=enabled \ + -Dmanaged_ta=enabled \ + -Dkeyfile_default="%{_sharedstatedir}/knot-resolver/root.keys" \ + -Dinstall_root_keys=enabled \ + -Dinstall_kresd_conf=enabled \ + -Dmalloc=jemalloc \ + --buildtype=plain \ + --prefix="%{_prefix}" \ + --sbindir="%{_sbindir}" \ + --libdir="%{_libdir}" \ + --includedir="%{_includedir}" \ + --sysconfdir="%{_sysconfdir}" \ + +%{NINJA} -v -C build_rpm +%if "x%{?rhel}" == "x" +%{NINJA} -v -C build_rpm doc +%endif + +%check +meson test -C build_rpm + +%install +DESTDIR="${RPM_BUILD_ROOT}" %{NINJA} -v -C build_rpm install + +# add kresd.target to multi-user.target.wants to support enabling kresd services +install -m 0755 -d %{buildroot}%{_unitdir}/multi-user.target.wants +ln -s ../kresd.target %{buildroot}%{_unitdir}/multi-user.target.wants/kresd.target + +# remove modules with missing dependencies +rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/etcd.lua + +# remove unused sysusers +rm %{buildroot}%{_prefix}/lib/sysusers.d/knot-resolver.conf + +%if 0%{?suse_version} +rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua +rm -r %{buildroot}%{_libdir}/knot-resolver/kres_modules/http +rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http*.lua +rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/prometheus.lua +%endif + +# rename doc directory for centos 7, opensuse +%if 0%{?suse_version} || 0%{?rhel} == 7 +install -m 755 -d %{buildroot}/%{_pkgdocdir} +mv %{buildroot}/%{_datadir}/doc/%{name}/* %{buildroot}/%{_pkgdocdir}/ +%endif + +%pre +getent group knot-resolver >/dev/null || groupadd -r knot-resolver +getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysconfdir}/knot-resolver -s /sbin/nologin -c "Knot Resolver" knot-resolver + +%if "x%{?rhel}" == "x" +# upgrade-4-to-5 +if [ -f %{_unitdir}/kresd.socket ] ; then + export UPG_DIR=%{_sharedstatedir}/knot-resolver/.upgrade-4-to-5 + mkdir -p ${UPG_DIR} + touch ${UPG_DIR}/.unfinished + + for sock in kresd.socket kresd-tls.socket kresd-webmgmt.socket kresd-doh.socket ; do + if systemctl is-enabled ${sock} 2>/dev/null | grep -qv masked ; then + systemctl show ${sock} -p Listen > ${UPG_DIR}/${sock} + case "$(systemctl show ${sock} -p BindIPv6Only)" in + *ipv6-only) + touch ${UPG_DIR}/${sock}.v6only + ;; + *default) + if cat /proc/sys/net/ipv6/bindv6only | grep -q 1 ; then + touch ${UPG_DIR}/${sock}.v6only + fi + ;; + esac + fi + done +fi +%endif + + +%post +# upgrade-4-to-5 +%if "x%{?rhel}" == "x" +export UPG_DIR=%{_sharedstatedir}/knot-resolver/.upgrade-4-to-5 +if [ -f ${UPG_DIR}/.unfinished ] ; then + rm -f ${UPG_DIR}/.unfinished + kresd -c %{_libdir}/knot-resolver/upgrade-4-to-5.lua &>/dev/null + echo -e "\n !!! WARNING !!!" + echo -e "Knot Resolver configuration file requires manual upgrade.\n" + cat ${UPG_DIR}/kresd.conf.net 2>/dev/null +fi +%endif + +# 5.0.1 fix to force restart of kres-cache-gc.service, which was missing in systemd_postun_with_restart +# TODO: remove once most users upgrade to 5.0.1+ +systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 2 ] ; then + systemctl try-restart kres-cache-gc.service >/dev/null 2>&1 || : +fi + +# systemd_post macro is not needed for anything (calls systemctl preset) +%tmpfiles_create %{_tmpfilesdir}/knot-resolver.conf +%if "x%{?fedora}" == "x" +/sbin/ldconfig +%endif + +%preun +%systemd_preun kres-cache-gc.service kresd.target + +%postun +%systemd_postun_with_restart 'kresd@*.service' kres-cache-gc.service +%if "x%{?fedora}" == "x" +/sbin/ldconfig +%endif + +%files +%dir %{_pkgdocdir} +%license %{_pkgdocdir}/COPYING +%doc %{_pkgdocdir}/AUTHORS +%doc %{_pkgdocdir}/NEWS +%doc %{_pkgdocdir}/examples +%dir %{_sysconfdir}/knot-resolver +%config(noreplace) %{_sysconfdir}/knot-resolver/kresd.conf +%config(noreplace) %{_sysconfdir}/knot-resolver/root.hints +%{_sysconfdir}/knot-resolver/icann-ca.pem +%attr(750,knot-resolver,knot-resolver) %dir %{_sharedstatedir}/knot-resolver +%attr(640,knot-resolver,knot-resolver) %{_sharedstatedir}/knot-resolver/root.keys +%{_unitdir}/kresd@.service +%{_unitdir}/kres-cache-gc.service +%{_unitdir}/kresd.target +%dir %{_unitdir}/multi-user.target.wants +%{_unitdir}/multi-user.target.wants/kresd.target +%{_mandir}/man7/kresd.systemd.7.gz +%{_tmpfilesdir}/knot-resolver.conf +%ghost /run/%{name} +%ghost %{_localstatedir}/cache/%{name} +%attr(750,knot-resolver,knot-resolver) %dir %{_libdir}/%{name} +%{_sbindir}/kresd +%{_sbindir}/kresc +%{_sbindir}/kres-cache-gc +%{_libdir}/libkres.so.* +%dir %{_libdir}/knot-resolver +%{_libdir}/knot-resolver/*.so +%{_libdir}/knot-resolver/*.lua +%dir %{_libdir}/knot-resolver/kres_modules +%{_libdir}/knot-resolver/kres_modules/bogus_log.so +%{_libdir}/knot-resolver/kres_modules/edns_keepalive.so +%{_libdir}/knot-resolver/kres_modules/extended_error.so +%{_libdir}/knot-resolver/kres_modules/hints.so +%{_libdir}/knot-resolver/kres_modules/nsid.so +%{_libdir}/knot-resolver/kres_modules/refuse_nord.so +%{_libdir}/knot-resolver/kres_modules/stats.so +%{_libdir}/knot-resolver/kres_modules/daf +%{_libdir}/knot-resolver/kres_modules/daf.lua +%{_libdir}/knot-resolver/kres_modules/detect_time_jump.lua +%{_libdir}/knot-resolver/kres_modules/detect_time_skew.lua +%{_libdir}/knot-resolver/kres_modules/dns64.lua +%if "x%{?suse_version}" == "x" +%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua +%endif +%{_libdir}/knot-resolver/kres_modules/graphite.lua +%{_libdir}/knot-resolver/kres_modules/policy.lua +%{_libdir}/knot-resolver/kres_modules/predict.lua +%{_libdir}/knot-resolver/kres_modules/prefill.lua +%{_libdir}/knot-resolver/kres_modules/priming.lua +%{_libdir}/knot-resolver/kres_modules/rebinding.lua +%{_libdir}/knot-resolver/kres_modules/renumber.lua +%{_libdir}/knot-resolver/kres_modules/serve_stale.lua +%{_libdir}/knot-resolver/kres_modules/ta_sentinel.lua +%{_libdir}/knot-resolver/kres_modules/ta_signal_query.lua +%{_libdir}/knot-resolver/kres_modules/ta_update.lua +%{_libdir}/knot-resolver/kres_modules/view.lua +%{_libdir}/knot-resolver/kres_modules/watchdog.lua +%{_libdir}/knot-resolver/kres_modules/workarounds.lua +%{_mandir}/man8/kresd.8.gz + +%files devel +%{_includedir}/libkres +%{_libdir}/pkgconfig/libkres.pc +%{_libdir}/libkres.so + +%if "x%{?rhel}" == "x" +%files doc +%dir %{_pkgdocdir} +%doc %{_pkgdocdir}/html +%doc %{_datadir}/info/knot-resolver.info* +%dir %{_datadir}/info/knot-resolver-figures +%doc %{_datadir}/info/knot-resolver-figures/* +%endif + +%if "x%{?suse_version}" == "x" +%files module-dnstap +%{_libdir}/knot-resolver/kres_modules/dnstap.so +%endif + +%if "x%{?suse_version}" == "x" +%files module-http +%{_libdir}/knot-resolver/debug_opensslkeylog.so +%{_libdir}/knot-resolver/kres_modules/http +%{_libdir}/knot-resolver/kres_modules/http*.lua +%{_libdir}/knot-resolver/kres_modules/prometheus.lua +%endif + +%changelog +* {{ now }} Jakub Ružička <jakub.ruzicka@nic.cz> - {{ version }}-{{ release }} +- upstream package +- see NEWS or https://www.knot-resolver.cz/ |