[opendnssec] * Initial package

Paul Wouters pwouters at fedoraproject.org
Tue Mar 27 02:29:50 UTC 2012


commit 14d52d44e6b0b46c6e3a4cff7c18caa53d53126b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 26 22:29:33 2012 -0400

    * Initial package

 .gitignore            |    1 +
 conf.xml              |   84 ++++++++++++++++++++++++++
 ods-enforcerd.init    |  106 +++++++++++++++++++++++++++++++++
 ods-enforcerd.service |   12 ++++
 ods-signerd.init      |  112 ++++++++++++++++++++++++++++++++++
 ods-signerd.service   |   14 ++++
 ods.sysconfig         |    2 +
 opendnssec.spec       |  158 +++++++++++++++++++++++++++++++++++++++++++++++++
 sources               |    1 +
 9 files changed, 490 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..d6549ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/opendnssec-1.4.0a1.tar.gz
diff --git a/conf.xml b/conf.xml
new file mode 100644
index 0000000..8d684e6
--- /dev/null
+++ b/conf.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<Configuration>
+
+	<RepositoryList>
+
+		<Repository name="SoftHSM">
+			<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
+			<TokenLabel>OpenDNSSEC</TokenLabel>
+			<PIN>1234</PIN>
+<!--
+			# Disabled so it stores the public key in the HSM too,
+			# so bind's dnssec-signzone can be used as well
+			<SkipPublicKey/>
+-->
+		</Repository>
+
+<!--
+		<Repository name="sca6000">
+			<Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
+			<TokenLabel>Sun Metaslot</TokenLabel>
+			<PIN>test:1234</PIN>
+			<Capacity>255</Capacity>
+			<RequireBackup/>
+			<SkipPublicKey/>
+		</Repository>
+-->
+
+	</RepositoryList>
+
+	<Common>
+		<Logging>
+			<Syslog><Facility>local0</Facility></Syslog>
+		</Logging>
+		
+		<PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
+		<ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
+
+	<!--
+		<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
+	-->
+	</Common>
+
+	<Enforcer>
+		<Privileges>
+			<User>ods</User>
+			<Group>ods</Group>
+		</Privileges>
+
+		<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
+		<Interval>PT3600S</Interval>
+		<!-- <ManualKeyGeneration/> -->
+		<!-- <RolloverNotification>P14D</RolloverNotification> -->
+		
+		<!-- the <DelegationSignerSubmitCommand> will get all current
+		     DNSKEYs (as a RRset) on standard input
+		-->
+		<!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
+	</Enforcer>
+
+	<Signer>
+		<Privileges>
+			<User>ods</User>
+			<Group>ods</Group>
+		</Privileges>
+
+		<WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
+		<WorkerThreads>4</WorkerThreads>
+<!--
+		<SignerThreads>4</SignerThreads>
+-->
+
+		<!-- the <NotifyCommmand> will expand the following variables:
+
+		     %zone      the name of the zone that was signed
+		     %zonefile  the filename of the signed zone
+		<NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
+		-->
+<!--
+		<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
+-->
+	</Signer>
+
+</Configuration>
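Review bot: The active SoftHSM repository ships with the fixed user PIN `<PIN>1234</PIN>`, and the `%post` scriptlet in opendnssec.spec in this same commit initialises the token with `--pin 1234 --so-pin 1234`, so every installation starts with the same well-known user and SO PIN in front of its zone-signing keys. Consider generating a per-host PIN at first install and writing it into conf.xml, or at minimum add a comment above the element such as `<!-- packaged default PIN: change it here and on the token before generating production keys -->`. The module path `/usr/lib64/softhsm/libsofthsm.so` is also hard-coded, which presumably will not resolve on builds where `%{_libdir}` is `/usr/lib`.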
diff --git a/ods-enforcerd.init b/ods-enforcerd.init
new file mode 100644
index 0000000..c131e77
--- /dev/null
+++ b/ods-enforcerd.init
@@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# ods-enforcerd:         Starts the OpenDNSSEC Enforcer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
+# processname: /usr/sbin/ods-enforcerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-enforcerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
+# Description: control OpenDNSSEC enforcer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
+ODS_ENFORCERD_OPT=""
+ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
+ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_ENFORCERD_CONF ] || exit 5
+  [ -x $ODS_ENFORCERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-enforcerd:"
+  $ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-enforcerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-enforcerd: "
+    killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+    retval=$?
+    if [ $retval -eq 0 ] ; then
+       rm -f $ODS_ENFORCERD_PIDFILE
+       rm -f /var/lock/subsys/ods-enforcerd
+       success
+    else
+       failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-enforcerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?
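Review bot: `[ -d $PIDDIR ] || mkdir -p $PIDDIR` in start() recreates the pid directory as root with the default mode, whereas the spec packages `/var/run/opendnssec` as `0770 root:ods`. On a tmpfs /var/run the daemon may then be unable to write or remove its pid file once it has dropped to the `ods` account configured in conf.xml (worth confirming against when the daemon writes the file). `install -d -m 0770 -o root -g ods "$PIDDIR"` would keep the two in sync; the same line appears in start() of ods-signerd.init. The path variables are also expanded unquoted throughout (`[ -f $ODS_ENFORCERD_CONF ]`, `rm -f $ODS_ENFORCERD_PIDFILE`), and since `/etc/sysconfig/ods` can override them, quoting each expansion would be safer.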
diff --git a/ods-enforcerd.service b/ods-enforcerd.service
new file mode 100644
index 0000000..b660d86
--- /dev/null
+++ b/ods-enforcerd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+
+[Install]
+WantedBy=multi-user.target
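Review bot: The unit sets no `User=` or `Group=`, so the daemon is started as root and the drop to `ods` depends entirely on the `<Privileges>` block in conf.xml; that is worth stating in the unit itself, e.g. `# Starts as root; drops to ods:ods via <Privileges> in /etc/opendnssec/conf.xml`. `PIDFile=/var/run/opendnssec/enforcerd.pid` also relies on that directory existing at boot, which the spec leaves to a tmpfiles.d snippet (`Source5`) that is not part of this commit's diffstat.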
diff --git a/ods-signerd.init b/ods-signerd.init
new file mode 100644
index 0000000..4e3289d
--- /dev/null
+++ b/ods-signerd.init
@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# ods-signerd:         Starts the OpenDNSSEC Signer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
+# processname: /usr/sbin/ods-signerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-signerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
+# Description: control OpenDNSSEC signer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
+ODS_SIGNERD_OPT=""
+ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
+ODS_SIGNER_PROG="/usr/sbin/ods-signer"
+ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_SIGNERD_CONF ] || exit 5
+  [ -x $ODS_SIGNERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-signerd:"
+# ods-signerd is lying about supporting -c conf.file option :(
+#  $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
+  $ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-signerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-signerd: "
+  #$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
+  # seems that this loses our settings :(
+  /usr/sbin/ods-signer stop
+  RETVAL=$?
+  [ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
+  if [ $RETVAL -eq 0 ] ; then
+     rm -f $ODS_SIGNERD_PIDFILE
+     rm -f /var/lock/subsys/ods-signerd
+     success
+  else
+     failure
+  fi
+  echo
+  return $RETVAL
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-signerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?
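Review bot: In stop(), `RETVAL` is taken from `/usr/sbin/ods-signer stop` and never updated after the `killproc` fallback, so when the fallback is what actually stops the daemon the function still reports failure and leaves the pid file and `/var/lock/subsys/ods-signerd` behind, and a later `condrestart` then acts on stale state. Capturing the fallback's status fixes that: `[ "$RETVAL" -eq 0 ] || { killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1; RETVAL=$?; }`. The hard-coded `/usr/sbin/ods-signer` should use `$ODS_SIGNER_PROG`, which is defined at the top but only referenced in a commented-out line.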
diff --git a/ods-signerd.service b/ods-signerd.service
new file mode 100644
index 0000000..d6d5060
--- /dev/null
+++ b/ods-signerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target
+
+[Service]
+Type=simple
+PIDFile=/var/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d ODS_SIGNERD_OPT
+After=ods-enforcerd
+Wants=ods-enforcerd
+
+[Install]
+WantedBy=multi-user.target
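Review bot: `ExecStart=/usr/sbin/ods-signerd -d ODS_SIGNERD_OPT` is missing the `$`, so the literal string `ODS_SIGNERD_OPT` is passed to the daemon as an argument and the value from `/etc/sysconfig/ods` is never used; it should read `ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT`. `After=ods-enforcerd` and `Wants=ods-enforcerd` sit under `[Service]`, where systemd does not treat them as ordering or dependency settings, so the signer is not actually ordered after the enforcer; move them into `[Unit]` as `After=ods-enforcerd.service` and `Wants=ods-enforcerd.service`. `PIDFile=` is combined with `Type=simple` here, where it is not needed to track the main process.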
diff --git a/ods.sysconfig b/ods.sysconfig
new file mode 100644
index 0000000..1cf67f2
--- /dev/null
+++ b/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
diff --git a/opendnssec.spec b/opendnssec.spec
new file mode 100644
index 0000000..ccc762a
--- /dev/null
+++ b/opendnssec.spec
@@ -0,0 +1,158 @@
+Summary: DNSSEC key and zone management software
+Name: opendnssec
+Version: 1.4.0
+Release: 0.a1%{?dist}.2
+License: BSD
+Url: http://www.opendnssec.org/
+#Source: http://www.opendnssec.org/files/source/% {name}-% {version}a1.tar.gz
+Source: http://www.opendnssec.org/files/source/testing/%{name}-%{version}a1.tar.gz
+Source1: ods-enforcerd.service
+Source2: ods-signerd.service
+Source3: ods.sysconfig
+Source4: conf.xml
+Source5: tmpfiles-opendnssec.conf
+Source6: opendnssec-LICENSE
+Group: Applications/System
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires: opencryptoki, softhsm, systemd-units
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel , openssl-devel
+BuildRequires: libxml2-devel CUnit-devel, doxygen
+Requires(pre): shadow-utils
+Requires(post): systemd-sysv
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description
+OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
+It secures zone data just before it is published in an authoritative
+name server. It requires a PKCS#11 crypto module library, such as softhsm
+
+%prep
+%setup -q -n %{name}-%{version}a1
+
+%build
+%configure --with-ldns=%{_libdir}
+make %{?_smp_mflags}
+
+%check
+# Requires sample db not shipped with upstream
+# make check
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}/var/opendnssec/{tmp,signed,signconf}
+
+# cleanup sample files
+rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig 
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
+install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
+# Install tmpfiles.d config
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/tmpfiles.d/opendnssec.conf
+
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
+
+
+%clean
+rm -rf %{buildroot}
+
+%files 
+%defattr(-,root,root)
+%{_unitdir}/ods-enforcerd.service
+%{_unitdir}/ods-signerd.service
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/opendnssec.conf
+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%doc NEWS README %{SOURCE6}
+%{_mandir}/*/*
+%{_sbindir}/*
+%{_bindir}/*
+%attr(0755,root,root) %dir %{_prefix}/share/%{name}
+%{_prefix}/share/%{name}/*
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
+-c "opendnssec daemon account" ods
+exit 0
+
+%post
+if [ $1 -eq 1 ] ; then
+    # Initial installation 
+    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+fi
+# Initialise a slot on the softhsm on first install
+if [ "$1" -eq 1 ]; then
+        softhsm --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
+fi
+
+%preun
+if [ $1 -eq 0 ]; then
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable ods-signerd.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ods-signerd.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable ods-enforcerd.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ods-enforcerd.service > /dev/null 2>&1 || :
+fi
+
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    /bin/systemctl try-restart ods-enforcerd.service >/dev/null 2>&1 || :
+    /bin/systemctl try-restart ods-signerd.service >/dev/null 2>&1 || :
+fi
+
+%changelog
+* Mon Mar 26 2012 Paul Wouters <pwouters at redhat.com> - 1.4.0-0.a1.2
+- Added opendnssec LICENSE file from trunk (Thanks Jakob!) 
+
+* Mon Mar 26 2012 Paul Wouters <pwouters at redhat.com> - 1.4.0-0.a1.1
+- Fix macros in comment
+- Added missing -m to install target
+
+* Sun Mar 25 2012 Paul Wouters <pwouters at redhat.com> - 1.4.0-0.a1
+- The 1.4.x branch no longer needs ruby, as the auditor has been removed
+- Added missing openssl-devel BuildRequire
+- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
+
+* Fri Feb 24 2012 Paul Wouters <pwouters at redhat.com> - 1.3.6-3
+- Requires rubygem-soap4r when using ruby-1.9
+- Don't ghost /var/run/opendnssec
+- Converted initd to systemd
+
+* Thu Nov 24 2011 root - 1.3.2-6
+- Added rubygem-dnsruby requires as rpm does not pick it up automatically
+
+* Tue Nov 22 2011 root - 1.3.2-5
+- Added /var/opendnssec/signconf/ /as this temp dir is needed
+
+* Mon Nov 21 2011 Paul Wouters <paul at xelerance.com> - 1.3.2-4
+- Added /var/opendnssec/signed/ as this is the default output dir
+
+* Sun Nov 20 2011 Paul Wouters <paul at xelerance.com> - 1.3.2-3
+- Add ods user for opendnssec tasks
+- Added initscripts and services for ods-signerd and ods-enforcerd
+- Initialise OpenDNSSEC softhsm token on first install
+
+* Wed Oct 05 2011 Paul Wouters <paul at xelerance.com> - 1.3.2-1
+- Updated to 1.3.2
+- Added dependancies on opencryptoki and softhsm
+- Don't install duplicate unreadable .sample files
+- Fix upstream conf.xml to point to actually used library paths
+
+* Thu Mar  3 2011 Paul Wouters <paul at xelerance.com> - 1.2.0-1
+- Initial package for Fedora 
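Review bot: `%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml` gives the `ods` service account write access to conf.xml, which holds the PKCS#11 `<Module>` path, the `<Privileges>` block and the notify/submit command settings, and which is presumably parsed while the daemons are still running as root. Unless tooling run as `ods` has to rewrite these files, `%attr(0640,root,ods)` keeps the HSM PIN readable by the daemon without letting a compromised service account change what the next start loads or runs. The `softhsm --init-token` call in `%post` has no `|| :` guard, unlike the `systemctl` lines around it, so a failure there fails the scriptlet; it also runs as root, so the resulting token store may not be accessible to `ods` (worth confirming). `Source5: tmpfiles-opendnssec.conf` and `Source6: opendnssec-LICENSE` are referenced but neither file appears in this commit's diffstat.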
diff --git a/sources b/sources
index e69de29..e57d259 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+c7e00424dbbf87ccf4667f3b397b0aa1  opendnssec-1.4.0a1.tar.gz

