[bind] Rework the chroot setup/destruction workflow

Tomas Hozza thozza at fedoraproject.org
Tue Dec 17 16:15:14 UTC 2013


commit 7eb562bbab26218331bc2cc99a405e6730992dbb
Author: Tomas Hozza <thozza at redhat.com>
Date:   Tue Dec 17 17:08:42 2013 +0100

    Rework the chroot setup/destruction workflow
    
    - Split chroot package for named and named-sdb
    - Extract setting-up/destroying of chroot to a separate systemd service (#997030)
    
    Signed-off-by: Tomas Hozza <thozza at redhat.com>

 bind.spec                      |  129 ++++++++++++++++++++++++++++++++++++++--
 named-chroot-setup.service     |   12 ++++
 named-chroot.service           |    5 +-
 named-sdb-chroot-setup.service |   12 ++++
 named-sdb-chroot.service       |   13 ++--
 named-sdb.service              |    3 +-
 named-setup-rndc.service       |    7 ++
 named.service                  |    3 +-
 setup-named-chroot.sh          |    2 +-
 9 files changed, 168 insertions(+), 18 deletions(-)
---
diff --git a/bind.spec b/bind.spec
index 576f320..000e817 100644
--- a/bind.spec
+++ b/bind.spec
@@ -22,12 +22,15 @@
 %{?!developer: %global developer 0}
 %global        bind_dir          /var/named
 %global        chroot_prefix     %{bind_dir}/chroot
+%if %{SDB}
+%global        chroot_sdb_prefix %{bind_dir}/chroot_sdb
+%endif
 #
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  9%{?PATCHVER}%{?PREVER}%{?dist}
+Release:  10%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -56,6 +59,9 @@ Source40: named-sdb-chroot.service
 Source41: setup-named-chroot.sh
 Source42: generate-rndc-key.sh
 Source43: named.rwtab
+Source44: named-chroot-setup.service
+Source45: named-sdb-chroot-setup.service
+Source46: named-setup-rndc.service
 
 # Common patches
 Patch5:  bind-nonexec.patch
@@ -251,6 +257,21 @@ This package contains a tree of files which can be used as a
 chroot(2) jail for the named(8) program from the BIND package.
 Based on the code from Jan "Yenya" Kasprzak <kas at fi.muni.cz>
 
+%if %{SDB}
+%package sdb-chroot
+Summary:        A chroot runtime environment for the ISC BIND DNS server, named-sdb(8)
+Group:          System Environment/Daemons
+Prefix:         %{chroot_prefix}
+Requires:       bind-sdb
+Requires:       systemd-units
+
+%description sdb-chroot
+This package contains a tree of files which can be used as a
+chroot(2) jail for the named-sdb(8) program from the BIND package.
+Based on the code from Jan "Yenya" Kasprzak <kas at fi.muni.cz>
+%endif
+
+
 %prep
 %setup -q -n %{name}-%{VERSION}
 
@@ -444,6 +465,29 @@ touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/localtime
 touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
 #end chroot
 
+#sdb-chroot
+%if %{SDB}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp}
+
+# create symlink as it is on real filesystem
+pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var
+ln -s ../run run
+popd
+
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind
+# these are required to prevent them being erased during upgrade of previous
+# versions that included them (bug #130121):
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/null
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/random
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/zero
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/localtime
+
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf
+%endif
+#end sdb-chroot
+
 make DESTDIR=${RPM_BUILD_ROOT} install
 
 # Remove unwanted files
@@ -453,10 +497,14 @@ rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
 mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
+
 %if %{SDB}
 install -m 644 %{SOURCE39} ${RPM_BUILD_ROOT}%{_unitdir}
-%endif
 install -m 644 %{SOURCE40} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE45} ${RPM_BUILD_ROOT}%{_unitdir}
+%endif
 
 mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
 install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
@@ -593,7 +641,6 @@ fi
 
 %post chroot
 %systemd_post named-chroot.service
-%systemd_post named-sdb-chroot.service
 if [ "$1" -gt 0 ]; then
   [ -e %{chroot_prefix}/dev/random ] || \
     /bin/mknod %{chroot_prefix}/dev/random c 1 8
@@ -614,7 +661,6 @@ fi;
 
 %preun chroot
 %systemd_preun named-chroot.service 
-%systemd_preun named-sdb-chroot.service 
 if [ "$1" -eq 0 ]; then
   # Package removal, not upgrade
   rm -f %{chroot_prefix}/dev/{random,zero,null}
@@ -625,8 +671,45 @@ fi
 %postun chroot
 # Package upgrade, not uninstall
 %systemd_postun_with_restart named-chroot.service
+
+
+%if %{SDB}
+
+%post sdb-chroot
+%systemd_post named-sdb-chroot.service
+if [ "$1" -gt 0 ]; then
+  [ -e %{chroot_sdb_prefix}/dev/random ] || \
+    /bin/mknod %{chroot_sdb_prefix}/dev/random c 1 8
+  [ -e %{chroot_sdb_prefix}/dev/zero ] || \
+    /bin/mknod %{chroot_sdb_prefix}/dev/zero c 1 5
+  [ -e %{chroot_sdb_prefix}/dev/null ] || \
+    /bin/mknod %{chroot_sdb_prefix}/dev/null c 1 3
+  rm -f %{chroot_sdb_prefix}/etc/localtime
+  cp /etc/localtime %{chroot_sdb_prefix}/etc/localtime
+fi;
+:;
+
+%posttrans sdb-chroot
+if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_sdb_prefix}/dev/* > /dev/null 2>&1;
+fi;
+:;
+
+%preun sdb-chroot
+%systemd_preun named-sdb-chroot.service 
+if [ "$1" -eq 0 ]; then
+  # Package removal, not upgrade
+  rm -f %{chroot_sdb_prefix}/dev/{random,zero,null}
+  rm -f %{chroot_sdb_prefix}/etc/localtime
+fi
+:;
+
+%postun sdb-chroot
+# Package upgrade, not uninstall
 %systemd_postun_with_restart named-sdb-chroot.service
 
+%endif
+
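Review bot: The `%post`, `%posttrans`, `%preun` and `%postun` scriptlets for `sdb-chroot` are a verbatim copy of the `chroot` ones with only the prefix macro swapped, so any later fix to the device-node or localtime handling has to be applied twice; a parameterised macro (e.g. `%define chroot_scriptlets(p) ...` taking the prefix) or a shared shell snippet would keep the two trees in step. A smaller point on the `mknod` lines: the mode of the created nodes is whatever the scriptlet umask leaves, which is not pinned anywhere in this hunk; if named needs to write the chroot's /dev/null an explicit `chmod` after `mknod` would make that deterministic, though the existing `chroot` package has the same pattern so this may already be known to work. The `%install` hunk above duplicates the mkdir/touch block in the same way.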
 %clean
 rm -rf ${RPM_BUILD_ROOT}
 :;
@@ -640,6 +723,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sysconfdir}/tmpfiles.d/named.conf
 %{_sysconfdir}/rwtab.d/named
 %{_unitdir}/named.service
+%{_unitdir}/named-setup-rndc.service
 %{_sysconfdir}/NetworkManager/dispatcher.d/13-named
 %{_sbindir}/named-journalprint
 %{_sbindir}/named-checkconf
@@ -770,7 +854,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %files chroot
 %defattr(-,root,root,-)
 %{_unitdir}/named-chroot.service
-%{_unitdir}/named-sdb-chroot.service
+%{_unitdir}/named-chroot-setup.service
 %{_libexecdir}/setup-named-chroot.sh
 %ghost %{chroot_prefix}/dev/null
 %ghost %{chroot_prefix}/dev/random
@@ -796,6 +880,37 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{chroot_prefix}/usr
 %dir %{chroot_prefix}/%{_libdir}
 
+%if %{SDB}
+%files sdb-chroot
+%defattr(-,root,root,-)
+%{_unitdir}/named-sdb-chroot.service
+%{_unitdir}/named-sdb-chroot-setup.service
+%{_libexecdir}/setup-named-chroot.sh
+%ghost %{chroot_sdb_prefix}/dev/null
+%ghost %{chroot_sdb_prefix}/dev/random
+%ghost %{chroot_sdb_prefix}/dev/zero
+%ghost %{chroot_sdb_prefix}/etc/localtime
+%defattr(0640,root,named,0750)
+%dir %{chroot_sdb_prefix}
+%dir %{chroot_sdb_prefix}/dev
+%dir %{chroot_sdb_prefix}/etc
+%dir %{chroot_sdb_prefix}/etc/named
+%dir %{chroot_sdb_prefix}/etc/pki
+%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
+%dir %{chroot_sdb_prefix}/var
+%dir %{chroot_sdb_prefix}/run
+%dir %{chroot_sdb_prefix}/var/named
+%dir %{chroot_sdb_prefix}/%{_libdir}/bind
+%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf
+%defattr(0660,named,named,0770)
+%dir %{chroot_sdb_prefix}/run/named
+%dir %{chroot_sdb_prefix}/var/tmp
+%dir %{chroot_sdb_prefix}/var/log
+%{chroot_sdb_prefix}/var/run
+%dir %{chroot_sdb_prefix}/usr
+%dir %{chroot_sdb_prefix}/%{_libdir}
+%endif
+
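Review bot: `%{_libexecdir}/setup-named-chroot.sh` is now owned by both `chroot` (unchanged line in the previous hunk) and `sdb-chroot` (this hunk). rpm tolerates that only while both subpackages ship byte-identical copies with identical attributes from the same build, and it makes ownership on erase/verify ambiguous; since both subpackages depend on a bind package anyway, moving the script into a single owner (the main `bind` package or a small common subpackage) would avoid the shared ownership. Confirm that `bind-sdb` pulls in `bind` before relying on the main package as the owner.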
 %if %{PKCS11}
 %files pkcs11
 %defattr(-,root,root,-)
@@ -807,6 +922,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Tue Dec 17 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.4-10
+- Split chroot package for named and named-sdb
+- Extract setting-up/destroying of chroot to a separate systemd service (#997030)
+
 * Thu Nov 28 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.4-9
 - Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687)
 
diff --git a/named-chroot-setup.service b/named-chroot-setup.service
new file mode 100644
index 0000000..9870a88
--- /dev/null
+++ b/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
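Review bot: The unit does not say why chroot set-up lives in a separate unit, which is the whole point of the change (#997030 in the commit message); a header comment such as `# Separate oneshot so that BindsTo= tears the chroot mounts down whenever named-chroot.service stops, not only on a clean ExecStopPost.` would save the next reader from reconstructing it from the spec. The same applies to named-sdb-chroot-setup.service below. Style: the double blank line before `[Service]` is inconsistent with the other unit files in this commit.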
diff --git a/named-chroot.service b/named-chroot.service
index f11533c..39d3700 100644
--- a/named-chroot.service
+++ b/named-chroot.service
@@ -5,8 +5,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Requires=named-chroot-setup.service
 Before=nss-lookup.target
 After=network.target
+After=named-chroot-setup.service
 
 [Service]
 Type=forking
@@ -14,15 +16,12 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/var/named/chroot/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
-ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
 ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
 ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS
 
 ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
 
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
 
 PrivateTmp=false
 
diff --git a/named-sdb-chroot-setup.service b/named-sdb-chroot-setup.service
new file mode 100644
index 0000000..0967a60
--- /dev/null
+++ b/named-sdb-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named-sdb
+BindsTo=named-sdb-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off
diff --git a/named-sdb-chroot.service b/named-sdb-chroot.service
index 23b632b..09b7974 100644
--- a/named-sdb-chroot.service
+++ b/named-sdb-chroot.service
@@ -1,28 +1,27 @@
-# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
 # line to your /etc/rsyslog.conf file. Otherwise your logging becomes
 # broken when rsyslogd daemon is restarted (due update, for example).
 
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Requires=named-sdb-chroot-setup.service
 Before=nss-lookup.target
 After=network.target
+After=named-sdb-chroot-setup.service
 
 [Service]
 Type=forking
 EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
-PIDFile=/var/named/chroot/run/named/named.pid
+PIDFile=/var/named/chroot_sdb/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
-ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
-ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
-ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot $OPTIONS
+ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot_sdb -z /etc/named.conf
+ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot_sdb $OPTIONS
 
 ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
 
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
 
 PrivateTmp=false
 
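Review bot: The updated `PIDFile=/var/named/chroot_sdb/run/named/named.pid` lives under a directory that the %files hunk in bind.spec marks `0770 named:named`, so the PID systemd takes as MAINPID (and signals on stop via `kill -TERM $MAINPID`) is writable by the unprivileged service user; a compromised named could point it at another process. This is inherited from the existing named-chroot.service, but since the line is being rewritten here it is worth recording as a known limitation, e.g. `# PIDFile is in a named-writable directory; MAINPID is only as trustworthy as the daemon.` Running named in the foreground (`-f`) with `Type=simple` would remove the PIDFile dependency entirely, if the packaging is willing to change the service type.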
diff --git a/named-sdb.service b/named-sdb.service
index ef3f6ab..e0cd31c 100644
--- a/named-sdb.service
+++ b/named-sdb.service
@@ -1,8 +1,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Wants=named-setup-rndc.service
 Before=nss-lookup.target
 After=network.target
+After=named-setup-rndc.service
 
 [Service]
 Type=forking
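Review bot: Replacing the `ExecStartPre=/usr/libexec/generate-rndc-key.sh` line with `Wants=named-setup-rndc.service` changes failure semantics: an ExecStartPre failure aborted the start, whereas a wanted unit that fails does not stop named from starting, so named may now come up without an rndc key and `rndc reload`/`rndc stop` will silently fall back to `kill`. If that tolerance is intended, a comment next to the `Wants=` line saying so would help; if not, `Requires=named-setup-rndc.service` keeps the old behaviour. The same change is made in named.service below and, via `Wants=`, in both new chroot-setup units.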
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
 ExecStart=/usr/sbin/named-sdb -u named $OPTIONS
 
diff --git a/named-setup-rndc.service b/named-setup-rndc.service
new file mode 100644
index 0000000..ff85e3c
--- /dev/null
+++ b/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh
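Review bot: With `Type=oneshot` and no `RemainAfterExit=yes` the unit returns to inactive after each run, so the key generator is executed again on every start of any of the four units that `Wants=` it. That is harmless if generate-rndc-key.sh only creates a missing key (the script is not in this commit, so I cannot confirm), but it would be clearer to state the intent with a `ConditionPathExists=!<key file>` on the key path or `RemainAfterExit=yes`, and to add a one-line comment above `[Unit]` noting that the script is expected to be idempotent.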
diff --git a/named.service b/named.service
index f04403b..7e48c89 100644
--- a/named.service
+++ b/named.service
@@ -1,8 +1,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Wants=named-setup-rndc.service
 Before=nss-lookup.target
 After=network.target
+After=named-setup-rndc.service
 
 [Service]
 Type=forking
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
 ExecStart=/usr/sbin/named -u named $OPTIONS
 
diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh
index 9f96278..8de494b 100755
--- a/setup-named-chroot.sh
+++ b/setup-named-chroot.sh
@@ -44,7 +44,7 @@ mount_chroot_conf()
         # Mount source is a directory. Mount it only if directory in chroot is
         # empty.
         if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
-          mount --rbind "$all" "$ROOTDIR$all"
+          mount --bind --make-private "$all" "$ROOTDIR$all"
         fi
       fi
     done
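Review bot: `mount --bind --make-private` combines a bind mount and a propagation change in a single mount(8) invocation, which mount(8) documents as supported only from util-linux 2.23 (and marked experimental there); on an older target release the safer form is two calls, `mount --bind "$all" "$ROOTDIR$all"` followed by `mount --make-private "$ROOTDIR$all"`. Dropping `--rbind` also means sub-mounts under the source directory no longer appear inside the chroot, which is presumably intended but deserves a comment on the `mount` line. The private propagation is a good defensive change, since unmounts inside the chroot can no longer propagate back to the host tree. The enclosing mount_chroot_conf() starts before this hunk, and the unchanged emptiness test above it still parses `ls` on an unquoted `$ROOTDIR$all`.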

