diff --git a/dnscrypt b/dnscrypt
deleted file mode 100644
index aa61e2c..0000000
--- a/dnscrypt
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-# wrapper to feed dnscrypt-proxy with user config
-
-if test -f /etc/sysconfig/dnscrypt; then
- source /etc/sysconfig/dnscrypt
-fi
-
-/usr/sbin/dnscrypt-proxy \
- ${DNSCRYPT_LOCAL_ADDRESS:+--local-address "$DNSCRYPT_LOCAL_ADDRESS"} \
- ${DNSCRYPT_USER:+--user "$DNSCRYPT_USER"} \
- --resolver-name "${DNSCRYPT_RESOLVER_NAME:-cisco}" \
- ${DNSCRYPT_EPHEMERAL_KEYS:+--ephemeral-keys} \
- ${DNSCRYPT_LOGFILE:+--logfile "$DNSCRYPT_LOGFILE"} \
- ${DNSCRYPT_PLUGIN1:+--plugin "$DNSCRYPT_PLUGIN1"} \
- ${DNSCRYPT_PLUGIN2:+--plugin "$DNSCRYPT_PLUGIN2"} \
- ${DNSCRYPT_PLUGIN3:+--plugin "$DNSCRYPT_PLUGIN3"} \
- ${DNSCRYPT_PLUGIN4:+--plugin "$DNSCRYPT_PLUGIN4"} \
- ${DNSCRYPT_OPTIONS} \
- "$@"
diff --git a/dnscrypt-proxy.changes b/dnscrypt-proxy.changes
index 74a129c..0f7eec5 100644
--- a/dnscrypt-proxy.changes
+++ b/dnscrypt-proxy.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Sat Aug 13 13:52:25 UTC 2016 - i@marguerite.su
+
+- switched to systemd template service. in the future, users
+ should use 'sudo systemctl start dnscrypt-proxy@127.0.0.1:53.service'
+ to start the service. any local address can be used.
+- dropped dnscrypt-proxy.socket again. the listen address in the
+ socket can't be substituted at runtime that makes it impossible
+ to use multiple instances. and it doesn't work together with
+ the forking method in our systemd service.
+- move pidfile and logfile into their own directories. in previous
+ submit, we finnaly used the user 'dnscrypt' to start the job, but
+ that user doesn't have write permission for /var/run and /var/log.
+- dropped the /usr/sbin/dnscrypt wrapper that broke the systemd
+ service from forking. we used EnvironmentFile in systemd service
+ to load the user-customizable variables.
+- changed /etc/sysconfig/dnscrypt to /etc/sysconfig/dnscrypt-proxy.
+ deleted those plugin items that can't be loaded by systemd. users
+ can use DNSCRYPT_OPTIONS to configure the plugins anyway, no need
+ to keep those placeholders.
+
 -------------------------------------------------------------------
 Sat Aug 6 04:14:25 UTC 2016 - i@marguerite.su
 
diff --git a/dnscrypt-proxy.spec b/dnscrypt-proxy.spec
index cc77c6d..af7577b 100644
--- a/dnscrypt-proxy.spec
+++ b/dnscrypt-proxy.spec
@@ -25,10 +25,10 @@ Group: Productivity/Networking/DNS/Utilities
 #Git-Url: https://github.com/jedisct1/dnscrypt-proxy
 Url: https://dnscrypt.org
 Source: https://download.dnscrypt.org/dnscrypt-proxy/%{name}-%{version}.tar.bz2
-Source1: %{name}.service
-Source2: dnscrypt
-Source3: sysconfig.dnscrypt
+Source1: %{name}@.service
+Source3: sysconfig.%{name}
 Source4: https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
+Source5: %{name}.tmpfile
 BuildRequires: libsodium-devel
 BuildRequires: libtool
 BuildRequires: pkg-config
@@ -78,12 +78,11 @@ make %{?_smp_mflags}
 
 install -d -m 755 %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE1} %{buildroot}%{_unitdir}
-install -m 644 dnscrypt-proxy.socket %{buildroot}%{_unitdir}
-install -d -m 755 %{buildroot}%{_sbindir}
-install -m 755 %{SOURCE2} %{buildroot}%{_sbindir}
 install -m 755 -d %{buildroot}%{_localstatedir}/adm/fillup-templates
 install -m 644 -D %{SOURCE3} %{buildroot}%{_localstatedir}/adm/fillup-templates
 install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/%{name}/dnscrypt-resolvers.csv
+install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/
+install -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 find %{buildroot} -name "*.la" -delete -print
 
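Review bot: The tmpfiles snippet is installed under `%{buildroot}%{_libexecdir}/tmpfiles.d/`, while `%post` in the next hunk activates it as `%{_tmpfilesdir}/%{name}.conf` and `%files` packages the `%{_libexecdir}` path; the two locations coincide only while `%{_libexecdir}` expands to `/usr/lib`, so on a release where it does not, `%tmpfiles_create` points at a file the package never shipped and the runtime directories are not created at install time. Use the systemd macro consistently in all three places: `install -d -m 755 %{buildroot}%{_tmpfilesdir}`, `install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf`, and `%{_tmpfilesdir}/%{name}.conf` in `%files`. The `%install` section continues outside this hunk.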
@@ -97,43 +96,45 @@ if ! %{_bindir}/getent passwd dnscrypt >/dev/null; then -r -s /bin/false dnscrypt 2>/dev/null || : fi %if 0%{?suse_version} >= 1210 -%service_add_pre %{name}.service +%service_add_pre %{name}@.service %post -%service_add_post %{name}.service -%{fillup_only -n dnscrypt} +%service_add_post %{name}@.service +%if 0%{?suse_version} > 1320 +%tmpfiles_create %{_tmpfilesdir}/%{name}.conf +%endif +%{fillup_only -n %{name}} %preun -%service_del_preun %{name}.service +%service_del_preun %{name}@.service %postun -%service_del_postun %{name}.service +%service_del_postun %{name}@.service %else # non-systemd %post -%{fillup_only -n dnscrypt} +%{fillup_only -n %{name}} %endif %files %defattr(-,root,root) %doc AUTHORS ChangeLog README COPYING NEWS DNSCRYPT-V2-PROTOCOL.txt THANKS %{_bindir}/hostip -%{_sbindir}/dnscrypt %{_sbindir}/%{name} %{_sbindir}/rc%{name} -%{_unitdir}/%{name}.service -%{_unitdir}/%{name}.socket +%{_unitdir}/%{name}@.service %{_mandir}/man8/hostip.8%{ext_man} %{_mandir}/man8/%{name}.8%{ext_man} %dir %{_datadir}/%{name} %{_datadir}/%{name}/dnscrypt-resolvers.csv %{_datadir}/%{name}/minisign.pub -%{_localstatedir}/adm/fillup-templates/sysconfig.dnscrypt +%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %dir %{_libdir}/%{name} %{_libdir}/%{name}/libdcplugin_example.so %{_libdir}/%{name}/libdcplugin_example_logging.so +%{_libexecdir}/tmpfiles.d/%{name}.conf %files devel %defattr(-,root,root) diff --git a/dnscrypt-proxy.tmpfile b/dnscrypt-proxy.tmpfile new file mode 100644 index 0000000..7e3727e --- /dev/null +++ b/dnscrypt-proxy.tmpfile @@ -0,0 +1,2 @@ +d /var/run/dnscrypt-proxy 0755 dnscrypt dnscrypt +d /var/log/dnscrypt-proxy 0755 dnscrypt dnscrypt diff --git a/dnscrypt-proxy.service b/dnscrypt-proxy@.service similarity index 62% rename from dnscrypt-proxy.service rename to dnscrypt-proxy@.service index 14f00e0..87bcf1e 100644 --- a/dnscrypt-proxy.service +++ b/dnscrypt-proxy@.service 
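Review bot: `%tmpfiles_create` is guarded by `suse_version > 1320`, but the template unit in the following section needs `/var/run/dnscrypt-proxy` to exist for its `PIDFile=` on every release the `>= 1210` systemd branch covers; on the intermediate releases nothing creates that directory until the next boot, so the first `systemctl start` after installation presumably fails. If the guard exists because the macro is missing on those releases, add an `%else` branch that calls the tool directly, `%{_bindir}/systemd-tmpfiles --create %{name}.conf || :`, so installation behaves the same everywhere. The `%post` scriptlet is complete within this hunk; `%files devel` continues outside it.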
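Review bot: Both entries make the new directories owned by the unprivileged `dnscrypt` user, and the first of them is where the unit's `PIDFile=` lives; a PID file writable by the service user is a file systemd later trusts to identify and signal the main process, which is exactly the state a compromised daemon could use to misdirect `systemctl stop` or `restart` at another process (recent systemd releases validate PID file ownership for this reason, older ones do not). If dnscrypt-proxy writes its PID file before it drops privileges — to be confirmed against the daemon — the runtime directory can stay root-owned, `d /run/dnscrypt-proxy 0755 root root -`, and only the log directory needs to belong to `dnscrypt`. Independently, `/var/run` is a compatibility symlink to `/run` on systemd systems; tmpfiles.d snippets conventionally name `/run/...` directly, and the unit's `PIDFile=` should then use the same path.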
@@ -3,37 +3,36 @@ # Version: 1.7.0 # Description: dnscrypt is a tool that encrypts your DNS queries in order to # protect against man-in-the-middle attacks and DNS hijacking -# (commonly seen in China). It uses OpenDNS resolvers by default. +# (commonly seen in China). It uses CiscoDNS resolvers by default. # It is BSD-licensed. # In openSUSE it's licensed under SuSE-Permissive (non-free ware). # For details, refer to its documentation. [Unit] Description=Secure connection between your computer and a DNS resolver Documentation=man:dnscrypt-proxy(8) -Requires=dnscrypt-proxy.socket -After=network.target ntp.service # NTP always has local servers, and there's nothing to encrypt for time. # and ntp.service isn't native systemd service, if we start before it, # it will take a long time to sync. just save 20000+ms on boot. +After=network.target ntp.service Before=nss-lookup.target [Service] Type=forking NonBlocking=true -PIDFile=/var/run/dnscrypt-proxy.pid -# Execute a wrapper that calls the dnscrypt-proxy with config from -# /etc/sysconfig/dnscrypt and substitutes defaults that cannot be passed -# to ExecStart in combination with EnvironmentFile -ExecStart=/usr/sbin/dnscrypt \ +PIDFile=/var/run/dnscrypt-proxy/dnscrypt-proxy@%i.pid +EnvironmentFile=-/etc/sysconfig/dnscrypt-proxy +ExecStart=/usr/sbin/dnscrypt-proxy \ --daemonize \ - --pidfile=/var/run/dnscrypt-proxy.pid \ - --user=dnscrypt \ - --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv \ - --logfile=/var/log/dnscrypt-proxy.log + --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy@%i.pid \ + --local-address=%i \ + --user=${DNSCRYPT_USER} \ + --resolver-name=${DNSCRYPT_RESOLVER_NAME} \ + ${DNSCRYPT_EPHEMERAL_KEYS} \ + ${DNSCRYPT_OPTIONS} \ + --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy@%i.log \ + --loglevel=${DNSCRYPT_LOGLEVEL} # Automatically Restart Restart=on-abort [Install] -Also=dnscrypt-proxy.socket WantedBy=multi-user.target -Alias=dnscrypt.service 
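Review bot: The `${...}` expansions in the new `ExecStart` each yield exactly one argument even when the variable is empty, so with the shipped `DNSCRYPT_OPTIONS=""` the daemon receives a literal empty-string argument, a value holding several options (`--plugin ... --plugin ...`) arrives as one argument, and `--user=${DNSCRYPT_USER}` always passes `--user=` — the sysconfig comment promising that an empty value omits `--user` no longer holds with this unit. For the option-bag variables use the unbraced form, which word-splits and drops empty values: `$DNSCRYPT_EPHEMERAL_KEYS \` and `$DNSCRYPT_OPTIONS \`. `EnvironmentFile=-` also tolerates a missing sysconfig file, in which case `--user=`, `--resolver-name=` and `--loglevel=` are all passed empty; either drop the `-` so a missing file is a visible start failure, or add a comment above the line, `# /etc/sysconfig/dnscrypt-proxy is required: every ${...} below is passed verbatim`, so the dependency is documented.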
diff --git a/sysconfig.dnscrypt b/sysconfig.dnscrypt
deleted file mode 100644
index 9641631..0000000
--- a/sysconfig.dnscrypt
+++ /dev/null
@@ -1,107 +0,0 @@
-## Path: Network/DNS/DNSCrypt
-## Description: Local address
-## Type: string
-## Default: ""
-#
-# Address and port where the dnscrypt-proxy daemon listens. Format is
-# address:port, with dnscrypt-proxy's default 127.0.0.1:53 .
-#
-DNSCRYPT_LOCAL_ADDRESS=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Run daemon under specified user
-## Type: string
-## Default: "dnscrypt"
-#
-# The recommended user is 'dnscrypt' but the empty value will not pass
-# any --user parameter to dnscrypt-proxy if this is desired by the user.
-#
-DNSCRYPT_USER=dnscrypt
-
-## Path: Network/DNS/DNSCrypt
-## Description: Resolver name
-## Type: string
-## Default: "cisco"
-#
-# Short name of resolver, see /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
-# for the full list.
-#
-# If the value is empty, the default is substituted.
-#
-DNSCRYPT_RESOLVER_NAME=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Log file
-## Type: string
-## Default: "/var/log/dnscrypt-proxy.log"
-#
-# Use the given log file instead of standard out, where the output is possibly
-# grabbed by the system logger.
-#
-DNSCRYPT_LOGFILE=/var/log/dnscrypt-proxy.log
-
-## Path: Network/DNS/DNSCrypt
-## Description: Log level
-## Type: string
-## Default: ""
-#
-# Don't log events with priority above this level after the service has been
-# started up. Default is the value for LOG_INFO.
-#
-# NOTE: currently unused
-#
-DNSCRYPT_LOGLEVEL=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Optional plugin (1)
-## Type: string
-## Default: ""
-#
-# Use the given dnscrypt plugin.
-#
-DNSCRYPT_PLUGIN1=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Optional plugin (2)
-## Type: string
-## Default: ""
-#
-# Use the given dnscrypt plugin.
-#
-DNSCRYPT_PLUGIN2=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Optional plugin (3)
-## Type: string
-## Default: ""
-#
-# Use the given dnscrypt plugin.
-#
-DNSCRYPT_PLUGIN3=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Optional plugin (4)
-## Type: string
-## Default: ""
-#
-# Use the given dnscrypt plugin.
-#
-DNSCRYPT_PLUGIN4=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Other options
-## Type: string
-## Default: ""
-#
-# Additional user options
-#
-DNSCRYPT_OPTIONS=
-
-## Path: Network/DNS/DNSCrypt
-## Description: Use ephemeral keys
-## Type: string
-## Default: "yes"
-#
-# Enable ephemeral keys for connections.
-#
-DNSCRYPT_EPHEMERAL_KEYS=
diff --git a/sysconfig.dnscrypt-proxy b/sysconfig.dnscrypt-proxy
new file mode 100644
index 0000000..e400a65
--- /dev/null
+++ b/sysconfig.dnscrypt-proxy
@@ -0,0 +1,57 @@
+## Path: Network/DNS/DNSCrypt
+## Description: Run daemon under specified user
+## Type: string
+## Default: "dnscrypt"
+#
+# The recommended user is 'dnscrypt' but the empty value will not pass
+# any --user parameter to dnscrypt-proxy if this is desired by the user.
+#
+DNSCRYPT_USER="dnscrypt"
+
+## Path: Network/DNS/DNSCrypt
+## Description: Resolver name
+## Type: string
+## Default: "cisco"
+#
+# Short name of resolver, see /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
+# for the full list.
+#
+DNSCRYPT_RESOLVER_NAME="cisco"
+
+## Path: Network/DNS/DNSCrypt
+## Description: Log level
+## Type: string
+## Default: "7"
+#
+# Don't log events with priority above this level after the service has been
+# started up.
+#
+# Valid values are:
+# 0 (system is unusable)
+# 1 (action must be taken immediately)
+# 2 (critical conditions)
+# 3 (error conditions)
+# 4 (warning conditions)
+# 5 (normal but significant condition)
+# 6 (informational)
+# 7 (debug-level messages)
+#
+DNSCRYPT_LOGLEVEL="7"
+
+## Path: Network/DNS/DNSCrypt
+## Description: Other options
+## Type: string
+## Default: ""
+#
+# Additional user options, plugin can be configured here
+#
+DNSCRYPT_OPTIONS=""
+
+## Path: Network/DNS/DNSCrypt
+## Description: Use ephemeral keys
+## Type: string
+## Default: "--ephemeral-keys"
+#
+# Enable ephemeral keys for connections.
+#
+DNSCRYPT_EPHEMERAL_KEYS="--ephemeral-keys"
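Review bot: The comment under `## Description: Run daemon under specified user` still claims that an empty `DNSCRYPT_USER` omits the `--user` parameter, but this file is now consumed through `EnvironmentFile=` by the template unit, whose `--user=${DNSCRYPT_USER}` passes `--user=` with an empty value rather than omitting it; either reword the comment, `# Must not be empty: the unit passes the value verbatim as --user=...`, or carry the whole flag in the variable the way `DNSCRYPT_EPHEMERAL_KEYS="--ephemeral-keys"` does. Separately, the shipped default `DNSCRYPT_LOGLEVEL="7"` selects debug-level messages, whereas the file being replaced documented the daemon's own default as LOG_INFO (level 6); debug output from a DNS proxy is considerably more verbose and lands in the per-instance file under `/var/log/dnscrypt-proxy`, so `"6"` is the more sensible default to ship, with `"7"` left to the comment as the troubleshooting setting.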