From d240b79b45c042360e92fd17921a5aaaf37d7eef2fc76875d2f652d1e74c53d0 Mon Sep 17 00:00:00 2001 From: c unix Date: Mon, 18 Jan 2021 17:46:09 +0000 Subject: [PATCH] Accepting request 862978 from home:cunix:server_dns optional resolvconf support OBS-URL: https://build.opensuse.org/request/show/862978 OBS-URL: https://build.opensuse.org/package/show/server:dns/dnscrypt-proxy?expand=0&rev=33 --- README.openSUSE | 74 ++++++++++++++++++++++++++++--- dnscrypt-proxy-resolvconf.service | 25 +++++++++++ dnscrypt-proxy.changes | 5 +++ dnscrypt-proxy.service | 1 - dnscrypt-proxy.socket | 1 + dnscrypt-proxy.spec | 29 +++++++----- 6 files changed, 116 insertions(+), 19 deletions(-) create mode 100644 dnscrypt-proxy-resolvconf.service diff --git a/README.openSUSE b/README.openSUSE index b9197f8..cd01c21 100644 --- a/README.openSUSE +++ b/README.openSUSE @@ -1,6 +1,6 @@ *************************************************************************** * * -* README.openSUSE last edited by cunix for version 2.0.44 * +* README.openSUSE last edited by cunix for version 2.0.45 * * * *************************************************************************** @@ -43,7 +43,7 @@ example. C. Alternatively the unit dnscrypt-proxy.service can be used the same way as the -socket unit described in A for starting and enabling. +socket unit described in A. for starting and enabling. This will require you to set "listen_addresses" in file 
@@ -56,18 +56,78 @@ ports < 1024. If dnscrypt-proxy should listen on these lower ports a) the socket unit should be used or b) the program has to be started directly by root or -c) the user settings in the service unit have to be overridden - as described in B with files ending with ".conf" +c) the user and group settings in the service unit have to be overridden + as described in B. with files ending with ".conf" in a to be created directory at /etc/systemd/system/dnscrypt-proxy.service.d D. -The socket OR the service unit should be started/enabled - not both. -If the socket unit is used, it will start the service unit when queries are sent -to one of its configured addresses. +To make applications aware of the local domain name resolver and +to make the setups described above operational, you might have +to add a line like for example +nameserver 127.0.0.1 + +to the file + +/etc/resolv.conf + + +E. +If dnscrypt-proxy should be started by socket activation as described +in A. or B. and step D. should be automated, "resolvconf" can be utilized: + +- Package "openresolv" has to be installed. + +- Instead of the unit dnscrypt-proxy.socket or dnscrypt-proxy.service , + the systemd unit dnscrypt-proxy-resolvconf.service has to be used. + +- The file /etc/resolv.conf will be edited temporarily. + Do not use this approach if this unintended. + +- You should be aware of and ready to deal with possible fallout taking this + not really tested route. + For example manual edits to /etc/resolv.conf will be lost if resolvconf is + in control of this file, the clean-up on shutdown might fail, custom + or invalid resolvconf configuration might prevent startup of dnscrypt-proxy + and possibly more, ... 
+ +Make sure the other units are deactivated (as root): + + $ systemctl stop dnscrypt-proxy.socket + + $ systemctl disable dnscrypt-proxy.socket + + $ systemctl stop dnscrypt-proxy.service + + $ systemctl disable dnscrypt-proxy.service + +Now start, and if you don't want to restart manually after reboot, +enable (as root): + + $ systemctl start dnscrypt-proxy-resolvconf.service + + $ systemctl enable dnscrypt-proxy-resolvconf.service + +This will not work as intended for a setup as described in C., where +the "listen_addresses" is not configured through the socket unit. + + +F. +The socket OR one of the service unit should be started/enabled - not all +and not two of them. + +If the socket unit is used, it will start the dnscrypt-proxy.service unit +when queries are sent to one of its configured addresses. + +On the other hand dnscrypt-proxy-resolvconf.service can be made responsible for +activating dnscrypt-proxy.socket. + + +G. If using systemd, the PID should be available in file + /run/dnscrypt-proxy/dnscrypt-proxy.pid diff --git a/dnscrypt-proxy-resolvconf.service b/dnscrypt-proxy-resolvconf.service new file mode 100644 index 0000000..7bf9df4 --- /dev/null +++ b/dnscrypt-proxy-resolvconf.service 
@@ -0,0 +1,25 @@ +[Unit] +Description=DNSCrypt proxy resolvconf support +Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd +# with openSUSE changes +Documentation=file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE +Before=nss-lookup.target +Wants=nss-lookup.target +After=dnscrypt-proxy.socket +BindsTo=dnscrypt-proxy.socket +# available in package openresolv +ConditionFileIsExecutable=/usr/sbin/resolvconf + +[Service] +Type=oneshot +RemainAfterExit=true +ExecStart=/bin/sh -c 'systemctl show dnscrypt-proxy.socket \ + | grep "Listen.*Datagram" \ + | cut -d "=" -f 2 \ + | cut -d ":" -f 1 \ + | awk \'{ print "nameserver " $1 }\' \ + | /usr/sbin/resolvconf -a lo.dnscrypt-proxy' +ExecStop=/usr/sbin/resolvconf -d lo.dnscrypt-proxy + +[Install] +WantedBy=multi-user.target diff --git a/dnscrypt-proxy.changes b/dnscrypt-proxy.changes index 3e69024..7a02c46 100644 --- a/dnscrypt-proxy.changes +++ b/dnscrypt-proxy.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jan 7 20:00:00 UTC 2021 - cunix@mail.de + +- Added optional resolvconf support via systemd unit. + ------------------------------------------------------------------- Mon Jan 4 20:00:00 UTC 2021 - cunix@mail.de diff --git a/dnscrypt-proxy.service b/dnscrypt-proxy.service index 8a86d74..fde960f 100644 --- a/dnscrypt-proxy.service +++ b/dnscrypt-proxy.service @@ -31,5 +31,4 @@ ProtectControlGroups=yes ProtectKernelModules=yes [Install] -# Also=dnscrypt-proxy.socket WantedBy=multi-user.target diff --git a/dnscrypt-proxy.socket b/dnscrypt-proxy.socket index b1752d8..9bbbcb5 100644 --- a/dnscrypt-proxy.socket +++ b/dnscrypt-proxy.socket @@ -3,6 +3,7 @@ Description=DNSCrypt-proxy socket Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd # with openSUSE changes Documentation=file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE +PartOf=dnscrypt-proxy-resolvconf.service Before=nss-lookup.target Wants=nss-lookup.target 
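Review bot: The `ExecStart` pipeline in dnscrypt-proxy-resolvconf.service can complete without registering a usable nameserver. `cut -d ":" -f 1` reduces a bracketed IPv6 listen address such as `[::1]:53` to `[`, and when `grep "Listen.*Datagram"` matches nothing the shell reports only the exit status of the last command, `resolvconf -a`, so the pipeline itself never detects an empty result. With `RemainAfterExit=true` the unit can then show as active while lookups presumably keep going to whatever other resolvers are configured, bypassing dnscrypt-proxy. Consider moving the pipeline into a small packaged helper script that strips the port from the end of the address, removes the brackets, and exits non-zero when no address was found. At minimum, add a comment above `ExecStart` such as `# only IPv4 ListenDatagram= addresses are handled; an empty result is not detected`.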
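Review bot: The added `PartOf=dnscrypt-proxy-resolvconf.service` in dnscrypt-proxy.socket has no comment, although the directive ships in the socket unit for every installation, including setups that use the socket on its own as described in README sections A. and B. A line above it would help the next maintainer, for example `# stop/restart of dnscrypt-proxy-resolvconf.service is propagated to this socket`. The [Unit] section continues outside the hunk.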
diff --git a/dnscrypt-proxy.spec b/dnscrypt-proxy.spec index b94b8b2..3712f7a 100644 --- a/dnscrypt-proxy.spec +++ b/dnscrypt-proxy.spec @@ -21,7 +21,7 @@ %define config_dir %{_sysconfdir}/%{name} %define home_dir %{_localstatedir}/lib/%{name} %define log_dir %{_localstatedir}/log/%{name} -%define services %{name}.socket %{name}.service +%define services %{name}.socket %{name}.service %{name}-resolvconf.service %define vlic_dir vendored Name: dnscrypt-proxy @@ -34,16 +34,17 @@ URL: https://dnscrypt.info/ Source0: https://codeload.github.com/DNSCrypt/%{name}/tar.gz/%{version}#/%{name}-%{version}.tar.gz Source1: %{name}.service Source2: %{name}.socket +Source3: %{name}-resolvconf.service # File to use with sed to modify default configuration. -Source3: example-dnscrypt-proxy.toml.sed +Source4: example-dnscrypt-proxy.toml.sed # Find licenses of vendored packages. -Source4: find_licenses.sh +Source5: find_licenses.sh # Install licenses of vendored packages. -Source5: install_licenses.sh +Source6: install_licenses.sh # Some words -Source6: README.openSUSE +Source7: README.openSUSE # Example how to override socket unit -Source7: %{name}.socket.conf +Source8: %{name}.socket.conf BuildRequires: golang-packaging BuildRequires: pkgconfig BuildRequires: shadow @@ -56,6 +57,8 @@ Requires: bash Requires(pre): shadow %{?systemd_requires} Recommends: ca-certificates +# needed for resolvconf support +Suggests: openresolv Provides: dnscrypt = %{version}-%{release} Obsoletes: dnscrypt < %{version}-%{release} BuildRoot: %{_tmppath}/%{name}-%{version}-build 
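Review bot: `Suggests: openresolv` is a weak dependency that is usually not installed automatically, while the new unit is gated by `ConditionFileIsExecutable=/usr/sbin/resolvconf`, and a failed condition makes systemd skip a unit rather than mark it failed. An administrator who enables dnscrypt-proxy-resolvconf.service without openresolv would therefore likely see no error and no change to /etc/resolv.conf, so queries would not pass through the proxy. Consider `Recommends: openresolv`, or keep `Suggests` and extend the comment to `# needed for resolvconf support; without it dnscrypt-proxy-resolvconf.service is skipped silently`.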
@@ -68,13 +71,13 @@ such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt. %setup -q -n %{name}-%{version} # Find licenses of vendored packages and prepare for installation -bash %{SOURCE4} %{vlic_dir} +bash %{SOURCE5} %{vlic_dir} # duplicate original config file cp ./%{name}/example-%{name}.toml ./%{name}.toml.default # Edit default port and file locations -sed -i -f %{SOURCE3} ./%{name}.toml.default +sed -i -f %{SOURCE4} ./%{name}.toml.default # duplicate edited config file cp ./%{name}.toml.default ./%{name}.toml @@ -118,19 +121,21 @@ install -D -m 0640 ./%{name}/example-forwarding-rules.txt %{buildroot}/%{config_ # Systemd install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service install -D -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.socket +install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}-resolvconf.service # service link ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} +ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-resolvconf # Vendor Licenses install -d -m 0755 %{buildroot}%{_licensedir}/%{name}/%{vlic_dir} -bash %{SOURCE5} %{vlic_dir} %{buildroot}/%{_licensedir}/%{name}/%{vlic_dir} +bash %{SOURCE6} %{vlic_dir} %{buildroot}/%{_licensedir}/%{name}/%{vlic_dir} # Some hints. Improvements and feedback welcome! -cp %{SOURCE6} README.openSUSE +cp %{SOURCE7} README.openSUSE # Example drop-in. -cp %{SOURCE7} %{name}.socket.conf +cp %{SOURCE8} %{name}.socket.conf %pre # group and user @@ -163,8 +168,10 @@ getent passwd %{user_group} >/dev/null || %{_sbindir}/useradd -r -g %{user_group %config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/forwarding-rules.txt %{_sbindir}/%{name} %{_sbindir}/rc%{name} +%{_sbindir}/rc%{name}-resolvconf %{_unitdir}/%{name}.service %{_unitdir}/%{name}.socket +%{_unitdir}/%{name}-resolvconf.service %{_datadir}/%{name}/ %dir %attr(0750,root,%{user_group}) %{config_dir} %dir %attr(0750,%{user_group},%{user_group}) %{home_dir}