From 1e6073025e6c747a1718661313ebf8cec3c202faadafa970a72a3a540a9636bd Mon Sep 17 00:00:00 2001 From: c unix Date: Fri, 10 Jul 2020 15:22:57 +0000 Subject: [PATCH] Accepting request 820013 from home:cunix:server_dns OBS-URL: https://build.opensuse.org/request/show/820013 OBS-URL: https://build.opensuse.org/package/show/server:dns/dnscrypt-proxy?expand=0&rev=26 --- README.openSUSE | 76 ++++++++++++++++++++++++++------- dnscrypt-proxy.changes | 11 +++++ dnscrypt-proxy.service | 9 +++- dnscrypt-proxy.socket | 1 + dnscrypt-proxy.socket.conf | 9 ++++ dnscrypt-proxy.spec | 14 ++++-- example-dnscrypt-proxy.toml.sed | 4 ++ 7 files changed, 103 insertions(+), 21 deletions(-) create mode 100644 dnscrypt-proxy.socket.conf diff --git a/README.openSUSE b/README.openSUSE index cf3068b..9238ad6 100644 --- a/README.openSUSE +++ b/README.openSUSE 
@@ -1,27 +1,73 @@ -Some tips: +*************************************************************************** +* * +* README.openSUSE last edited for version 2.0.44 * +* * +*************************************************************************** -1. Configure /etc/dnscrypt-proxy/dnscrypt-proxy.toml for your use case first! -2. Override "ListenStream" and "ListenDatagram" for dnscrypt-proxy.socket - according to your setup, especially if dnscrypt-proxy should not be used as - your primary name resolver. - In this case you might want to forward queries from a tool - like "dnsmasq" to dnscrypt-proxy. - Then the later should probably not listen on the default adress/port. +Some hints: +----------- -3. If running via systemd, start as root once with +Configure /etc/dnscrypt-proxy/dnscrypt-proxy.toml for your use case first! + +A. +If dnscrypt-proxy should act as your primary resolver and only listen at +127.0.0.1:53, start as root once with $ systemctl start dnscrypt-proxy.socket - For always activating, do + and if you don't want to repeat this after next boots, do $ systemctl enable dnscrypt-proxy.socket -4. Alternatively dnscrypt-proxy.service can be used the same way. - This will require you to set or uncomment "listen_addresses" in - /etc/dnscrypt-proxy/dnscrypt-proxy.toml - In this case the socket configuration described in (2.) - has to be done in this file directly. + +B. +If you have some other resolver listening on 127.0.0.1:53 that should forward +queries to dnscrypt-proxy it is recommended to create as root the directory + +/etc/systemd/system/dnscrypt-proxy.socket.d + +and copy the file + +dnscrypt-proxy.socket.conf + +into the created directory. +An example file should be available in this doc directory: +/usr/share/doc/packages/dnscrypt-proxy + +Afterwards you have to start/enable the socket unit as described above in A. 
+Additionally your primary resolver has to be configured to forward requests to +the address specified in file dnscrypt-proxy.socket.conf - 127.0.0.1:5353 for +example. +C. +Alternatively the unit dnscrypt-proxy.service can be used the same way as the +socket unit described in A for starting and enabling. + +This will require you to set "listen_addresses" in file + +/etc/dnscrypt-proxy/dnscrypt-proxy.toml + +In this case dnscrypt-proxy has to setup the sockets itself and because it is +by default executed as user "dnscrypt" it is not allowed to listen on +ports < 1024. + +If dnscrypt-proxy should listen on these lower ports +a) the socket unit should be used or +b) the program has to be started directly by root or +c) the user settings in the service unit have to be overridden + as described in B with files ending with ".conf" + in a to be created directory at + + /etc/systemd/system/dnscrypt-proxy.service.d + + +D. +The socket OR the service unit should be started/enabled - not both. +If the socket unit is used, it will start the service unit when queries are sent +to one of its configured addresses. + +If using systemd, the PID should be available in file +/run/dnscrypt-proxy/dnscrypt-proxy.pid diff --git a/dnscrypt-proxy.changes b/dnscrypt-proxy.changes index e90815b..af10e44 100644 --- a/dnscrypt-proxy.changes +++ b/dnscrypt-proxy.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Jun 30 12:00:00 UTC 2020 - cunix@mail.de + +- Made PID available in /run/dnscrypt-proxy/dnscrypt-proxy.pid + through systemd service unit. + +- README.openSUSE updated. + +- dnscrypt-proxy.socket.conf added as example for a systemd + drop-in file to override the socket unit. + ------------------------------------------------------------------- Fri Jun 12 12:00:00 UTC 2020 - cunix@mail.de - 2.0.44 diff --git a/dnscrypt-proxy.service b/dnscrypt-proxy.service index bde995a..8a86d74 100644 --- a/dnscrypt-proxy.service 
+++ b/dnscrypt-proxy.service @@ -2,7 +2,8 @@ Description=DNSCrypt-proxy client Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd # with openSUSE changes -Requires=dnscrypt-proxy.socket +Documentation=file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE +PartOf=dnscrypt-proxy.socket After=network.target Before=nss-lookup.target Wants=nss-lookup.target @@ -12,6 +13,10 @@ NonBlocking=true ExecStart=/usr/sbin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml +# May substitute command line option "pidfile". +PIDFile=/run/dnscrypt-proxy/dnscrypt-proxy.pid +ExecStartPost=-/bin/bash -c '/bin/echo -n $MAINPID > /run/dnscrypt-proxy/dnscrypt-proxy.pid' + Group=dnscrypt User=dnscrypt WorkingDirectory=~ @@ -26,5 +31,5 @@ ProtectControlGroups=yes ProtectKernelModules=yes [Install] -Also=dnscrypt-proxy.socket +# Also=dnscrypt-proxy.socket WantedBy=multi-user.target diff --git a/dnscrypt-proxy.socket b/dnscrypt-proxy.socket index d8d0806..b1752d8 100644 --- a/dnscrypt-proxy.socket +++ b/dnscrypt-proxy.socket @@ -2,6 +2,7 @@ Description=DNSCrypt-proxy socket Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd # with openSUSE changes +Documentation=file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE Before=nss-lookup.target Wants=nss-lookup.target diff --git a/dnscrypt-proxy.socket.conf b/dnscrypt-proxy.socket.conf new file mode 100644 index 0000000..323b956 --- /dev/null +++ b/dnscrypt-proxy.socket.conf @@ -0,0 +1,9 @@ +[Unit] +Description=DNSCrypt-proxy forward config +Documentation=file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE + +[Socket] +ListenStream= +ListenDatagram= +ListenDatagram=127.0.0.1:5353 +#ListenDatagram=[::1]:5353 diff --git a/dnscrypt-proxy.spec b/dnscrypt-proxy.spec index ea97987..26d5955 100644 --- a/dnscrypt-proxy.spec +++ b/dnscrypt-proxy.spec 
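Review bot: The added `ExecStartPost=-/bin/bash -c '/bin/echo -n $MAINPID > /run/dnscrypt-proxy/dnscrypt-proxy.pid'` in the second hunk of dnscrypt-proxy.service runs as `User=dnscrypt` and ignores failure through the leading `-`, yet nothing visible in the hunk creates `/run/dnscrypt-proxy` or makes it writable by that user, so the PID file can silently never appear. If the unit does not already declare it outside the hunk, `RuntimeDirectory=dnscrypt-proxy` would have systemd create and remove the directory with the service's ownership. Because the file is written by the unprivileged service account, anything running as root (log rotation, monitoring) should not signal the PID it contains without checking it against the unit's main PID. The systemd.service documentation recommends `PIDFile=` for `Type=forking`; whether it has any effect here depends on the `Type=` line, which sits outside the hunk.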
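Review bot: The new drop-in dnscrypt-proxy.socket.conf clears both `ListenStream=` and `ListenDatagram=` but only re-adds `ListenDatagram=127.0.0.1:5353`, so a socket unit overridden with this example no longer accepts DNS over TCP. A forwarding resolver that retries a truncated UDP answer over TCP would then fail; adding `ListenStream=127.0.0.1:5353` (with a matching commented `#ListenStream=[::1]:5353`) keeps both transports available and still bound to loopback only. UDP port 5353 is also the mDNS port, so on hosts running an mDNS responder a different example port may avoid a bind conflict.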
@@ -41,12 +41,16 @@ Source4: find_licenses.sh Source5: install_licenses.sh # Some words Source6: README.openSUSE +# Example how to override socket unit +Source7: %{name}.socket.conf BuildRequires: golang(API) >= 1.14 BuildRequires: golang-packaging BuildRequires: pkgconfig BuildRequires: shadow BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(libsystemd) +# For systemd pidfile solution. +Requires: bash # for daemon group/user Requires(pre): shadow %{?systemd_requires} @@ -81,7 +85,7 @@ sed -i "s/## This is an example configuration file./## This is a configuration f sed -i "1s/#! \/usr\/bin\/env python3/#! \/usr\/bin\/python3/" utils/generate-domains-blacklists/generate-domains-blacklist.py %build -cd dnscrypt-proxy +cd %{name} go build -mod=vendor -buildmode=pie %install @@ -91,8 +95,7 @@ install -D -d -m 0750 \ %{buildroot}%{home_dir} \ %{buildroot}%{config_dir} -install -D -d -m 0755 \ - %{buildroot}%{_datadir}/%{name}/ +install -D -d -m 0755 %{buildroot}%{_datadir}/%{name}/ # Binary install -D -m 0755 %{name}/%{name} %{buildroot}%{_sbindir}/%{name} @@ -132,6 +135,9 @@ bash %{SOURCE5} %{vlic_dir} %{buildroot}/%{_licensedir}/%{name}/%{vlic_dir} # Some hints. Improvements and feedback welcome! cp %{SOURCE6} README.openSUSE +# Example drop-in. +cp %{SOURCE7} %{name}.socket.conf + %pre # group and user getent group %{user_group} >/dev/null || %{_sbindir}/groupadd -r %{user_group} @@ -166,7 +172,7 @@ getent passwd %{user_group} >/dev/null || %{_sbindir}/useradd -r -g %{user_group %dir %attr(0750,%{user_group},%{user_group}) %{home_dir} %dir %attr(0750,%{user_group},%{user_group}) %{log_dir} %{_docdir}/%{name}/ -%doc ChangeLog README.md README.openSUSE +%doc ChangeLog README.md README.openSUSE %{name}.socket.conf %license LICENSE %{_licensedir}/%{name}/%{vlic_dir}/ diff --git a/example-dnscrypt-proxy.toml.sed b/example-dnscrypt-proxy.toml.sed index 059c15d..6057984 100644 --- a/example-dnscrypt-proxy.toml.sed +++ b/example-dnscrypt-proxy.toml.sed 
@@ -1,6 +1,10 @@ # the socket unit should listen s/listen_addresses = \['127.0.0.1:53']/#listen_addresses = ['127.0.0.1:53']\nlisten_addresses = []/ +# point to shipped distro specific documentation +12c\\n##********************************************************************##\n## ## +13c\## README.openSUSE in directory ##\n## \/usr\/share\/doc\/packages\/dnscrypt-proxy ##\n## might be useful to read. ##\n## ##\n##********************************************************************## + # absolute paths by default s/# log_file = 'dnscrypt-proxy.log'/# log_file = '\/var\/log\/dnscrypt-proxy\/dnscrypt-proxy.log'/ s/# forwarding_rules = 'forwarding-rules.txt'/# forwarding_rules = '\/etc\/dnscrypt-proxy\/forwarding-rules.txt'/
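Review bot: The added `12c\` and `13c\` commands address the upstream example config by absolute line number, so an upstream release that shifts its header by even one line would have two arbitrary lines replaced by the banner, and sed would report no error. This script appears to generate the configuration file the package installs, so a silently overwritten setting would be hard to notice afterwards. Addressing the position by a pattern taken from the upstream header, or inserting with `i\` instead of replacing with `c\`, would leave the existing lines intact. A comment stating which upstream lines are expected at 12 and 13 would at least record the assumption for the next version bump.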