Accepting request 657300 from home:rtorrero:branches:server:dns

- Migrate from cron to systemd timers (bsc#1115417) OBS-URL: https://build.opensuse.org/request/show/657300 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=94
2018-12-21 06:38:50 +00:00 · 2018-12-21 06:38:50 +00:00 · 47ec6e5b44
commit 47ec6e5b44
parent cfd08afadc
6 changed files with 50 additions and 8 deletions
--- a/unbound-anchor.service
+++ b/unbound-anchor.service
@ -0,0 +1,9 @@
+[Unit]
+Description=update of the root trust anchor for DNSSEC validation in unbound
+Documentation=man:unbound-anchor(8)
+
+[Service]
+Type=oneshot
+User=unbound
+ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+SuccessExitStatus=1
--- a/unbound-anchor.timer
+++ b/unbound-anchor.timer
@ -0,0 +1,13 @@
+[Unit]
+Description=daily update of the root trust anchor for DNSSEC
+Documentation=man:unbound-anchor(8)
+
+[Timer]
+# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
+# It means that unboud-anchor should be run at least once a day.
+OnCalendar=daily
+Persistent=true
+AccuracySec=24h
+
+[Install]
+WantedBy=timers.target
--- a/unbound.changes
+++ b/unbound.changes
@ -4,6 +4,11 @@ Tue Dec 11 19:59:00 UTC 2018 - Michael Ströder <michael@stroeder.com>
 - update to 1.8.3 fixes crash bug introduced in 1.8.2
  in the dns64 processing.

+-------------------------------------------------------------------
+Tue Dec 11 17:44:56 UTC 2018 - Rubén Torrero Marijnissen <rtorreromarijnissen@suse.com>
+
+- Migrate from cron to systemd timers (bsc#1115417) 
+
 -------------------------------------------------------------------
 Wed Dec  5 11:12:42 UTC 2018 - Michael Ströder <michael@stroeder.com>

--- a/unbound.cron
+++ b/unbound.cron
@ -1,3 +0,0 @@
-# Look to see if the DNSSEC Root key got rolled, if so check trust and update
-
-10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem
--- a/unbound.service
+++ b/unbound.service
@ -3,6 +3,7 @@ Description=Unbound recursive Domain Name Server
 After=syslog.target network.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
+Wants=unbound-anchor.timer
 Before=nss-lookup.target
 Wants=nss-lookup.target

--- a/unbound.spec
+++ b/unbound.spec
@ -109,9 +109,10 @@ Source11:       block-example.com.conf
 Source12:       icannbundle.pem
 Source13:       root.anchor
 Source14:       unbound.sysconfig
-Source15:       unbound.cron
+Source15:       unbound-anchor.timer
 Source16:       unbound-munin.README
 Source17:       unbound.firewall
+Source18:       unbound-anchor.service

 Summary:        Validating, recursive, and caching DNS(SEC) resolver
 License:        BSD-3-Clause
@ -171,7 +172,6 @@ This package holds the development files to work with libunbound.

 %package anchor
 #
-Requires:       cron
 Summary:        Unbound Anchor cert management tools
 Group:          Productivity/Networking/DNS/Servers

@ -240,9 +240,9 @@ install -D -p -m 0644 %{SOURCE14} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 ln -sf /usr/sbin/service          %{buildroot}%{_sbindir}/rcunbound
 ln -sf /usr/sbin/service          %{buildroot}%{_sbindir}/rcunbound-keygen

+install -p -m 0644 %{SOURCE15}    %{buildroot}%{_unitdir}/unbound-anchor.timer
+install -p -m 0644 %{SOURCE18}    %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0644 %{SOURCE16}  .
-install -d 0755                   %{buildroot}%{_sysconfdir}/cron.d
-install -p -m 0644 %{SOURCE15}    %{buildroot}%{_sysconfdir}/cron.d/unbound-anchor

 install -d 0755 %{buildroot}%{fwdir}
 install -p -m 0644 %{SOURCE17} %{buildroot}%{fwdir}/%{name}
@ -306,6 +306,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
 make check ||:

 %pre anchor
+%service_add_pre  unbound-anchor.service unbound-anchor.timer
 getent group unbound >/dev/null || groupadd -r unbound
 getent passwd unbound >/dev/null || \
 	useradd -g unbound -s /bin/false -r -c "unbound caching DNS server" \
@ -316,6 +317,11 @@ getent passwd unbound >/dev/null || \
 %service_add_pre    unbound-keygen.service unbound.service
 %endif

+%post anchor
+%if %{with systemd}
+%service_add_post   unbound-anchor.service unbound-anchor.timer
+%endif
+
 %post
 %fillup_only %{name}
 %if %{with systemd}
@ -323,6 +329,11 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %service_add_post   unbound-keygen.service unbound.service
 %endif

+%preun anchor
+%if %{with systemd}
+%service_del_preun  unbound-anchor.service unbound-anchor.timer
+%endif
+
 %preun
 %if %{with systemd}
 %service_del_preun  unbound-keygen.service unbound.service
@ -330,6 +341,11 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %stop_on_removal %{name}
 %endif

+%postun anchor
+%if %{with systemd}
+%service_del_postun unbound-anchor.service unbound-anchor.timer
+%endif
+
 %postun
 %if %{with systemd}
 %service_del_postun unbound-keygen.service unbound.service
@ -418,7 +434,8 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %dir %{_sysconfdir}/%{name}/
 %{_sbindir}/unbound-anchor
 %config %{_sysconfdir}/%{name}/icannbundle.pem
-%config %{_sysconfdir}/cron.d/unbound-anchor
+%{_unitdir}/unbound-anchor.timer
+%{_unitdir}/unbound-anchor.service
 %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
 %attr(0644,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key