13.11.2025 22:14, [email protected] wrote:
>> Synopsis:    /etc/rc.d/unbound assumes defaults in rc_pre()
>> Category:    system
>> Environment:
>       System      : OpenBSD 7.8
>       Details     : OpenBSD 7.8 (GENERIC.MP) #54: Sun Oct 12 12:58:11 MDT 2025
>                        
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>       Architecture: OpenBSD.amd64
>       Machine     : amd64
>> Description:
>       The commands used in rc_pre() assume default config file for unbound.
>       The unbound-checkconf lines in rc_pre will always use default config,
>       ignoring the config file specified in daemon_flags.
>       The unbound-anchor line also assumes default and does not provide
>       the $_anchor that was already just looked up (from default config file).
>       Why two unbounds?  One for query forwarding and one for recursive 
> resolution.
>> How-To-Repeat:
>       Follow "man rcctl" recommended way to run second copy of daemon
>       by creating symbolic link unbound2 (ln -s unbound unbound2) and
>       adding "unbound2_flags=-c /var/unbound/etc/unbound2.conf"
>       to rc.conf.local (and adding unbound2 to pkg_scripts=).
>       Also create /etc/login.conf.d/unbound2 with "unbound2:tc=unbound:".
>       And of course use different "interface:, control-interface:, 
> auto-trust-anchor-file:"
>       lines in the unbound configuration files to avoid conflicts.

Yes, pointing at a different config file breaks the startup checks.

With one instance, there's no point in not using the default, I guess,
which is why the script works that way.

With two instances, I'm not sure we want to cater for such setups.
If that's really needed in your setup, you can copy and amend instead
of symlink unbound2 and be done with it.

From a quick look, only spamlogd's script peeks into the arguments and
no other daemon seems to need this.

Are two instances really needed or is this a special snowflake?

>> Fix:
>       The following diff fixes /etc/rc.d/unbound by:
>       Setting _config to the configuration file used in $daemon_flags.
>       Passing $_config to unbound-checkconf (two lines).
>       Passing $_anchor to unbound-anchor.
> 
> --- /etc/rc.d/unbound Wed Oct  9 11:42:56 2024
> +++ /etc/rc.d/unbound Sun Oct 12 14:32:22 2025
> @@ -1,20 +1,21 @@
>  #!/bin/ksh
>  #
>  # $OpenBSD: unbound,v 1.9 2024/10/09 15:42:56 kn Exp $
>  
>  daemon="/usr/sbin/unbound"
>  daemon_flags="-c /var/unbound/etc/unbound.conf"

This is the default and can/should go, making our script even shorter.

>  
>  . /etc/rc.d/rc.subr
>  
>  rc_pre() {
> +     local _config=$(while getopts :c: _opt $daemon_flags; do case $_opt { 
> (c) echo $OPTARG; } done)
> -     local _anchor=$(/usr/sbin/unbound-checkconf -o auto-trust-anchor-file)
> +     local _anchor=$(/usr/sbin/unbound-checkconf -o auto-trust-anchor-file 
> $_config)

getopts with a leading : reads much nicer than spamlogd's sed(1) golf,
but it still looks like... too much. 

>  
>       if [[ -n $_anchor && ! -f $_anchor ]]; then
> -             /usr/sbin/unbound-anchor -v
> +             /usr/sbin/unbound-anchor -v -a $_anchor
>       fi
>  
> -     /usr/sbin/unbound-checkconf
> +     /usr/sbin/unbound-checkconf $_config
>  }
>  
>  rc_cmd $1
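
Review bot: The new `_config` line in rc_pre() echoes every -c argument it finds, so if $daemon_flags carries more than one -c, `_config` holds several words and both `unbound-checkconf ... $_config` calls get several file arguments. Keep only one value, for example by assigning inside the loop and echoing once after `done`. The unquoted `$_config` is what makes the no -c case work, since it expands to nothing and the calls are then the same as before the patch; a comment saying so would help, or write it as `${_config:+"$_config"}` so the intent is explicit. `-a $_anchor` should be quoted as `-a "$_anchor"`, matching the `[[ ... ]]` test above it. The getopts one-liner also deserves a short comment stating that it pulls the -c argument out of $daemon_flags, and the `case $_opt { ... }` brace form would read more clearly as `case ... in ... esac`.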
