Bug#790392: [Pkg-dns-devel] Bug#790392: unbound chroot accumulates old files

2016-02-15 Thread Simon Deziel
Hello Robert,

On 2016-01-30 10:26 PM, Robert Edmonds wrote:
> Simon Deziel wrote:
>> What do you think of the 2nd version of the proposed fix 
>> (unbound-fresh-chroot-2.patch)?
> 
> This version of the patch will read from any *.conf file in 
> /etc/unbound, which could easily not be part of the active config,
> e.g.:
> 
> /etc/unbound/unbound-bad.conf
> 
> /etc/unbound/unbound.conf.d.bak/chroot.conf
> 
> Or the admin could simply delete the 'include' directive in the
> default /etc/unbound/unbound.conf file, in which case we shouldn't be
> looking at any /etc/unbound/unbound.conf.d/*.conf files at all.
> 
> The awk/find/sed/etc. code that you use to try to find the chroot 
> directory makes me uncomfortable.  It seems that if we need to find
> the configured chroot directory, we should be fixing
> unbound-checkconf so that we can use the Unbound config parser itself
> to tell us where the chroot directory is, rather than trying to
> implement an ad hoc config parser in shell.

Turns out that unbound-checkconf has been fixed somewhere between 1.4.22
and 1.5.7. "unbound-checkconf -o chroot" just works now. Please see the
updated patch attached.

>> If we could resolve this chroot'ing problem, Ubuntu, that turns
>> off chroot by default, would be more comfortable to drop part of
>> their delta with Debian.
> 
> What delta is there in Ubuntu?  I'm looking at the unbound 
> 1.5.7-1ubuntu1 source package and the only change I see is to
> disable dnstap support.

After I sent this patch, Ubuntu pulled 1.5.7-1 in and dropped most of
the delta.

Best regards,
Simon
--- /etc/init.d/unbound.orig	2015-12-12 15:08:27.0 -0500
+++ /etc/init.d/unbound	2016-02-15 17:45:11.838356275 -0500
@@ -21,7 +21,7 @@
 UNBOUND_ENABLE=true
 UNBOUND_CONF=/etc/unbound/unbound.conf
 UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
-CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
+CHROOT_DIR="$(unbound-checkconf -o chroot)"
 ROOT_TRUST_ANCHOR_UPDATE=false
 ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
 RESOLVCONF=false
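Review bot: the new `CHROOT_DIR="$(unbound-checkconf -o chroot)"` does not pass the config file, so unbound-checkconf reads its compiled-in default while the rest of the script uses the `UNBOUND_CONF` defined two lines above it; keep the two in sync with `CHROOT_DIR="$(unbound-checkconf -o chroot "$UNBOUND_CONF")"`. Also worth a comment in the script: when the config fails to parse, the command exits non-zero and `CHROOT_DIR` becomes empty, which the later `-d "$CHROOT_DIR"` test silently treats as "no chroot", and the init script now depends on an unbound-checkconf recent enough to support `-o chroot` (fixed between 1.4.22 and 1.5.7 per the message above).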
@@ -93,8 +93,9 @@
 
 do_chroot_setup() {
 if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
+rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR && mkdir -p $CHROOT_DIR/$UNBOUND_BASE_DIR
 cd /
-tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -)
+tar -cf - $(echo $UNBOUND_BASE_DIR | sed 's/^\///') | (cd $CHROOT_DIR && tar -xf -)
 fi
 }
 
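Review bot: `rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR` is guarded only by `-d "$CHROOT_DIR"` and `"$CHROOT_DIR" != "$UNBOUND_BASE_DIR"`; a chroot value of `/` passes both tests and the command then deletes the live /etc/unbound, which the tar on the following lines can no longer copy back. Add an explicit check that `$CHROOT_DIR` is non-empty, absolute and not `/` before the `rm -rf`, and quote both expansions so a path with whitespace cannot split into several arguments. Smaller points: a failed `rm -rf` only skips `mkdir -p` (the `&&` chain does not stop the tar from running), and the `sed 's#^/##'` to `sed 's/^\///'` rewrite in the tar line is behaviour-neutral noise that makes the diff harder to review.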
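A hardened version of the chroot refresh step, added here as an example; it is not taken from the Debian init script or from the patch above. It takes the chroot directory (as the patch obtains it from `unbound-checkconf -o chroot`) and the directory holding unbound.conf as arguments, refuses an empty, relative or root chroot and one equal to the config directory itself, quotes every expansion, and only then wipes and repopulates the copy. The function names `chroot_dir_is_safe` and `refresh_chroot_copy` are my own.

```shell
#!/bin/sh
# Added example, not the Debian unbound init script: refresh the copy of the
# Unbound config directory that lives inside the chroot, refusing targets
# where "rm -rf" would hit the live system. Function names are hypothetical.
# Arguments: $1 = chroot directory (e.g. from "unbound-checkconf -o chroot"),
#            $2 = directory holding unbound.conf (e.g. /etc/unbound).

# Accept the chroot only when it is absolute, exists, and is neither "/" nor
# the config directory itself. Any of those would make the wipe destructive.
chroot_dir_is_safe() {
    cdir="$1"
    base="$2"
    case "$cdir" in
        ""|/|"$base") return 1 ;;   # empty, root filesystem, or the config dir
        /*) ;;                      # absolute path: acceptable so far
        *) return 1 ;;              # relative path: refuse
    esac
    [ -d "$cdir" ] || return 1
    return 0
}

# Drop the stale copy and rebuild it from the live config directory, so files
# deleted from $base no longer linger under the chroot. Every expansion is
# quoted; the tar runs from / with the leading slash stripped, as in the patch.
refresh_chroot_copy() {
    cdir="$1"
    base="$2"
    chroot_dir_is_safe "$cdir" "$base" || return 1
    target="${cdir}${base}"
    rm -rf "$target" || return 1
    mkdir -p "$target" || return 1
    (cd / && tar -cf - "${base#/}") | (cd "$cdir" && tar -xf -)
}
```

In the init script this would be called as `refresh_chroot_copy "$CHROOT_DIR" "$UNBOUND_BASE_DIR"` inside `do_chroot_setup`; a non-zero return means the chroot value was rejected and nothing was removed.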

Bug#790392: [Pkg-dns-devel] Bug#790392: unbound chroot accumulates old files

2016-01-30 Thread Robert Edmonds
Hi, Simon:

Simon Deziel wrote:
> What do you think of the 2nd version of the proposed fix
> (unbound-fresh-chroot-2.patch)?

This version of the patch will read from any *.conf file in
/etc/unbound, which could easily not be part of the active config, e.g.:

/etc/unbound/unbound-bad.conf

/etc/unbound/unbound.conf.d.bak/chroot.conf

Or the admin could simply delete the 'include' directive in the default
/etc/unbound/unbound.conf file, in which case we shouldn't be looking at
any /etc/unbound/unbound.conf.d/*.conf files at all.

The awk/find/sed/etc. code that you use to try to find the chroot
directory makes me uncomfortable.  It seems that if we need to find the
configured chroot directory, we should be fixing unbound-checkconf so
that we can use the Unbound config parser itself to tell us where the
chroot directory is, rather than trying to implement an ad hoc config
parser in shell.

> If we could resolve this chroot'ing problem, Ubuntu, that turns off
> chroot by default, would be more comfortable to drop part of their delta
> with Debian.

What delta is there in Ubuntu?  I'm looking at the unbound
1.5.7-1ubuntu1 source package and the only change I see is to disable
dnstap support.

-- 
Robert Edmonds
edmo...@debian.org