In the past, the only option for unbound-control was a TCP socket using SSL/TLS, but nowadays it also supports unix domain sockets, so it seems like it would be reasonable to enable it by default in our configuration so that users added to the _unbound group can access stats and do various types of runtime reconfiguration. We can then also get rid of the not-squeaky-clean config check and cert generation from the rc script.
I've been using this for ages. Any comments? OK?

srw-rw---- 1 _unbound _unbound 0 Jul 18 08:43 /var/run/unbound.sock

Index: rc.d/unbound =================================================================== RCS file: /cvs/src/etc/rc.d/unbound,v retrieving revision 1.2 diff -u -p -r1.2 unbound --- rc.d/unbound 29 Dec 2014 11:17:43 -0000 1.2 +++ rc.d/unbound 19 Jul 2015 16:47:12 -0000 @@ -10,14 +10,6 @@ daemon_flags="-c /var/unbound/etc/unboun pexp="unbound${daemon_flags:+ ${daemon_flags}}" rc_pre() { - if grep '^[[:space:]]*control-enable:[[:space:]]*yes' \ - /var/unbound/etc/unbound.conf > /dev/null 2>&1 && \ - ! [[ -f /var/unbound/etc/unbound_server.key || - -f /var/unbound/etc/unbound_server.pem || - -f /var/unbound/etc/unbound_control.key || - -f /var/unbound/etc/unbound_control.pem ]]; then - /usr/sbin/unbound-control-setup 2> /dev/null - fi if grep '^[[:space:]]*auto-trust-anchor-file:' \ /var/unbound/etc/unbound.conf > /dev/null 2>&1; then /usr/sbin/unbound-anchor -v || true

Index: unbound.conf =================================================================== RCS file: /cvs/src/etc/unbound.conf,v retrieving revision 1.4 diff -u -p -r1.4 unbound.conf --- unbound.conf 2 Apr 2014 21:43:30 -0000 1.4 +++ unbound.conf 19 Jul 2015 16:47:12 -0000 @@ -37,6 +37,11 @@ server: # #tcp-upstream: yes +remote-control: + control-enable: yes + control-use-cert: no + control-interface: /var/run/unbound.sock + # Use an upstream forwarder (recursive resolver) for specific zones. # Example addresses given below are public resolvers valid as of 2014/03. #
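Review bot: dropping the unbound-control-setup call from rc_pre() in the rc.d/unbound hunk removes the only automatic key generation, so a system whose existing unbound.conf keeps control-enable: yes with a TCP control-interface and cert checking will no longer get unbound_server.key and friends created at startup, and unbound-control will fail until unbound-control-setup is run by hand. That deserves a line in the upgrade notes; the remaining auto-trust-anchor-file check is unaffected and the simplification itself looks right.

Review bot: in the unbound.conf hunk, control-use-cert: no makes the socket's ownership and mode (srw-rw---- _unbound:_unbound as pasted above) the only access control, so membership in the _unbound group is equivalent to full runtime reconfiguration of the resolver, not just read access to stats; a comment above the new remote-control: clause saying so would match the rest of the file, where every option is annotated. Also keep the clause at the end of the server: options as done here: any server option placed after `control-interface: /var/run/unbound.sock` would be attributed to remote-control: and rejected unless the server: keyword is repeated.

As an added example, not from this mail or from OpenBSD's rc script: a POSIX sh audit that applies the reasoning above to an unbound.conf and to an `ls -l` line for the control socket. The function names and the `ok:`/`RISKY:` output are my own; the fallbacks used when control-use-cert or control-interface is absent are assumptions about unbound's defaults.

```shell
#!/bin/sh
# Added example, not part of the diff above: audit the remote-control settings
# that the patch enables by default. With control-use-cert: no, a unix socket
# is only as safe as its file mode, while a TCP control-interface then has no
# authentication at all.

# audit_control_interfaces CONF -> 0 if every interface is acceptable, else 1
audit_control_interfaces() {
    conf=$1 rc=0
    # Same grep-style patterns as the rc script: leading blanks, key, value.
    enable=$(sed -n 's/^[[:space:]]*control-enable:[[:space:]]*//p' "$conf" | tail -n 1)
    usecert=$(sed -n 's/^[[:space:]]*control-use-cert:[[:space:]]*//p' "$conf" | tail -n 1)
    ifaces=$(sed -n 's/^[[:space:]]*control-interface:[[:space:]]*//p' "$conf")
    [ "$enable" = yes ] || { echo "ok: remote-control not enabled"; return 0; }
    [ -n "$usecert" ] || usecert=yes      # assumed unbound default when unset
    [ -n "$ifaces" ] || ifaces=127.0.0.1  # assumed unbound default when unset
    for iface in $ifaces; do
        case $iface in
        /*) echo "ok: $iface is a unix socket; check its mode with check_socket_listing" ;;
        *)  if [ "$usecert" = no ]; then
                echo "RISKY: $iface is TCP with control-use-cert: no (unauthenticated)"; rc=1
            else
                echo "ok: $iface is TCP with certs; unbound-control-setup must have been run"
            fi ;;
        esac
    done
    return $rc
}

# check_socket_listing "LS_LINE" -> 0 if the socket is _unbound:_unbound with no
# world bits, else 1. LS_LINE is one `ls -l` line like the one pasted in the mail.
check_socket_listing() {
    set -- $1
    mode=$1 owner=$3 group=$4 path=${9:-?} ok=0
    case $mode in s*) ;; *) echo "RISKY: $path is not a socket ($mode)"; ok=1 ;; esac
    case $mode in ???????---) ;; *) echo "RISKY: $path is accessible by others ($mode)"; ok=1 ;; esac
    [ "$owner" = _unbound ] && [ "$group" = _unbound ] ||
        { echo "RISKY: $path is owned by $owner:$group, expected _unbound:_unbound"; ok=1; }
    return $ok
}
```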