base repository: NixOS/nixpkgs
base: 884d7ac41111
head repository: NixOS/nixpkgs
compare: 5f5d38e88f5a
  • 11 commits
  • 6 files changed
  • 2 contributors

Commits on Nov 3, 2020

  1. unbound: allow building with systemd support

    Systemd has to remain an optional (non-default) dependency as otherwise
    we will have an unpleasant bootstrap cycle. Most (if not all) of the
    (lib)unbound consumers will likely not care about unbound's systemd
    integration that only affects the daemon mode, anyway.
    andir committed Nov 3, 2020
    c07ce09
  2. unbound-with-systemd: init

    This introduces an unbound variant that is built with systemd support.
    That means it is able to signal readiness to systemd once it did start
    or finished reloading. This likely allows us to close a small gap during
    bootup where the service is assumed up but doesn't respond to DNS
    queries just yet.
    andir committed Nov 3, 2020
    f6d570b
  3. nixos/modules/services/networking/unbound: update systemd unit

    Previously we just applied a very minimal set of restrictions and
    trusted unbound to properly drop root privs and capabilities.
    
    With this change I am (for the most part) just using the upstream
    example unit file for unbound. The main difference is that we start
    unbound as the `unbound` user with the required capabilities instead of
    letting unbound do the chroot & uid/gid changes.
    
    The upstream unit configuration this is based on is a lot stricter with
    all kinds of permissions than our previous variant. It also came with
    the default of having the `Type` set to `notify`, therefore we are also
    using the `unbound-with-systemd` package here. Unbound will start up,
    read the configuration files and start listening on the configured ports
    before systemd will declare the unit "running". This will likely help
    with startup order and the occasional race condition during system
    activation where the DNS service is started but not yet ready to answer
    queries.
    
    In addition to the much stricter runtime environment I removed the
    `/dev/urandom` mount lines we previously had in the code (that would
    randomly fail during `stop`-phase).
    
    The `preStart` script is now only required if we enabled the trust
    anchor updates (which are still enabled by default).
    
    Another benefit of the refactoring is that we can now issue reloads via
    either `pkill -HUP unbound` or `systemctl reload unbound` to reload the
    running configuration without taking the daemon offline. A prerequisite
    of this was that unbound configuration is available on a well known path
    on the file system. I went for /etc/unbound/unbound.conf as that is the
    default in the CLI tooling which in turn enables us to use
    `unbound-control` without passing a custom configuration location.
    andir committed Nov 3, 2020
    5e602f8
  4. 72fbf05
  5. nixos/unbound: drop ReadWritePaths from systemd unit configuration

    Both of the configured paths should be implicit due to RuntimeDirectory
    & StateDirectory.
    andir committed Nov 3, 2020
    aadc076
  6. nixos/tests/unbound: init

    andir committed Nov 3, 2020
    a040a8a
  7. b67cc62
  8. nixos/unbound: add option to configure the local control socket path

    This option allows users to specify a local UNIX control socket to
    "remote control" the daemon. System users, that should be permitted to
    access the daemon, must be in the `unbound` group in order to access the
    socket. When a socket path is configured we are also creating the
    required group.
    
    Currently this only supports the UNIX socket mode while unbound actually
    supports more advanced types. Users are still able to configure more
    complex scenarios via the `extraConfig` attribute.
    
    When this option is set to `null` (the default) it doesn't affect the
    system configuration at all. The unbound defaults for control sockets
    apply and no additional groups are created.
    andir committed Nov 3, 2020
    2aa64e5
  9. nixos/unbound: add release notes for the changes that were introduced

    As part of this patch series a few changes have been made to the unbound
    service that deserve proper documentation.
    andir committed Nov 3, 2020
    5c16c31
  10. nixos/unbound: unbound should be required for nss-lookup.target

    Other units depend on nss-lookup.target and expect the DNS resolution to
    work once that target is reached. The previous version
    `wants=nss-lookup.target` made this unit require the nss-lookup.target
    to be reached before this was started.
    
    Another change that we can probably do is drop the before relationship
    with the nss-lookup.target. That might just be implied with the current
    version.
    andir committed Nov 3, 2020
    5903ea5

Commits on Nov 8, 2020

  1. Merge pull request #101218 from andir/unbound-systemd

    Ninjatrappeur committed Nov 8, 2020
    5f5d38e