Comparing changes
base repository: NixOS/nixpkgs
base: 884d7ac41111
head repository: NixOS/nixpkgs
compare: 5f5d38e88f5a
- 11 commits
- 6 files changed
- 2 contributors
Commits on Nov 3, 2020
-
unbound: allow building with systemd support
Systemd has to remain an optional (non-default) dependency as otherwise we will have an unpleasant bootstrap cycle. Most (if not all) of the (lib)unbound consumers will likely not care about unbound's systemd integration that only affects the daemon mode, anyway.
-
This introduces an unbound variant that is built with systemd support. That means it is able to signal readiness to systemd once it has started or finished reloading. This likely allows us to close a small gap during bootup where the service is assumed up but doesn't respond to DNS queries just yet.
-
nixos/modules/services/networking/unbound: update systemd unit
Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound as the `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions than our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries.

Additionally to the much stricter runtime environment I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during the `stop` phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default).

Another benefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that the unbound configuration is available on a well-known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling, which in turn enables us to use `unbound-control` without passing a custom configuration location.
-
-
nixos/unbound: drop ReadWritePaths from systemd unit configuration
Both of the configured paths should be implicit due to RuntimeDirectory & StateDirectory.
-
-
nixos/unbound: add option to configure the local control socket path
This option allows users to specify a local UNIX control socket to "remote control" the daemon. System users that should be permitted to access the daemon must be in the `unbound` group in order to access the socket. When a socket path is configured we are also creating the required group. Currently this only supports the UNIX socket mode while unbound actually supports more advanced types. Users are still able to configure more complex scenarios via the `extraConfig` attribute. When this option is set to `null` (the default) it doesn't affect the system configuration at all. The unbound defaults for control sockets apply and no additional groups are created.
-
nixos/unbound: add release notes for the changes that were introduced
As part of this patch series a few changes have been made to the unbound service that deserve proper documentation.
-
nixos/unbound: unbound should be required for nss-lookup.target
Other units depend on nss-lookup.target and expect the DNS resolution to work once that target is reached. The previous version `wants=nss-lookup.target` made this unit require the nss-lookup.target to be reached before this was started. Another change that we can probably do is drop the before relationship with the nss-lookup.target. That might just be implied with the current version.
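As an added illustration (not the unit file from this PR, from the nixpkgs module, or from upstream unbound), the following unit sketch assembles the properties the commit messages above describe: starting as the `unbound` user with only the capability needed to bind port 53, `Type=notify` readiness, `RuntimeDirectory`/`StateDirectory` instead of `ReadWritePaths`, SIGHUP-based reload against the well-known config path, and the `RequiredBy`/`Before` relationship to `nss-lookup.target`. The binary path, the exact capability list and the particular hardening directives are assumptions chosen for the example.

```ini
# Illustrative unit, assembled from the commit messages above; not the unit
# shipped by nixpkgs or upstream unbound. Paths, the capability list and the
# exact hardening directives are assumptions.
[Unit]
Description=Unbound recursive DNS resolver (illustrative)
After=network.target
# The resolver must be answering before anything ordered after nss-lookup.target.
Before=nss-lookup.target

[Service]
# Requires a binary built with systemd support (sd_notify). A build without it
# never signals readiness, so the unit would sit in "activating" until timeout.
Type=notify
NotifyAccess=main
# Run unprivileged from the first instruction instead of trusting the daemon
# to chroot and change uid/gid itself.
User=unbound
Group=unbound
# The only privilege a non-root resolver needs: binding port 53.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# -d: stay in the foreground; -p: skip unbound's own privilege drop (assumed
# flag semantics). /etc/unbound/unbound.conf is the CLI tooling's default, so
# unbound-control works without -c.
ExecStart=/path/to/unbound -d -p -c /etc/unbound/unbound.conf
# SIGHUP re-reads config and anchors without closing the listening sockets;
# `systemctl reload unbound` and `pkill -HUP unbound` are equivalent here.
ExecReload=/bin/kill -HUP $MAINPID
# /run/unbound and /var/lib/unbound are created, owned by User/Group and
# writable despite ProtectSystem=strict; no ReadWritePaths= needed.
RuntimeDirectory=unbound
StateDirectory=unbound
# Hardening in the spirit of the upstream example unit (assumed subset).
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# PrivateDevices still exposes /dev/urandom, so no bind mount is required.
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
# "RequiredBy", not "WantedBy": reaching nss-lookup.target without a working
# resolver is exactly the race the Type=notify change is meant to close.
RequiredBy=nss-lookup.target
```

Two things worth checking after deploying a unit like this: `systemctl show -p SubState unbound` should report `running` only once the daemon has actually bound its sockets (with a non-notify build it reports `start` until the timeout fires), and a reload must keep the PID stable, otherwise queries are being dropped during the restart rather than served across it.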
Commits on Nov 8, 2020
-
Merge pull request #101218 from andir/unbound-systemd
Ninjatrappeur committed Nov 8, 2020
You can try running this command locally to see the comparison on your machine:
git diff 884d7ac41111...5f5d38e88f5a