New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
knot-resolver: 4.3.0 -> 5.0.0 -> 5.0.1 #78628
Conversation
Note: upstream and packages on other distros now use the "knot-resolver" name on more places, e.g. |
I would migrate to upstream defaults soonish as it makes it easier to follow upstream documentation. And the stuff you mentioned here should not require user intervention in the most cases (different users, service names, cache directory) |
|
I wonder whether to put all the changes into this single PR, but it probably doesn't really matter, given the (expected) number of reviewers. |
knot-resolver looks like a good candidate for
I fear that deleting user data causes more harm than it helps. I would just leave it as it is. |
Right, if it would make it more difficult to give kresd read access to ACME certs, I don't think we want to go that way. So I'll get new fixed IDs, I suppose. There should be no "user data" in the cache directory. I know we don't precisely follow FHS or similar, but still.
Still, if there are any doubts, not touching the old cache is the easiest approach. |
The IDs don't need to be fixed. They can also be allocated at activation time, however a user/group name should be allocated for
Looks fine, I would just add a comment when to remove these tmpfile rules. For example NixOS 21.09. |
Whenever the IDs change, the file ownership won't match anymore. I think ownership can be force-changed by switching to "e" rule in tmpfiles, but overall I wonder about cost/benefit ratio. |
If |
Right, that's a possible approach, if we remove the possibility to configure |
I don't think this option is often used anyway. Deprecating it makes things easier and it is always possible to put a different filesystem using a bind mount. Also see: 5c18c08 |
OK, let me remove that option. By the way, larger deployments want to have cache in tmpfs to reduce the I/O load (and persistence across reboots isn't a big deal), and we/upstream recommend to mount a separate tmpfs on the cache directory instead of relocating it. Perhaps I'll add a simple NixOS option for this later, though I haven't yet looked into whether to do this via systemd features or plain |
The cqueues fix is in nixpkgs already, so it works now.
Part of this is approximate revert of commit f0d2da4.
Minor incompatibilities due to moving to upstream defaults: - capabilities are used instead of systemd.socket units - the control socket moved: /run/kresd/control -> /run/knot-resolver/control/1 - cacheDir moved and isn't configurable anymore - different user+group names, without static IDs Thanks Mic92 for multiple ideas.
I incorporated all that's been discussed now, I think. Also minor fixes/improvements were added, and the git history was cleaned up. I'm using the service already, as usual. All the namings (users, paths) should be the same now as in other distributions and (upstream) docs. I kept the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Have not tested it but I assume you did.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Have not tested it but I assume you did.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Have not tested it but I assume you did.
The service needed lots of changes. A few smaller changes are added into the PR, e.g. replacement for PR #72014. See the commit messages for details.
The service needed lots of changes. A few smaller changes are added into the PR, e.g. replacement for PR NixOS#72014. See the commit messages for details. (cherry picked from commit baeed03)
Motivation for this change
https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v5.0.0
The service needed lots of changes. A few smaller changes are added into the PR, e.g. replacement for PR #72014. See the commit messages for details.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after):negligible increase (9576 bytes)