[ipfire-2.x.git] / src / initscripts / init.d / unbound

#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author      : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# Comment     : This init script additional starts the dhcpd watcher daemon
#               if DNS-Update (RFC2136) in web interface enabled

. /etc/sysconfig/rc
. ${rc_functions}

USE_FORWARDERS=1

# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound

function cidr() {
    local cidr nbits IFS;
    IFS=. read -r i1 i2 i3 i4 <<< ${1}
    IFS=. read -r m1 m2 m3 m4 <<< ${2}
    cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
    nbits=0
    IFS=.
    for dec in $2 ; do
        case $dec in
            255) let nbits+=8;;
            254) let nbits+=7;;
            252) let nbits+=6;;
            248) let nbits+=5;;
            240) let nbits+=4;;
            224) let nbits+=3;;
            192) let nbits+=2;;
            128) let nbits+=1;;
            0);;
            *) echo "Error: $dec is not recognised"; exit 1
        esac
    done
    echo "${cidr}/${nbits}"
}

read_name_servers() {
	local i
	for i in 1 2; do
		echo "$(</var/ipfire/red/dns${i})"
	done | xargs echo
}

config_header() {
	echo "# This file is automatically generated and any changes"
	echo "# will be overwritten. DO NOT EDIT!"
	echo
}

update_forwarders() {
	local forwarders="$(read_name_servers)"

	if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
		boot_mesg "Using Name Server(s): ${forwarders}"
		boot_mesg_flush

		unbound-control -q forward ${forwarders}

	# If forwarders cannot be used we run in recursor mode
	else
		unbound-control -q forward off
	fi
}

write_interfaces_conf() {
	(
		config_header

		if [ -n "${GREEN_ADDRESS}" ]; then
			echo "# GREEN"
			echo "interface: ${GREEN_ADDRESS}"
			echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
		fi

		if [ -n "${BLUE_ADDRESS}" ]; then
			echo "# BLUE"
			echo "interface: ${BLUE_ADDRESS}"
			echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
		fi
	) > /etc/unbound/interfaces.conf
}

write_forward_conf() {
	(
		config_header

		local enabled zone server remark
		while IFS="," read -r enabled zone server remark; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			echo "forward-zone:"
			echo "	name: ${zone}"
			echo "	forward-addr: ${server}"
			echo
		done < /var/ipfire/dnsforward/config
	) > /etc/unbound/forward.conf
}

write_tuning_conf() {
	# https://www.unbound.net/documentation/howto_optimise.html

	# Determine number of online processors
	local processors=$(getconf _NPROCESSORS_ONLN)

	# Determine number of slabs
	local slabs=1
	while [ ${slabs} -lt ${processors} ]; do
		slabs=$(( ${slabs} * 2 ))
	done

	# Determine amount of system memory
	local mem=$(get_memory_amount)

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead

	# Large systems with more than 2GB of RAM
	if [ ${mem} -ge 2048 ]; then
		mem=128

	# Small systems with less than 256MB of RAM
	elif [ ${mem} -le 256 ]; then
		mem=8

	# Everything else
	else
		mem=32
	fi

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache
		echo "rrset-cache-size: $(( ${mem} / 2 ))m"
		echo "msg-cache-size: $(( ${mem} / 4 ))m"
		echo "key-cache-size: $(( ${mem} / 4 ))m"
	) > /etc/unbound/tuning.conf
}

get_memory_amount() {
	local key val unit

	while read -r key val unit; do
		case "${key}" in
			MemTotal:*)
				# Convert to MB
				echo "$(( ${val} / 1024 ))"
				break
				;;
		esac
	done < /proc/meminfo
}

case "$1" in
	start)
		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
		eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)

		# Create control keys at first run
		if [ ! -r "/etc/unbound/unbound_control.key" ]; then
			unbound-control-setup -d /etc/unbound &>/dev/null
		fi

		# Update configuration files
		write_tuning_conf
		write_interfaces_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Update any known forwarding name servers
		update_forwarders

		# Start Unbound DHCP Lease Bridge unless RFC2136 is used
		if [ "${DNS_UPDATE_ENABLED}" != on ]; then
			boot_mesg "Starting Unbound DHCP Leases Bridge..."
			loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
		fi
		;;

	stop)
		boot_mesg "Stopping Unbound DHCP Leases Bridge..."
		killproc /usr/sbin/unbound-dhcp-leases-bridge

		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	status)
		statusproc /usr/sbin/unbound
		statusproc /usr/sbin/unbound-dhcp-leases-bridge
		;;

	update-forwarders)
		update_forwarders
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
		exit 1
		;;
esac

# End $rc_base/init.d/unbound
Commit	Line	Data
d0e5f71f ML	1	#!/bin/sh
	2	# Begin $rc_base/init.d/unbound
	3
	4	# Description : Unbound DNS resolver boot script for IPfire
	5	# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
	6	#
	7	# Comment : This init script additional starts the dhcpd watcher daemon
	8	# if DNS-Update (RFC2136) in web interface enabled
	9
	10	. /etc/sysconfig/rc
	11	. ${rc_functions}
	12
b8f5eda8	13	USE_FORWARDERS=1
d0e5f71f	14
b8f5eda8 MT	15	# Load optional configuration
b8f5eda8 MT	16	[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
d0e5f71f ML	17
	18	function cidr() {
	19	local cidr nbits IFS;
	20	IFS=. read -r i1 i2 i3 i4 <<< ${1}
	21	IFS=. read -r m1 m2 m3 m4 <<< ${2}
	22	cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
	23	nbits=0
	24	IFS=.
	25	for dec in $2 ; do
	26	case $dec in
	27	255) let nbits+=8;;
	28	254) let nbits+=7;;
	29	252) let nbits+=6;;
	30	248) let nbits+=5;;
	31	240) let nbits+=4;;
	32	224) let nbits+=3;;
	33	192) let nbits+=2;;
	34	128) let nbits+=1;;
	35	0);;
	36	*) echo "Error: $dec is not recognised"; exit 1
	37	esac
	38	done
	39	echo "${cidr}/${nbits}"
	40	}
	41
b8f5eda8 MT	42	read_name_servers() {
	43	local i
	44	for i in 1 2; do
	45	echo "$(</var/ipfire/red/dns${i})"
	46	done \| xargs echo
	47	}
	48
	49	config_header() {
	50	echo "# This file is automatically generated and any changes"
	51	echo "# will be overwritten. DO NOT EDIT!"
	52	echo
	53	}
	54
	55	update_forwarders() {
	56	local forwarders="$(read_name_servers)"
	57
	58	if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
	59	boot_mesg "Using Name Server(s): ${forwarders}"
	60	boot_mesg_flush
	61
	62	unbound-control -q forward ${forwarders}
	63
	64	# If forwarders cannot be used we run in recursor mode
	65	else
	66	unbound-control -q forward off
	67	fi
	68	}
	69
	70	write_interfaces_conf() {
	71	(
	72	config_header
	73
	74	if [ -n "${GREEN_ADDRESS}" ]; then
	75	echo "# GREEN"
	76	echo "interface: ${GREEN_ADDRESS}"
	77	echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
	78	fi
	79
	80	if [ -n "${BLUE_ADDRESS}" ]; then
	81	echo "# BLUE"
	82	echo "interface: ${BLUE_ADDRESS}"
	83	echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
	84	fi
	85	) > /etc/unbound/interfaces.conf
	86	}
	87
	88	write_forward_conf() {
	89	(
	90	config_header
	91
	92	local enabled zone server remark
	93	while IFS="," read -r enabled zone server remark; do
	94	# Line must be enabled.
	95	[ "${enabled}" = "on" ] \|\| continue
	96
	97	echo "forward-zone:"
	98	echo " name: ${zone}"
	99	echo " forward-addr: ${server}"
	100	echo
	101	done < /var/ipfire/dnsforward/config
	102	) > /etc/unbound/forward.conf
	103	}
	104
b658a451 MT	105	write_tuning_conf() {
	106	# https://www.unbound.net/documentation/howto_optimise.html
	107
	108	# Determine number of online processors
	109	local processors=$(getconf _NPROCESSORS_ONLN)
	110
	111	# Determine number of slabs
	112	local slabs=1
	113	while [ ${slabs} -lt ${processors} ]; do
	114	slabs=$(( ${slabs} * 2 ))
	115	done
	116
	117	# Determine amount of system memory
	118	local mem=$(get_memory_amount)
	119
	120	# In the worst case scenario, unbound can use double the
	121	# amount of memory allocated to a cache due to malloc overhead
	122
	123	# Large systems with more than 2GB of RAM
	124	if [ ${mem} -ge 2048 ]; then
	125	mem=128
	126
	127	# Small systems with less than 256MB of RAM
	128	elif [ ${mem} -le 256 ]; then
	129	mem=8
	130
	131	# Everything else
	132	else
	133	mem=32
	134	fi
	135
	136	(
	137	config_header
	138
	139	# We run one thread per processor
	140	echo "num-threads: ${processors}"
	141
	142	# Adjust number of slabs
	143	echo "infra-cache-slabs: ${slabs}"
	144	echo "key-cache-slabs: ${slabs}"
	145	echo "msg-cache-slabs: ${slabs}"
	146	echo "rrset-cache-slabs: ${slabs}"
	147
	148	# Slice up the cache
	149	echo "rrset-cache-size: $(( ${mem} / 2 ))m"
	150	echo "msg-cache-size: $(( ${mem} / 4 ))m"
	151	echo "key-cache-size: $(( ${mem} / 4 ))m"
	152	) > /etc/unbound/tuning.conf
	153	}
	154
	155	get_memory_amount() {
	156	local key val unit
	157
	158	while read -r key val unit; do
	159	case "${key}" in
	160	MemTotal:*)
	161	# Convert to MB
	162	echo "$(( ${val} / 1024 ))"
	163	break
	164	;;
	165	esac
	166	done < /proc/meminfo
	167	}
b8f5eda8	168
d0e5f71f ML	169	case "$1" in
d0e5f71f ML	170	start)
b8f5eda8 MT	171	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
b8f5eda8 MT	172	eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
d0e5f71f	173
b8f5eda8 MT	174	# Create control keys at first run
	175	if [ ! -r "/etc/unbound/unbound_control.key" ]; then
	176	unbound-control-setup -d /etc/unbound &>/dev/null
	177	fi
	178
	179	# Update configuration files
b658a451	180	write_tuning_conf
b8f5eda8 MT	181	write_interfaces_conf
	182	write_forward_conf
	183
	184	boot_mesg "Starting Unbound DNS Proxy..."
	185	loadproc /usr/sbin/unbound \|\| exit $?
	186
	187	# Update any known forwarding name servers
	188	update_forwarders
	189
	190	# Start Unbound DHCP Lease Bridge unless RFC2136 is used
	191	if [ "${DNS_UPDATE_ENABLED}" != on ]; then
	192	boot_mesg "Starting Unbound DHCP Leases Bridge..."
	193	loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
	194	fi
	195	;;
d0e5f71f ML	196
d0e5f71f ML	197	stop)
b8f5eda8 MT	198	boot_mesg "Stopping Unbound DHCP Leases Bridge..."
b8f5eda8 MT	199	killproc /usr/sbin/unbound-dhcp-leases-bridge
d0e5f71f	200
b8f5eda8 MT	201	boot_mesg "Stopping Unbound DNS Proxy..."
	202	killproc /usr/sbin/unbound
	203	;;
d0e5f71f ML	204
d0e5f71f ML	205	restart)
b8f5eda8 MT	206	$0 stop
	207	sleep 1
	208	$0 start
	209	;;
d0e5f71f ML	210
d0e5f71f ML	211	status)
b8f5eda8 MT	212	statusproc /usr/sbin/unbound
	213	statusproc /usr/sbin/unbound-dhcp-leases-bridge
	214	;;
	215
	216	update-forwarders)
	217	update_forwarders
	218	;;
d0e5f71f ML	219
d0e5f71f ML	220	*)
b8f5eda8 MT	221	echo "Usage: $0 {start\|stop\|restart\|status\|update-forwarders}"
	222	exit 1
	223	;;
d0e5f71f ML	224	esac
	225
	226	# End $rc_base/init.d/unbound