From: Aleš Mrázek Date: Mon, 7 Jul 2025 13:47:39 +0000 (+0200) Subject: kresctl: commands: changed validation strictness default to false X-Git-Tag: v6.0.15~5^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fc0253e91c6af0bc1de1dc07f469f66952d16e0;p=thirdparty%2Fknot-resolver.git kresctl: commands: changed validation strictness default to false --- diff --git a/NEWS b/NEWS index c53b27c5f..d4d87dcff 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,7 @@ Improvements - update/more precise default answers for special names (!1709) https://www.iana.org/assignments/special-use-domain-names https://www.iana.org/assignments/locally-served-dns-zones +- kresctl: strict validation is now disabled by default (!1714) Knot Resolver 6.0.14 (2025-06-03) diff --git a/doc/user/manager-client.rst b/doc/user/manager-client.rst index abeab2c93..c0c757c01 100644 --- a/doc/user/manager-client.rst +++ b/doc/user/manager-client.rst @@ -241,9 +241,15 @@ single ``kresctl`` command. Validate declarative configuration. - .. option:: --no-strict + .. option:: --strict - Ignore strict rules during validation, e.g. path/file existence. + Enable strict rules during validation. + + During strict validation, the existence and access rights of paths are also checked. + However, if you are using an additional file system permission control mechanism, + such as access control lists (ACLs), this validation will likely fail. + This is because the validation runs under a different user/group than the resolver + itself and attempts to access the configured paths directly. .. option:: 
@@ -258,9 +264,15 @@ single ``kresctl`` command. Convert declarative configuration to a Lua script. - .. option:: --no-strict + .. option:: --strict + + Enable strict rules during validation. - Ignore strict rules during validation, e.g. path/file existence. + During strict validation, the existence and access rights of paths are also checked. + However, if you are using an additional file system permission control mechanism, + such as access control lists (ACLs), this validation will likely fail. + This is because the validation runs under a different user/group than the resolver + itself and attempts to access the configured paths directly. .. option:: --type= diff --git a/python/knot_resolver/client/commands/convert.py b/python/knot_resolver/client/commands/convert.py index aab07519c..eea383e1f 100644 --- a/python/knot_resolver/client/commands/convert.py +++ b/python/knot_resolver/client/commands/convert.py @@ -24,11 +24,11 @@ class ConvertCommand(Command): subparser: "argparse._SubParsersAction[argparse.ArgumentParser]", ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]: convert = subparser.add_parser("convert", help="Converts JSON or YAML configuration to Lua script.") - convert.set_defaults(strict=True) + convert.set_defaults(strict=False) convert.add_argument( - "--no-strict", - help="Ignore strict rules during validation, e.g. path/file existence.", - action="store_false", + "--strict", + help="Enable strict rules during validation, e.g. path/file existence and permissions.", + action="store_true", dest="strict", ) convert.add_argument( diff --git a/python/knot_resolver/client/commands/validate.py b/python/knot_resolver/client/commands/validate.py index 92848b584..2a336db3e 100644 --- a/python/knot_resolver/client/commands/validate.py +++ b/python/knot_resolver/client/commands/validate.py 
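Review bot: Removing `--no-strict` outright in `ConvertCommand` means an existing script that still passes it would be rejected by argparse as an unrecognized argument (assuming the client uses the usual `parse_args`). Separately, any caller that relied on a plain `kresctl convert` to check path existence and access rights now gets only the basic check, with no change in exit status. Consider keeping the old flag as a hidden no-op for a release, e.g. `convert.add_argument("--no-strict", help=argparse.SUPPRESS, action="store_false", dest="strict")`; the same applies to the first hunk of validate.py. Unlike validate.py, nothing visible in this hunk tells the user that the Lua script was produced after basic validation only, so a one-line notice on stderr would help. The enclosing method starts and ends outside the hunk.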
@@ -22,11 +22,11 @@ class ValidateCommand(Command): subparser: "argparse._SubParsersAction[argparse.ArgumentParser]", ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]: validate = subparser.add_parser("validate", help="Validates configuration in JSON or YAML format.") - validate.set_defaults(strict=True) + validate.set_defaults(strict=False) validate.add_argument( - "--no-strict", - help="Ignore strict rules during validation, e.g. path/file existence.", - action="store_false", + "--strict", + help="Enable strict rules during validation, e.g. paths/files existence and permissions.", + action="store_true", dest="strict", ) validate.add_argument( @@ -57,3 +57,13 @@ class ValidateCommand(Command): except (DataParsingError, DataValidationError) as e: print(e, file=sys.stderr) sys.exit(1) + if not self.strict: + print( + "Basic validation was successful." + "\nIf you want more strict validation, you can use the '--strict' switch." + "\nDuring strict validation, the existence and access rights of paths are also checked." + "\n\nHowever, if you are using an additional file system permission control mechanism," + "\nsuch as access control lists (ACLs), this validation will likely fail." + "\nThis is because the validation runs under a different user/group than the resolver itself" + "\nand attempts to access the configured paths directly." + ) diff --git a/scripts/poe-tasks/examples b/scripts/poe-tasks/examples index d4437203d..78117e2d1 100755 --- a/scripts/poe-tasks/examples +++ b/scripts/poe-tasks/examples @@ -7,5 +7,5 @@ source $src_dir/utils/_env.sh # validate all configuration examples for example in $PWD/etc/config/config.example.*.yaml; do - python3 -m knot_resolver.client validate --no-strict $example; + python3 -m knot_resolver.client validate $example; done
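Review bot: The new `--strict` help text in validate.py reads "paths/files existence and permissions", while the same option in convert.py reads "path/file existence and permissions"; the two should be identical so the generated `--help` output is consistent. I would use `help="Enable strict rules during validation, e.g. path/file existence and permissions."` in both places. Since the default is no longer the safer mode, it is also worth saying in the help string that strict validation is off unless this switch is given.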
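Review bot: The advisory added after the `except` block is written to stdout, while the validation errors just above it go to `sys.stderr`, so a caller that captures stdout now receives seven lines of prose on every successful non-strict run. Passing `file=sys.stderr` as the last argument of this `print(...)` call keeps stdout clean. The exit status does not appear to distinguish basic from strict validation, so automation that uses `kresctl validate` as a pre-deployment gate for configured paths (certificate or key files, for example) should be told in the docs to pass `--strict` explicitly. The method body begins outside the hunk, so the placement relative to the `try` block cannot be confirmed from here.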
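Review bot: The rewritten call in scripts/poe-tasks/examples still expands `$example` unquoted, so a checkout path containing spaces or glob characters would be split before it reaches the client; `python3 -m knot_resolver.client validate "$example";` avoids that. With the new default, each loop iteration will also print the multi-line basic-validation advisory, which is worth keeping in mind if the task output is read in CI logs.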