From: Tomas Krizek
Date: Thu, 11 Apr 2019 15:40:48 +0000 (+0200)
Subject: systemd: integrate http module with systemd
X-Git-Tag: v4.0.0~1^2~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d18fc01d52bbaa2e63a6a97c0cf5ea0d20211ea8;p=thirdparty%2Fknot-resolver.git

systemd: integrate http module with systemd
---
diff --git a/distro/arch/PKGBUILD b/distro/arch/PKGBUILD
index 919ee87ab..94080fddd 100644
--- a/distro/arch/PKGBUILD
+++ b/distro/arch/PKGBUILD
@@ -62,9 +62,14 @@ package() {
   DESTDIR=${pkgdir} ninja -C build_arch install
   # add kresd.target to multi-user.target.wants to support enabling kresd services
-  install -dm 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants"
+  install -d -m 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants"
   ln -s ../kresd.target "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants/kresd.target"
+  # mask kresd-doh.socket, kresd-webmgmt.socket by default (unmask if using http module)
+  install -d -m 0755 "${pkgdir}/etc/systemd/system"
+  ln -s /dev/null "${pkgdir}/etc/systemd/system/kresd-doh.socket"
+  ln -s /dev/null "${pkgdir}/etc/systemd/system/kresd-webmgmt.socket"
+
   # remove modules with missing dependencies
   rm "${pkgdir}/usr/lib/knot-resolver/kres_modules/etcd.lua"
 }
diff --git a/distro/deb/control b/distro/deb/control
index 7640d3d5b..3120d375d 100644
--- a/distro/deb/control
+++ b/distro/deb/control
@@ -62,11 +62,13 @@ Description: caching, DNSSEC-validating DNS resolver
 Package: knot-resolver-module-http
 Architecture: all
 Depends:
+ knot-resolver,
  libjs-bootstrap,
  libjs-d3,
  libjs-jquery,
  lua-http,
  lua-mmdb,
+ systemd,
  ${misc:Depends},
  ${shlibs:Depends},
 Breaks:
diff --git a/distro/deb/knot-resolver-module-http.install b/distro/deb/knot-resolver-module-http.install
index ffa04d01a..75cb9f40f 100644
--- a/distro/deb/knot-resolver-module-http.install
+++ b/distro/deb/knot-resolver-module-http.install
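Review bot: The default masking is not the same across the packagings touched by this commit: this hunk masks both `kresd-doh.socket` and `kresd-webmgmt.socket` with /dev/null symlinks, while distro/deb/knot-resolver-module-http.links (next file section) and the Fedora branch of distro/rpm/knot-resolver.spec mask only `kresd-doh.socket`, so to whatever extent the new `Sockets=` drop-in activates them, the web-management listener would be live by default on Debian/Fedora but not on Arch. If that difference is intended, record it in the comment here, e.g. `# mask kresd-doh.socket, kresd-webmgmt.socket by default (unmask if using http module; deb/rpm mask only doh)`; otherwise align the three. The mask symlinks are shipped as package-owned files under /etc, so `systemctl unmask` deletes a file the package manager tracks and a later upgrade may silently reinstate the mask; the .links and spec hunks share this property and may want the distro's mechanism for admin-removable files instead. The enclosing package() function starts before the hunk.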
@@ -1,3 +1,6 @@
+usr/lib/systemd/system/kresd@.service.d/module-http.conf lib/systemd/system/kresd@.service.d/
+usr/lib/systemd/system/kresd-doh.socket lib/systemd/system/
+usr/lib/systemd/system/kresd-webmgmt.socket lib/systemd/system/
 usr/lib/knot-resolver/kres_modules/http*.lua
 usr/lib/knot-resolver/kres_modules/prometheus.lua
 usr/lib/knot-resolver/kres_modules/http/*.css
diff --git a/distro/deb/knot-resolver-module-http.links b/distro/deb/knot-resolver-module-http.links
index 4963c5cb9..bf86610c2 100644
--- a/distro/deb/knot-resolver-module-http.links
+++ b/distro/deb/knot-resolver-module-http.links
@@ -1,3 +1,4 @@
+dev/null etc/systemd/system/kresd-doh.socket
 usr/share/javascript/bootstrap/css/bootstrap-theme.min.css usr/lib/knot-resolver/kres_modules/http/bootstrap-theme.min.css
 usr/share/javascript/bootstrap/css/bootstrap.min.css usr/lib/knot-resolver/kres_modules/http/bootstrap.min.css
 usr/share/javascript/bootstrap/js/bootstrap.min.js usr/lib/knot-resolver/kres_modules/http/bootstrap.min.js
diff --git a/distro/deb/knot-resolver.dirs b/distro/deb/knot-resolver.dirs
index bb5a4f1f6..975e769fe 100644
--- a/distro/deb/knot-resolver.dirs
+++ b/distro/deb/knot-resolver.dirs
@@ -1 +1,2 @@
+/lib/systemd/system/kresd@.service.d
 /var/lib/knot-resolver
diff --git a/distro/deb/knot-resolver.install b/distro/deb/knot-resolver.install
index db72f30b8..88bfff2af 100644
--- a/distro/deb/knot-resolver.install
+++ b/distro/deb/knot-resolver.install
@@ -1,5 +1,9 @@
 etc/knot-resolver/kresd.conf
-usr/lib/systemd/system/* lib/systemd/system/
+usr/lib/systemd/system/kresd@.service lib/systemd/system/
+usr/lib/systemd/system/kresd.target lib/systemd/system/
+usr/lib/systemd/system/kresd.socket lib/systemd/system/
+usr/lib/systemd/system/kresd-tls.socket lib/systemd/system/
+usr/lib/systemd/system/kresd-control@.socket lib/systemd/system/
 usr/lib/*.so.*
 usr/lib/tmpfiles.d/knot-resolver.conf
 usr/lib/knot-resolver/*.so
diff --git a/distro/rpm/knot-resolver.spec b/distro/rpm/knot-resolver.spec
index 90f9cd494..5c4bc3c46 100644
--- a/distro/rpm/knot-resolver.spec
+++ b/distro/rpm/knot-resolver.spec
@@ -117,6 +117,7 @@ Documentation for Knot Resolver
 %if "x%{?suse_version}" == "x"
 %package module-http
 Summary: HTTP/2 module for Knot Resolver
+Requires: knot-resolver
 %if 0%{?fedora}
 Requires: compat-lua-http
 Requires: compat-lua-mmdb
@@ -180,11 +181,21 @@ install -m 0750 -d %{buildroot}/run/%{name}
 # remove modules with missing dependencies
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/etcd.lua
+
 %if 0%{?suse_version}
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua
 rm -r %{buildroot}%{_libdir}/knot-resolver/kres_modules/http
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http*.lua
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/prometheus.lua
+rm %{buildroot}%{_unitdir}/kresd@.service.d/module-http.conf
+rm %{buildroot}%{_unitdir}/kresd-doh.socket
+rm %{buildroot}%{_unitdir}/kresd-webmgmt.socket
+%endif
+
+%if 0%{?fedora}
+# mask kresd-doh.socket by default
+install -d -m 0755 %{buildroot}%{_sysconfdir}/systemd/system
+ln -s /dev/null %{buildroot}%{_sysconfdir}/systemd/system/kresd-doh.socket
 %endif
 # rename doc directory for centos, opensuse
@@ -228,12 +239,15 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
 %attr(664,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.keys
 %attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.hints
 %attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/icann-ca.pem
-%{_unitdir}/kresd*.service
+%{_unitdir}/kresd@.service
 %{_unitdir}/kresd.target
 %dir %{_unitdir}/multi-user.target.wants
 %{_unitdir}/multi-user.target.wants/kresd.target
 %if "x%{?rhel}" == "x"
-%{_unitdir}/kresd*.socket
+%dir %{_unitdir}/kresd@.service.d
+%{_unitdir}/kresd.socket
+%{_unitdir}/kresd-tls.socket
+%{_unitdir}/kresd-control@.socket
 %ghost /run/%{name}/
 %{_mandir}/man7/kresd.systemd.7.gz
 %else
@@ -285,6 +299,12 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
 %if "x%{?suse_version}" == "x"
 %files module-http
+%if 0%{?fedora}
+%{_unitdir}/kresd@.service.d/module-http.conf
+%{_unitdir}/kresd-doh.socket
+%{_sysconfdir}/systemd/system/kresd-doh.socket
+%{_unitdir}/kresd-webmgmt.socket
+%endif
 %{_libdir}/knot-resolver/kres_modules/http
 %{_libdir}/knot-resolver/kres_modules/http*.lua
 %{_libdir}/knot-resolver/kres_modules/prometheus.lua
diff --git a/systemd/kresd-doh.socket b/systemd/kresd-doh.socket
new file mode 100644
index 000000000..ec0dde5db
--- /dev/null
+++ b/systemd/kresd-doh.socket
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver DNS-over-HTTPS socket
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+FreeBind=true
+BindIPv6Only=both
+FileDescriptorName=doh
+ListenStream=[::1]:443
+ListenStream=127.0.0.1:443
+Service=kresd@1.service
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/systemd/kresd-doh.socket.d/all-interfaces.conf b/systemd/kresd-doh.socket.d/all-interfaces.conf
new file mode 100644
index 000000000..3a02aaf5f
--- /dev/null
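Review bot: The default port in systemd/kresd-doh.socket disagrees with the rest of the commit: the unit binds `ListenStream=[::1]:443` and `ListenStream=127.0.0.1:443`, while the man page hunk in systemd/kresd.systemd.7.in documents `kresd-doh.socket` as localhost:44353 and both drop-in examples under kresd-doh.socket.d use port 44353. One side is wrong; if 44353 is the intended default (it also avoids colliding with any local HTTPS server already on 443), change the two lines to `ListenStream=[::1]:44353` and `ListenStream=127.0.0.1:44353`, otherwise correct the man page and the examples. The sibling `kresd-webmgmt.socket` in this commit is documented consistently at 8453, so only the DoH unit is affected.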
+++ b/systemd/kresd-doh.socket.d/all-interfaces.conf
@@ -0,0 +1,11 @@
+# /etc/systemd/system/kresd-doh.socket.d/override.conf
+
+# Configure kresd-doh.socket to listen on all IPv4 and IPv6 interfaces.
+
+# Empty ListenStream= directive is required to avoid port clash with default
+# localhost. If you've disabled IPv6 support in kernel, use 0.0.0.0 instead of
+# [::]
+
+[Socket]
+ListenStream=
+ListenStream=[::]:44353
diff --git a/systemd/kresd-doh.socket.d/specific-interfaces.conf b/systemd/kresd-doh.socket.d/specific-interfaces.conf
new file mode 100644
index 000000000..d4dab85e8
--- /dev/null
+++ b/systemd/kresd-doh.socket.d/specific-interfaces.conf
@@ -0,0 +1,9 @@
+# /etc/systemd/system/kresd-doh.socket.d/override.conf
+
+# Configure which interfaces should kresd-doh.socket listen on.
+
+# ListenStream can be added multiple times.
+
+[Socket]
+ListenStream=192.0.2.115:44353
+ListenStream=[2001:db8::115]:44353
diff --git a/systemd/kresd-tls.socket b/systemd/kresd-tls.socket
index 2847a1f2e..22cddcd8f 100644
--- a/systemd/kresd-tls.socket
+++ b/systemd/kresd-tls.socket
@@ -1,5 +1,5 @@
 [Unit]
-Description=Knot Resolver TLS network listener
+Description=Knot Resolver DNS-over-TLS socket
 Documentation=man:kresd.systemd(7)
 Documentation=man:kresd(8)
 Before=sockets.target
diff --git a/systemd/kresd-webmgmt.socket b/systemd/kresd-webmgmt.socket
new file mode 100644
index 000000000..1106bb993
--- /dev/null
+++ b/systemd/kresd-webmgmt.socket
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver web management and API socket
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+FreeBind=true
+BindIPv6Only=both
+FileDescriptorName=webmgmt
+ListenStream=[::1]:8453
+ListenStream=127.0.0.1:8453
+Service=kresd@1.service
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=sockets.target
diff --git a/systemd/kresd.socket b/systemd/kresd.socket
index 8f263ef9e..cf844b733 100644
--- a/systemd/kresd.socket
+++ b/systemd/kresd.socket
@@ -1,5 +1,5 @@
 [Unit]
-Description=Knot Resolver network listeners
+Description=Knot Resolver DNS socket
 Documentation=man:kresd.systemd(7)
 Documentation=man:kresd(8)
 Before=sockets.target
@@ -7,6 +7,7 @@ Before=sockets.target
 [Socket]
 FreeBind=true
 BindIPv6Only=both
+FileDescriptorName=dns
 ListenDatagram=[::1]:53
 ListenStream=[::1]:53
 ListenDatagram=127.0.0.1:53
diff --git a/systemd/kresd.systemd.7.in b/systemd/kresd.systemd.7.in
index a3405e7e3..758341864 100644
--- a/systemd/kresd.systemd.7.in
+++ b/systemd/kresd.systemd.7.in
@@ -17,6 +17,8 @@ kresd@.service
 kresd.socket
 kresd-tls.socket
 kresd-control@.socket
+kresd-doh.socket
+kresd-webmgmt.socket
 kresd.target
 system-kresd.slice
 .fi
@@ -34,14 +36,16 @@ additional capabilities.
 The network interface sockets are created by systemd and then passed to the daemon. Network configuration has to take place in \fIsystemd.socket(5)\fR, which can
-be done using drop-in files. Each instance of \fIkresd@.service\fR has three
-systemd sockets associated with it:
+be done using drop-in files. Each instance of \fIkresd@.service\fR may have
+these systemd sockets associated with it:
 .nf
 .RS
 \fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53)
 \fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853)
 \fIkresd-control@.socket\fR - UNIX socket with control terminal
+\fIkresd-doh.socket\fR - DNS-over-HTTPS (with http module: localhost:44353)
+\fIkresd-webmgmt.socket\fR - web management and APIs (with http module: localhost:8453)
 .RE
 .fi
@@ -54,6 +58,7 @@ To configure \fBkresd\fR to listen on public interfaces, drop-in files (see
 .RS 4n
 .B systemctl edit kresd.socket
 .B systemctl edit kresd-tls.socket
+.B systemctl edit kresd-doh.socket
 .RE
 .fi
@@ -163,7 +168,8 @@ the sockets:
 .RE
 .fi
-To disable the TLS socket, you can mask it:
+To disable optional sockets, you can mask them. For example, to disable
+DNS-over-TLS socket:
 .RS 4n
 .B systemctl mask kresd-tls.socket
diff --git a/systemd/kresd@.service.d/module-http.conf b/systemd/kresd@.service.d/module-http.conf
new file mode 100644
index 000000000..9534400bd
--- /dev/null
+++ b/systemd/kresd@.service.d/module-http.conf
@@ -0,0 +1,3 @@
+[Service]
+Sockets=kresd-doh.socket
+Sockets=kresd-webmgmt.socket
diff --git a/systemd/meson.build b/systemd/meson.build
index d013ae291..662a3ec29 100644
--- a/systemd/meson.build
+++ b/systemd/meson.build
@@ -34,10 +34,18 @@ if systemd_files == 'enabled'
     sources: [
       'kresd.socket',
       'kresd-tls.socket',
+      'kresd-doh.socket',
+      'kresd-webmgmt.socket',
       'kresd.target',
     ],
     install_dir: systemd_unit_dir,
   )
+  install_data(
+    sources: [
+      'kresd@.service.d/module-http.conf',
+    ],
+    install_dir: join_paths(systemd_unit_dir, 'kresd@.service.d'),
+  )
   ## man page
   kresd_systemd_man = configure_file(
@@ -70,6 +78,13 @@ if systemd_files == 'enabled'
     ],
     install_dir: join_paths(examples_dir, 'kresd-tls.socket.d'),
   )
+  install_data(
+    sources: [
+      'kresd-doh.socket.d/all-interfaces.conf',
+      'kresd-doh.socket.d/specific-interfaces.conf',
+    ],
+    install_dir: join_paths(examples_dir, 'kresd-doh.socket.d'),
+  )
 elif systemd_files == 'nosocket'
   subdir('nosocket')
 endif
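Review bot: The new drop-in systemd/kresd@.service.d/module-http.conf has no comment, although its two `Sockets=` lines are exactly what the packaging hunks in this commit work around by masking `kresd-doh.socket` (Arch, Debian, Fedora) and `kresd-webmgmt.socket` (Arch only). A short header would spare the next reader a trip through the spec and PKGBUILD, e.g. `# Installed with the http module: every kresd@ instance inherits the DoH and` / `# web-management socket descriptors. Distribution packages may mask these units by default.` How `Sockets=` interacts with socket activation of a templated service is not visible here, so the comment should stay at that level rather than describe start-up ordering.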