* unbound-service-type
@ 2022-02-11 11:42 Josua Stingelin
From: Josua Stingelin @ 2022-02-11 11:42 UTC (permalink / raw)
To: guix-devel
Hei Guix!
As far as I can see there's no service type to run unbound, a local, recursive,
caching DNS server.
I've tried to create it - but it doesn't quite work.
In order to be pushed upstream I'd like to add the configuration of the options
easily using the unbound-configuration-type.
For now I'd just like to get it up and running to start playing around with
more configuration options.
I'd like unbound to run in a chroot and with the user unbound.
So I started with the user account.
(define %unbound-accounts
  (list (user-account
         (name "unbound")
         (group "nogroup")
         (system? #t)
         (comment "unbound daemon user")
         (home-directory "/etc/unbound")
         (shell (file-append shadow "/sbin/nologin")))))
Then I defined the unbound-configuration record type. Later on I want to expand
that. (Allow configuring of the user, group and directly set properties instead
of copying the configuration file)
(define-record-type* <unbound-configuration>
  unbound-configuration make-unbound-configuration
  unbound-configuration?
  (package  unbound-configuration-package
            (default unbound))
  (pid-file unbound-configuration-pid-file
            (default "/etc/unbound/unbound.pid")))
Next there is the shepherd-service configuration.
(define unbound-shepherd-service
  (match-lambda
    (($ <unbound-configuration> package pid-file)
     (list (shepherd-service
            (provision '(unbound))
            (documentation "Run the unbound DNS server.")
            (requirement '(networking))
            (start #~(make-forkexec-constructor
                      '(#$(file-append package "/sbin/unbound")
                        "-d"
                        "-c" "/etc/unbound/unbound.conf")
                      #:pid-file #$pid-file))
            (stop #~(make-kill-destructor)))))))
Based on these definitions I can now create the unbound-service-type.
(define unbound-service-type
  (service-type
   (name 'unbound)
   (extensions
    (list (service-extension shepherd-root-service-type unbound-shepherd-service)
          (service-extension account-service-type (const %unbound-accounts))))
   (default-value (unbound-configuration))
   (description "Run the unbound DNS server")))
However when I add these to my operating-system configuration, and copy the
configuration file using the etc-service-type it doesn't run on start.
(operating-system
  ...
  (services (append (list
                     (simple-service 'unbound-service
                                     etc-service-type
                                     `(("unbound/unbound.conf" ,(local-file "unbound/unbound.conf"))
                                       ("unbound/root.hints" ,(local-file "unbound/root.hints"))
                                       ("unbound/root.key" ,(local-file "unbound/root.key"))))
                     (service unbound-service-type))
                    %base-services)))
As /etc/unbound is owned by root and a symlink to /etc/static/unbound that
isn't surprising.
How would I configure such a service under Guix (point me to an example maybe?)
and which directory should be used for the chroot? /etc/unbound doesn't feel
quite right.
Kind Regards
Josua a.k.a Joshua/Josh
* Re: unbound-service-type
From: jbranso @ 2022-02-12 3:43 UTC (permalink / raw)
To: Josua Stingelin, guix-devel
February 11, 2022 6:43 AM, "Josua Stingelin" <josuast@hotmail.com> wrote:
> Hei Guix!
>
> As far as I can see there's no service type to run unbound, a local, recursive,
> caching DNS server.
>
> I've tried to create it - but it doesn't quite work.
>
> In order to be pushed upstream I'd like to add the configuration of the options
> easily using the unbound-configuration-type.
>
> For now I'd just like to get it up and running to start playing around with
> more configuration options.
>
> I'd like unbound to run in a chroot and with the user unbound.
>
> So I started with the user account.
>
> (define %unbound-accounts
>   (list (user-account
>          (name "unbound")
>          (group "nogroup")
>          (system? #t)
>          (comment "unbound daemon user")
>          (home-directory "/etc/unbound")
>          (shell (file-append shadow "/sbin/nologin")))))
>
> Then I defined the unbound-configuration record type. Later on I want to expand
> that. (Allow configuring of the user, group and directly set properties instead
> of copying the configuration file)
>
> (define-record-type* <unbound-configuration>
>   unbound-configuration make-unbound-configuration
>   unbound-configuration?
>   (package  unbound-configuration-package
>             (default unbound))
>   (pid-file unbound-configuration-pid-file
>             (default "/etc/unbound/unbound.pid")))
>
> Next there is the shepherd-service configuration.
>
> (define unbound-shepherd-service
>   (match-lambda
>     (($ <unbound-configuration> package pid-file)
>      (list (shepherd-service
>             (provision '(unbound))
>             (documentation "Run the unbound DNS server.")
>             (requirement '(networking))
>             (start #~(make-forkexec-constructor
>                       '(#$(file-append package "/sbin/unbound")
>                         "-d"
>                         "-c" "/etc/unbound/unbound.conf")
>                       #:pid-file #$pid-file))
>             (stop #~(make-kill-destructor)))))))
>
> Based on these definitions I can now create the unbound-service-type.
>
> (define unbound-service-type
>   (service-type
>    (name 'unbound)
>    (extensions
>     (list (service-extension shepherd-root-service-type unbound-shepherd-service)
>           (service-extension account-service-type (const %unbound-accounts))))
>    (default-value (unbound-configuration))
>    (description "Run the unbound DNS server")))
>
> However when I add these to my operating-system configuration, and copy the
> configuration file using the etc-service-type it doesn't run on start.
>
> (operating-system
>   ...
>   (services (append (list
>                      (simple-service 'unbound-service
>                                      etc-service-type
>                                      `(("unbound/unbound.conf" ,(local-file "unbound/unbound.conf"))
>                                        ("unbound/root.hints" ,(local-file "unbound/root.hints"))
>                                        ("unbound/root.key" ,(local-file "unbound/root.key"))))
>                      (service unbound-service-type))
>                     %base-services)))
>
> As /etc/unbound is owned by root and a symlink to /etc/static/unbound that
> isn't surprising.
>
> How would I configure such a service under Guix (point me to an example maybe?)
> and which directory should be used for the chroot? /etc/unbound doesn't feel
> quite right.
I made some online videos of me a while ago trying to complement the existing opensmtpd-service
that Guix has. It might not be a specific answer to your problem, but perhaps you could get some
ideas or workflow suggestions from them.
The videos are here: https://video.hardlimit.com/w/p/bmbYAkQ84BBfF4aAZNAPcR
>
> Kind Regards
> Josua a.k.a Joshua/Josh
* Re: unbound-service-type
From: Ludovic Courtès @ 2022-02-14 21:42 UTC (permalink / raw)
To: Josua Stingelin; +Cc: guix-devel
Hi,
Josua Stingelin <josuast@hotmail.com> skribis:
> (define unbound-shepherd-service
>   (match-lambda
>     (($ <unbound-configuration> package pid-file)
>      (list (shepherd-service
>             (provision '(unbound))
>             (documentation "Run the unbound DNS server.")
>             (requirement '(networking))
>             (start #~(make-forkexec-constructor
>                       '(#$(file-append package "/sbin/unbound")
>                         "-d"
>                         "-c" "/etc/unbound/unbound.conf")
I’d recommend passing the config file directly, as in:
"-c" #$(local-file "unbound.conf")
instead of storing it in /etc. It’s “cleaner” in that you can tell
precisely which config file unbound loaded.
> However when I add these to my operating-system configuration, and copy the
> configuration file using the etc-service-type it doesn't run on start.
Do you have additional info as to why it doesn’t start? Perhaps error
messages in /var/log/messages or something?
Thanks,
Ludo’.
* Re: unbound-service-type
From: Josua Stingelin @ 2022-02-20 17:06 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Hi Ludo,
Thank you for your reply!
> I’d recommend passing the config file directly, as in:
>
> "-c" #$(local-file "unbound.conf")
Doing that now.
> > However when I add these to my operating-system configuration, and copy the
> > configuration file using the etc-service-type it doesn't run on start.
>
> Do you have additional info as to why it doesn’t start? Perhaps error
> messages in /var/log/messages or something?
Turns out unbound segfaults when chrooting to a read-only directory. And if one
doesn't explicitly turn off the chroot it tries to chroot to
"<binary directory>/../etc" (or something similar).
unbound[1407]: segfault at ffffffffffffffb8 ip 00007fd6498ecd67 sp 00007fffa4366550 error 5 in libc-2.33.so[7fd64984f000+141000]
Should I report this upstream - or is this considered a configuration issue?
I've gotten the service up and running. Going to try and generate the
configuration file based on the scheme configuration next.
Thank you for your help, and sorry for posting prematurely. I suppose searching
a bit longer would have gotten me on track anyway.
Kind Regards,
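The service sketched in the first message, with Ludo's suggestion of passing the config file straight from the store and the chroot finding from this last message folded in, as an added example. This is my code, not code from the thread and not Guix's own unbound service; the module name (gnu services unbound-example), the field names, the /var/lib/unbound state directory and the 0750/0640 modes are assumptions. It relies only on Guix APIs that exist as used here: define-record-type*, match-record, mixed-text-file, with-imported-modules, shepherd-service, activation-service-type and account-service-type.

```scheme
;; Added example, not code from the thread or from Guix proper.  It builds
;; unbound.conf from Scheme fields, hands it to unbound from the store, and
;; chroots into a writable state directory instead of unbound's compiled-in
;; default.  Module name, field names and /var/lib/unbound are assumptions.
(define-module (gnu services unbound-example)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages admin)            ; shadow, for nologin
  #:use-module (gnu packages dns)              ; unbound
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:export (unbound-configuration unbound-service-type))

(define-record-type* <unbound-configuration>
  unbound-configuration make-unbound-configuration
  unbound-configuration?
  (package   unbound-configuration-package   (default unbound))
  (user      unbound-configuration-user      (default "unbound"))
  (group     unbound-configuration-group     (default "unbound"))
  ;; Writable state directory: chroot target, pid file and trust anchor.
  (directory unbound-configuration-directory (default "/var/lib/unbound"))
  ;; #t: chroot into DIRECTORY.  #f: emit chroot: "" so unbound does not
  ;; fall back to its built-in default, a read-only path under the store.
  (chroot?   unbound-configuration-chroot?   (default #t))
  (interfaces unbound-configuration-interfaces (default '("127.0.0.1" "::1")))
  (access-control unbound-configuration-access-control
                  (default '("127.0.0.0/8 allow" "::1 allow")))
  ;; File-like DNSSEC root trust anchor; copied into DIRECTORY because
  ;; unbound rewrites it in place on RFC 5011 key rollover.
  (root-key  unbound-configuration-root-key  (default #f)))

(define (config-lines key values)
  (string-concatenate
   (map (lambda (v) (string-append "  " key ": " v "\n")) values)))

(define (unbound-config-file config)
  "Return unbound.conf for CONFIG as a store item."
  (match-record config <unbound-configuration>
    (user directory chroot? interfaces access-control root-key)
    (mixed-text-file "unbound.conf"
      "server:\n"
      "  username: \"" user "\"\n"
      "  directory: \"" directory "\"\n"
      "  chroot: \"" (if chroot? directory "") "\"\n"
      "  pidfile: \"" directory "/unbound.pid\"\n"
      "  use-syslog: yes\n"
      "  hide-identity: yes\n  hide-version: yes\n"
      (config-lines "interface" interfaces)
      (config-lines "access-control" access-control)
      (if root-key
          (string-append "  auto-trust-anchor-file: \"" directory "/root.key\"\n")
          ""))))

(define (unbound-activation config)
  (match-record config <unbound-configuration> (user group directory root-key)
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let ((uid (passwd:uid (getpwnam #$user)))
                (gid (group:gid (getgrnam #$group)))
                (key (string-append #$directory "/root.key")))
            (mkdir-p #$directory)
            (chown #$directory uid gid)
            (chmod #$directory #o750)
            ;; Copy, never symlink, so unbound can update the anchor.
            (when (and #$root-key (not (file-exists? key)))
              (copy-file #$root-key key)
              (chown key uid gid)
              (chmod key #o640)))))))

(define (unbound-shepherd-services config)
  (match-record config <unbound-configuration> (package directory)
    (list (shepherd-service
           (provision '(unbound))
           (documentation "Run the unbound recursive DNS resolver.")
           (requirement '(networking))
           (start #~(make-forkexec-constructor
                     (list #$(file-append package "/sbin/unbound")
                           "-d"   ; stay in the foreground for shepherd
                           "-c" #$(unbound-config-file config))
                     #:pid-file #$(string-append directory "/unbound.pid")))
           (stop #~(make-kill-destructor))))))

(define (unbound-accounts config)
  (match-record config <unbound-configuration> (user group directory)
    (list (user-group (name group) (system? #t))
          (user-account
           (name user) (group group) (system? #t)
           (comment "unbound daemon user")
           (home-directory directory)
           (shell (file-append shadow "/sbin/nologin"))))))

(define unbound-service-type
  (service-type
   (name 'unbound)
   (extensions
    (list (service-extension shepherd-root-service-type unbound-shepherd-services)
          (service-extension activation-service-type unbound-activation)
          (service-extension account-service-type unbound-accounts)))
   (default-value (unbound-configuration))
   (description "Run the unbound caching, validating DNS resolver.")))
```

In an operating-system declaration this is used as `(service unbound-service-type (unbound-configuration (root-key (local-file "root.key"))))`. Two points worth checking before relying on it: the generated file can be validated with unbound's own `unbound-checkconf` on the store path that shows up in the shepherd start command, and with `chroot?` left at #t unbound reads the `-c` file before it chroots, so the store path works at startup but is no longer reachable when a SIGHUP reload re-reads it from inside the chroot. If you need reloads, either set `chroot?` to #f or keep the configuration inside the chroot directory.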