Update Unbound from 1.11.0 to 1.13.1 #2133

Merged
merged 5 commits into from May 31, 2021

Collaborator

@pmenzel pmenzel commented May 4, 2021

Built with fakeroot:

BEE_TMP_TMPDIR=/dev/shm BEE_TMP_BUILDROOT=/dev/shm/bee-pmenzel BEE_MAKEFLAGS='-j80' fakeroot ./unbound.be0 -c

Tested on serotimor with the commands below.

$ sudo bee update unbound-1.13.1-0
$ sudo systemctl daemon-reload
$ sudo systemctl restart unbound
$ host keineahnung

Collaborator

donald commented May 4, 2021

> Built with fakeroot and setting BEE_REPOSITORY_PREFIX, as bee check UID = 0, which is still the unprivileged user

Works for me without BEE_REPOSITORY_PREFIX, unless I try #2125. Did you try that on your system?

buczek@theinternet:~/git/bee-files (master)$ fakeroot bash
root@theinternet:~/git/bee-files (master)# echo $UID
0
root@theinternet:~/git/bee-files (master)# 
exit
buczek@theinternet:~/git/bee-files (update-unbound-from-1.11.0-to-1.13.1)$ fakeroot ./unbound.be0 
BEE v1.2.24 2009-2016
  by  Marius Tolzmann <marius@mariux.de>
      Matthias Ruester <ruester@molgen.mpg.de>
      Tobias Dreyer <dreyer@molgen.mpg.de>

[BEE]   BEE_SKIPLIST           /etc/bee/skiplist
[BEE]   BEE_REPOSITORY_PREFIX  /src/mariux/beeroot
[...]

buczek@theinternet:~/git/bee-files (update-unbound-from-1.11.0-to-1.13.1)$ sudo bee update bash
Password (for buczek) : 
installing /src/mariux/beeroot/packages/bash-5.1_p4-2.x86_64.bee.tar.bz2 ..
adding bash.info to /usr/share/info/dir
removing bash-5.1_p4-1.x86_64 ..
removing bash.info from /usr/share/info/dir
buczek@theinternet:~/git/bee-files (update-unbound-from-1.11.0-to-1.13.1)$ fakeroot bash
buczek@theinternet:~/git/bee-files (update-unbound-from-1.11.0-to-1.13.1)$ echo $UID
125
buczek@theinternet:~/git/bee-files (update-unbound-from-1.11.0-to-1.13.1)$ 
exit
buczek@theinternet:~/git/bee-files (update-unbound-from-1.11.0-to-1.13.1)$ fakeroot ./unbound.be0 
BEE v1.2.24 2009-2016
  by  Marius Tolzmann <marius@mariux.de>
      Matthias Ruester <ruester@molgen.mpg.de>
      Tobias Dreyer <dreyer@molgen.mpg.de>

[BEE]   BEE_SKIPLIST           /etc/bee/skiplist
[BEE]   BEE_REPOSITORY_PREFIX  /home/buczek/.local/src/bee
[...]

Collaborator Author

pmenzel commented May 4, 2021

> > Built with fakeroot and setting BEE_REPOSITORY_PREFIX, as bee check UID = 0, which is still the unprivileged user
>
> Works for me without BEE_REPOSITORY_PREFIX, unless I try #2125. Did you try that on your system?

Good find. I thought that it worked yesterday. The new bash package was installed on invidia. Maybe it’s related to the static linking, so certain methods cannot be overridden with LD_PRELOAD?

@donald donald mentioned this pull request May 5, 2021
Collaborator

donald commented May 5, 2021

When the statically linked bash idea came up, bee/fakeroot was the very first concern I had. But then I dismissed it, because I thought that all uid queries and manipulations are done by external commands anyway (chown, stat, tar, ...). Didn't think about $UID. But if we continue the static road, and, for example, tar is next, fakeroot would fail in other ways.

Collaborator

donald commented May 5, 2021

ptrace or seccomp based fakeroot might work, but would be much slower and would need to be written.

Collaborator

donald commented May 5, 2021

Oh, there is also the test builtin with -O, -G (-r ?).
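
Added example, not part of the thread or of the bee project's code: fakeroot works by preloading a library through LD_PRELOAD, which only the dynamic loader acts on, so a statically linked tool (the bash `$UID` case discussed above) never sees the faked uid. The check below looks for a `PT_INTERP` program header in an ELF file; the function names and the constructed test image are assumptions made for illustration.

```python
import struct
import sys

PT_INTERP = 3  # program header that names the dynamic loader (ld.so)

def has_interp(elf: bytes) -> bool:
    """True if the ELF image asks for a dynamic loader, so LD_PRELOAD can apply."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little endian
    if elf[4] == 2:                        # EI_CLASS: 2 = 64-bit header layout
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:                                  # 32-bit header layout
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        # p_type is the first 32-bit field of every program header
        (p_type,) = struct.unpack_from(end + "I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def make_elf64(p_types):
    """Constructed sample: ELF64 little-endian header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)
    return hdr + phdrs

def bypasses_preload(path: str) -> bool:
    """True if the file at path is an ELF without PT_INTERP (static or static-pie)."""
    with open(path, "rb") as f:
        return not has_interp(f.read())

if __name__ == "__main__":
    # Usage: python3 check_static.py /bin/bash /bin/tar /bin/chown ...
    for path in sys.argv[1:]:
        try:
            verdict = "STATIC, fakeroot cannot interpose" if bypasses_preload(path) else "dynamic"
        except (OSError, ValueError, struct.error) as exc:
            verdict = f"skipped ({exc})"
        print(f"{path}: {verdict}")
```

Running it over the tools a build script calls (bash, tar, chown, stat) before a static-linking change shows which of them would start reporting the real uid under fakeroot.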

Collaborator

wwwutz commented May 5, 2021

PSA: The last update of unbound already broke gnutls (see #2132).

Collaborator Author

pmenzel commented May 5, 2021

Thank you for the heads-up. No idea why sousage.pl libunbound does not find it in /usr/bin/danetool.

$ sousage.pl libunbound

# '/usr/lib/libunbound.so.8' dependencies:
# -------------------------------------------------------------------
  /usr/sbin/unbound-anchor   unbound-1.11.0-0.x86_64
  /usr/sbin/unbound-host     unbound-1.11.0-0.x86_64
# 2 hit(s)

$ sousage.pl libunbound.so.2
# NOTE: 'libunbound.so.2' is unknown.

$ ldd /usr/bin/danetool
	linux-vdso.so.1 (0x00007ffeb1196000)
	libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f6476466000)
	libz.so.1 => /lib/libz.so.1 (0x00007f6476446000)
	libp11-kit.so.0 => /usr/lib/libp11-kit.so.0 (0x00007f64763e3000)
	libidn.so.11 => /usr/lib/libidn.so.11 (0x00007f64761b0000)
	libtasn1.so.6 => /usr/lib/libtasn1.so.6 (0x00007f6475f9e000)
	libnettle.so.6 => /usr/lib/libnettle.so.6 (0x00007f6475d68000)
	libhogweed.so.4 => /usr/lib/libhogweed.so.4 (0x00007f6475b33000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x00007f6475abc000)
	libgnutls-dane.so.0 => /usr/lib/libgnutls-dane.so.0 (0x00007f64758b4000)
	libc.so.6 => /lib/libc.so.6 (0x00007f64756ed000)
	libffi.so.5 => /usr/lib/libffi.so.5 (0x00007f64754e5000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007f64754e0000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007f64754be000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f64767b5000)
	libunbound.so.2 => not found

So shared library version /usr/lib/libunbound.so.8.1.12 from Unbound 1.13.1 is compatible with /usr/lib/libunbound.so.8.1.9 from Unbound 1.11.0. So, no rebuild of GnuTLS is needed once the merge/pull request #2132 is merged. Thank you for noticing the problem from the earlier updates.

Collaborator Author

pmenzel commented May 5, 2021

I rebuilt the package on a system with GNU bash, version 4.3.46(1)-release.

`/usr/sbin/unbound-startup` also takes care of this, but as the location
is defined in the package, create the directory here too.

The PID is not needed after a reboot, so store it on `/run` where it
gets removed, once the system shuts down.

Install systemd socket and service unit.

`--enable-systemd` is needed, as otherwise [the service unit times
out][1].

Also, as we do not store the trust anchor in `/etc/unbound`, RUNDIR in
Unbound’s terms, add `/var/unbound` to the unit’s read/write path.

This does not have an effect yet, as mxtools installs
`/etc/systemd/system/unbound.service`.

For socket activation `use-systemd: yes` has to be set in the
configuration file.

[1]: https://github.com/NLnetLabs/unbound/issues/56

This matches Debian and Ubuntu.

It does not take any effect yet, as we configure the path in the
configuration file installed by mxtools.
@pmenzel pmenzel force-pushed the update-unbound-from-1.11.0-to-1.13.1 branch from 779f8a5 to c9508b7 Compare May 28, 2021 08:42
Collaborator Author

pmenzel commented May 28, 2021

Rebuilt again with GNU bash, version 5.1.4(1)-release (x86_64-pc-linux-gnu).

Should be good to go.

Collaborator

donald commented May 28, 2021

Why did you try different bash versions? Anyway, if unbound is working, go ahead.

Collaborator Author

pmenzel commented May 28, 2021

> Why did you try different bash versions?

Well it was updated independently while working on this merge/pull request.

> Anyway, if unbound is working, go ahead.

Thanks. I am going to do that next week.

@pmenzel pmenzel merged commit e0cf14c into master May 31, 2021