Bug 244600 - dns/knot-resolver: [patch] fix critical cache space pre-allocation failure bug and add rc scripts
Summary: dns/knot-resolver: [patch] fix critical cache space pre-allocation failure bu...
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-ports-bugs mailing list
URL: https://GitLab.Labs.NIC.cz/knot/knot-...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-04 21:47 UTC by yds
Modified: 2020-03-05 14:40 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (freebsd)


Attachments
[patch] fix critical cache space pre-allocation failure bug and add rc scripts (8.49 KB, patch)
2020-03-04 21:47 UTC, yds
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description yds 2020-03-04 21:47:15 UTC
Created attachment 212149 [details]
[patch] fix critical cache space pre-allocation failure bug and add rc scripts

1. add rc service scripts for `kresd` and `kres-cache-gc`
2. change dependency back to `dns/knot2` otherwise both ports cannot be installed at the same time. `dns/knot2` needs to be fixed to also depend on `dns/knot2-lib`
3. add creation of RUNDIR with fixed perms at install time
4. add proper PORTEXAMPLES installation
5. prevent `kresd.conf` from getting deleted or overwritten on reinstall [bug]
6. move `root.keys` to RUNDIR to fix the following error:
```
PANIC: unprotected error in call to Lua API (/usr/local/lib/knot-resolver/trust_anchors.lua:186: /usr/local/etc/knot-resolver/root.keys.lock.35621: Permission denied)
```
7. added patch to fix the following critical bug:
   <https://GitLab.Labs.NIC.cz/knot/knot-resolver/issues/549>
Comment 1 Vladimír Čunát 2020-03-05 12:42:56 UTC
Trust anchors (say root.keys): there are two main approaches, with this file being either read-only or read-write.  The error you were getting (before this patch) was due to the default appearing to be a mix between the two.  Docs: https://knot-resolver.readthedocs.io/en/stable/build.html#trust-anchors

If you update the package at least once a year (and thus the root.keys), I'd say the read-only way is more practical, so you may want to re-consider this.


I see the lua dependencies can be tweaked more after 5.0.0 (from NEWS):
- lua: remove dependency on lua-socket and lua-sec, used lua-http and cqueues (#512, #521, !894)

(Note: my FreeBSD/ports knowledge is minimial.)
Comment 2 Vladimír Čunát 2020-03-05 12:52:18 UTC
Oh and nitpick: the second link in files/pkg-message.in has been broken for a few months, but it's not unclear to me what kind of information you want in "To run as daemon".  Perhaps [config-overview]?  But given the previous link it doesn't seem very useful to add this one.

[config-overview] https://knot-resolver.readthedocs.io/en/stable/config-overview.html

BTW, our documentation URLs can be conditioned by version, e.g. using /v5.0.1/ instead of /stable/, in case that's supported and desirable in pkgs-message.in
Comment 3 yds 2020-03-05 14:00:50 UTC
(In reply to Vladimír Čunát from comment #2)

Vladimír, first of all, thank you so much for fixing the "cache space pre-allocation" bug so quick and taking your time to look over this patch.
  
probably best to remove pkg-message at this point if the links are stale. there's nothing very useful there considering that with the new rc scripts from this patch, to run as daemon, all that needs to be done is setting /etc/rc.conf:

    kresd_enable="YES"
    krescachegc_enable="YES"

FWIW, I'm already running kresd with this patch, it works but (as the first comment points out) the Lua dependencies have to be revised for full functionality. Some of the new Lua dependencies need to be ported to FreeBSD first. 

Re: managed TA: This patch satisfies this requirement from the docs:

> In case you want to have automatically managed DNSSEC trust anchors
> instead, set -Dmanaged_ta=enabled and make sure both keyfile_default
> file and its parent directories are writable by kresd process
> (after package installation!).

if the end user wants to disable managed_ta it's much easier and more secure to simply make root.keys not writable by the kresd user in the RUNDIR rather than requiring the end user to make ETCDIR writable by the kresd user. It also looks better to not be throwing errors upon startup, IMHO.

FWIW, the Unbound port updates its TA via rc script upon startup as well.
Comment 4 Vladimír Čunát 2020-03-05 14:40:21 UTC
> probably best to remove pkg-message at this point if the links are stale.

The other two links should be very stable, but I don't know FreeBSD conventions.