about unbound and systemd units

Paul Wouters paul at nohats.ca
Tue Nov 20 15:22:25 UTC 2018


On Mon, 19 Nov 2018, Rubén Torrero Marijnissen via Unbound-users wrote:

> I see now that it's also relevant to have unbound-anchor timer running
> even if unbound service is not running.

Note that this means that your unbound-libs / libunbound package needs
to have the unbound-anchor binary tool. We had to move it from our
unbound package to our unbound-libs package when we did this.

> About the ExecStartPre, it wasn't really a leftover: I was thinking
> (and this is also relevant even if the timer is enabled by default)
> that unbound-anchor.timer doesn't give any guarantees that
> unbound-anchor.service will have been run at least once before
> unbound.service starts. But it does feel kinda hacky to do it this way...

If you make it Type=oneshot then it should only get run after the first
ever start of the unbound service. Although that does cover the scenario
where someone manually deletes the file generated by unbound-anchor, so
on fedora we run it in the unbound daemon service file as ExecStartPre=
as well.

So we have:

/usr/lib/systemd/system/unbound-anchor.service
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)

[Service]
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
SuccessExitStatus=1

/usr/lib/systemd/system/unbound-anchor.timer
[Unit]
Description=daily update of the root trust anchor for DNSSEC
Documentation=man:unbound-anchor(8)

[Timer]
# Current DNSKEY TTL in root zone is 172800 seconds, i.e.
# 172800/60/60/24 = 2 days.
# It means that unbound-anchor should be run at least once a day.
OnCalendar=daily
Persistent=true
AccuracySec=24h

[Install]
WantedBy=timers.target

[paul at thinkpad tmp]$ cat /usr/lib/systemd/system/unbound.service
[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload

[Install]
WantedBy=multi-user.target


(and we still have /usr/lib/systemd/system/unbound-keygen.service but
would like to move that per default to unix domain sockets so it is
no longer needed)

Paul
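An added check, not from this thread or from the unbound project, that makes the "anchor must exist before unbound starts" requirement explicit: it fails when /var/lib/unbound/root.key is missing, holds no root KSK, or is stale. The 172800 s default is the root DNSKEY TTL quoted in the timer comment; the staleness test assumes unbound-anchor rewrites the file on every probe (it keeps its RFC 5011 state there), so the file's mtime tracks the last successful run.

```shell
#!/bin/sh
# Pre-start check for the root trust anchor file written by unbound-anchor.
# Intended for an ExecStartPre= line in unbound.service (hypothetical path,
# e.g. /usr/local/sbin/anchor-check.sh). Not part of unbound itself.
#
# Return codes: 0 ok, 1 missing/empty, 2 no root KSK line, 3 older than MAX_AGE.
anchor_check() {
    file=$1
    max_age=${2:-172800}   # root DNSKEY TTL: 2 days, as in the timer comment

    [ -s "$file" ] || { echo "anchor: $file missing or empty" >&2; return 1; }

    # A root KSK line looks like ".  86400  IN  DNSKEY  257 3 8 AwEAA...".
    # The ';;'-prefixed autotrust state lines unbound-anchor adds are skipped
    # automatically because they do not start with '.'.
    grep -Eq '^\.[[:space:]]+([0-9]+[[:space:]]+)?IN[[:space:]]+DNSKEY[[:space:]]+257[[:space:]]' "$file" ||
        { echo "anchor: no root KSK (DNSKEY flags 257) in $file" >&2; return 2; }

    # Assumption: unbound-anchor rewrites the file on each probe, so mtime
    # reflects the last run. GNU stat first, BSD stat as fallback.
    now=$(date +%s)
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    age=$((now - mtime))
    [ "$age" -le "$max_age" ] ||
        { echo "anchor: $file last written ${age}s ago (limit ${max_age}s)" >&2; return 3; }
    return 0
}

# Usage: anchor-check.sh FILE [MAX_AGE]
if [ $# -gt 0 ]; then anchor_check "$@"; fi
```

Placed as a non-ignored ExecStartPre= after the `ExecStartPre=-/usr/sbin/unbound-anchor ...` line, it turns a silently failed or deleted anchor into a logged start failure instead of letting unbound come up without a trust anchor.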


