Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927551 - net-dns/knot: some OpenRC service script improvements
Summary: net-dns/knot: some OpenRC service script improvements
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Pierre-Olivier Mercier
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-22 18:09 UTC by Michael Orlitzky
Modified: 2024-03-22 18:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2024-03-22 18:09:30 UTC 
I'm in the market for a new DNS server, and was poking around in net-dns/knot. I noticed a few things in the OpenRC init script that could probably be improved. Some are covered in the OpenRC service script guide: https://github.com/OpenRC/openrc/blob/master/service-script-guide.md

I'll start with the easy ones:

0. /var/run should be /run these days.

1. "need net" is probably not right (see the service script guide).

2. The permissions on /var/lib/knot/ should be set in the ebuild and not using checkpath since that location is persistent.

3. The "checkpath" can go in start_pre() to avoid having to copy/paste the start-stop-daemon call.

The hard one has to do with the PID file. There are two potential sources for a PID file:

1. start-stop-daemon, which runs as root:root and creates the PID file as root:root when either --make-pidfile is used, or command_background=true is set. Neither of those is true at the moment, so all you get is the PID file from...

2. knotd, which runs as knot:knot and creates the PID file as knot:knot in /var/run/knot, which is writable by the "knot" user anyway.

The second one (i.e. what you're currently using) poses a risk if start-stop-daemon is used to kill the process. Specifically, if the "knot" user can write to the PID file and if root is stopping the daemon with start-stop-daemon, then "knot" can put "1" into the PID file and cause the server to reboot, something only root should be able to do.

There are a few ways to sort this out that I see. First would be to eliminate the fallback to start-stop-daemon when stopping the daemon. Then you'll never try to stop it as root. Second would be to use a separate pid file for start-stop-daemon, at /run/knot.pid, via --make-pidfile. They would both contain the same information, but one would be safe to kill as root. Finally, the best option is probably to let OpenRC put the daemon into the background so that knotd never tries to create its own PID file. Something like the following -- only lightly tested, since I first tried knot about half an hour ago:

#!/sbin/openrc-run
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

command=/usr/sbin/knotd
command_background=true
pidfile="/run/${SVCNAME}.pid"
required_files=/etc/knot/knot.conf
extra_started_commands="reload"
description_reload="Reload configuration and changed zones."

start_pre() {
    	checkpath -d -m 0750 -o knot:knot /var/run/knot
}

reload() {
    checkconfig || return $?
    ebegin "Reloading ${SVCNAME}"
    start-stop-daemon --signal HUP --pidfile "${pidfile}"
    eend $?
}