I'm in the market for a new DNS server, and was poking around in net-dns/knot. I noticed a few things in the OpenRC init script that could probably be improved. Some are covered in the OpenRC service script guide:

https://github.com/OpenRC/openrc/blob/master/service-script-guide.md

I'll start with the easy ones:

0. /var/run should be /run these days.
1. "need net" is probably not right (see the service script guide).
2. The permissions on /var/lib/knot/ should be set in the ebuild and not using checkpath since that location is persistent.
3. The "checkpath" can go in start_pre() to avoid having to copy/paste the start-stop-daemon call.

The hard one has to do with the PID file. There are two potential sources for a PID file:

1. start-stop-daemon, which runs as root:root and creates the PID file as root:root when either --make-pidfile is used, or command_background=true is set. Neither of those is true at the moment, so all you get is the PID file from...
2. knotd, which runs as knot:knot and creates the PID file as knot:knot in /var/run/knot, which is writable by the "knot" user anyway.

The second one (i.e. what you're currently using) poses a risk if start-stop-daemon is used to kill the process. Specifically, if the "knot" user can write to the PID file and if root is stopping the daemon with start-stop-daemon, then "knot" can put "1" into the PID file and cause the server to reboot, something only root should be able to do.

There are a few ways to sort this out that I see. First would be to eliminate the fallback to start-stop-daemon when stopping the daemon. Then you'll never try to stop it as root. Second would be to use a separate pid file for start-stop-daemon, at /run/knot.pid, via --make-pidfile. They would both contain the same information, but one would be safe to kill as root. Finally, the best option is probably to let OpenRC put the daemon into the background so that knotd never tries to create its own PID file.
Something like the following -- only lightly tested, since I first tried knot about half an hour ago:

#!/sbin/openrc-run
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

command=/usr/sbin/knotd
# Let OpenRC background knotd and write the PID file itself (root-owned,
# via --make-pidfile), so knotd never creates one the "knot" user could edit.
command_background=true
pidfile="/run/${SVCNAME}.pid"
config="/etc/knot/knot.conf"
required_files="${config}"
extra_started_commands="reload"
description_reload="Reload configuration and changed zones."

# Runtime directory for knotd's control socket; under /run, not /var/run.
start_pre() {
	checkpath -d -m 0750 -o knot:knot /run/knot
}

# Validate the configuration with knotc before asking knotd to reload it.
checkconfig() {
	ebegin "Checking ${SVCNAME} configuration"
	knotc -c "${config}" conf-check
	eend $?
}

reload() {
	checkconfig || return $?
	ebegin "Reloading ${SVCNAME}"
	start-stop-daemon --signal HUP --pidfile "${pidfile}"
	eend $?
}
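As an added illustration of the PID-file risk described in the comment above (this is example code written for this page, not the reporter's script and not Knot's or Gentoo's own code), the following POSIX shell functions show the checks a privileged stop routine can make before it trusts a PID file: the file must be owned by the user doing the stop and not writable by anyone else, the content must be a plain integer greater than 1 (rejecting the "write 1 into the PID file" case), and the named process must actually be the daemon expected. The function names are hypothetical; it assumes Linux (/proc/<pid>/comm) and GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the bug report or the Knot/Gentoo scripts.
# Validates a PID file before a privileged stop routine signals the PID
# it names. Assumes Linux (/proc/<pid>/comm) and GNU coreutils stat.

# pidfile_owner_ok FILE
# Succeeds only if FILE is a regular file owned by the user running this
# script and not writable by group or others. A PID file the daemon's own
# unprivileged user can write must not be trusted by a root-run stop.
pidfile_owner_ok() {
    file=$1
    [ -f "$file" ] || return 1
    owner=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Octal mode: the last digit is "other", the one before it is "group".
    # A digit with the write bit (2) set in either position is rejected.
    case "$mode" in
        *[2367]) return 1 ;;
        *[2367][0-7]) return 1 ;;
    esac
    return 0
}

# pidfile_pid FILE EXPECTED_COMM
# Prints the PID from FILE if the file passes pidfile_owner_ok, the content
# is a sane process id (decimal, > 1) and /proc/<pid>/comm equals
# EXPECTED_COMM; otherwise prints nothing and returns non-zero.
# The "> 1" test is exactly the "put 1 into the PID file" case above.
pidfile_pid() {
    file=$1
    expected=$2
    pidfile_owner_ok "$file" || return 1
    pid=
    # Accept a file with or without a trailing newline.
    read -r pid < "$file" || [ -n "$pid" ] || return 1
    case "$pid" in
        '' | 0* | *[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1
    [ -r "/proc/$pid/comm" ] || return 1
    comm=$(cat "/proc/$pid/comm") || return 1
    [ "$comm" = "$expected" ] || return 1
    printf '%s\n' "$pid"
}

# Demo when run directly as: sh validate_pidfile.sh --demo
# Writes this shell's own PID to a temporary file and validates it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$$" > "$tmp"
    chmod 0600 "$tmp"
    if pid=$(pidfile_pid "$tmp" "$(cat /proc/$$/comm)"); then
        echo "ok: $tmp names live process $pid"
    else
        echo "rejected: $tmp"
    fi
    rm -f "$tmp"
fi
```

In an init script this sits between reading the PID file and calling kill: a stop() that only signals a PID returned by pidfile_pid cannot be steered at PID 1 (or any other process) by whoever can write the daemon's runtime directory. The comm check is a weak identity test (comm is truncated to 15 characters and can be changed by the process), so it is a sanity check on top of the ownership and value checks, not a replacement for letting start-stop-daemon own the PID file as the comment recommends.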
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcca5763b643aa91a8d05f7529beaf98c34db11c

commit bcca5763b643aa91a8d05f7529beaf98c34db11c
Author:     PPN-SD <nicolas.parlant@parhuet.fr>
AuthorDate: 2024-09-07 22:39:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-01 14:28:11 +0000

    net-dns/knot: add 3.4.2

    new module: authsignal

    useflag:
    * dbus: useflag added to support libdbus including when systemd is installed
    * +doc: useflag enabled by default because pregenerated manpages are no longer provided by upstream
    * idn1: useflag removed, deprecated
    * pkcs#11: useflag added

    scripts:
    * use upstream service for systemd
    * new openrc init script (knot-1.init):
      use background to create a root-owned pid file
      add checkconfig
    * use knot.tmpfile for permissions:
      /run/knot (pidfile created by knotd)
      /var/lib/knot (default database, template ...)

    Bug: https://bugs.gentoo.org/927551
    Closes: https://bugs.gentoo.org/920681
    Signed-off-by: PPN-SD <nicolas.parlant@parhuet.fr>
    Closes: https://github.com/gentoo/gentoo/pull/39066
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/knot/Manifest           |   1 +
 net-dns/knot/files/knot-1.init  |  42 ++++++++++
 net-dns/knot/files/knot.tmpfile |   2 +
 net-dns/knot/knot-3.4.2.ebuild  | 166 ++++++++++++++++++++++++++++++++++++++++
 net-dns/knot/metadata.xml       |   9 +++
 5 files changed, 220 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8229050b30cca4eb144a99b5b83db7078fba8d02

commit 8229050b30cca4eb144a99b5b83db7078fba8d02
Author:     Nicolas PARLANT <nicolas.parlant@parhuet.fr>
AuthorDate: 2025-03-01 18:45:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-03-10 02:48:03 +0000

    net-dns/knot: clean old

    drop:
    * 3.2.9-r1 as 3.2.X is no more active
    * 3.4.3-r2 after 3.4.4 got stabilized

    useflags desc:
    * remove libidn2 (3.2.9 only)
    * switch geoip to global

    Closes: https://bugs.gentoo.org/927551
    Closes: https://bugs.gentoo.org/913202
    Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
    Closes: https://github.com/gentoo/gentoo/pull/40838
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/knot/Manifest             |   2 -
 net-dns/knot/files/knot-1.service |  17 ----
 net-dns/knot/files/knot.init      |  41 --------
 net-dns/knot/knot-3.2.9-r1.ebuild | 126 -----------------------
 net-dns/knot/knot-3.4.3-r2.ebuild | 204 --------------------------------------
 net-dns/knot/metadata.xml         |   7 --
 6 files changed, 397 deletions(-)