#
|
|
# Red Hat BIND9 package .spec file
|
|
#
|
|
# vim:expandtab ts=2:
|
|
|
|
# bcond_without is built by default, unless --without X is passed
|
|
# bcond_with is built only when --with X is passed to build
|
|
%bcond_with SYSTEMTEST
|
|
# Allow net configuration using sudo when SYSTEMTEST is enabled
|
|
%bcond_without SUDO
|
|
%bcond_without GSSTSIG
|
|
%bcond_without JSON
|
|
%bcond_without DLZ
|
|
# New MaxMind GeoLite support
|
|
%bcond_without GEOIP2
|
|
# Disabled temporarily until kyua is fixed on rawhide, bug #1926779
|
|
%bcond_without UNITTEST
|
|
# Do not set CI environment, include more unit tests, even less stable
|
|
%bcond_with UNITTEST_ALL
|
|
%bcond_without DNSTAP
|
|
%bcond_without LMDB
|
|
%bcond_without DOC
|
|
%bcond_with TSAN
|
|
%bcond_without DTRACE
|
|
|
|
%{?!bind_uid: %global bind_uid 25}
|
|
%{?!bind_gid: %global bind_gid 25}
|
|
%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
|
%global bind_dir /var/named
|
|
%global chroot_prefix %{bind_dir}/chroot
|
|
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
|
|
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,pki/tls,named} \\\
|
|
%{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
|
|
|
|
%global forgeurl0 https://gitlab.isc.org/isc-projects/bind9
|
|
|
|
# libisc-nosym requires to be linked with unresolved symbols
|
|
# When libisc-nosym linking is fixed, it can be defined to 1
|
|
# Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300
|
|
%undefine _strict_symbol_defs_build
|
|
|
|
# Upstream package name
|
|
%global upname bind
|
|
# Provide only bind-utils on f37+, it has better behaviour
|
|
%define upname_compat() \
|
|
%if "%{name}" != "%{upname}" \
|
|
Provides: %1 = %{version}-%{release} \
|
|
Conflicts: %1 \
|
|
%endif
|
|
|
|
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
|
Name: bind9-next
|
|
License: MPL-2.0 AND ISC AND BSD-3-clause AND Expat AND BSD-2-clause
|
|
#
|
|
Version: 9.19.18
|
|
Release: %autorelease
|
|
Epoch: 32
|
|
Url: https://www.isc.org/downloads/bind/
|
|
VCS: git:%{forgeurl0}
|
|
#
|
|
Source0: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz
|
|
Source1: named.sysconfig
|
|
Source2: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz.asc
|
|
Source3: named.logrotate
|
|
Source4: https://www.isc.org/docs/isc-keyblock.asc
|
|
Source16: named.conf
|
|
# Refresh by command: dig @a.root-servers.net. +tcp +norec
|
|
# or from URL
|
|
Source17: https://www.internic.net/domain/named.root
|
|
Source18: named.localhost
|
|
Source19: named.loopback
|
|
Source20: named.empty
|
|
Source23: named.rfc1912.zones
|
|
Source25: named.conf.sample
|
|
Source27: named.root.key
|
|
Source35: bind.tmpfiles.d
|
|
Source36: trusted-key.key
|
|
Source37: named.service
|
|
Source38: named-chroot.service
|
|
Source41: setup-named-chroot.sh
|
|
Source42: generate-rndc-key.sh
|
|
Source43: named.rwtab
|
|
Source44: named-chroot-setup.service
|
|
Source46: named-setup-rndc.service
|
|
Source48: setup-named-softhsm.sh
|
|
Source49: named-chroot.files
|
|
|
|
# Common patches
|
|
# Red Hat specific documentation is not relevant to upstream
|
|
Patch1: bind-9.16-redhat_doc.patch
|
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8285
|
|
Patch2: bind-9.19-tests-dns-rbtdb-i386.patch
|
|
Patch3: bind-9.19-rbtdb-i686.patch
|
|
|
|
%{?systemd_ordering}
|
|
Requires: coreutils
|
|
Requires(pre): shadow-utils
|
|
Requires(post): shadow-utils
|
|
Requires(post): glibc-common
|
|
Requires(post): grep
|
|
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
|
Recommends: %{name}-utils %{name}-dnssec-utils
|
|
%upname_compat %{upname}
|
|
Obsoletes: %{name}-pkcs11 < 32:9.18.4-2
|
|
Conflicts: bind-dyndb-ldap
|
|
|
|
BuildRequires: gcc, make
|
|
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
|
|
BuildRequires: libidn2-devel, libxml2-devel
|
|
BuildRequires: systemd-rpm-macros
|
|
BuildRequires: selinux-policy
|
|
BuildRequires: findutils sed
|
|
BuildRequires: libnghttp2-devel
|
|
BuildRequires: userspace-rcu-devel
|
|
%if 0%{?fedora}
|
|
BuildRequires: jemalloc-devel
|
|
BuildRequires: gnupg2
|
|
%endif
|
|
BuildRequires: libuv-devel
|
|
%if %{with DLZ}
|
|
BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-devel
|
|
%endif
|
|
%if %{with UNITTEST}
|
|
# make unit dependencies
|
|
BuildRequires: libcmocka-devel
|
|
# Ensure we have lscpu
|
|
BuildRequires: util-linux
|
|
%endif
|
|
%if %{with UNITTEST} || %{with SYSTEMTEST}
|
|
BuildRequires: softhsm
|
|
%endif
|
|
%if %{with SYSTEMTEST}
|
|
# bin/tests/system dependencies
|
|
BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
|
|
BuildRequires: perl(English)
|
|
BuildRequires: python3-pytest
|
|
# manual configuration requires this tool
|
|
BuildRequires: iproute
|
|
%if %{with SUDO}
|
|
BuildRequires: libcap sudo
|
|
%endif
|
|
%endif
|
|
%if %{with GSSTSIG}
|
|
BuildRequires: krb5-devel
|
|
%endif
|
|
%if %{with LMDB}
|
|
BuildRequires: lmdb-devel
|
|
%endif
|
|
%if %{with JSON}
|
|
BuildRequires: json-c-devel
|
|
%endif
|
|
%if %{with GEOIP2}
|
|
BuildRequires: libmaxminddb-devel
|
|
%endif
|
|
%if %{with DNSTAP}
|
|
BuildRequires: fstrm-devel protobuf-c-devel
|
|
%endif
|
|
# Needed to regenerate dig.1 manpage
|
|
%if %{with DOC}
|
|
BuildRequires: python3-sphinx python3-sphinx_rtd_theme
|
|
BuildRequires: doxygen
|
|
%endif
|
|
%if %{with TSAN}
|
|
BuildRequires: libtsan
|
|
%endif
|
|
%if %{with DTRACE}
|
|
# https://gitlab.isc.org/isc-projects/bind9/-/issues/4041
|
|
BuildRequires: systemtap-sdt-devel
|
|
%endif
|
|
|
|
%description
|
|
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
|
(Domain Name System) protocols. BIND includes a DNS server (named),
|
|
which resolves host names to IP addresses; a resolver library
|
|
(routines for applications to use when interfacing with DNS); and
|
|
tools for verifying that the DNS server is operating properly.
|
|
|
|
%package libs
|
|
Summary: Libraries used by the BIND DNS packages
|
|
Requires: %{name}-license = %{epoch}:%{version}-%{release}
|
|
Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
|
|
Obsoletes: %{name}-libs-lite < 32:9.16.13
|
|
Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2
|
|
|
|
%description libs
|
|
Contains heavyweight version of BIND suite libraries used by both named DNS
|
|
server and utilities in %{name}-utils package.
|
|
|
|
%package license
|
|
Summary: License of the BIND DNS suite
|
|
BuildArch:noarch
|
|
|
|
%description license
|
|
Contains license of the BIND DNS suite.
|
|
|
|
%package utils
|
|
Summary: Utilities for querying DNS name servers
|
|
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
|
# For compatibility with Debian package
|
|
Provides: dnsutils = %{epoch}:%{version}-%{release}
|
|
Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2
|
|
%upname_compat %{upname}-utils
|
|
|
|
%description utils
|
|
Bind-utils contains a collection of utilities for querying DNS (Domain
|
|
Name System) name servers to find out information about Internet
|
|
hosts. These tools will provide you with the IP addresses for given
|
|
host names, as well as other information about registered domains and
|
|
network addresses.
|
|
|
|
You should install %{name}-utils if you need to get information from DNS name
|
|
servers.
|
|
|
|
%package dnssec-utils
|
|
Summary: DNSSEC keys and zones management utilities
|
|
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
|
Recommends: %{name}-utils
|
|
Obsoletes: python3-%{name} < 32:9.18.0
|
|
Obsoletes: %{name}-dnssec-doc < 32:9.18.4-2
|
|
%upname_compat %{upname}-dnssec-utils
|
|
|
|
%description dnssec-utils
|
|
%{name}-dnssec-utils contains a collection of utilities for editing
|
|
DNSSEC keys and BIND zone files. These tools provide generation,
|
|
revocation and verification of keys and DNSSEC signatures in zone files.
|
|
|
|
You should install %{name}-dnssec-utils if you need to sign a DNS zone
|
|
or maintain keys for it.
|
|
|
|
%package devel
|
|
Summary: Header files and libraries needed for bind-dyndb-ldap
|
|
Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
|
|
Obsoletes: %{name}-lite-devel < 32:9.16.6-3
|
|
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
|
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
|
|
Requires: libcap-devel%{?_isa}
|
|
%upname_compat %{upname}-devel
|
|
%if %{with GSSTSIG}
|
|
Requires: krb5-devel%{?_isa}
|
|
%endif
|
|
%if %{with LMDB}
|
|
Requires: lmdb-devel%{?_isa}
|
|
%endif
|
|
%if %{with JSON}
|
|
Requires: json-c-devel%{?_isa}
|
|
%endif
|
|
%if %{with DNSTAP}
|
|
Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa}
|
|
%endif
|
|
%if %{with GEOIP2}
|
|
Requires: libmaxminddb-devel%{?_isa}
|
|
%endif
|
|
|
|
%description devel
|
|
The %{name}-devel package contains full version of the header files and libraries
|
|
required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
|
|
bind libraries for third party applications.
|
|
|
|
%package chroot
|
|
Summary: A chroot runtime environment for the ISC BIND DNS server, named(8)
|
|
Prefix: %{chroot_prefix}
|
|
# grep is required due to setup-named-chroot.sh script
|
|
Requires: grep
|
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
|
|
|
%description chroot
|
|
This package contains a tree of files which can be used as a
|
|
chroot(2) jail for the named(8) program from the BIND package.
|
|
Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
|
|
|
|
|
|
%if %{with DLZ}
|
|
%package dlz-filesystem
|
|
Summary: BIND server filesystem DLZ module
|
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
|
|
|
%description dlz-filesystem
|
|
Dynamic Loadable Zones filesystem module for BIND server.
|
|
|
|
%package dlz-ldap
|
|
Summary: BIND server ldap DLZ module
|
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
|
|
|
%description dlz-ldap
|
|
Dynamic Loadable Zones LDAP module for BIND server.
|
|
|
|
%package dlz-mysql
|
|
Summary: BIND server mysql and mysqldyn DLZ modules
|
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
|
Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
|
|
Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
|
|
|
|
%description dlz-mysql
|
|
Dynamic Loadable Zones MySQL module for BIND server.
|
|
Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
|
|
|
|
%package dlz-sqlite3
|
|
Summary: BIND server sqlite3 DLZ module
|
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
|
|
|
%description dlz-sqlite3
|
|
Dynamic Loadable Zones sqlite3 module for BIND server.
|
|
%endif
|
|
|
|
%if %{with DOC}
|
|
%package doc
|
|
Summary: BIND 9 Administrator Reference Manual
|
|
Requires: %{name}-license = %{epoch}:%{version}-%{release}
|
|
Requires: python3-sphinx_rtd_theme
|
|
BuildArch: noarch
|
|
|
|
%description doc
|
|
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
|
(Domain Name System) protocols. BIND includes a DNS server (named),
|
|
which resolves host names to IP addresses; a resolver library
|
|
(routines for applications to use when interfacing with DNS); and
|
|
tools for verifying that the DNS server is operating properly.
|
|
|
|
This package contains BIND 9 Administrator Reference Manual
|
|
in HTML and PDF format.
|
|
%end
|
|
|
|
%endif
|
|
|
|
%prep
# Source integrity: the upstream tarball (Source0) is checked against its
# detached signature (Source2) using the ISC key block (Source4) before it
# is unpacked.
# NOTE(review): the check is compiled in only when the fedora macro is set.
# On every other target the tarball is unpacked with no signature check in
# this spec, so those builds depend on whatever integrity control the build
# system applies to its source cache - confirm that this is acceptable.
# NOTE(review): the other downloaded source (named.root, Source17) has no
# signature check here either.
%if 0%{?fedora}
# RHEL does not yet support this verification
%{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
%endif
%autosetup -n %{upname}-%{version} -p1

# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
sed -i 's|fpie|fPIE|g' bin/named/Makefile.am
%endif

:;
|
|
|
|
|
|
%build
|
|
## We use out of tree configure/build for export libs
|
|
%define _configure "../configure"
|
|
|
|
# normal and pkcs11 unit tests
|
|
%define unit_prepare_build() \
|
|
find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
|
|
find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
|
|
find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
|
|
|
|
%define systemtest_prepare_build() \
|
|
cp -Tuav bin/tests "%{1}/bin/tests/" \
|
|
|
|
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
|
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
|
|
%if %{with TSAN}
|
|
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
|
|
%endif
|
|
export CFLAGS CPPFLAGS
|
|
export STD_CDEFINES="$CPPFLAGS"
|
|
|
|
sed -i -e \
|
|
's/([bind_VERSION_EXTRA],\s*\([^)]*\))/([bind_VERSION_EXTRA], \1-RH)/' \
|
|
configure.ac
|
|
|
|
%if 0%{?rhel} && 0%{?rhel} < 9
|
|
# disable Sphinx warnings as errors, epel8 does not pass cleanly
|
|
sed -e 's/-W\s//' -i Makefile.docs
|
|
%endif
|
|
|
|
autoreconf --force --install
|
|
|
|
mkdir build
|
|
|
|
%if %{with DLZ}
|
|
# DLZ modules do not support oot builds. Copy files into build
|
|
mkdir -p build/contrib/dlz
|
|
cp -frp contrib/dlz/modules build/contrib/dlz/modules
|
|
%endif
|
|
|
|
pushd build
|
|
LIBDIR_SUFFIX=
|
|
export LIBDIR_SUFFIX
|
|
%configure \
|
|
--with-pic \
|
|
--disable-static \
|
|
--includedir=%{_includedir}/bind9 \
|
|
--with-libidn2 \
|
|
%if %{with GEOIP2}
|
|
--with-maxminddb \
|
|
%endif
|
|
%if %{with GSSTSIG}
|
|
--with-gssapi=yes \
|
|
%endif
|
|
%if %{with LMDB}
|
|
--with-lmdb=yes \
|
|
%else
|
|
--with-lmdb=no \
|
|
%endif
|
|
%if %{with JSON}
|
|
--with-json-c \
|
|
%endif
|
|
%if %{with DNSTAP}
|
|
--enable-dnstap \
|
|
%endif
|
|
%if %{with UNITTEST}
|
|
--with-cmocka \
|
|
%endif
|
|
--enable-full-report \
|
|
;
|
|
%if %{with DNSTAP}
|
|
pushd lib
|
|
SRCLIB="../../../lib"
|
|
(cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
|
|
popd
|
|
%endif
|
|
|
|
%make_build SPHINX_W=''
|
|
|
|
%if %{with DOC}
|
|
%make_build doc SPHINX_W=''
|
|
%endif
|
|
|
|
%if %{with DLZ}
|
|
pushd contrib/dlz/modules
|
|
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
|
|
%make_build -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS -DPTHREADS=1" LDFLAGS="$LDFLAGS"
|
|
done
|
|
popd
|
|
%endif
|
|
popd # build
|
|
|
|
%unit_prepare_build build
|
|
%systemtest_prepare_build build
|
|
|
|
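%check
# Runs the optional unit and system test suites against the out-of-tree
# build in ./build. The script relies on bash features (pushd/popd and the
# PIPESTATUS array); pushd/popd are already used throughout this spec.
%if %{with UNITTEST} || %{with SYSTEMTEST}
# Tests require initialization of pkcs11 token.
# The helper's standard output is eval'ed in this shell, so everything it
# prints is executed with the privileges of the build.
eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
%endif

%if %{with TSAN}
# exitcode=0: ThreadSanitizer findings go to the ThreadSanitizer.* logs but
# do not change a test's exit status, so a detected race never fails the
# build. The logs have to be reviewed separately.
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
%endif

%if %{with UNITTEST}
pushd build
  CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
  THREADS="$CPUS"
%if %{without UNITTEST_ALL}
  export CI=true
%endif
  if [ "$CPUS" -gt 16 ]; then
    ORIGFILES=$(ulimit -n)
    THREADS=16
    ulimit -n 8092 || : # Required on some machines with many cores
  fi
  # Collect the status instead of aborting at once, so the suite logs below
  # are always printed.
  e=0
  %make_build unit -j${THREADS} || e=$?
  # Display details of failure
  cat tests/*/test-suite.log
  if [ "$e" -ne 0 ]; then
    echo "ERROR: this build of BIND failed 'make unit'. Aborting."
    exit $e;
  fi;
  [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
popd
## End of UNITTEST
%endif

%if %{with SYSTEMTEST}
# Runs system test if ip addresses are already configured
# or it is able to configure them
SUDO=
pushd build/bin/tests/system/
if perl ./testsock.pl
then
  CONFIGURED=already
else
%if %{with SUDO}
  # Without CAP_NET_ADMIN the interface setup script from the build tree is
  # run through sudo, i.e. code unpacked from the source archive runs as
  # root. NOTE(review): enable SYSTEMTEST only on disposable builders.
  if [ -x /usr/sbin/capsh ] && ! /usr/sbin/capsh --has-p=cap_net_admin; then
    echo "Not running as privileged user, using sudo"
    SUDO=sudo
  fi
%endif

  CONFIGURED=
  $SUDO sh ./ifconfig.sh up
  perl ./testsock.pl && CONFIGURED=build
fi
popd

if [ -n "$CONFIGURED" ]
then
  set -e
  pushd build/bin/tests
  export CI_SYSTEM=yes # allow running tests as root
  chown -R ${USER} . # Can be unknown user
  %make_build test 2>&1 | tee test.log
  # The pipeline's own status is that of tee, which hid every test failure.
  # Take the status of the make step from PIPESTATUS instead; it has to be
  # read immediately after the pipeline.
  e=${PIPESTATUS[0]}
  # NOTE(review): ifconfig.sh was run from bin/tests/system above but is
  # looked up in bin/tests here - confirm the path, otherwise the test
  # addresses configured by this build are never removed.
  [ "$CONFIGURED" = build ] && $SUDO sh ./ifconfig.sh down
  popd
  if [ "$e" -ne 0 ]; then
    echo "ERROR: this build of BIND failed 'make test'. Aborting."
    exit $e;
  fi;
else
  echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.'
fi
%endif
: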
|
|
|
|
%install
|
|
# Build directory hierarchy
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/{bind,named}
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic}
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
|
|
mkdir -p ${RPM_BUILD_ROOT}/run/named
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log
|
|
|
|
#chroot
|
|
for D in %{chroot_create_directories}
|
|
do
|
|
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D}
|
|
done
|
|
|
|
# create symlink as it is on real filesystem
|
|
pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
|
|
ln -s ../run run
|
|
popd
|
|
|
|
# these are required to prevent them being erased during upgrade of previous
|
|
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf
|
|
#end chroot
|
|
|
|
pushd build
|
|
%make_install
|
|
popd
|
|
|
|
# Remove unwanted files
|
|
rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
|
|
|
|
# Systemd unit files
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
|
|
install -pm 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
|
|
install -pm 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
|
|
install -pm 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
|
|
install -pm 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
|
|
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
|
|
install -pm 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
|
|
install -pm 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
|
|
|
|
install -pm 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
|
|
|
|
install -pm 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
|
|
install -pm 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
|
|
install -pm 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
|
|
|
|
pushd ${RPM_BUILD_ROOT}%{_sbindir}
|
|
# Compatibility with previous major versions, only for selected binaries
|
|
for BIN in named-checkconf named-checkzone named-compilezone
|
|
do
|
|
ln -s ../bin/$BIN $BIN
|
|
done
|
|
popd
|
|
|
|
%if %{with DLZ}
|
|
pushd build
|
|
pushd contrib/dlz/modules
|
|
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
|
|
%make_install -C $DIR libdir=%{_libdir}/bind
|
|
done
|
|
pushd ${RPM_BUILD_ROOT}/%{_libdir}/named
|
|
cp -s ../bind/dlz_*.so .
|
|
popd
|
|
mkdir -p doc/{mysql,mysqldyn}
|
|
cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
|
|
cp -p mysqldyn/testing/* doc/mysqldyn
|
|
cp -p mysql/testing/* doc/mysql
|
|
popd
|
|
popd
|
|
%endif
|
|
|
|
# Remove libtool .la files:
|
|
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
|
|
|
|
# 9.16.4 installs even manual pages for tools not generated
|
|
%if %{without DNSTAP}
|
|
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
|
|
%endif
|
|
%if %{without LMDB}
|
|
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
|
|
%endif
|
|
|
|
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
|
|
ln -s ddns-confgen.8.gz tsig-keygen.8.gz
|
|
popd
|
|
pushd ${RPM_BUILD_ROOT}%{_mandir}/man1
|
|
ln -s named-checkzone.1.gz named-compilezone.1.gz
|
|
popd
|
|
|
|
%if %{with DOC}
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
|
|
cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
|
|
rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
|
|
# Backward compatible link to 9.11 documentation
|
|
(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
|
|
# Share static data from original sphinx package
|
|
for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
|
|
do
|
|
BASE=$(basename -- "$DIR")
|
|
BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE"
|
|
if [ -d "$BINDTHEMEDIR" ]; then
|
|
rm -rf "$BINDTHEMEDIR"
|
|
ln -s "$DIR" "$BINDTHEMEDIR"
|
|
fi
|
|
done
|
|
cp -p build/doc/arm/_build/epub/Bv9ARM.epub ${RPM_BUILD_ROOT}%{_pkgdocdir}
|
|
%endif
|
|
|
|
# Ghost config files:
|
|
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
|
|
|
|
# configuration files:
|
|
install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
|
|
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
|
|
install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
|
|
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
|
|
|
|
# data files:
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
|
|
install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
|
|
install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
|
|
install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
|
|
install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
|
|
install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
|
|
|
|
# sample bind configuration files for %%doc:
|
|
mkdir -p sample/etc sample/var/named/{data,slaves}
|
|
install -m 644 %{SOURCE25} sample/etc/named.conf
|
|
# Copy default configuration to %%doc to make it usable from system-config-bind
|
|
install -m 644 %{SOURCE16} named.conf.default
|
|
install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
|
|
install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named
|
|
install -m 644 %{SOURCE17} sample/var/named/named.ca
|
|
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
|
|
echo '@ in soa localhost. root 1 3H 15M 1W 1D
|
|
ns localhost.' > sample/var/named/$f;
|
|
done
|
|
:;
|
|
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
|
|
install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
|
|
|
|
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
|
|
install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
|
|
|
|
%pre
# Only a first install ($1 equal to 1) creates the service account; upgrades
# leave an existing account untouched.
[ "$1" -eq 1 ] || exit 0

# System group and user "named" with the fixed gid/uid configured at the top
# of this spec. The account gets /sbin/nologin as shell, /var/named as home
# (not created, -M) and no per-user group (-N).
# NOTE(review): output and failures of both commands are discarded, so a
# uid/gid collision or a failed creation goes unnoticed here, while the
# packaged files are later owned by root:named and named:named.
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named \
  -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
:;
|
|
|
|
%post
%?ldconfig
if [ "$1" -eq 1 ]; then
  # Initial installation: restore SELinux labels of the configuration files
  # when restorecon is available; its output and errors are discarded.
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
  # rndc.key has to have correct perms and ownership, CVE-2007-6283:
  # owner root, group named, not readable by others.
  # NOTE(review): this is applied on first install only; an upgrade does not
  # re-check the key file.
  if [ -e /etc/rndc.key ]; then
    chown root:named /etc/rndc.key
    chmod 0640 /etc/rndc.key
  fi
else
  # Upgrade, use invalid shell: move the account from /bin/false to
  # /sbin/nologin.
  getent passwd named | grep ':/bin/false$' >/dev/null \
    && /sbin/usermod -s /sbin/nologin named
  # Checkconf will parse out comments, so only an active reference to the
  # obsolete key file matches.
  if /usr/bin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
  then
    echo "Replacing obsolete named.iscdlv.key with named.root.key..."
    # The copy keeps mode, ownership and context (--preserve=all) and stays
    # in /etc as named.conf.rpmbackup after a successful rewrite. If sed
    # fails, the backup is moved back over named.conf.
    if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
      sed -e 's/named\.iscdlv\.key/named.root.key/' \
        /etc/named.conf.rpmbackup > /etc/named.conf || \
        mv /etc/named.conf.rpmbackup /etc/named.conf
    fi
  fi
fi
%systemd_post named.service
:;
|
|
|
|
%preun
|
|
# Package removal, not upgrade
|
|
%systemd_preun named.service
|
|
|
|
%postun
|
|
%?ldconfig
|
|
# Package upgrade, not uninstall
|
|
%systemd_postun_with_restart named.service
|
|
|
|
# Fix permissions on existing device files on upgrade
#
# Usage: chroot_fix_devices CHROOT_PREFIX
# Inside the body, $1 is the scriptlet's own argument as seen by the shell
# (the branch is taken only when it is greater than 1), while %%{1} is the
# macro argument, i.e. the chroot prefix.
# Only nodes that exist and still report group "root" with mode 644 are
# changed; they become mode 0664 with group named. Anything that was already
# adjusted is left alone.
# The brace expansion in the for loop needs a shell that supports it.
# NOTE(review): the loop covers null, random and zero; the chroot files list
# also packages dev/urandom - confirm whether leaving it out is intentional.
%define chroot_fix_devices() \
if [ $1 -gt 1 ]; then \
for DEV in "%{1}/dev"/{null,random,zero}; do \
if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \
then \
/bin/chmod 0664 "$DEV" \
/bin/chgrp named "$DEV" \
fi \
done \
fi
|
|
|
|
%triggerun -- bind < 32:9.9.0-0.6.rc1
|
|
/sbin/chkconfig --del named >/dev/null 2>&1 || :
|
|
/bin/systemctl try-restart named.service >/dev/null 2>&1 || :
|
|
|
|
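%triggerpostun -- bind < 32:9.18.4-2, selinux-policy, policycoreutils
# Runs only when the SELinux tools and named are installed and SELinux is
# enabled.
if [ -x %{_sbindir}/selinuxenabled ] && [ -x %{_sbindir}/getsebool ] && [ -x %{_sbindir}/setsebool ] \
   && %{_sbindir}/selinuxenabled && [ -x %{_sbindir}/named ]; then
  # Return master zones after upgrade from selinux_booleans version
  # getsebool prints "named_write_master_zones --> on|off"; LC_ALL=C keeps
  # that text stable so the prefix can be stripped below.
  WRITEBOOL="$(LC_ALL=C %{_sbindir}/getsebool named_write_master_zones)"
  # The comparison used to test the literal string "echo <state>", which can
  # never equal "off", so this branch was dead. Compare the state itself.
  # NOTE(review): with the comparison fixed, the boolean is switched on
  # persistently (-P) whenever it is found off. An administrator's deliberate
  # "off" cannot be told apart from a leftover old default, and the boolean,
  # going by its name, lets named write master zone files. Confirm that
  # overriding the local setting is intended.
  if [ "${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then
    echo "Restoring new sebool default of named_write_master_zones..."
    %{_sbindir}/setsebool -P named_write_master_zones=1 || :
  fi
fi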
|
|
|
|
%ldconfig_scriptlets libs
|
|
|
|
%post chroot
|
|
%systemd_post named-chroot.service
|
|
%chroot_fix_devices %{chroot_prefix}
|
|
:;
|
|
|
|
%posttrans chroot
# Restore the SELinux labels of the device nodes inside the chroot. This is
# done only when selinuxenabled is executable and reports SELinux as enabled,
# and only when restorecon is executable. Output and errors of restorecon
# are discarded, so a failed relabel is not reported.
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
[ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
fi;
|
|
|
|
%preun chroot
|
|
# wait for stop of both named-chroot and named-chroot-setup services
|
|
# on uninstall
|
|
%systemd_preun named-chroot.service named-chroot-setup.service
|
|
:;
|
|
|
|
%postun chroot
|
|
# Package upgrade, not uninstall
|
|
%systemd_postun_with_restart named-chroot.service
|
|
|
|
|
|
%files
|
|
# TODO: Move from lib/bind to lib/named, as used by upstream
|
|
# FIXME: current build targets filters into %%_libdir/bind again?
|
|
%dir %{_libdir}/bind
|
|
%{_libdir}/bind/filter*.so
|
|
%dir %{_libdir}/named
|
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
|
|
%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/named
|
|
%{_tmpfilesdir}/named.conf
|
|
%{_sysconfdir}/rwtab.d/named
|
|
%{_unitdir}/named.service
|
|
%{_unitdir}/named-setup-rndc.service
|
|
%{_bindir}/named-journalprint
|
|
%{_bindir}/named-checkconf
|
|
%{_bindir}/named-rrchecker
|
|
%{_bindir}/mdig
|
|
%{_sbindir}/named
|
|
%{_sbindir}/rndc*
|
|
%{_sbindir}/named-checkconf
|
|
%{_libexecdir}/generate-rndc-key.sh
|
|
%{_libexecdir}/setup-named-softhsm.sh
|
|
%{_mandir}/man1/mdig.1*
|
|
%{_mandir}/man1/named-rrchecker.1*
|
|
%{_mandir}/man5/named.conf.5*
|
|
%{_mandir}/man5/rndc.conf.5*
|
|
%{_mandir}/man8/rndc.8*
|
|
%{_mandir}/man8/named.8*
|
|
%{_mandir}/man1/named-checkconf.1*
|
|
%{_mandir}/man8/rndc-confgen.8*
|
|
%{_mandir}/man1/named-journalprint.1*
|
|
%{_mandir}/man8/filter-*.8.gz
|
|
%doc CHANGES README.md named.conf.default
|
|
%doc sample/
|
|
|
|
# Hide configuration
|
|
%defattr(0640,root,named,0750)
|
|
%dir %{_sysconfdir}/named
|
|
%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
|
|
%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
|
|
%defattr(0660,root,named,01770)
|
|
%dir %{_localstatedir}/named
|
|
%defattr(0660,named,named,0770)
|
|
%dir %{_localstatedir}/named/slaves
|
|
%dir %{_localstatedir}/named/data
|
|
%dir %{_localstatedir}/named/dynamic
|
|
%ghost %{_localstatedir}/log/named.log
|
|
%defattr(0640,root,named,0750)
|
|
%config %verify(not link) %{_localstatedir}/named/named.ca
|
|
%config %verify(not link) %{_localstatedir}/named/named.localhost
|
|
%config %verify(not link) %{_localstatedir}/named/named.loopback
|
|
%config %verify(not link) %{_localstatedir}/named/named.empty
|
|
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
|
|
# ^- rndc.key now created on first install only if it does not exist
|
|
%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
|
|
# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
|
|
# so rndc.conf is not necessary.
|
|
%defattr(-,named,named,-)
|
|
%dir /run/named
|
|
|
|
%files libs
|
|
%{_libdir}/libisccc-%{version}*.so
|
|
%{_libdir}/libns-%{version}*.so
|
|
%{_libdir}/libdns-%{version}*.so
|
|
%{_libdir}/libisc-%{version}*.so
|
|
%{_libdir}/libisccfg-%{version}*.so
|
|
|
|
%files license
|
|
%{!?_licensedir:%global license %%doc}
|
|
%license COPYRIGHT
|
|
|
|
%files utils
|
|
%{_bindir}/dig
|
|
%{_bindir}/delv
|
|
%{_bindir}/host
|
|
%{_bindir}/nslookup
|
|
%{_bindir}/nsupdate
|
|
%{_bindir}/arpaname
|
|
%{_sbindir}/ddns-confgen
|
|
%{_sbindir}/tsig-keygen
|
|
%{_bindir}/nsec3hash
|
|
%{_bindir}/named-checkzone
|
|
%{_bindir}/named-compilezone
|
|
%{_sbindir}/named-checkzone
|
|
%{_sbindir}/named-compilezone
|
|
%if %{with DNSTAP}
|
|
%{_bindir}/dnstap-read
|
|
%{_mandir}/man1/dnstap-read.1*
|
|
%endif
|
|
%if %{with LMDB}
|
|
%{_bindir}/named-nzd2nzf
|
|
%{_mandir}/man1/named-nzd2nzf.1*
|
|
%endif
|
|
%{_mandir}/man1/host.1*
|
|
%{_mandir}/man1/nsupdate.1*
|
|
%{_mandir}/man1/dig.1*
|
|
%{_mandir}/man1/delv.1*
|
|
%{_mandir}/man1/nslookup.1*
|
|
%{_mandir}/man1/arpaname.1*
|
|
%{_mandir}/man8/ddns-confgen.8*
|
|
%{_mandir}/man8/tsig-keygen.8*
|
|
%{_mandir}/man1/nsec3hash.1*
|
|
%{_mandir}/man1/named-checkzone.1*
|
|
%{_mandir}/man1/named-compilezone.1*
|
|
%{_sysconfdir}/trusted-key.key
|
|
|
|
%files dnssec-utils
|
|
%{_bindir}/dnssec*
|
|
%{_mandir}/man1/dnssec*.1*
|
|
|
|
%files devel
|
|
%{_libdir}/libisccc.so
|
|
%{_libdir}/libns.so
|
|
%{_libdir}/libdns.so
|
|
%{_libdir}/libisc.so
|
|
%{_libdir}/libisccfg.so
|
|
%dir %{_includedir}/bind9
|
|
%{_includedir}/bind9/isccc
|
|
%{_includedir}/bind9/ns
|
|
%{_includedir}/bind9/dns
|
|
%{_includedir}/bind9/dst
|
|
%{_includedir}/bind9/irs
|
|
%{_includedir}/bind9/isc
|
|
%{_includedir}/bind9/isccfg
|
|
|
|
%files chroot
|
|
%config(noreplace) %{_sysconfdir}/named-chroot.files
|
|
%{_unitdir}/named-chroot.service
|
|
%{_unitdir}/named-chroot-setup.service
|
|
%{_libexecdir}/setup-named-chroot.sh
|
|
%defattr(0664,root,named,-)
|
|
%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
|
|
%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
|
|
%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom
|
|
%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
|
|
%defattr(0640,root,named,0750)
|
|
%dir %{chroot_prefix}
|
|
%dir %{chroot_prefix}/dev
|
|
%dir %{chroot_prefix}%{_sysconfdir}
|
|
%dir %{chroot_prefix}%{_sysconfdir}/named
|
|
%dir %{chroot_prefix}%{_sysconfdir}/pki
|
|
%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
|
|
%dir %{chroot_prefix}%{_sysconfdir}/pki/tls
|
|
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
|
|
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
|
|
%dir %{chroot_prefix}%{_localstatedir}
|
|
%dir %{chroot_prefix}/run
|
|
%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
|
|
%defattr(-,root,root,-)
|
|
%dir %{chroot_prefix}/usr
|
|
%dir %{chroot_prefix}/%{_libdir}
|
|
%dir %{chroot_prefix}/%{_libdir}/bind
|
|
%dir %{chroot_prefix}/%{_datadir}
|
|
%dir %{chroot_prefix}/%{_datadir}/GeoIP
|
|
%{chroot_prefix}/proc
|
|
%defattr(0660,root,named,01770)
|
|
%dir %{chroot_prefix}%{_localstatedir}/named
|
|
%defattr(0660,named,named,0770)
|
|
%dir %{chroot_prefix}%{_localstatedir}/tmp
|
|
%dir %{chroot_prefix}%{_localstatedir}/log
|
|
%defattr(-,named,named,-)
|
|
%dir %{chroot_prefix}/run/named
|
|
%{chroot_prefix}%{_localstatedir}/run
|
|
|
|
%if %{with DLZ}
|
|
%files dlz-filesystem
|
|
%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
|
|
|
|
%files dlz-mysql
|
|
%{_libdir}/{named,bind}/dlz_mysql_dynamic.so
|
|
%doc build/contrib/dlz/modules/doc/mysql
|
|
%{_libdir}/{named,bind}/dlz_mysqldyn_mod.so
|
|
%doc build/contrib/dlz/modules/doc/mysqldyn
|
|
|
|
%files dlz-ldap
|
|
%{_libdir}/{named,bind}/dlz_ldap_dynamic.so
|
|
%doc contrib/dlz/modules/ldap/testing/*
|
|
|
|
%files dlz-sqlite3
|
|
%{_libdir}/{named,bind}/dlz_sqlite3_dynamic.so
|
|
%doc contrib/dlz/modules/sqlite3/testing/*
|
|
|
|
%endif
|
|
|
|
%if %{with DOC}
|
|
%files doc
|
|
%dir %{_pkgdocdir}
|
|
%doc %{_pkgdocdir}/html
|
|
%doc %{_pkgdocdir}/Bv9ARM.html
|
|
%doc %{_pkgdocdir}/Bv9ARM.epub
|
|
%endif
|
|
|
|
%changelog
|
|
%autochangelog
|