public inbox for ipfire-scm@lists.ipfire.org
From: Arne Fitzenreiter <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. b3bc092dad71cf4034d6f0d59708cfa47e8a3404
Date: Thu, 05 Mar 2020 11:59:49 +0000	[thread overview]
Message-ID: <48Y8SQ3LJZz2y1T@people01.haj.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  b3bc092dad71cf4034d6f0d59708cfa47e8a3404 (commit)
       via  233141c6c9983b39a2d385f781e0d787b8f315de (commit)
       via  9700617aeb4051f845e3f261da2829201a2b6fe9 (commit)
       via  0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5 (commit)
       via  e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa (commit)
       via  80bed5817d176e728cca6077dcefa7821f5c16ef (commit)
       via  0bdb63924b13d4e47db7cd03c6714cdfdd9280a9 (commit)
       via  a344d3c902417a21b619c6e4f2a1aaf38e3044fe (commit)
      from  e53c38aea14132da0fff15655735f673aab33c4a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b3bc092dad71cf4034d6f0d59708cfa47e8a3404
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Thu Mar 5 05:54:09 2020 +0000

    core142: start suricata before unbound after update
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 233141c6c9983b39a2d385f781e0d787b8f315de
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Mar 4 21:49:05 2020 +0000

    core142: add unbound.conf to updater
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 9700617aeb4051f845e3f261da2829201a2b6fe9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Mar 4 21:11:53 2020 +0000

    unbound: Disable using mixed case for DNS queries
    
    This seems to cause some resolvers to not respond
    to queries any more until unbound falls back.
    
    To ensure better DNS performance, we disabled this.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Mar 4 21:11:52 2020 +0000

    unbound: Only launch one process
    
    When unbound is running multiple threads, we have observed
    that queries were sent for each thread.
    
    Since no user should have so much DNS traffic that more than
    one processor core is being saturated, this is a safe change.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Jan 20 19:36:00 2020 +0000

    unbound.conf: Do not set defaults explicitly
    
    In order to keep configuration files small and easy to review/audit,
    omitting defaults makes more sense than configuring them explicitly (I have
    changed my mind here).
    
    Unbound comes with a good default configuration, and we should only make
    changes when they are necessary. In addition, this patch updates the
    documentation's URL to the current one.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Cc: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 80bed5817d176e728cca6077dcefa7821f5c16ef
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Mar 4 21:38:24 2020 +0000

    dns.cgi: restart suricata before unbound reload
    
    If unbound is reloaded, it starts a bunch of DNS queries,
    so suricata needs to know which servers should be used.
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 0bdb63924b13d4e47db7cd03c6714cdfdd9280a9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Mar 4 10:44:50 2020 +0000

    backup: Fix saving DNS settings
    
    There was a typo in /var/ipfire/dns/servers and the settings
    file was not explicitly included in the backup.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit a344d3c902417a21b619c6e4f2a1aaf38e3044fe
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Mar 4 08:52:56 2020 +0100

    unbound/red.up: run unbound update-forwarders after suricata init.
    
    The old suricata instance blocks DNS requests if the RED IP has changed.
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/backup/include                              |  2 +-
 config/rootfiles/common/aarch64/initscripts        |  2 +-
 config/rootfiles/common/armv5tel/initscripts       |  2 +-
 config/rootfiles/common/i586/initscripts           |  2 +-
 config/rootfiles/common/x86_64/initscripts         |  2 +-
 config/rootfiles/core/142/filelists/files          |  1 +
 config/rootfiles/core/142/update.sh                |  8 ++++----
 config/unbound/unbound.conf                        | 23 ++--------------------
 html/cgi-bin/dns.cgi                               |  5 ++---
 ...ate-dns-forwarders => 25-update-dns-forwarders} |  0
 src/initscripts/system/unbound                     | 19 ------------------
 11 files changed, 14 insertions(+), 52 deletions(-)
 rename src/initscripts/networking/red.up/{22-update-dns-forwarders => 25-update-dns-forwarders} (100%)

Difference in files:
diff --git a/config/backup/include b/config/backup/include
index d33dcf099..0153272f7 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -31,7 +31,7 @@
 /var/ipfire/*/*.conf
 /var/ipfire/*/config
 /var/ipfire/dhcp/*
-/var/ipfire/dns/server
+/var/ipfire/dns
 /var/ipfire/dnsforward/*
 /var/ipfire/*/enable
 /var/ipfire/*/*enable*
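Review bot: the new entry `+/var/ipfire/dns` is the only bare directory entry in this part of the list; every neighbouring directory is given as a glob such as `/var/ipfire/dhcp/*` or `/var/ipfire/dnsforward/*`. Including the whole directory does fix the `server`/`servers` mismatch that the commit message describes and also pulls in the settings file, but if the backup tool handles a bare directory differently from a `dir/*` pattern, writing it as `/var/ipfire/dns/*` keeps the list uniform and avoids relying on that behaviour.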
diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 3c8dfc70a..4f7465791 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
 etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/23-suricata
 etc/rc.d/init.d/networking/red.up/24-RS-qos
+etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/27-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 #etc/rc.d/init.d/networking/red.up/35-guardian
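Review bot: moving the entry from `22-update-dns-forwarders` to `25-update-dns-forwarders` places it after `23-suricata` and `24-RS-qos` in the red.up ordering, which is what commit a344d3c9 requires (suricata must be up before the forwarder update triggers DNS traffic). The same two-line change is repeated verbatim for aarch64, armv5tel, i586 and x86_64 below; keeping the four lists in sync by hand is error-prone, so a check in the build that these initscripts rootfiles agree would catch a future partial edit.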
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 3c8dfc70a..4f7465791 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
 etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/23-suricata
 etc/rc.d/init.d/networking/red.up/24-RS-qos
+etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/27-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 #etc/rc.d/init.d/networking/red.up/35-guardian
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 3f56c49cc..9db445a69 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
 etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/23-suricata
 etc/rc.d/init.d/networking/red.up/24-RS-qos
+etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/27-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 #etc/rc.d/init.d/networking/red.up/35-guardian
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 3f56c49cc..9db445a69 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -54,9 +54,9 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
 etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/23-suricata
 etc/rc.d/init.d/networking/red.up/24-RS-qos
+etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/27-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 #etc/rc.d/init.d/networking/red.up/35-guardian
diff --git a/config/rootfiles/core/142/filelists/files b/config/rootfiles/core/142/filelists/files
index 0ac4861cd..11daea4b5 100644
--- a/config/rootfiles/core/142/filelists/files
+++ b/config/rootfiles/core/142/filelists/files
@@ -2,6 +2,7 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
 var/ipfire/langs
+etc/unbound/unbound.conf
 etc/rc.d/helper/aws-setup
 etc/rc.d/helper/azure-setup
 etc/rc.d/init.d/unbound
diff --git a/config/rootfiles/core/142/update.sh b/config/rootfiles/core/142/update.sh
index dd1377c1c..e46bdf2ea 100644
--- a/config/rootfiles/core/142/update.sh
+++ b/config/rootfiles/core/142/update.sh
@@ -97,9 +97,9 @@ rm -f /etc/rc.d/init.d/networking/red.down/05-*-dns-forwarders
 # Extract files
 extract_files
 
-# move update forwarders below firewall
-mv -f /etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders \
-      /etc/rc.d/init.d/networking/red.up/22-update-dns-forwarders
+# move update forwarders below suricata
+mv -f /etc/rc.d/init.d/networking/red.up/*-update-dns-forwarders \
+      /etc/rc.d/init.d/networking/red.up/25-update-dns-forwarders
 
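Review bot: the glob in `mv -f /etc/rc.d/init.d/networking/red.up/*-update-dns-forwarders \` is fragile because `extract_files` has already run two lines above. If the extracted file set contains the new `25-update-dns-forwarders` while the old `22-` (or a leftover `05-`) copy is still present, the glob expands to two or more sources and `mv` fails with a non-directory target, leaving the old script in place to run the forwarder update before suricata; if nothing matches, `mv` is handed the literal pattern and errors as well. Moving the known old name explicitly (the previous hunk used `05-update-dns-forwarders`, the rootfile lists used `22-`) and removing any other stale copies with `rm -f` is more predictable than a wildcard rename.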
 # update linker config
 ldconfig
@@ -126,8 +126,8 @@ done
 /usr/local/bin/filesystem-cleanup
 
 # Start services
-/etc/init.d/unbound restart
 /etc/init.d/suricata start
+/etc/init.d/unbound restart
 /etc/init.d/squid start
 
 # remove lm_sensor config after collectd was started
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 24822ee67..3aab6ea46 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -2,7 +2,7 @@
 # Unbound configuration file for IPFire
 #
 # The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
 #
 
 server:
@@ -10,26 +10,17 @@ server:
 	chroot: ""
 	directory: "/etc/unbound"
 	username: "nobody"
-	port: 53
-	do-ip4: yes
 	do-ip6: no
-	do-udp: yes
-	do-tcp: yes
-	so-reuseport: yes
-	do-not-query-localhost: yes
 
 	# System Tuning
 	include: "/etc/unbound/tuning.conf"
 
 	# Logging Options
-	verbosity: 1
 	use-syslog: yes
 	log-time-ascii: yes
-	log-queries: no
 
 	# Unbound Statistics
 	statistics-interval: 86400
-	statistics-cumulative: yes
 	extended-statistics: yes
 
 	# Prefetching
@@ -42,26 +33,16 @@ server:
 	# Privacy Options
 	hide-identity: yes
 	hide-version: yes
-	qname-minimisation: yes
-	minimal-responses: yes
 
 	# DNSSEC
 	auto-trust-anchor-file: "/var/lib/unbound/root.key"
-	val-permissive-mode: no
-	val-clean-additional: yes
 	val-log-level: 1
+	log-servfail: yes
 
 	# Hardening Options
-	harden-glue: yes
-	harden-short-bufsize: no
 	harden-large-queries: yes
-	harden-dnssec-stripped: yes
-	harden-below-nxdomain: yes
 	harden-referral-path: yes
-	harden-algo-downgrade: no
-	use-caps-for-id: yes
 	aggressive-nsec: yes
-	qname-minimisation: yes
 
 	# TLS
 	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
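Review bot: two things in this hunk deserve a line in the commit message or a comment in the file. First, `-	use-caps-for-id: yes` reverts to Unbound's default of `no`, which disables 0x20 query-name case randomisation; commit 9700617a accepts that trade-off for interoperability, but since the option lives under "Hardening Options" a short comment noting that it was deliberately left off would stop a later audit from re-adding it. Second, the defaults for some of the removed keys (`qname-minimisation`, `minimal-responses`, `harden-below-nxdomain`) have changed across Unbound releases, so "matches the default" depends on the version IPFire ships; running `unbound-checkconf` against the shipped version and recording which defaults are being relied on would make the slimmed-down file safe to review in isolation. The added `+	log-servfail: yes` is a genuine non-default and is useful for diagnosing the resolver stalls this update is reacting to.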
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 09fd50206..676d95f8a 100755
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -815,9 +815,6 @@ END
 
 # Private function to handle the restart of unbound and more.
 sub _handle_unbound_and_more () {
-	# Restart unbound
-	system('/usr/local/bin/unboundctrl reload >/dev/null');
-
 	# Check if the IDS is running.
 	if(&IDS::ids_is_running()) {
 		# Re-generate the file which contains the DNS Server
@@ -827,6 +824,8 @@ sub _handle_unbound_and_more () {
 		# Call suricatactrl to perform a reload.
 		&IDS::call_suricatactrl("restart");
 	}
+	# Restart unbound
+	system('/usr/local/bin/unboundctrl reload >/dev/null');
 }
 
 # Check if the system is online (RED is connected).
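Review bot: the comment `+	# Restart unbound` describes a restart but the command is `unboundctrl reload`; please make the two agree so the reader knows the cache is kept. More importantly, the return value of `system(...)` is discarded both here and in the `&IDS::call_suricatactrl("restart")` branch above, so a failed suricata restart or unbound reload leaves the CGI reporting success while the resolver may still be using the old forwarder list. Checking the exit status and surfacing a warning in the web UI would make the new ordering verifiable rather than assumed.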
diff --git a/src/initscripts/networking/red.up/22-update-dns-forwarders b/src/initscripts/networking/red.up/25-update-dns-forwarders
similarity index 100%
rename from src/initscripts/networking/red.up/22-update-dns-forwarders
rename to src/initscripts/networking/red.up/25-update-dns-forwarders
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index c845c436f..1cf26ec0e 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -191,15 +191,6 @@ write_forward_conf() {
 write_tuning_conf() {
 	# https://www.unbound.net/documentation/howto_optimise.html
 
-	# Determine number of online processors
-	local processors=$(getconf _NPROCESSORS_ONLN)
-
-	# Determine number of slabs
-	local slabs=1
-	while [ ${slabs} -lt ${processors} ]; do
-		slabs=$(( ${slabs} * 2 ))
-	done
-
 	# Determine amount of system memory
 	local mem=$(get_memory_amount)
 
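Review bot: the context line ` 	# https://www.unbound.net/documentation/howto_optimise.html` still points at the old unbound.net domain, while the unbound.conf hunk in this same push moved the reference to nlnetlabs.nl; updating this URL at the same time keeps the two documentation pointers consistent. Removing the `processors` and `slabs` computation here is fine on its own, as nothing else in the visible function uses those variables.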
@@ -234,16 +225,6 @@ write_tuning_conf() {
 	(
 		config_header
 
-		# We run one thread per processor
-		echo "num-threads: ${processors}"
-		echo "so-reuseport: yes"
-
-		# Adjust number of slabs
-		echo "infra-cache-slabs: ${slabs}"
-		echo "key-cache-slabs: ${slabs}"
-		echo "msg-cache-slabs: ${slabs}"
-		echo "rrset-cache-slabs: ${slabs}"
-
 		# Slice up the cache
 		echo "rrset-cache-size: $(( ${mem} / 2 ))m"
 		echo "msg-cache-size: $(( ${mem} / 4 ))m"
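Review bot: with the `num-threads` and `*-cache-slabs` lines removed, Unbound falls back to its defaults of one thread and four slabs per cache, which is what commit 0f0f3ae7 intends, but the generated tuning.conf now says nothing about threading at all. A comment line written into the file stating that one thread is deliberate (with a pointer to the observed duplicate-query behaviour) would keep the decision visible next to the cache sizing that the function still writes. Note also that `so-reuseport: yes` is dropped both here and from unbound.conf in this push, so it now rests on Unbound's own default.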


hooks/post-receive
--
IPFire 2.x development tree
