Community Packages


FS#52920 - [unbound] Use pacman hook to update trusted-key.key

Attached to Project: Community Packages
Opened by Jean (rfnx) - Saturday, 11 February 2017, 05:25 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 16 March 2017, 17:36 GMT
Task Type: Feature Request
Category: Packages
Status: Closed
Assigned To: Gaetan Bisson (vesath)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Description:

Hello,

I have a suggestion for the unbound package: use a pacman hook to update trusted-key.key instead of the "ExecStartPre" line in the systemd service file.
I think it looks cleaner and it makes more sense.

How to do it:

1) Remove ExecStartPre line in the systemd service file.
2) Now, create the file /etc/pacman.d/hooks/unbound-dnssec.hook (you can change the name, but not the extension) with this content:

# Update unbound with new trusted-key
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = dnssec-anchors

[Action]
Description = Updating trusted-key.key for unbound...
Depends = unbound
When = PostTransaction
Exec = /bin/cp -f /etc/trusted-key.key /etc/unbound/

# End of file

3) ???
4) Profit!

I hope you like my suggestion :)
I needed this solution because I added isolation options provided by systemd recently, and the ExecStartPre line caused issues with ProtectSystem=full.


Additional info:
* package version(s): 1.6.0-1

Closed by Gaetan Bisson (vesath)
Thursday, 16 March 2017, 17:36 GMT
Reason for closing: Fixed
Additional comments about closing: unbound-1.6.1-3 in [community]
Comment by Jean (rfnx) - Saturday, 11 February 2017, 06:20 GMT
I forgot to add that /usr/share/libalpm/hooks/ is the system hook directory used for packages.
Comment by Gaetan Bisson (vesath) - Monday, 13 February 2017, 08:38 GMT
I don't see why not...

Thanks!
Comment by Jean (rfnx) - Monday, 13 February 2017, 17:32 GMT
Thanks for implementing it :) !

But after testing the new change, I realized it also needs to be done once, in the install script, for the initial setup.

You should add this in the post_install function:
/bin/cp -f /etc/trusted-key.key /etc/unbound/
Comment by Gaetan Bisson (vesath) - Monday, 13 February 2017, 18:08 GMT
Oh, right. Cheers.
Comment by Jean (rfnx) - Monday, 13 February 2017, 18:33 GMT
Thank you for your work on this package, and sorry for wasting time reopening this issue but I completely forgot the install script part :/
Comment by Jean (rfnx) - Thursday, 16 March 2017, 15:01 GMT
Hello,

After the new dnssec-anchors update I realized the hook provided does not work. I think it is because "Type = File" is used. With the version of the hook I provided in the original post, it works. You should probably use "Type = Package" and "Target = dnssec-anchors" instead of "Type = File" and "Target = /etc/trusted-key.key".
Comment by Doug Newgard (Scimmia) - Thursday, 16 March 2017, 15:03 GMT
Pretty sure the only problem is the leading slash on the target.
Comment by Gaetan Bisson (vesath) - Thursday, 16 March 2017, 17:19 GMT
My bad. Will fix right away.
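
The failure discussed in the last comments, a "Type = File" trigger whose Target carries a leading slash, can be caught before a hook ships with a small lint. This is an added example, not part of the original report or of the unbound package; the function names lint_alpm_hook and demo_lint are hypothetical and the sample hook is constructed from the variants quoted in the thread.

```shell
#!/bin/sh
# lint_alpm_hook FILE: report "Type = File" targets that begin with "/".
# alpm-hooks(5) matches File targets against paths as stored in the package
# archive (no leading slash), so such a trigger does not fire.
# Exit status: 1 if at least one such target was found, otherwise 0.
lint_alpm_hook() {
    awk '
        function flush(   i, t, neg) {        # judge the section just finished
            for (i = 1; type == "File" && i <= n; i++) {
                t = targets[i]; neg = ""
                if (t ~ /^!/) { neg = "!"; t = substr(t, 2) }   # negated target
                if (t ~ /^\//) {
                    bad = 1
                    sub(/^\/+/, "", t)
                    printf "File target \"%s\" never matches; use \"%s%s\"\n", targets[i], neg, t
                }
            }
            type = ""; n = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        /^[ \t]*\[/ { flush(); next }         # a new section ends the previous one
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "Type") type = val
            if (key == "Target") targets[++n] = val
        }
        END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two trigger variants discussed in the comments.
demo_lint() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '[Trigger]' 'Operation = Upgrade' 'Type = File' \
        'Target = /etc/trusted-key.key' '[Trigger]' 'Operation = Upgrade' \
        'Type = Package' 'Target = dnssec-anchors' '[Action]' \
        'When = PostTransaction' \
        'Exec = /bin/cp -f /etc/trusted-key.key /etc/unbound/' > "$tmp"
    rc=0; lint_alpm_hook "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Running demo_lint flags only the File trigger; the Package trigger on dnssec-anchors passes, as does a File trigger written as etc/trusted-key.key.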
