Feature #9251
closed
DNS Resolver (Unbound) Python Integration
100%
Description
Add the python module integration to the DNS Resolver (Unbound)
The only remaining function would be to mount the /bin and /lib folders to the /var/unbound folder.
mkdir -p /var/unbound/usr/local/bin
mkdir -p /var/unbound/usr/local/lib
mount_nullfs -o ro /usr/local/bin/ /var/unbound/usr/local/bin
mount_nullfs -o ro /usr/local/lib/ /var/unbound/usr/local/lib
I have coded the following for pfBlockerNG for testing purposes, but this will need to be adapted for pfSense and called at bootup before Unbound starts or it will fail to load without the mounts. It will also need notices/log info message code added.
https://gist.github.com/BBcan177/b5d9506f9d1ca1ff2457f62bbaaaf878
Updated by BBcan177 . almost 6 years ago
The final code for mounting the /bin and /lib folders has been submitted for review (Services.inc):
https://github.com/pfsense/pfsense/pull/4029/commits/a4ca3a94fe7dbbed2177bcb3eccbd667bc6ca993
Updated by Renato Botelho over 5 years ago
- Category set to DNS Resolver
- Status changed from New to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.5.0
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Renato Botelho almost 5 years ago
PR 4155 has been merged to RELENG_2_4_5. Thanks
Updated by Renato Botelho almost 5 years ago
- Target version changed from 2.5.0 to 2.4.5
Updated by Jim Pingle almost 5 years ago
- File netflix-no-aaaa.py added
- Status changed from Feedback to New
This doesn't appear to be working on 2.4.5.
On 2.5.0 I can copy over netflix-no-aaaa.py (attached) and enable the module, select the script, and it works as expected (resolving netflix.com only returns A records. Without the script, both A and AAAA records are returned).
On 2.4.5, using the same actions, unbound fails to run. Unbound quits without logging any errors. Starting it manually in the foreground results in an error:
/usr/local/sbin/unbound -d -c /var/unbound/unbound.conf
Fatal Python error: _Py_HashRandomization_Init: failed to get random numbers to initialize Python
Updated by BBcan177 . almost 5 years ago
For my python PHP include files, I added a mount to address random number generation:
/sbin/mount -t devfs devfs /var/unbound/dev
devfs on /var/unbound/dev (devfs, local)
Updated by Jim Pingle almost 5 years ago
If it's a required action, it should be done when setting up the environment. I'm mostly curious about why that isn't necessary on 2.5.0 but seems to be necessary on 2.4.5, though it may be a FreeBSD 11 vs 12 environment issue.
Updated by Jim Pingle almost 5 years ago
- Assignee changed from Renato Botelho to Jim Pingle
Mounting devfs does fix the problem. I added some code to set that up as needed when the module is enabled.
Updated by Jim Pingle almost 5 years ago
- Status changed from New to Feedback
Applied in changeset 741892ee23a9085b71fa94fcfb8375044fec6ee2.
Updated by Jim Pingle almost 5 years ago
- Status changed from Feedback to Resolved
Appears to work fine now on 2.4.5.a.20200114.0923 and 2.5.0.a.20200113.1543
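A preflight check for the three chroot mounts discussed in this thread (read-only nullfs mounts of /usr/local/bin and /usr/local/lib, plus devfs on /var/unbound/dev), as an added example that is not part of the original thread or of pfSense. The function names and sample text are hypothetical, and it assumes FreeBSD mount(8) output of the form shown above, with `read-only` listed for mounts made with `-o ro`.

```shell
# Added example (not pfSense code); input is mount(8)-style text, one mount per line.
# mount_opts MOUNT_TEXT TARGET: print the "fstype, flags" list for TARGET, if mounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v t="$2" '$2 == "on" && $3 == t {
        sub(/^[^(]*\(/, ""); sub(/\)[^)]*$/, ""); print; exit }'
}

# check_mount MOUNT_TEXT TARGET FSTYPE [FLAG]
# Prints ok, missing, wrong-type, or not-FLAG (e.g. not-read-only).
check_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo missing; return 0; }
    case "$opts" in
        "$3"|"$3",*) ;;
        *) echo wrong-type; return 0 ;;
    esac
    if [ -n "${4:-}" ]; then
        case ", $opts," in
            *", $4,"*) ;;
            *) echo "not-$4"; return 0 ;;
        esac
    fi
    echo ok
}

# python_chroot_report MOUNT_TEXT [CHROOT]: one status line per required mount;
# returns 0 only if bin and lib are read-only nullfs mounts and dev is devfs.
python_chroot_report() {
    text=$1 root=${2:-/var/unbound} rc=0
    while read -r rel fstype flag; do
        st=$(check_mount "$text" "$root/$rel" "$fstype" "$flag")
        echo "$root/$rel: $st"
        [ "$st" = ok ] || rc=1
    done <<EOF
usr/local/bin nullfs read-only
usr/local/lib nullfs read-only
dev devfs
EOF
    return $rc
}

# Constructed samples: in SAMPLE_BAD, lib is read-write and dev is not mounted.
SAMPLE_GOOD='/usr/local/bin on /var/unbound/usr/local/bin (nullfs, local, read-only)
/usr/local/lib on /var/unbound/usr/local/lib (nullfs, local, read-only)
devfs on /var/unbound/dev (devfs, local)'
SAMPLE_BAD='/usr/local/bin on /var/unbound/usr/local/bin (nullfs, local, read-only)
/usr/local/lib on /var/unbound/usr/local/lib (nullfs, local)'
python_chroot_report "$SAMPLE_BAD" || true
```

On the firewall itself the same function can be fed live state with `python_chroot_report "$(mount)"`; a missing `dev` line corresponds to the `_Py_HashRandomization_Init` failure reported above.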
Updated by DRago_Angel [InV@DER] over 4 years ago
@Jim, maybe it would be a cool idea to add an option to paste Python files into the Unbound chroot from the GUI, like it is done in the HAProxy package, so that all user scripts will be written to config.xml and will remain in users' backup files?
Updated by DRago_Angel [InV@DER] over 4 years ago
About the Python module and Python files, suggestion "option two":
Add a notice *(i) to Python Module Script about:
1. If you want to add Python modules and back them up, install the Filer plugin
2. Put Python modules in the /var/unbound folder with 644 permissions and root:root owner
3. If you use the Filer plugin, you can reload Unbound with a shell command in Filer on update/sync of a file:
unbound-control -c /var/unbound/unbound.conf reload
Updated by Carsten Grafflage over 4 years ago
It's nice that there is the added option in the web config, but there is no hint whatsoever where to put these Python scripts. And also from reading this feature request it's not clear to me.