- Feb 05, 2018
-
-
Vladimír Čunát authored
-
Tomas Krizek authored
Verbose logging should be used for debugging purposes, as it generates a lot of output. It shouldn't be turned on by default for normal mode of operation.
-
- Feb 02, 2018
-
-
Tomas Krizek authored
ci: respdiff - use ipv4, increase timeout, collect kresd.log
See merge request !473
-
Tomas Krizek authored
This reverts threshold that was bumped in commit de7a4a96.
-
Tomas Krizek authored
This decreases the amount of timeouts, which become SERVFAILs instead. Overall, this results in more valid answers.
-
Tomas Krizek authored
-
Tomas Krizek authored
IPv6 isn't currently supported in our Docker image and using it during resolution leads to a larger amount of timeouts.
-
- Feb 01, 2018
-
-
Vladimír Čunát authored
-
Tomas Krizek authored
To be able to use development version tarballs for creating distro packages for Fedora/CentOS, the pre-release name can't contain hyphens.
-
Tomas Krizek authored
systemd: fixes for unit files
See merge request !476
-
Tomas Krizek authored
The Service directives belong to the Socket section. Otherwise, systemd fails to find the associated service and the socket can't start.
-
Tomas Krizek authored
-
Tomas Krizek authored
-
Tomas Krizek authored
tls_client: fix error message logging
See merge request !478
-
Tomas Krizek authored
-
Grigorii Demidov authored
tls_client: compatibility for older gnutls version
See merge request !475
-
When an older gnutls version is used, make sure not to use undeclared symbols or functions.
-
Petr Špaček authored
drop world-executable permissions on /run/knot-resolver
See merge request !477
-
Daniel Kahn Gillmor authored
It's not clear why anyone other than the superuser needs to be able to descend into /run/knot-resolver, so we should drop this extra permission. It appears to have been added in e0f33604, but the log message for that commit doesn't explain why the permission needs to be loosened. The main situation that calls for executable but not readable directories is when a directory contains something at a known location that everyone must be able to reach, but also contains some sensitive file with a name that itself is unguessable (i.e. high entropy string). That doesn't appear to be the case here. By principle of least privilege, we should leave it locked down unless there's a clear justification for opening it up.
-
- Jan 31, 2018
-
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Vladimír Čunát authored
The version restriction has remained way too long, apparently.
-
Vladimír Čunát authored
-
Vladimír Čunát authored
Decision function is separated out.
-
Vladimír Čunát authored
Let's allow 4 UDP + 4 TCP attempts, within 2+2 seconds, and then start also using stale cache.
-
Vladimír Čunát authored
Some parts were hand-written, apparently.
-
- Jan 30, 2018
-
-
Tomas Krizek authored
ci: respdiff - update config
See merge request !469
-
Tomas Krizek authored
Since we've added the `timeout` metric to respdiff, it uncovered an issue when running in Docker, where a large amount of queries (~2% / resolver) end with a timeout. Until the issue is investigated and fixed, temporarily bump the CI's tolerance for the test to pass to 3%.
-
Tomas Krizek authored
-
Tomas Krizek authored
systemd: enable multiple processes with socket activation
See merge request !464
-
Tomas Krizek authored
In order to be able to spawn multiple processes with socket activation, systemd template (see systemd.unit(5)) is used. This allows the user to create any amount of instances by simply providing a unique name for each of them. The most sensible instance identifiers are natural numbers, but any convention could be used. The default recommended service name becomes kresd@1.service, replacing the older kresd.service. Sockets are renamed in a similar way. Users are able to take advantage of bash expansion to spawn/control multiple processes, e.g. "systemctl start kresd@{1..16}.service". The socket-activated service can now be launched directly with "systemctl start kresd@1.service", which will request the associated sockets without the need for any extra privileges or capabilities. Stopping the kresd service now also stops the associated sockets. Stopping any individual socket is an isolated operation now (stopping kresd@1.socket no longer stops kresd-tls@1.socket and kresd-control@1.socket). Users and packagers are also encouraged to use drop-in files for extra configuration or modifications to ensure compatibility with their distribution.
-
Tomas Krizek authored
-
Vladimír Čunát authored
It's not for NSEC3, etc. We'll fill NEWS soon.
-