---
Checks: |-
bugprone-*,
cert-*,
google-readability-casting,
misc-*,
readability-*,
-bugprone-assignment-in-if-condition,
-bugprone-branch-clone,
-bugprone-easily-swappable-parameters,
-bugprone-inc-dec-in-conditions,
-bugprone-multi-level-implicit-pointer-conversion,
-bugprone-narrowing-conversions,
-bugprone-not-null-terminated-result,
-bugprone-sizeof-expression,
-bugprone-suspicious-string-compare,
-cert-dcl03-c,
-cert-dcl16-c,
-clang-analyzer-deadcode.DeadStores,
-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,
-clang-analyzer-unix.Malloc,
-clang-analyzer-valist.Uninitialized,
-clang-analyzer-optin.core.EnumCastOutOfRange,
-misc-include-cleaner,
-misc-macro-parentheses,
-misc-no-recursion,
-misc-static-assert,
-misc-unused-parameters,
-readability-avoid-nested-conditional-operator,
-readability-avoid-unconditional-preprocessor-if,
-readability-braces-*,
-readability-cognitive-complexity,
-readability-else-after-return,
-readability-function-cognitive-complexity,
-readability-identifier-length,
-readability-isolate-declaration,
-readability-magic-numbers,
-readability-non-const-parameter,
-readability-redundant-declaration,
-readability-uppercase-literal-suffix,
-clang-analyzer-core.UndefinedBinaryOperatorResult
# TODO: remove `-clang-analyzer-core.UndefinedBinaryOperatorResult` when we
# upgrade to Clang >=18 (it's a false positive )
WarningsAsErrors: |-
cert-*,
clang-analyzer-*,
misc-*,
readability-*,
-readability-non-const-parameter,
HeaderFilterRegex: 'contrib/ucw/*.h'
CheckOptions:
- key: readability-identifier-naming
value: 'lower_case'
- key: readability-function-size.StatementThreshold
value: '400'
- key: readability-function-size.LineThreshold
value: '500'
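Review bot: `HeaderFilterRegex: 'contrib/ucw/*.h'` is a glob written where clang-tidy expects a POSIX regex — as a regex, `/*` means "zero or more slashes" and `.h` is "any character followed by h", so a header such as `contrib/ucw/lib.h` does not match and diagnostics in those headers are silently dropped; if the intent is to lint the ucw headers, use `HeaderFilterRegex: 'contrib/ucw/.*\.h$'`. The Checks list also disables several memory-safety-relevant analyzers (`clang-analyzer-unix.Malloc`, `clang-analyzer-valist.Uninitialized`, `bugprone-not-null-terminated-result`, `bugprone-sizeof-expression`, `clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling`) with no rationale, while only the `UndefinedBinaryOperatorResult` exclusion carries a TODO. For a resolver that parses untrusted wire data, each of those exclusions deserves a one-line comment in the style of the existing TODO (false positive, too noisy, or covered by sanitizers/fuzzing) so it is revisited rather than inherited. Note too that `WarningsAsErrors` omits `bugprone-*`, so those findings only warn and will not fail CI.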
;; emacs local configuration settings for knot-resolver source
;; surmised by dkg on 2016-04-02 23:46:50-0300
;; SPDX-License-Identifier: GPL-3.0-or-later
((c-mode
(indent-tabs-mode . t)
......
*.c diff=cpp
*.cpp diff=cpp
name: macOS
on: push
jobs:
build-test:
name: Build & unit tests & sanity check
runs-on: macOS-latest
strategy:
matrix:
knot-version: ['3.3']
steps:
- name: Checkout resolver code
uses: actions/checkout@v2
with:
submodules: true
- name: Install dependecies from brew
run:
brew install cmocka luajit libuv lmdb meson nghttp2 autoconf automake m4 libtool pkg-config
- name: Install libknot from sources
env:
KNOT_DNS_VERSION: ${{ matrix.knot-version }}
run: |
git clone -b ${KNOT_DNS_VERSION} https://gitlab.nic.cz/knot/knot-dns.git
cd knot-dns
autoreconf -fi
./configure --prefix=${HOME}/.local/usr --disable-static --disable-fastparser --disable-documentation --disable-daemon --disable-utilities --with-lmdb=no
make -j2 install
cd ..
- name: Build resolver
run: |
export PKG_CONFIG_PATH="${PKG_CONFIG_PATH}:${HOME}/.local/usr/lib/pkgconfig"
meson build_darwin --default-library=static --buildtype=debugoptimized --prefix=${HOME}/.local/usr -Dc_args='-fno-omit-frame-pointer'
ninja -C build_darwin -v install
- name: Run unit tests
env:
MALLOC_CHECK_: 3
MALLOC_PERTURB_: 223
run: meson test -C build_darwin --suite unit
- name: Run kresd
env:
MALLOC_CHECK_: 3
MALLOC_PERTURB_: 223
run: |
export DYLD_FALLBACK_LIBRARY_PATH="${DYLD_FALLBACK_LIBRARY_PATH}:${HOME}/.local/usr/lib/"
echo "quit()" | ${HOME}/.local/usr/sbin/kresd -a 127.0.0.1@53535 .
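Review bot: Both third-party inputs to this job float: `actions/checkout@v2` is pinned to a mutable tag (and v2 is a deprecated action runtime), and `git clone -b ${KNOT_DNS_VERSION}` with `knot-version: ['3.3']` appears to check out the head of an upstream branch, so the libknot the tests link against changes under you with no integrity check. Pin the action to a full commit SHA (`uses: actions/checkout@<full-sha> # vN`) and build libknot from a release tag or fixed commit (`git clone --depth 1 -b <release-tag> https://gitlab.nic.cz/knot/knot-dns.git`), echoing `git rev-parse HEAD` afterwards so the log records what was actually built. `brew install` is likewise unpinned, which is harder to fix but worth a comment next to the step. Minor: the step name `Install dependecies` should read `Install dependencies`.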
*.o
**/__pycache__/
*.6
*.Plo
*.a
*.so
*.so.*
*.db
*.dylib
*.dylib.*
*.lo
*.gcda
*.gcno
*.gcov
*.info
*.junit.xml
*.la
*.Plo
*.swp
*~
*.d
*.db
*.out
*.6
*.lo
*.log
/daemon/lua/*.inc
*.mdb
*.gcno
*.gcda
*.gcov
*.o
*.out
*.so
*.so.*
*.swp
*~
.coverage
.deps
.dirstamp
.libs
.deps
_obj
.mypy_cache
.pytest_cache
/.build*/
/.cache
/.install_dev
/aclocal.m4
/ar-lib
/autom4te.cache/*
/config.log
/bench/bench_lru
/build*/
/compile
/compile_commands.json
/config.guess
/config.h
/config.log
/config.status
/config.guess
/config.sub
/configure
/ar-lib
/libtool
/missing
/compile
/control
/coverage
/coverage.stats
/daemon/kresd
/daemon/lua/*.inc
/daemon/lua/trust_anchors.lua
/depcomp
/dist
/distro/tests/*/.vagrant
/doc/**/.doctrees
/doc/**/doxyxml
/doc/html
/doc/kresd.8
/doc/texinfo
/doc/_static/schema_doc*
/doc/config-schema-body.md
/ephemeral_key.pem
/install-sh
/stamp-h1
/aclocal.m4
/libkres.pc
/libtool
/ltmain.sh
/ylwrap
/doc/doxyxml
/doc/html
/daemon/kresd
/missing
/modules/dnstap/dnstap.pb-c.d
/pkg
/self.crt
/self.key
/stamp-h1
/tags
/tests/dnstap/src/dnstap-test/go.sum
/tests/pytests/*/tcproxy
/tests/pytests/*/tlsproxy
/tests/pytests/pytests.*.html
/tests/pytests/*.junit.xml
/tests/test_array
/tests/test_lru
/tests/test_map
......@@ -51,8 +83,9 @@ _obj
/tests/test_set
/tests/test_utils
/tests/test_zonecut
/ylwrap
_obj
kresd.amalg.c
libkres.amalg.c
/doc/kresd.8
/libkres.pc
/modules/version/version.lua
luacov.*.out
poetry.lock
stages:
- check
default:
image: $IMAGE_PREFIX/manager:$IMAGE_TAG
before_script:
- poetry --version
- poetry env use $PYTHON_INTERPRETER
tags:
- docker
- linux
- amd64
examples:py3.12:
stage: check
script:
- poetry install --all-extras --only main,dev
- poe examples
variables:
PYTHON_INTERPRETER: python3.12
check:py3.12:
stage: check
script:
- poetry install --all-extras --only main,dev,lint
- poe check
variables:
PYTHON_INTERPRETER: python3.12
format:py3.12:
stage: check
script:
- poetry install --all-extras --only main,dev,lint
- poe format
variables:
PYTHON_INTERPRETER: python3.12
lint:py3.12:
stage: check
script:
- poetry install --all-extras --only main,dev,lint
- poe lint
variables:
PYTHON_INTERPRETER: python3.12
.unit: &unit
stage: check
script:
- poetry install --all-extras --only main,dev,test
- poe test
# the following command makes sure that the source root of the coverage file is at $gitroot
- poetry run bash -c "coverage combine .coverage; coverage xml"
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage.xml
junit: unit.junit.xml
paths:
- unit.junit.xml
unit:py3.8:
<<: *unit
variables:
PYTHON_INTERPRETER: python3.8
unit:py3.9:
<<: *unit
variables:
PYTHON_INTERPRETER: python3.9
unit:py3.10:
<<: *unit
variables:
PYTHON_INTERPRETER: python3.10
unit:py3.11:
<<: *unit
variables:
PYTHON_INTERPRETER: python3.11
unit:py3.12:
<<: *unit
variables:
PYTHON_INTERPRETER: python3.12
unit:py3.13:
<<: *unit
variables:
PYTHON_INTERPRETER: python3.13
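Review bot: In the `.unit` template, `coverage combine .coverage; coverage xml` chains with `;`, so if `coverage combine` fails the second command still runs and the job can exit 0 with a coverage report built from stale or partial data; use `poetry run bash -c "coverage combine .coverage && coverage xml"`. The comment above it (anchoring the source root at `$gitroot`) explains why the wrapper exists and should stay. Because all six `unit:py3.*` jobs inherit this via the `&unit` anchor, a masked failure here is masked across the whole matrix.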

[submodule "tests/deckard"]
path = tests/deckard
url = https://gitlab.labs.nic.cz/knot/deckard.git
[submodule "tests/integration/deckard"]
path = tests/integration/deckard
url = https://gitlab.nic.cz/knot/deckard.git
[submodule "modules/policy/lua-aho-corasick"]
path = modules/policy/lua-aho-corasick
url = https://gitlab.nic.cz/knot/3rdparty/lua-aho-corasick.git
[submodule "tests/config/tapered"]
path = tests/config/tapered
url = https://gitlab.nic.cz/knot/3rdparty/lua-tapered.git
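Review bot: Two submodules point at what looks like the same project under two hosts: `tests/deckard` → `gitlab.labs.nic.cz/knot/deckard.git` and `tests/integration/deckard` → `gitlab.nic.cz/knot/deckard.git`. On this rendered compare I cannot tell whether the `labs` entry is the removed side; if both survive the merge, consolidate on the current host, since a stale hostname in a submodule URL tends to rot into a redirect or dead link and makes `git submodule update --init` fail or fetch from an unmaintained location. If both must remain, a short comment such as `# canonical host: gitlab.nic.cz; labs URL kept for old branches` would stop the next maintainer from guessing.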
-- SPDX-License-Identifier: GPL-3.0-or-later
std = 'luajit'
new_read_globals = {
'cache',
'eval_cmd',
'event',
'help',
'_hint_root_file',
'hostname',
'map',
'modules',
'net',
'package_version',
'quit',
'resolve',
'ta_update',
'fromjson',
'todname',
'tojson',
'user',
'worker',
'kluautil_list_dir',
-- Sandbox declarations
'kB',
'MB',
'GB',
'sec',
'second',
'minute',
'min',
'hour',
'day',
'panic',
'log',
'log_error',
'log_warn',
'log_info',
'log_debug',
'log_fmt',
'log_qry',
'log_req',
'log_level',
'log_target',
'log_groups',
'LOG_CRIT',
'LOG_ERR',
'LOG_WARNING',
'LOG_NOTICE',
'LOG_INFO',
'LOG_DEBUG',
'mode',
'reorder_RR',
'option',
'env',
'debugging',
'kres',
'libknot_SONAME',
'libzscanner_SONAME',
'table_print',
'_ENV',
}
new_globals = {
-- Modules are allowed to be set and accessed from global namespace
'policy',
'view',
'stats',
'http',
'trust_anchors',
'bogus_log',
}
-- Luacheck < 0.18 doesn't support new_read_globals
for _, v in ipairs(new_read_globals) do
table.insert(new_globals, v)
end
exclude_files = {
'modules/policy/lua-aho-corasick', -- Vendored
'tests/config/tapered',
'build*/**', -- build outputs
'pkg/**', -- packaging outputs
}
-- Ignore some pedantic checks
ignore = {
'4.1/err', -- Shadowing err
'4.1/.', -- Shadowing one letter variables
}
-- Sandbox can set global variables
files['**/daemon/lua'].ignore = {'111', '121', '122'}
files['**/daemon/lua/kres-gen-*.lua'].ignore = {'631'} -- Allow overly long lines
-- Tests and scripts can use global variables
files['scripts'].ignore = {'111', '112', '113'}
files['tests'].ignore = {'111', '112', '113'}
files['**/utils/upgrade'].ignore = {'111', '112', '113'}
files['**/modules/**/*.test.lua'].ignore = {'111', '112', '113', '121', '122'}
files['**/daemon/**/*.test.lua'].ignore = {'111', '112', '113', '121', '122'}
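Review bot: The compatibility loop after `new_globals` appends every entry of `new_read_globals` into `new_globals`, so on every luacheck version the sandbox names (`cache`, `net`, `log_*`, …) are also declared as writable globals; if luacheck treats a name present in both lists as writable — confirm against the luacheck version CI actually runs — the read-only intent this file sets up is never enforced and an accidental `net = ...` in a module goes unreported. Gate the loop on the luacheck version, or drop it if CI no longer uses luacheck < 0.18, and record the intent next to the list: `-- Sandbox API is read-only for modules; assignments should be reported as 121/122`. Separately, `'_ENV'` is listed under `std = 'luajit'` (Lua 5.1 semantics), so a one-line comment on why it is expected to be in scope would help a reader.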
Aleš Mrázek <ales.mrazek@nic.cz>
Alex Forster <aforster@cloudflare.com>
Ali Asad Lotia <ali.asad.lotia@gmail.com>
Anbang Wen <anbang@cloudflare.com> <xofyarg@gmail.com>
Anbang Wen <anbang@cloudflare.com> <anb@dev.null>
Andreas Rammhold <andreas@rammhold.de>
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Salzman <daniel.salzman@nic.cz>
daurnimator <quae@daurnimator.com>
David Beitey <david@davidjb.com>
Grigorii Demidov <grigorii.demidov@nic.cz>
Hasnat <hasnat.ullah@gmail.com>
Jiří Helebrant <jiri.helebrant@nic.cz> <helb@helb.cz>
Ivana Krumlová <ivana.krumlova@nic.cz>
Jakub Ružička <jakub.ruzicka@nic.cz>
Jan Hák <jan.hak@nic.cz>
Jan Holuša <jan.holusa@nic.cz>
Jan Pavlinec <jan.pavlinec@nic.cz>
Jan Včelák <jan.vcelak@nic.cz> <jv@fcelda.cz>
Jan Včelák <jan.vcelak@nic.cz>
Jayson Reis <santosdosreis@gmail.com>
Jonathan Coetzee <jon@thancoetzee.com>
Josh Soref <jsoref@users.noreply.github.com>
Karel Slaný <karel.slany@nic.cz>
Libor Peltan <libor.peltan@nic.cz>
Lukáš Ježek <lukas.jezek@nic.cz>
Manu Bretelle <chantr4@gmail.com>
Marek Vavruša <mvavrusa@cloudflare.com> Marek Vavrusa <marek@vavrusa.com>
Marek Vavruša <mvavrusa@cloudflare.com> Marek Vavruša <mvavrusa@cloudflare.com>
Marek Vavruša <mvavrusa@cloudflare.com> Marek Vavruša <marek.vavrusa@nic.cz>
Marek Vavruša <mvavrusa@cloudflare.com> <marek@vavrusa.com>
Marek Vavruša <mvavrusa@cloudflare.com> <marek.vavrusa@nic.cz>
Michal Karm Babáček <karm@email.cz>
Michal Lupečka <mlupecka@nic.cz>
Ondřej Surý <ondrej.sury@nic.cz> <ondrej@sury.org>
Oto Šťáva <oto.stava@nic.cz> <oto.stava@gmail.com>
Paul Hoffman <paul.hoffman@icann.org> <phoffman@proper.com>
Paul Hoffman <paul.hoffman@icann.org>
Pavel Doležal <pavel.dolezal@nic.cz>
Pavel Valach <valach.pavel@gmail.com>
Petr Špaček <petr.spacek@nic.cz>
rickhg12hs <rickhg12hs@users.noreply.github.com>
Robert Šefr <robert.sefr@outlook.com>
SH <sh@analogic.cz>
Simon South <simon@simonsouth.net>
Štěpán Balážik <stepan@balazik.cz> <stepan.balazik@nic.cz>
Štěpán Kotek <stepan.kotek@nic.cz> Stepan Kotek <stepan.kotek@nic.cz>
Štěpán Kotek <stepan.kotek@nic.cz> <stepan.kotek@gmail.com>
The Gitter Badger <badger@gitter.im>
Tomáš Hozza <thozza@redhat.com>
Tomáš Křížek <tomas.krizek@nic.cz>
Ulrich Wisser <ulrich.wisser@iis.se>
Leo Vandewoestijne <github@unicycle.net>
<vaclav.sraier@nic.cz> <git@vakabus.cz>
Václav Šraier <vaclav.sraier@nic.cz>
Vicky Shrestha <vicky@cloudflare.com> <vicky@geeks.net.np>
Vítězslav Kříž <vitezslav.kriz@nic.cz>
Vladimír Čunát <vladimir.cunat@nic.cz> <vcunat@gmail.com>
3.8.20
3.9.20
3.10.15
3.11.10
3.12.6
3.13.0
version: 2
build:
os: ubuntu-22.04
tools:
python: "3.11"
sphinx:
configuration: doc/conf.py
python:
install:
- requirements: doc/requirements.txt
formats:
- pdf
- epub
language: c
os:
- osx
compiler:
- clang
notifications:
email:
on_success: change
on_failure: change
slack:
rooms: cznic:xNJmvHU2xu2aGtN7Y2eqHKoD
on_success: change
on_failure: change
webhooks:
urls: https://webhooks.gitter.im/e/66485d8f591942052faa
on_success: always
on_failure: always
matrix:
fast_finish: true
env:
global:
- PKG_CONFIG_PATH="${HOME}/.local/lib/pkgconfig"
- PATH="${HOME}/.local/bin:/usr/local/bin:${PATH}"
- LD_LIBRARY_PATH="${HOME}/.local/lib"
- DYLD_LIBRARY_PATH="${HOME}/.local/lib"
- MALLOC_CHECK_=3
- MALLOC_PERTURB_=223
before_script:
- echo $CFLAGS
- BOOTSTRAP_CLEANUP=1 ./scripts/bootstrap-depends.sh ${HOME}/.local
script:
- CFLAGS="-O2 -g -fno-omit-frame-pointer -DDEBUG" make -j2 install check V=1 COVERAGE=1 PREFIX=${HOME}/.local DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}
- ./daemon/kresd -h
- ./daemon/kresd -V
- echo "quit()" | ./daemon/kresd -a 127.0.0.1#53535 .
- CFLAGS="-O2 -g -fno-omit-frame-pointer -DDEBUG" make -j2 check-integration COVERAGE=1 PREFIX=${HOME}/.local DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}
after_success:
- if test $TRAVIS_OS_NAME = linux; then coveralls -i lib -i daemon -x ".c" --gcov-options '\-lp'; fi
sudo: false
cache:
directories:
- ${HOME}/.local
- ${HOME}/.cache/pip
before_cache:
- rm -f ${HOME}/.local/sbin/kresd
- rm -f ${HOME}/.local/lib/libkres.*
- rm -rf ${HOME}/.local/include/libkres
- rm -rf ${HOME}/.local/lib/kdns_modules
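Review bot: `rooms: cznic:xNJmvHU2xu2aGtN7Y2eqHKoD` and the Gitter URL `https://webhooks.gitter.im/e/66485d8f591942052faa` are notification credentials committed in plaintext; Travis expects these under `secure:` (the output of `travis encrypt`) precisely so they never sit in the repository. From this rendered compare I cannot tell whether `.travis.yml` is the removed side, but either way the values remain in git history and should be treated as leaked — revoke or rotate the Slack integration token and the Gitter webhook and, if the file stays, replace both with `secure:` blobs. Unrelated but in the same file: with `os: - osx` as the only OS, the `if test $TRAVIS_OS_NAME = linux` guard in `after_success` can never be true, so the coveralls upload never runs as configured.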
# Inner architecture of the manager
![architecture diagram](docs/img/manager_architecture_diagram.svg)
## API
The API server is implemented using [`aiohttp`](https://docs.aiohttp.org/en/stable/). This framework provides the application skeleton and manages application runtime. The manager is actually a normal web application with the slight difference that we don't save the data in a database but rather modify systems state.
## Data processing
From the web framework, we receive data as simple strings. After this step, we return a fully typed object with valid configuration (or an exception with an error).
### Parsing
We currently support YAML and JSON and decide based on `Content-Type` header (JSON being the default if no `Content-Type` header is provided). We use the Python's [build-in JSON parser](https://docs.python.org/3/library/json.html) and [`PyYAML`](https://pyyaml.org/).
### Schema and type validation
The parsing step returns a dict-like object, which does not provide any guarantees about it's content. We map the values from this object to a proper class object based on Python's native type annotations. The code to do this is custom made, no libraries needed.
### Normalization
After we move the configuration to the typed objects, we need to normalize its values for further use. For example, all `auto` values should be replaced by real infered values. The result of this step is yet another typed object, but different than the input one so that we can statically distinguish between normalized and not-normalized config data.
## Actual manager
The actual core of the whole application is originally named the manager. It keeps a high-level view of the systems state and performs all necessary operations to change the state to the desired one. It does not interact with the system directly, majority of interactions are hidden behing abstract backends.
Every other part of the processing pipeline is fully concurrent. The manager is a place where synchronization happens.
## Backends
The Knot Resolver Manager supports several backends, more specifically several service managers that can run our workers. The main one being `systemd` has several variants, so that it can run even without privileges. The other currently supported option is `supervisord`.
The used backend is chosen automatically on startup based on available privileges and other running software. This decision can be overriden manually using a command line option.
# Partial config updates
The pipeline described above works well when the user provides full configuration through the API. However, some users might want to make only partial changes as it allows several independent client applications to change different parts of the config independently without explicit synchronization on their part.
When a user submits a partial config, we parse it and change the last used config accordingly. The change happens before the normalization step as that is the first step modifing provided data.
\ No newline at end of file
Marek Vavrusa <marek@vavrusa.com>
Ondřej Surý <ondrej.sury@nic.cz>
Jan Vcelak <jan.vcelak@nic.cz>
Grigorii Demidov <grigorii.demidov@nic.cz>
Karel Slany <karel.slany@nic.cz>
Knot Resolver was conceived and is being developed
by research department of CZ.NIC, the CZ TLD operator.
Over the years many organizations and individuals contributed to the project.
Special thanks belongs to following organizations:
- Comcast
- Cloudflare
- ICANN
People who contributed commits to our Git repo are:
Aleš Mrázek <ales.mrazek@nic.cz>
Alex Forster <aforster@cloudflare.com>
Ali Asad Lotia <ali.asad.lotia@gmail.com>
Anbang Wen <anbang@cloudflare.com>
Andreas Rammhold <andreas@rammhold.de>
Christophe Nowicki <cscm@csquad.org>
Christopher Ng <facboy@gmail.com>
cronfy <cronfy@gmail.com>
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Salzman <daniel.salzman@nic.cz>
daurnimator <quae@daurnimator.com>
David Beitey <david@davidjb.com>
Felix Yan <felixonmars@archlinux.org>
Frantisek Tobias <frantisek.tobias@nic.cz>
Grigorii Demidov <grigorii.demidov@nic.cz>
Hasnat <hasnat.ullah@gmail.com>
Héctor Molinero Fernández <hector@molinero.dev>
Ivana Krumlová <ivana.krumlova@nic.cz>
Jakub Jirutka <jakub@jirutka.cz>
Jakub Ružička <jakub.ruzicka@nic.cz>
Jan Hák <jan.hak@nic.cz>
Jan Holuša <jan.holusa@nic.cz>
Jan Pavlinec <jan.pavlinec@nic.cz>
Jan Včelák <jan.vcelak@nic.cz>
Jayson Reis <santosdosreis@gmail.com>
Jiří Helebrant <jiri.helebrant@nic.cz>
Jonathan Coetzee <jon@thancoetzee.com>
Josh Soref <jsoref@users.noreply.github.com>
Karel Slaný <karel.slany@nic.cz>
Kirill A. Korinsky <kirill@korins.ky>
Konstantin Amelichev <kostya.amelichev@gmail.com>
Ladislav Lhotka <ladislav.lhotka@nic.cz>
Leo Vandewoestijne <github@unicycle.net>
Libor Peltan <libor.peltan@nic.cz>
Lukáš Ježek <lukas.jezek@nic.cz>
Lukáš Ondráček <lukas.ondracek@nic.cz>
Manu Bretelle <chantr4@gmail.com>
Marek Vavruša <mvavrusa@cloudflare.com>
menakite <29005531+menakite@users.noreply.github.com>
Michal Karm Babáček <karm@email.cz>
Michal Lupečka <mlupecka@nic.cz>
Ondřej Surý <ondrej.sury@nic.cz>
Oto Šťáva <oto.stava@nic.cz>
Paul Hoffman <paul.hoffman@icann.org>
Pavel Doležal <pavel.dolezal@nic.cz>
Pavel Valach <valach.pavel@gmail.com>
Tomas Hozza <thozza@redhat.com>
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Vladimír Čunát <vladimir.cunat@nic.cz>
Štěpán Balážik <stepan.balazik@nic.cz>
Peter Keresztes Schmidt <carbenium@outlook.com>
Petr Špaček <petr.spacek@nic.cz>
realPy <t3sla@v-ip.fr>
rickhg12hs <rickhg12hs@users.noreply.github.com>
Robert Šefr <robert.sefr@outlook.com>
SH <sh@analogic.cz>
Simon South <simon@simonsouth.net>
Štěpán Balážik <stepan@balazik.cz>
Štěpán Kotek <stepan.kotek@nic.cz>
The Gitter Badger <badger@gitter.im>
Tomáš Hozza <thozza@redhat.com>
Tomáš Křížek <tomas.krizek@nic.cz>
Tom Herbers <mail@tomherbers.de>
Ulrich Wisser <ulrich.wisser@iis.se>
Václav Šraier <vaclav.sraier@nic.cz>
Vicky Shrestha <vicky@cloudflare.com>
Vítězslav Kříž <vitezslav.kriz@nic.cz>
Vladimír Čunát <vladimir.cunat@nic.cz>
Knot Resolver source tree also bundles code and content published by:
Austin Appleby <aappleby@gmail.com>
Dan Vanderkam <danvdk@gmail.com>
Jonathan Allard <jonathan@allard.io>
Joseph A. Adams <joeyadams3.14159@gmail.com>
Mark DiMarco <mark.dimarco@gmail.com>
Michael Bostock <mike@ocks.org>
Rusty Russell <rusty@rustcorp.com.au>
Thomas Park <thomas@thomaspark.co>
Vincent Bernat <vincent@bernat.im>
Fastly
jQuery Foundation
Knot DNS contributors
Twitter
United Computer Wizards
Thanks to everyone who knowingly or unknowingly contributed!
Contributing
============
Please file issues and merge requests against the upstream repository:
[https://gitlab.nic.cz/knot/knot-resolver](https://gitlab.nic.cz/knot/knot-resolver)
Opening a merge request on gitlab.nic.cz
----------------------------------------
Unfortunately, due to administrative policy, forking is disabled by default. To
be able to fork, please send us an e-mail with your username to knot-resolver@labs.nic.cz
We apologize for the inconvenience and if you can't be bothered, please
consider alternate ways of contributing, such as:
- Opening a pull request on [github.com](https://github.com/CZ-NIC/knot-resolver).
We'll take care of it and move it to our upstream.
- Sending a patch to the users list: knot-resolver-users@lists.nic.cz
Unless specifically indicated otherwise in a file or directory,
files are licensed under GNU GPL license either version 3, or
(at your option) any later version.
SPDX-License-Identifier: GPL-3.0-or-later
SPDX-URL: https://spdx.org/licenses/GPL-3.0-or-later.html
License-Text:
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
......
# SPDX-License-Identifier: GPL-3.0-or-later
# Intermediate container for build
FROM debian:12 AS build
ENV OBS_REPO=knot-resolver-latest
ENV DISTROTEST_REPO=Debian_12
RUN apt-get update -qq && \
apt-get -qqq -y install \
apt-transport-https ca-certificates wget \
pipx devscripts && \
pipx install apkg
RUN wget -O /usr/share/keyrings/cznic-labs-pkg.gpg https://pkg.labs.nic.cz/gpg && \
echo "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-resolver bookworm main" \
> /etc/apt/sources.list.d/cznic-labs-knot-resolver.list && \
apt-get update -qq
COPY . /source
RUN cd /source && \
export PATH="$PATH:/root/.local/bin" && \
git submodule update --init --recursive && \
git config --global user.name "Docker Build" && \
git config --global user.email docker-build@knot-resolver && \
\
# Replace 'knot-resolver' user and group with 'root'
# in meson_options.tx and python/knot_resolver/constants.py.
# This is needed for the file/directory permissions validation
# and then for the proper functioning of the resolver.
sed s/knot-resolver/root/g -i meson_options.txt && \
sed 's/USER.*/USER = "root"/g' -i python/knot_resolver/constants.py && \
sed 's/GROUP.*/GROUP = "root"/g' -i python/knot_resolver/constants.py && \
git commit -a -m TMP && \
\
/root/.local/bin/apkg build-dep -y && \
/root/.local/bin/apkg build
# Real container
FROM debian:12-slim AS runtime
ENV OBS_REPO=knot-resolver-latest
ENV DISTROTEST_REPO=Debian_12
RUN apt-get update -qq && \
apt-get -qqq -y install apt-transport-https ca-certificates
COPY --from=build \
/usr/share/keyrings/cznic-labs-pkg.gpg \
/usr/share/keyrings/cznic-labs-pkg.gpg
COPY --from=build \
/etc/apt/sources.list.d/cznic-labs-knot-resolver.list \
/etc/apt/sources.list.d/cznic-labs-knot-resolver.list
RUN apt-get update -qq && \
apt-get upgrade -qq
COPY --from=build /source/pkg/pkgs/debian-12 /pkg
# install resolver, minimize image and prepare config directory
RUN apt-get install -y /pkg/*/*.deb && \
rm -r /pkg && \
apt-get remove -y -qq curl gnupg2 && \
apt-get autoremove -y && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
COPY etc/config/config.example.docker.yaml /etc/knot-resolver/config.yaml
LABEL cz.knot-resolver.vendor="CZ.NIC"
LABEL maintainer="knot-resolver-users@lists.nic.cz"
# Export plain DNS, DoT, DoH and management interface
EXPOSE 53/UDP 53/TCP 443/TCP 853/TCP 5000/TCP
# Prepare shared config
VOLUME /etc/knot-resolver
# Prepare shared cache
VOLUME /var/cache/knot-resolver
ENTRYPOINT ["/usr/bin/knot-resolver"]
CMD ["-c", "/etc/knot-resolver/config.yaml"]
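Review bot: The runtime stage has no `USER` instruction and the build stage deliberately rewrites the `knot-resolver` user and group to `root` (`sed s/knot-resolver/root/g -i meson_options.txt` plus the two `constants.py` edits), so the resolver that parses untrusted DNS on the `EXPOSE`d ports runs as root inside the container. The build-stage comment explains this is needed for permission validation; that trade-off should be stated in the runtime stage too, e.g. `# NOTE: no USER — resolver runs as root until permission validation supports an unprivileged user (see sed in build stage)`, and tracked in an issue so it is not silently permanent. `EXPOSE 5000/TCP` publishes the management API alongside DNS; the copied example config is not visible here, so a comment that this port must not be published to untrusted networks would help operators. Finally, `wget -O /usr/share/keyrings/cznic-labs-pkg.gpg https://pkg.labs.nic.cz/gpg` trusts the repo signing key purely on TLS to the same host that serves the packages; comparing its fingerprint against a value baked into the Dockerfile (`gpg --show-keys --with-fingerprint`) would make package signing meaningful independently of that host.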
# Assumptions
Our main design goal is, that **the manager MUST NOT BE a required component.** Domains must be resolveable even in the absense of the manager. We want this, because of backwards compatibility with the way `kresd` has worked before. But another good reason is that `kresd` has been battle tested and is reasonably reliable. We can't say the same about manager as we do not have practical experiences with it at the time of writing.
This goal leads to usage of external service managers like systemd. Manager is therefore "just" a tool for configuring service managers. If we crash, the `kresd`'s will keep running.
# When can we expect errors
Majority of errors can meaningfully happen only when changing configuration which we do at different lifecycle stages of manager. We are changing configuration of the service managers on manager's startup and shutdown, and when change of configuration is requested (by a signal or HTTP request). Each of these situations can have a different error handling mechanisms to match user's expectations.
Additional to the errors mentioned above, we can sometimes detect, that future configuration changes will fail. Manager has a periodic watchdog monitoring health of the system and detecting failures before they actually happen.
To sum it up, errors can be raised:
* on configuration changes
* during startup
* in response to a config change request
* on shutdown
* proactively from our periodic watchdog
# How should we handle errors
## Errors on startup
**All errors should be fatal.** If something goes wrong, it's better to stop immediately before we make anything worse. Also, if we fail to start, the user will more likely notice.
## Error handling after config change requests
**All errors, that stem from the configuration change, should be reported and the manager should keep running.** Before the actual change though, watchdog should be manually invoked.
## Error handling during shutdown
**All errors should be fatal.** It does not make sense to try to correct any problems at that point.
## Error handling from watchdog
```
error_counter = 0
on error:
if error_counter > ERROR_COUNTER_THRESHOLD:
raise a fatal error
error_counter += 1
try to fix the situation
if unsucessful, fatal error
every ERROR_COUNTER_DECREASE_INTERVAL:
if error_counter > 0:
error_counter -= 1
```
Reasonable constants are probably:
```
ERROR_COUNTER_THRESHOLD = 2
ERROR_COUNTER_DECREASE_INTERVAL = 30min
```
include config.mk
include platform.mk
# Targets
all: info lib daemon client modules
install: lib-install daemon-install client-install modules-install etc-install
check: all tests
clean: contrib-clean lib-clean daemon-clean client-clean modules-clean \
tests-clean doc-clean bench-clean
doc: doc-html
.PHONY: all install check clean doc info
# Options
ifdef COVERAGE
BUILD_CFLAGS += --coverage
endif
# Dependencies
$(eval $(call find_lib,libknot,2.3.1,yes))
$(eval $(call find_lib,libdnssec,2.3.1,yes))
$(eval $(call find_lib,libzscanner,2.3.1,yes))
$(eval $(call find_lib,lmdb))
$(eval $(call find_lib,libuv,1.0,yes))
$(eval $(call find_lib,nettle,,yes))
$(eval $(call find_alt,lua,luajit))
$(eval $(call find_luapkg,ltn12))
$(eval $(call find_luapkg,ssl.https))
$(eval $(call find_lib,cmocka))
$(eval $(call find_bin,doxygen))
$(eval $(call find_bin,sphinx-build))
$(eval $(call find_pythonpkg,breathe))
$(eval $(call find_lib,libmemcached,1.0))
$(eval $(call find_lib,hiredis,,yes))
$(eval $(call find_lib,socket_wrapper))
$(eval $(call find_lib,libsystemd,227))
$(eval $(call find_lib,gnutls))
$(eval $(call find_lib,libedit))
# Lookup SONAME
$(eval $(call find_soname,libknot))
$(eval $(call find_soname,libzscanner))
ifeq ($(libknot_SONAME),)
$(error "Unable to resolve libknot_SONAME, update find_soname in platform.mk")
endif
ifeq ($(libzscanner_SONAME),)
$(error "Unable to resolve libzscanner_SONAME, update find_some in platform.mk")
endif
# Find Go version and platform
GO_VERSION := $(shell $(GO) version 2>/dev/null)
ifeq ($(GO_VERSION),)
GO_VERSION := 0
else
GO_PLATFORM := $(word 2,$(subst /, ,$(word 4,$(GO_VERSION))))
GO_VERSION := $(subst .,,$(subst go,,$(word 3,$(GO_VERSION))))
endif
$(eval $(call find_ver,go,$(GO_VERSION),16))
# Check if Go is able to build shared libraries
ifeq ($(HAS_go),yes)
ifneq ($(GO_PLATFORM),$(filter $(GO_PLATFORM),amd64 386 arm arm64))
HAS_go := no
endif
else
$(eval $(call find_ver,go,$(GO_VERSION),15))
ifeq ($HAS_go,yes)
ifneq ($(GO_PLATFORM),$(filter $(GO_PLATFORM),arm amd64))
HAS_go := no
endif
endif
endif
# Overview
info:
$(info Target: Knot DNS Resolver $(VERSION)-$(PLATFORM))
$(info Compiler: $(CC) $(BUILD_CFLAGS))
$(info )
$(info Variables)
$(info ---------)
$(info HARDENING: $(HARDENING))
$(info BUILDMODE: $(BUILDMODE))
$(info PREFIX: $(PREFIX))
$(info PREFIX: $(PREFIX))
$(info DESTDIR: $(DESTDIR))
$(info BINDIR: $(BINDIR))
$(info SBINDIR: $(SBINDIR))
$(info LIBDIR: $(LIBDIR))
$(info ETCDIR: $(ETCDIR))
$(info INCLUDEDIR: $(INCLUDEDIR))
$(info MODULEDIR: $(MODULEDIR))
$(info )
$(info Core Dependencies)
$(info ------------)
$(info [$(HAS_libknot)] libknot (lib))
$(info [yes] $(if $(filter $(HAS_lmdb),yes),system,embedded) lmdb (lib))
$(info [$(HAS_lua)] luajit (daemon))
$(info [$(HAS_libuv)] libuv (daemon))
$(info [$(HAS_gnutls)] libgnutls (daemon))
$(info )
$(info Optional)
$(info --------)
$(info [$(HAS_doxygen)] doxygen (doc))
$(info [$(HAS_sphinx-build)] sphinx-build (doc))
$(info [$(HAS_breathe)] python-breathe (doc))
$(info [$(HAS_go)] go (modules/go, Go buildmode=c-shared support))
$(info [$(HAS_libmemcached)] libmemcached (modules/memcached))
$(info [$(HAS_hiredis)] hiredis (modules/redis))
$(info [$(HAS_cmocka)] cmocka (tests/unit))
$(info [$(HAS_libsystemd)] systemd (daemon))
$(info [$(HAS_nettle)] nettle (modules/cookies))
$(info [$(HAS_ltn12)] Lua socket ltn12 (trust anchor bootstrapping))
$(info [$(HAS_ssl.https)] Lua ssl.https (trust anchor bootstrapping))
$(info [$(HAS_libedit)] libedit (client))
$(info )
# Verify required dependencies are met, as listed above
ifeq ($(HAS_libknot),no)
$(error libknot >= 2.3.1 required)
endif
ifeq ($(HAS_libzscanner),no)
$(error libzscanner >= 2.3.1 required)
endif
ifeq ($(HAS_libdnssec),no)
$(error libdnssec >= 2.3.1 required)
endif
ifeq ($(HAS_lua),no)
$(error luajit required)
endif
ifeq ($(HAS_libuv),no)
$(error libuv >= 1.0 required)
endif
ifeq ($(HAS_gnutls),no)
$(error gnutls required)
endif
BUILD_CFLAGS += $(libknot_CFLAGS) $(libuv_CFLAGS) $(nettle_CFLAGS) $(cmocka_CFLAGS) $(lua_CFLAGS) $(libdnssec_CFLAGS) $(libsystemd_CFLAGS)
BUILD_CFLAGS += $(addprefix -I,$(wildcard contrib/ccan/*) contrib/murmurhash3)
# Work around luajit on OS X
ifeq ($(PLATFORM), Darwin)
ifneq (,$(findstring luajit, $(lua_LIBS)))
lua_LIBS += -pagezero_size 10000 -image_base 100000000
endif
endif
# Check if it has libknot 2.3.0 and nettle to support DNS cookies
$(eval $(call find_alt,knot230,libknot,2.3))
ifeq ($(HAS_nettle)|$(HAS_knot230),yes|yes)
BUILD_CFLAGS += -DENABLE_COOKIES
ENABLE_COOKIES := yes
endif
# Installation directories
$(DESTDIR)$(MODULEDIR):
$(INSTALL) -d $@
$(DESTDIR)$(ETCDIR):
$(INSTALL) -m 0750 -d $@
# Sub-targets
include contrib/contrib.mk
include lib/lib.mk
include daemon/daemon.mk
include modules/modules.mk
include tests/tests.mk
include doc/doc.mk
include etc/etc.mk
include bench/bench.mk