[Opendnssec-develop] Packing and OpenDNSSEC User Account

Jakob Schlyter jakob at kirei.se
Fri Jun 19 18:55:52 UTC 2009

On 19 jun 2009, at 18.33, Stephen.Morris at nominet.org.uk wrote:

> Packaging
> Although we will provide source, installing at least three pre- 
> requisites (ldns, libxml2 and Botan) and building OpenDNSSEC from  
> scratch (we definitely need a single Makefile!) is not a five-minute  
> task.  When we come around to releasing the software as a product,  
> we should think of statically linking everything and supplying pre- 
> built packages for at least one or two of the supported operating  
> systems.

A top makefile is absolutely useful, but only people building  
OpenDNSSEC themselves. Package maintainers will most likely want to  
build the different components separately and distribute them as  
separate packages to ease maintenance. I believe we've already decided  
that we (post-alpha) will create packages for Ubuntu and possibly  
Solaris. Those packages will depend on any external packages, so  
linking statically is not needed.

Also, distributing anything linking statically will force us to re- 
release software as soon as any vulnerabilities has emerged in the  
linked components. With dynamic linking, we do not have to care about  
this at all.

> User Account and Working Directory
> I notice that both the enforcer and the signer create a "var"  
> subdirectory in the installation directory.  I'm not sure this is a  
> good idea - I generally put software in a read-only area (which may  
> be on a partition of limited size).  Although it is possible to  
> subsequently move the "var" directory to another area and add a  
> symbolic link to it in the installation directory, I think we should  
> look at another solution.  A question related to this is "under what  
> username does OpenDNSSEC run?".

If configure is run correctly (see regression/ for examples), all  
OpenDNSSEC binaries is installed under $PREFIX, all user configurable  
data in /etc/opendnssec and all variable data in /var/opendnssec -  
just as one would expect.

What user the OpenDNSSEC components run under will be user definable  
and I suggest we discuss this next week together with chroot  
directories et al. My plan is that all such parameters should be  
commonly configured in the main configuration file (/etc/opendnssec/ 

> I would suggest that the recommended configuration be to create a  
> user account under which all the OpenDNSSEC software runs, and that  
> the working area for OpenDNSSEC be located in that user's home.  
> There would need to be some way of specifying the username at  
> startup, but for the moment, it could default to "opendnssec".

putting the working area in the users home is generally not  
recommended as the location of home directories varies among the  
operating systems, but we will make sure all components cwd (and in  
some cases chroot) into /var/opendssec as soon as possible.


More information about the Opendnssec-develop mailing list