fix: Block unbound from starting up on install

- On an IPv4-only system, if unbound is started but not configured, it causes subsequent steps to fail to resolve hosts. - Revised UnboundDeployer.install_impl() to use policy-rc.d to prevent the service from starting when installed. This is the same mechanism used to keep nginx from starting on install.
2026-05-10 16:04:37 +00:00 · 2025-10-27 13:51:57 -05:00
parent 32534251bf
commit 27b72039c8
1 changed files with 20 additions and 0 deletions
--- a/cmdeploy/src/cmdeploy/init.py
+++ b/cmdeploy/src/cmdeploy/init.py
@@ -325,11 +325,31 @@ class UnboundDeployer(Deployer):
        # Run local DNS resolver `unbound`.
        # `resolvconf` takes care of setting up /etc/resolv.conf
        # to use 127.0.0.1 as the resolver.
+
+        #
+        # On an IPv4-only system, if unbound is started but not
+        # configured, it causes subsequent steps to fail to resolve hosts.
+        # Here, we use policy-rc.d to prevent unbound from starting up
+        # on initial install.  Later, we will configure it and start it.
+        #
+        # For documentation about policy-rc.d, see:
+        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
+        #
+        files.put(
+            src=importlib.resources.files(__package__).joinpath("policy-rc.d"),
+            dest="/usr/sbin/policy-rc.d",
+            user="root",
+            group="root",
+            mode="755",
+        )
+
        apt.packages(
            name="Install unbound",
            packages=["unbound", "unbound-anchor", "dnsutils"],
        )

+        files.file("/usr/sbin/policy-rc.d", present=False)
+
    def configure_impl(self):
        server.shell(
            name="Generate root keys for validating DNSSEC",