From 27b72039c809ba4dff2e08df708e781fae9713d4 Mon Sep 17 00:00:00 2001
From: cliffmccarthy <16453869+cliffmccarthy@users.noreply.github.com>
Date: Mon, 27 Oct 2025 13:51:57 -0500
Subject: [PATCH] fix: Block unbound from starting up on install

- On an IPv4-only system, if unbound is started but not configured, it causes subsequent steps to fail to resolve hosts.
- Revised UnboundDeployer.install_impl() to use policy-rc.d to prevent the service from starting when installed. This is the same mechanism used to keep nginx from starting on install.
---
 cmdeploy/src/cmdeploy/__init__.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index adfbae4e..f7cf2bf6 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -325,11 +325,31 @@ class UnboundDeployer(Deployer):
  # Run local DNS resolver `unbound`.
  # `resolvconf` takes care of setting up /etc/resolv.conf
  # to use 127.0.0.1 as the resolver.
+
+ #
+ # On an IPv4-only system, if unbound is started but not
+ # configured, it causes subsequent steps to fail to resolve hosts.
+ # Here, we use policy-rc.d to prevent unbound from starting up
+ # on initial install. Later, we will configure it and start it.
+ #
+ # For documentation about policy-rc.d, see:
+ # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
+ #
+ files.put(
+ src=importlib.resources.files(__package__).joinpath("policy-rc.d"),
+ dest="/usr/sbin/policy-rc.d",
+ user="root",
+ group="root",
+ mode="755",
+ )
+
  apt.packages(
  name="Install unbound",
  packages=["unbound", "unbound-anchor", "dnsutils"],
  )
 
+ files.file("/usr/sbin/policy-rc.d", present=False)
+
  def configure_impl(self):
  server.shell(
  name="Generate root keys for validating DNSSEC",
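Review bot: The removal of `/usr/sbin/policy-rc.d` is a separate operation queued after `apt.packages`, so if the install step fails the deny policy presumably stays on the host and keeps blocking service starts for later package installs and upgrades; the `files.put` also overwrites, and the cleanup then deletes, any policy-rc.d an administrator had already placed there. Consider having the deploy clear a stale file on the next run and documenting the overwrite, and give both new operations a `name=` like the surrounding ones, e.g. `files.file(name="Remove policy-rc.d after unbound install", path="/usr/sbin/policy-rc.d", present=False)`. The bundled `policy-rc.d` script is not part of this patch, so whether it denies only unbound or every service cannot be checked here. `install_impl` begins above the hunk.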