From 92757314e75c800192f7573eedbcd78549a3be45 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Fri, 15 Nov 2024 17:06:47 +0100
Subject: [PATCH] overlay coreos/config: Shrink net-dns/bind installation
---
.../coreos/config/env/net-dns/bind | 62 +++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind
new file mode 100644
index 0000000000..0cb2bea848
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind
@@ -0,0 +1,62 @@
+# Keep only tool binaries and libraries those binaries need.
+ndb_install_mask="
+ /etc
+ /var
+ /usr/bin/arpaname
+ /usr/bin/named-*
+ /usr/bin/nsec3hash
+ /usr/lib/systemd
+ /usr/lib/tmpfiles.d
+ /usr/lib64/bind
+ /usr/lib64/libisccc*
+ /usr/libexec
+ /usr/sbin
+"
+
+INSTALL_MASK+="${ndb_install_mask}"
+PKG_INSTALL_MASK+="${ndb_install_mask}"
+
+unset ndb_install_mask
+
+# Override fowners to ignore changing owner or group to named. The
+# only files that this happens for are files that we have put into
+# {PKG_,}INSTALL_MASK. This will help us avoid installing
+# acct-user/named and acct-user/group.
+fowners_script=$(command -v fowners)
+fowners() {
+ if [[ ${#} -gt 0 && ( ${1} = named:* || ${1} = *:named ) ]]; then
+ return 0
+ fi
+ "${fowners_script}" "${@}"
+}
+
+# The pkg_postinst phase function wants to generate an rndc.key file
+# with /usr/sbin/rndc-confgen script if the key file is missing, then
+# change the ownership to the named group. We don't need the key file
+# at all as it's presumably for named. Also, we masked the installtion
+# of the script. Thus we fool the phase function by putting an empty
+# key file there, so the function won't trigger the generation. We
+# drop the key file later too.
+#
+# TODO: The paths ought to be prefixed with ${EROOT}, but the
+# 9.18.29-r2 ebuild is botched in this regard. This was fixed in
+# 9.18.31-r1, so when we update to that version, the ${EROOT} prefix
+# will need to be added.
+cros_pre_pkg_postinst_add_fake_rndc_key() {
+ local dir='/etc/bind'
+ if [[ ! -d "${dir}" ]]; then
+ mkdir "${dir}" || die
+ fi
+ touch "${dir}/rndc.key" || die
+}
+# TODO: This function should just do:
+#
+# rm -rf "${EROOT}/etc/bind" || die
+cros_post_pkg_postinst_drop_fake_rndc_key() {
+ # Remove the file only if it exists and is empty.
+ local dir='/etc/bind' file="${dir}/rndc.key"
+ if [[ -f "${file}" && ! -s "${file}" ]]; then
+ rm -f "${file}" || die
+ fi
+ rmdir "${dir}" # it's fine if it fails
+}
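Review bot: The `fowners` override resolves the real helper with `command -v fowners`, which prints the bare name `fowners` when a shell function of that name already exists. If this env file is sourced again while the wrapper is still defined (the hunk does not show whether Portage carries it across phases), the pass-through line `"${fowners_script}" "${@}"` would call the wrapper itself and recurse, and an empty result when the helper is not on PATH would end in running `""`. Resolving with `fowners_script=$(type -P fowners)` limits the lookup to executables on PATH, and a guard such as `[[ -n ${fowners_script} ]] || die "fowners helper not found"` before the pass-through makes a missing helper fail loudly. The match also inspects only `${1}`, so a call that leads with an option (for example `fowners -R named:named …`) is not skipped; a comment stating that the ebuild is assumed to pass the owner spec first would document that. Because the wrapper silently discards ownership changes, the header comment should also say how to re-check after a version bump that every affected path is still covered by `ndb_install_mask`.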