Package: unbound
Version: 1.9.0-2+deb10u1
Severity: normal
Tags: patch

At startup the daemon creates its pidfile (/run/unbound.pid) while running as root, chown()s it to unbound:unbound, then drops privileges and runs as user unbound. At shutdown, the pidfile is successfully truncated, but the following unlink() call fails because /run is owned by root.
On a subsequent start the daemon is prevented by the apparmor profile from updating the pidfile (AFAICT, because it runs as root, but the file exists and is owned by unbound), and as a result the pidfile is left empty, and the daemon cannot be managed anymore. Of course, under systemd-sysv the problem does not exist.

I'm not proficient enough in apparmor to amend the profile, and I guess the proper solution should mimic the one for bind9 (i.e. a directory /run/named owned by root:bind), but in the meantime the following patch solved the problem for me and might be useful to other users.

Best regards,
g.b.

===================== patch begin
--- /etc/init.d/unbound.orig 2019-10-13 02:40:17.000000000 +0200 +++ /etc/init.d/unbound 2019-12-30 14:31:48.463876228 +0100 @@ -44,6 +44,7 @@ log_daemon_msg "Stopping $DESC" "$NAME" if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME --retry 5; then $HELPER resolvconf_stop + rm -f $PIDFILE log_end_msg 0 else log_end_msg 1 
@@ -51,16 +52,8 @@ ;; restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5 - $HELPER resolvconf_stop - if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then - $HELPER chroot_setup - $HELPER resolvconf_start - log_end_msg 0 - else - log_end_msg 1 - fi + $0 stop + $0 start ;; reload)
===================== patch end

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-6-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser         3.118
ii  dns-root-data   2019031302
ii  libc6           2.28-10
ii  libevent-2.1-6  2.1.8-stable-4
ii  libfstrm0       0.4.0-1
ii  libprotobuf-c1  1.3.1-1+b1
ii  libpython3.7    3.7.3-2
ii  libssl1.1       1.1.1d-0+deb10u2
ii  libsystemd0     241-7~deb10u2
ii  lsb-base        10.2019051400
ii  openssl         1.1.1d-0+deb10u2
ii  unbound-anchor  1.9.0-2+deb10u1

unbound recommends no packages.

Versions of packages unbound suggests:
ii  apparmor  2.13.2-10

-- Configuration Files:
/etc/init.d/unbound changed [not included]

-- no debconf information
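
Review bot: in the stop branch (hunk @@ -44,6 +44,7 @@), `rm -f $PIDFILE` expands the variable unquoted and only runs after an orderly stop. Quote it as `rm -f "$PIDFILE"`. The report says it is a leftover file at the next start that ends in an empty pidfile, and that state can also remain when the daemon goes away without this branch running (a crash, or the `log_end_msg 1` path). Consider also clearing a leftover pidfile in the start branch before `start-stop-daemon --start`.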
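
Review bot: in restart|force-reload (hunk @@ -51,16 +52,8 @@), the exit status of `$0 stop` is not checked before `$0 start` runs. A failed stop takes the `log_end_msg 1` path, which leaves the pidfile in place, and is then followed by a start attempt against that same file, while the action reports only the status of the start. Consider `"$0" stop && "$0" start`, with `$0` quoted. The removed `log_daemon_msg "Restarting $DESC" "$NAME"` line also means the action no longer logs a restart message, which deserves a mention in the changelog.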
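
A pre-start check for the state the report describes (a pidfile left behind empty, or naming a process that no longer exists), as an added example that is not part of the original report or of the Debian package. The function names are hypothetical, and the init script is assumed to call the check as root before `start-stop-daemon --start`.

```shell
#!/bin/sh
# Added example, not part of the Debian unbound package.
# pidfile_state and clear_unusable_pidfile are hypothetical helper names.

# Print one of: missing, empty, garbage, stale, live.
pidfile_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # A zero-length file is the case from the report: truncated at
    # shutdown, but never unlinked.
    [ -s "$f" ] || { echo empty; return 0; }
    pid=$(head -n 1 "$f" | tr -d '[:space:]')
    case $pid in
        ''|0|*[!0-9]*) echo garbage; return 0 ;;
    esac
    # kill -0 sends no signal, it only tests for the process; the /proc
    # test covers a caller that is not allowed to signal it (Linux).
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo live
    else
        echo stale
    fi
}

# Return 0 when the path is free for a new daemon instance, 1 when a
# running process still owns the pidfile.
clear_unusable_pidfile() {
    case $(pidfile_state "$1") in
        missing) return 0 ;;
        live)    return 1 ;;
        *)       rm -f -- "$1" ;;
    esac
}
```
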