On 05.11.18 at 16:19, Timo Sigurdsson via Unbound-users wrote:
> Hi,
Hello Timo,
> I'm currently running unbound 1.8.0 on Linux (Debian) and wonder how to
> properly set up the chroot environment – especially which files need to be
> accessible from within the chroot.
I have "dev/random" and a copy of "etc/unbound/unbound.conf".
> 1) I'm using the tls-cert-bundle option in order to forward requests to
> upstream servers that support DNS over TLS. The certificate bundle is outside
> of unbound's configuration directory and chroot directory. In a quick test,
> I'm able to run unbound in a chroot, without making the certificate bundle
> available from within the chroot. So, I'm assuming the certificate bundle is
> read before unbound enters the chroot and not accessed anymore afterwards.
> But is this always true? Will unbound at some point need access to the
> tls-cert-bundle from within the chroot?
Try something like "unbound-control reload" or "killall -HUP unbound".
See if the PID is still the same and check whether something breaks.
To make remote control work, I set
  remote-control:
    control-enable: yes
    control-interface: /run/unbound-control.socket
    control-use-cert: no
This socket is set up as root in a directory (/run) that is only writable by root.
Later unbound changes the permissions to 0660, user unbound, group unbound (at least here).
There is no need to access that socket from inside chroot.
> 2) On Debian with systemd, unbound is a service of the type "notify". A bug
> report suggests that the socket /run/systemd/notify should be made accessible
> from within the chroot[1]. Is this needed? During my little testing, it
> didn't seem to make a difference whether the socket was bind mounted to the
> chroot or not.
unbound works fine without systemd, too :-)
> 3) The man page mentions that /dev/random should be accessible. Since I don't
> run into errors when I set up the chroot without a bind mount for
> /dev/random, I'm wondering whether access to /dev/random is only needed in
> certain configurations? The same goes for /dev/log. But is this really needed
> regardless of whether a log file or syslog is used for logging?
I don't use bind mounts but simply run "mknod --mode 0666 $(CHROOT)/dev/random c 1 8".
I have no syslog at all but log to STDOUT.
> 4) Are there any other files/locations that should be made accessible inside
> the chroot in order to ensure reliable operation, aside from the
> configuration files and the auto-trust-anchor-file? If I look at the apparmor
> profile for unbound, it seems a lot more files might be accessed, but of
> course that might only be the case before chroot is entered.
If you configure auto-trust-anchor-file, that file is also required inside the chroot.
Normally unbound.conf defines a directory statement with "/etc/unbound/" as the default value.
That way you may use relative pathnames for auto-trust-anchor-file:
  auto-trust-anchor-file: trust/root-rfc5011.anchor
Without chroot (chroot: "") that refers to /etc/unbound/trust/root-rfc5011.anchor;
with chroot (chroot: "/chroot/unbound/") the same entry refers to
"/chroot/unbound/etc/unbound/trust/root-rfc5011.anchor".
Same for root-hints, which I normally don't use: a recent unbound comes with
recent root-hint data ...
Andreas
Re: Running unbound in a chroot: Which files need to be accessible?
A. Schulze via Unbound-users Mon, 05 Nov 2018 09:17:20 -0800
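As an added example (not code from this thread or from the Unbound project), the steps the reply describes as a POSIX shell script: resolving a relative auto-trust-anchor-file against `directory:` and `chroot:`, laying out the chroot with a copy of unbound.conf, the anchor and a dev/random character device created with `mknod c 1 8` as in the reply, checking what must be reachable before the daemon starts, and the "reload and compare the PID" test. The chroot root, the anchor file name, the tiny unbound.conf option reader and the handling of absolute paths are assumptions of this example; the sample config used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Unbound project.
# Assumed (not stated in the reply): chroot layout under $CHROOT/etc/unbound,
# anchor name trust/root-rfc5011.anchor, and a minimal unbound.conf option reader.
set -u

# Read one option (e.g. directory, auto-trust-anchor-file) from unbound.conf:
# first match wins; trailing comments, trailing blanks and quotes are stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | sed 's/#.*$//; s/[[:space:]]*$//; s/^"//; s/"$//' \
        | head -n 1
}

# Host path unbound opens for a file named in the config once it has entered
# the chroot: relative names resolve against `directory:`, and that directory
# itself lives under `chroot:`. Absolute names are returned unchanged here
# (assumption: they are written as host paths below the chroot, as unbound
# expects, and unbound strips the chroot prefix before opening them).
resolve_chroot_path() {
    _chroot=$(printf '%s' "$1" | sed 's#/*$##')          # drop trailing slashes
    _dir=$(printf '%s' "$2" | sed 's#^/*##; s#/*$##')   # drop leading/trailing slashes
    case $3 in
        /*) printf '%s\n' "$3" ;;
        *)  printf '%s/%s/%s\n' "$_chroot" "$_dir" "$3" ;;
    esac
}

# Lay out the chroot the way the reply describes: a copy of unbound.conf, the
# trust anchor, and dev/random as character device 1,8 (mknod, no bind mount).
# $1 = chroot root   $2 = host unbound.conf   $3 = host anchor file
make_unbound_chroot() {
    mkdir -p "$1/etc/unbound/trust" "$1/dev"
    cp "$2" "$1/etc/unbound/unbound.conf"
    cp "$3" "$1/etc/unbound/trust/root-rfc5011.anchor"
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: cannot mknod $1/dev/random, run this step as root" >&2
        return 0
    fi
    [ -c "$1/dev/random" ] || mknod --mode 0666 "$1/dev/random" c 1 8 \
        || echo "warning: mknod $1/dev/random failed" >&2
    # RFC 5011 rollover rewrites the anchor file, so the unbound user must be
    # able to write it (chown fails harmlessly here if no such user exists)
    chown unbound:unbound "$1/etc/unbound/trust/root-rfc5011.anchor" \
        || echo "warning: chown to unbound:unbound failed" >&2
}

# Before starting unbound: is everything it needs after chroot(2) present?
# Prints each missing item and returns 1 if anything is missing.
check_unbound_chroot() {
    _root=$1; _missing=0
    _conf=$_root/etc/unbound/unbound.conf
    [ -f "$_conf" ] || { echo "missing: $_conf"; return 1; }
    _dir=$(conf_value "$_conf" directory)
    _anchor=$(conf_value "$_conf" auto-trust-anchor-file)
    if [ -n "$_anchor" ]; then
        _path=$(resolve_chroot_path "$_root" "${_dir:-/etc/unbound}" "$_anchor")
        [ -f "$_path" ] || { echo "missing anchor: $_path"; _missing=1; }
    fi
    [ -c "$_root/dev/random" ] \
        || { echo "missing char device: $_root/dev/random"; _missing=1; }
    return $_missing
}

# The reply's test for "is this file still needed after chroot": reload the
# running daemon and confirm its PID is unchanged, i.e. it survived the reload.
reload_keeps_pid() {
    _before=$(pgrep -x unbound | head -n 1)
    [ -n "$_before" ] || { echo "unbound is not running" >&2; return 2; }
    unbound-control reload >/dev/null || return 1
    _after=$(pgrep -x unbound | head -n 1)
    [ "$_before" = "$_after" ]
}
```

Run make_unbound_chroot as root, then check_unbound_chroot against the same root before starting the daemon; after changing the config or removing a file you suspect is no longer needed, reload_keeps_pid reproduces the reload-and-compare-PID check from the reply.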
