Open ousatov-ua opened 5 months ago
https://manpages.debian.org/bookworm/unbound/unbound.conf.5.en.html#chroot:
Quoted below from the last paragraph in the link:
If given a chroot is done to the given directory. By default chroot is enabled and the default is "".
Using the default configuration in the distribution-provided unbound pkg, the configs in this guide work fine for log and socket paths. The compiled version of Unbound provided at unbound-redis uses the same default config for chroot.
The majority of people use the default config for chroot; the configs provided in this documentation were made to work for them. Anyone using a custom config has to make the appropriate changes, not just in this scenario but in other cases as well, to meet their specific requirements.
You changed the chroot in your personal config from the default to point to some dir. That is why you got the errors and had to give permission within apparmor. So you can either comment out the chroot line in your config to keep it default or make the apparmor change.
What is the value of chroot in your unbound.conf?
Hi!
I have installed Unbound using apt.
I did not specify chroot in the config, so it has the "default" value.
So, having a default installation of Unbound, without specifying chroot, I get an exception about write permissions to both unbound.log and unbound.sock.
Debian 12.
Hello, Please paste the output of these 2 cmds:
unbound-checkconf -f -o chroot
unbound -V
sudo unbound-checkconf -f -o chroot
gives an empty string.
I did not specify any chroot additionally, so this is the default behavior.
unbound -V
Version 1.17.1
Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.11 19 Sep 2023
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
So this is as expected: --with-chroot-dir= is empty.
cat /lib/systemd/system/unbound.service
[Unit]
Description=Unbound DNS server
Documentation=man:unbound(8)
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=notify
Restart=on-failure
EnvironmentFile=-/etc/default/unbound
ExecStartPre=-/usr/libexec/unbound-helper chroot_setup
ExecStartPre=-/usr/libexec/unbound-helper root_trust_anchor_update
ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS
ExecStopPost=-/usr/libexec/unbound-helper chroot_teardown
ExecReload=+/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
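The diagnosis walked through in this thread (the build-time `--with-chroot-dir` value from `unbound -V`, the configured value from `unbound-checkconf -f -o chroot`, and where a log or socket path actually ends up once a chroot is in effect) can be scripted so it is repeatable. The script below is an added example, not code from this PR or from the unbound project. It embeds an abridged copy of the `unbound -V` output posted above as its sample, uses constructed log and socket paths, and assumes the path rule that a configured path already starting with the chroot directory is used as-is while any other path is taken relative to the chroot root.

```shell
#!/bin/sh
# Added example (not from the PR or the unbound project): reproduce the
# chroot diagnosis from this thread offline, on captured command output.

# Sample `unbound -V` output, abridged from the thread above (constructed sample).
UNBOUND_V_OUTPUT='Version 1.17.1
Configure line: --build=x86_64-linux-gnu --prefix=/usr --sysconfdir=/etc --with-chroot-dir= --with-pidfile=/run/unbound.pid --with-rootkey-file=/usr/share/dns/root.key
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.11 19 Sep 2023'

# Print the value of one --<name>=VALUE option from the configure line.
# Prints an empty string when the option is present but has no value.
configure_option() {
    # $1 = option name without leading dashes (e.g. with-chroot-dir)
    # $2 = full text of `unbound -V`
    printf '%s\n' "$2" | sed -n 's/^Configure line: //p' | tr ' ' '\n' \
        | sed -n "s/^--$1=//p"
}

# Host-side path at which a configured file is opened when chroot is $1.
# Assumed rule: a path that already starts with the chroot directory is used
# unchanged; any other path is resolved relative to the chroot root.
host_path_for() {
    # $1 = chroot directory ("" = no chroot), $2 = path from unbound.conf
    chroot_dir=$1
    path=$2
    if [ -z "$chroot_dir" ]; then
        printf '%s\n' "$path"
        return 0
    fi
    case "$path" in
        "$chroot_dir"/*) printf '%s\n' "$path" ;;                  # prefix already present
        /*)              printf '%s%s\n' "$chroot_dir" "$path" ;;  # absolute, inside chroot
        *)               printf '%s/%s\n' "$chroot_dir" "$path" ;; # relative to chroot
    esac
}

# Summarise the three places a chroot can come from and where the files land.
report() {
    # $1 = output of `unbound-checkconf -f -o chroot` (empty = none configured)
    conf_chroot=${1:-}
    build_chroot=$(configure_option with-chroot-dir "$UNBOUND_V_OUTPUT")
    echo "build-time chroot : '${build_chroot}'"
    echo "configured chroot : '${conf_chroot}'"
    # Constructed sample paths standing in for logfile: and control socket settings.
    for f in /var/log/unbound/unbound.log /run/unbound.sock; do
        echo "$f -> $(host_path_for "$conf_chroot" "$f")"
    done
    if [ -z "$build_chroot" ] && [ -z "$conf_chroot" ]; then
        echo "No chroot from build or config. If the daemon still cannot write these files,"
        echo "check the distro's unbound-helper chroot_setup step and its AppArmor profile."
    fi
}

report ""
```

Run it as-is to see the Debian case from this thread (both chroot sources empty, so the remaining suspects are the `unbound-helper chroot_setup` ExecStartPre step and the AppArmor profile); pass a directory, e.g. `report /etc/unbound`, to see how the same log and socket paths move under a chroot.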
Thanks for the update.
The distro is setting the chroot dir somewhere outside the unbound build and config, most probably using the distro-specific apparmor unbound config along with the distro-specific unbound-helper script.
This dashboard and the unbound build setup are targeted at the compiled version of unbound. The compiled version works fine; I am using it.
I will look into the distro based pkg of unbound and update the documentation at the appropriate place, linking to this pull request.
Hi! Sure, I just wanted to make it easier to set up for other people; no need to link any further changes in the README to this PR. Thanks again for your repo :)
@ar51an BTW, please setup a link to Buy me a Coffee or something else - I would donate for your work, and I believe others would like too
Hi @ar51an! There will be errors about lack of permissions for unbound.log and unbound.sock if Unbound is running under chroot. By default, it will run in this mode on Debian if installed by apt.
I did not check a locally compiled version of Unbound, so my changes are only for Unbound installed from the repository.
Tested on Debian 12.
And thank you for your work! Brilliant!