Maintained by: NLnet Labs

[Unbound-users] unbound & random & chroot

W.C.A. Wijngaards
Mon Mar 30 14:25:56 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

Michael Tokarev wrote:
> Right now unbound (unlike nsd) runs just fine in chroot,
> including managing some stuff (like pid/log files)
> outside.  The only thing left is the random stuff:
> 
> Mar 29 11:54:40 gandalf unbound: [2470:0] notice: openssl has no
> entropy, seeding with time and pid
> 
> This can be solved by two ways:
>  1) providing /dev/random inside chroot and
>  2) initializing random number generator before chrooting.

OK, now it does 2).  svn trunk r1567.

> 
> Am I understand it correctly?  There MAY be a need to
> read more random bytes during runtime, and even open-
> read-close /dev/random again, but I don't know if
> unbound currently does that.

I do not really think it is needed, since the seed is for a PRNG, which
is used to seed the arc4random generator.   The arc4random generator is
reseeded once in a while, but the (otherwise unused) openssl PRNG should
be fine.  If openssl indicates that the PRNG needs re-seeding, unbound
tries to reseed it, first dev/random, then time(NULL), then printing
errors (but continuing operations with 'old' arc4random state).

> Is it difficult to lessen this dependency on /dev/random a
> bit -- either by doing all init stuff before chrooting or
> by keeping /dev/random opened?

I hope this makes it easier to run unbound in chroot.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAknQulQACgkQkDLqNwOhpPiW1wCfaxUUw9qR1BS3PMgcYKtO/Ga5
MtAAn2YSBE86ZZ6mgJ1rhn3wg6wxMnBu
=CI+p
-----END PGP SIGNATURE-----