Hi Michael,

Michael Tokarev wrote:
> Right now unbound (unlike nsd) runs just fine in chroot,
> including managing some stuff (like pid/log files)
> outside. The only thing left is the random stuff:
>
> Mar 29 11:54:40 gandalf unbound: [2470:0] notice: openssl has no
> entropy, seeding with time and pid
>
> This can be solved in two ways:
> 1) providing /dev/random inside chroot and
> 2) initializing random number generator before chrooting.

OK, now it does 2). svn trunk r1567.

> Do I understand it correctly? There MAY be a need to
> read more random bytes during runtime, and even open-
> read-close /dev/random again, but I don't know if
> unbound currently does that.

I do not really think it is needed, since the seed is for a PRNG, which is used to seed the arc4random generator. The arc4random generator is reseeded once in a while, but the (otherwise unused) openssl PRNG should be fine. If openssl indicates that the PRNG needs re-seeding, unbound tries to reseed it, first /dev/random, then time(NULL), then printing errors (but continuing operations with 'old' arc4random state).

> Is it difficult to lessen this dependency on /dev/random a
> bit -- either by doing all init stuff before chrooting or
> by keeping /dev/random opened?

I hope this makes it easier to run unbound in chroot.

Best regards,
Wouter
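The ordering discussed above (gather seed material before chroot(), so the seed device need not exist inside the jail), as an added illustration that is not unbound's own code. It assumes /dev/urandom as the seed source and shows the weak time-and-pid fallback from the log message next to the proper pre-chroot seeding; the `do_chroot` flag is only there so the function can be exercised without root.

```c
/* Added example: collect a PRNG seed before chroot(2), so that the seed
 * device (/dev/urandom here, an assumption) is not needed inside the jail. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define SEED_LEN 32

/* Read exactly n bytes of seed material from the kernel RNG.
 * Returns n on success, -1 (errno set) if the device cannot be read. */
ssize_t collect_seed(unsigned char *buf, size_t n) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) { int e = errno; close(fd); errno = e; return -1; }
        got += (size_t)r;
    }
    close(fd);
    return (ssize_t)got;
}

/* The weak fallback the log line in the thread describes: time and pid only.
 * This is what a caller is left with when the seed device is unreachable,
 * e.g. because it was first opened after chroot(). Returns bytes written. */
size_t fallback_seed(unsigned char *buf, size_t n) {
    time_t t = time(NULL);
    pid_t p = getpid();
    size_t len = 0;
    if (n >= sizeof t) { memcpy(buf, &t, sizeof t); len += sizeof t; }
    if (n - len >= sizeof p) { memcpy(buf + len, &p, sizeof p); len += sizeof p; }
    return len;   /* a dozen largely guessable bytes */
}

/* Correct ordering: entropy first, then enter the jail.
 * Returns 0 if a strong seed was collected before chroot(), 1 if only the
 * fallback was available, -1 if chroot()/chdir() failed (e.g. not root). */
int seed_then_chroot(const char *jail, unsigned char *seed, size_t n, int do_chroot) {
    int strong = collect_seed(seed, n) == (ssize_t)n;
    if (!strong) fallback_seed(seed, n);
    if (do_chroot && (chroot(jail) != 0 || chdir("/") != 0)) return -1;
    return strong ? 0 : 1;
}
```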