Maintained by: NLnet Labs

[Unbound-users] chrooting unbound, again

Paul Wouters
Mon Oct 25 17:59:25 CEST 2010


On Mon, 25 Oct 2010, Michael Tokarev wrote:

> With root dnssec keys being now in place, I decided to
> enable DNSSEC support in our unbound servers.  And
> immediately hit another problem with chrooting.

This is why SElinux is better than chroot(), and you should really
consider using that (if on linux) and not using chroot() at all.
See previous threads on this list before on chroot vs SElinux.

> Yet another way is offered by modern linux - ability
> to "mount" (bind-mount) one file over another,
> similar to symlink but that works across filesystem
> boundaries and chroots - but this too is somewhat
> disgusting.)

yeah, this was done in the past, and it is terrible to maintain as
well. The fedora/rhel packages now fully depend on SElinux, not chroot().

> Why can't it just open everything at startup and
> chroot later?

It needs to write to the key files for RFC5011 support. So in a way
you cannot have /etc/ readonly with that file in there. You might need
to move that into /var/

And yes, the whole signaling and adding /var/unbound/var/unbound symlinks
or equivalent is just a disaster (I remember those awful bind days with
about as much love as my sendmail.cf manual editing days)

Paul
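An added unbound.conf fragment (not from this thread, and not NLnet Labs' own example) showing the layout Paul describes: the RFC 5011 managed key kept under /var, inside the chroot, rather than in a read-only /etc. The paths /var/lib/unbound and the user name "unbound" are assumptions.

```conf
server:
    # Assumed layout (constructed example): everything unbound touches
    # lives under the chroot directory so it is still reachable after
    # chroot() has happened.
    username: "unbound"
    chroot: "/var/lib/unbound"
    directory: "/var/lib/unbound"

    # Problematic: /etc sits outside the chroot and is usually read-only
    # for the daemon, but RFC 5011 key tracking must rewrite this file
    # when the root key rolls.
    # auto-trust-anchor-file: "/etc/unbound/root.key"

    # Working: the managed key lives inside the chroot, in a directory
    # the unbound user can write. Unbound strips the chroot prefix from
    # the path itself, so the full path can be given here.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
```

The directory holding root.key, not just the file, must be writable by the unbound user, since the updated key is written as a new file. A static trust-anchor-file would avoid the write requirement but would not follow key rollovers.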