Maintained by: NLnet Labs

[Unbound-users] Suggested config settings for chrooting unbound

Phil Pennock
Thu Nov 22 11:30:21 CET 2012

On 2012-11-22 at 09:35 +0100, Ilya Bakulin wrote:
> So I'd like to ask what is considered "best practice" for chrooting unbound?

% ls -l /usr/local/etc/unbound/unbound.conf
lrwxr-xr-x  1 root  wheel  29 Jan 19  2011 /usr/local/etc/unbound/unbound.conf -> /var/unbound/etc/unbound.conf

Yes, it's /var/, but only because /var is acting as a container for a
chroot and chroots should be considered as having hier(7) apply _within_
them, not from the outside _into_ them.  Besides, the configuration
should be under revision control and preferably host configuration
management (such as Puppet or other preferred poison).  Just be sure to
set the filesystem ownership up such that only root has write access
down into /var/unbound/etc/.

FreeBSD hier(7) doesn't specify chroot information at all.  If /var
really bothers you for config files, then create a new top-level
directory /chroots/.  I actually have /jails/ instead.

In my setup:

Modify /usr/local/etc/rc.d/unbound to invoke unbound-checkconf with
$unbound_config_file, which you can define in /etc/rc.conf{,.local}.
I have:

unbound_flags="-c $unbound_config_file"

Hrm, ideally unbound-checkconf would look to see if the default file is
a symlink and chase that before complaining that it's not inside the
chroot area.
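The post combines three ideas: unbound.conf lives inside the chroot and is reached from the outside through a symlink, only root may write anywhere under the chroot's etc/ directory, and the rc script should run unbound-checkconf against the real file. The pre-flight script below (an added example, not Phil's rc.d change and not shipped by Unbound or FreeBSD) does exactly those checks before the daemon is started: it resolves the symlink, refuses a target outside the chroot, and walks from the config file up to the chroot root verifying that each component is owned by the expected user and is neither group- nor world-writable. The function names and the `--check` entry point are this example's own; the default owner `root` and the /var/unbound layout follow the post.

```shell
#!/bin/sh
# Pre-flight checks for a chrooted Unbound configuration, intended to run
# from the rc script before unbound-checkconf. Added example; the helper
# names and the --check entry point are assumptions, not part of the post.

# Follow a chain of symlinks and print the final absolute path.
resolve_config_path() {
    readlink -f -- "$1"
}

# Succeed only if the resolved target lies strictly inside the chroot dir.
path_within_chroot() {
    root_dir=$(readlink -f -- "$1") || return 1
    target=$(readlink -f -- "$2") || return 1
    case "$target" in
        "$root_dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the path is owned by $owner and has no group or world
# write bit, i.e. only that account can modify it. Uses only POSIX find
# primaries so it behaves the same on FreeBSD and Linux.
writable_only_by() {
    owner=$1; path=$2
    [ -n "$(find "$path" -prune -user "$owner" 2>/dev/null)" ] || return 1
    [ -z "$(find "$path" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ] || return 1
}

# check_chroot_config CHROOT_DIR LINK_OR_FILE [OWNER]
# Resolves the config path, requires it to be a regular file inside the
# chroot, then checks ownership/permissions of the file and of every
# directory between it and the chroot root.
check_chroot_config() {
    chroot_dir=$(readlink -f -- "$1") || return 1
    link=$2; owner=${3:-root}
    conf=$(resolve_config_path "$link") || return 1
    [ -f "$conf" ] || { echo "not a regular file: $conf" >&2; return 1; }
    path_within_chroot "$chroot_dir" "$conf" \
        || { echo "config $conf is outside chroot $chroot_dir" >&2; return 1; }
    d=$conf
    while :; do
        writable_only_by "$owner" "$d" \
            || { echo "$d must be owned by $owner and not group/world-writable" >&2; return 1; }
        [ "$d" = "$chroot_dir" ] && break
        [ "$d" = "/" ] && return 1      # safety stop; should not be reached
        d=$(dirname -- "$d")
    done
    return 0
}

# Entry point for the rc script: sh this_file --check CHROOT_DIR CONFIG
# Runs the checks and then hands the resolved path to unbound-checkconf.
case "${1:-}" in
    --check)
        check_chroot_config "$2" "$3" || exit 1
        exec unbound-checkconf "$(resolve_config_path "$3")"
        ;;
esac
```

In the setup from the post this would be invoked as `--check /var/unbound /usr/local/etc/unbound/unbound.conf` from the rc.d script, with the same `$unbound_config_file` that feeds `unbound_flags="-c ..."`, so the file that gets syntax-checked is the one the daemon will actually read after it enters the chroot.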