Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added information for Unbound running under chroot. #9

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Added information for Unbound running under chroot. #9

wants to merge 1 commit into from

Conversation

ousatov-ua
Copy link

No description provided.

@ousatov-ua
Copy link
Author

ousatov-ua commented Mar 24, 2024
edited
Loading

Hi @ar51an !
There will be errors about lack of permissions for unbound.log and unbound.sock if Unbound is running under chroot. By default, it will run in this mode on Debian if installed by apt.

I did not check compiled locally version of Unbound, so my changes are only for Unbound installed from repository.

Tested on Debian 12.

And thank you for your work! Brilliant!

@ar51an
Copy link
Owner

ar51an commented Mar 26, 2024

https://manpages.debian.org/bookworm/unbound/unbound.conf.5.en.html#chroot:

Quoted below from the last paragraph in the link:

If given a chroot is done to the given directory. By default chroot is enabled and the default is "".

Using default configuration in the distribution provided unbound pkg the configs in this guide work fine for log and socket paths. The compiled version of Unbound provided at unbound-redis is using the same default config for chroot.

Majority of the people use the default config for chroot, the provided configs in this documentation made sure it should work for them. Anyone using a custom config has to make the appropriate changes not just in this scenario but in other cases as well to meet their specific requirement.

You changed the chroot in your personal config from default to point to some dir. That is why you got the errors and has to give permission within apparmor. So you can either comment out the chroot line in your config to keep it default or make the apparmor change.

What is the value of chroot in your unbound.conf?

@ousatov-ua
Copy link
Author

ousatov-ua commented Mar 26, 2024
edited
Loading

Hi!
I have installed Unbound using apt.
I did not specify chroot in config, so it has "default" value.
So, having default installation of Unbound, without specifying chroot, I have exception about write permissions to both unbound.log and unbound.sock

Debian 12.

@ar51an
Copy link
Owner

ar51an commented Mar 26, 2024

Hello,
Please paste the output of these 2 cmds:

unbound-checkconf -f -o chroot
unbound -V

@ousatov-ua
Copy link
Author

ousatov-ua commented Mar 26, 2024
edited
Loading

sudo unbound-checkconf -f -o chroot gives empty string.

I did not specify any chroot additionally, so this is the default behavior.

unbound -V

Version 1.17.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.11 19 Sep 2023
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

So this is the expected, --with-chroot-dir= is empty.

@ousatov-ua
Copy link
Author

ousatov-ua commented Mar 26, 2024
edited
Loading 

cat /lib/systemd/system/unbound.service

[Unit]
Description=Unbound DNS server
Documentation=man:unbound(8)
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=notify
Restart=on-failure
EnvironmentFile=-/etc/default/unbound
ExecStartPre=-/usr/libexec/unbound-helper chroot_setup
ExecStartPre=-/usr/libexec/unbound-helper root_trust_anchor_update
ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS
ExecStopPost=-/usr/libexec/unbound-helper chroot_teardown
ExecReload=+/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

@ar51an
Copy link
Owner

ar51an commented Mar 27, 2024

Thanks for the update.

Distro is setting the chroot dir somewhere outside the unbound build and config, most probably using the distro specific apparmor unbound config along with distro specific unbound-helper script.

This dashboard and the unbound build setup is targeted at the compiled version of unbound. Compiled version works fine, I am using it.

I will look into the distro based pkg of unbound and update the documentation at the appropriate place, linking to this pull request.

@ousatov-ua
Copy link
Author

Hi!
Sure, I just wanted to make it easier to setup for other people, no needs to link any further changes in README to this PR
Thanks again for your repo :)

@ousatov-ua
Copy link
Author

ousatov-ua commented Mar 27, 2024
edited
Loading

@ar51an BTW, please setup a link to Buy me a Coffee or something else - I would donate for your work, and I believe others would like too

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ousatov-ua @ar51an