Hi list,
I have a question about chrooting unbound daemon under FreeBSD (although the
same is true on all platforms).
Suppose I'm going to chroot into /var/run/unbound, which seems logical to me,
since unbound is going to write root.key in the current directory (and having
anything application-writable under /usr/local is bad).
But it seems I need to place the unbound config file under /var/unbound as well,
because otherwise the daemon cannot reread its config on SIGHUP.
Placing config file under /var is a bad practice and violates hier(7)
guidelines.
I also cannot make hardlinks, because /usr and /var are on separate
filesystems (which is a recommended setting).
Normally this problem is solved by having two processes, one with root
privileges which runs unchrooted, and some number of workers. unbound seems
not to use this model, having only a single process.
So I'd like to ask what is considered "best practice" for chrooting unbound?
// Ilya
I copy unbound.conf before each unbound start.
Also I created ~chroot/dev/random once.
# grep chroot /etc/unbound/unbound.conf
chroot: /var/lib/unbound
# find /var/lib/unbound
/var/lib/unbound
/var/lib/unbound/etc
/var/lib/unbound/etc/unbound
/var/lib/unbound/etc/unbound/unbound.conf
/var/lib/unbound/dev
/var/lib/unbound/dev/random
On 22.11.2012 13:14, Andreas Schulze wrote:
% ls -l /usr/local/etc/unbound/unbound.conf
lrwxr-xr-x 1 root wheel 29 Jan 19 2011 /usr/local/etc/unbound/unbound.conf -> /var/unbound/etc/unbound.conf
Yes, it's /var/, but only because /var is acting as a container for a
chroot and chroots should be considered as having hier(7) apply _within_
them, not from the outside _into_ them. Besides, the configuration
should be under revision control and preferably host configuration
management (such as Puppet or other preferred poison). Just be sure to
set the filesystem ownership up such that only root has write access
down into /var/unbound/etc/.
FreeBSD hier(7) doesn't specify chroot information at all. If /var
really bothers you for config files, then create a new top-level
directory /chroots/. I actually have /jails/ instead.
In my setup:
Modify /usr/local/etc/rc.d/unbound to invoke unbound-checkconf with
$unbound_config_file, which you can define in /etc/rc.conf{,.local}.
I have:
unbound_enable="YES"
unbound_pidfile="/var/run/unbound.pid"
unbound_config_file="/var/unbound/etc/unbound.conf"
unbound_flags="-c $unbound_config_file"
unbound_chrootdir="/var/unbound"
Hrm, ideally unbound-checkconf would look to see if the default file is
a symlink and chase that before complaining that it's not inside the
chroot area.
-Phil
> So I'd like to ask what is considered "best practice" for chrooting unbound?
You could take a gander at OpenBSD's setup as they chroot unbound by
default and as they have or are adding unbound to base it will have
received a fair amount of peer review.
> > So I'd like to ask what is considered "best practice" for chrooting unbound?
> You could take a gander at OpenBSD's setup as they chroot unbound by
> default and as they have or are adding unbound to base it will have
> received a fair amount of peer review.
I have already looked at the OpenBSD port. Unfortunately it suffers from the same
problem -- they keep unbound config file under /var/unbound, which is also
chroot for it.
Hello,
> So I'd like to ask what is considered "best practice" for chrooting unbound?
On Linux I use mount --bind (from unbound initscript) to "mount" unbound
configs to the chroot directory.
Maybe FreeBSD mount_nullfs can achieve the same thing?
-Jarno