Right now unbound (unlike nsd) runs just fine in chroot,
including managing some stuff (like pid/log files)
outside. The only thing left is the random stuff:
Mar 29 11:54:40 gandalf unbound: [2470:0] notice: openssl has no entropy, seeding with time and pid
This can be solved by two ways:
1) providing /dev/random inside chroot and
2) initializing random number generator before chrooting.
Am I understand it correctly? There MAY be a need to
read more random bytes during runtime, and even open-
read-close /dev/random again, but I don't know if
unbound currently does that.
Is it difficult to lessen this dependency on /dev/random a
bit -- either by doing all init stuff before chrooting or
by keeping /dev/random opened?
Right now unbound (unlike nsd) runs just fine in chroot,
including managing some stuff (like pid/log files)
outside. The only thing left is the random stuff:
Mar 29 11:54:40 gandalf unbound: [2470:0] notice: openssl has no
entropy, seeding with time and pid
This can be solved by two ways:
1) providing /dev/random inside chroot and
2) initializing random number generator before chrooting.
OK, now it does 2). svn trunk r1567.
Am I understand it correctly? There MAY be a need to
read more random bytes during runtime, and even open-
read-close /dev/random again, but I don't know if
unbound currently does that.
I do not really think it is needed, since the seed is for a PRNG, which
is used to seed the arc4random generator. The arc4random generator is
reseeded once in a while, but the (otherwise unused) openssl PRNG should
be fine. If openssl indicates that the PRNG needs re-seeding, unbound
tries to reseed it, first dev/random, then time(NULL), then printing
errors (but continuing operations with 'old' arc4random state).
Is it difficult to lessen this dependency on /dev/random a
bit -- either by doing all init stuff before chrooting or
by keeping /dev/random opened?
I hope this makes it easier to run unbound in chroot.