[Dnssec-trigger] unbound in chroot

Petr Spacek pspacek at redhat.com
Fri Jun 27 07:28:24 UTC 2014

On 27.6.2014 09:11, Tomas Hozza wrote:
> ----- Original Message -----
>>     Hello Pavel,
>>> On Tuesday, 24 June 2014 11:41 AM, P J P wrote:
>>> And over wi-fi, even internet domains could not be resolved. I'll continue
>>> testing with the latest build above.
>> Please see -> http://fpaste.org/113693/51627140/
>> I'm testing the latest build of dnssec-trigger-0.12.11.f20.x86_64. It seems
>> to work quite well so far. It received the local forwarders list via DHCP
>> and uses the same to resolve domains. It's able to resolve internal domains
>> and it seems to work seamlessly across ethernet and wi-fi networks too.
>> One glitch though, if I set chroot="/var/lib/unbound" in
>> /etc/unbound/unbound.conf, the unbound service fails to start citing missing
>> configuration files error. IMO, it'd be better to start unbound service
>> under chroot(2) jail by default.
> I think this is expected since the configuration is not present in the chroot.
> Although we could provide a new systemd service file unbound-chroot.service,
> like we do for BIND. It would prepare the chroot before starting (bind-mount
> all necessary configuration files into the chroot), start unbound in chroot
> and when stopping, unmount all files from the chroot.
> It would be better for this purpose if unbound could take the chroot dir as
> a command line argument. But we can drop a config file into /etc/unbound/conf.d/
> when starting unbound and then remove it when stopping unbound.
> What do you think?

Is it worth it? Chroot on Linux is notoriously broken/leaky. I'm not entirely
sure that it adds more than false sense of security...

Petr^2 Spacek
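The bind-mount approach Tomas sketches above (prepare the chroot before start, start unbound in it, unmount on stop), written out as an added example. This is not code from dnssec-trigger, unbound or the BIND packaging; the helper script, the unbound-chroot.service hooks it is meant for, the file list and the DRY_RUN switch are all assumptions made here.

```shell
#!/bin/sh
# Added example, not code from dnssec-trigger or unbound: a helper that a
# hypothetical unbound-chroot.service could call from ExecStartPre (prepare)
# and ExecStopPost (cleanup). It bind-mounts the configuration files unbound
# needs into the chroot, read-only, and unmounts them again on stop.
# Paths, the file list and the DRY_RUN switch are assumptions for this example.
set -eu

CHROOT="${UNBOUND_CHROOT:-/var/lib/unbound}"
# Constructed list of what must be visible inside the jail; extend as needed.
CONF_FILES="/etc/unbound/unbound.conf /etc/unbound/conf.d /etc/resolv.conf"
# DRY_RUN=1 (default here) prints the commands instead of executing them,
# so the script can be read and tested without root; set DRY_RUN=0 in the unit.
DRY_RUN="${DRY_RUN:-1}"

# chroot_path SRC: where SRC appears inside the chroot,
# e.g. /etc/unbound/unbound.conf -> /var/lib/unbound/etc/unbound/unbound.conf
chroot_path() {
    printf '%s%s\n' "$CHROOT" "$1"
}

# run CMD...: execute, or just echo with a '+ ' prefix in dry-run mode
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# prepare_chroot: create the mount points, bind-mount each entry, then
# remount it read-only so a process in the jail cannot modify its own config.
prepare_chroot() {
    for src in $CONF_FILES; do
        dst=$(chroot_path "$src")
        if [ -d "$src" ]; then
            run mkdir -p "$dst"
        else
            run mkdir -p "$(dirname "$dst")"
            run touch "$dst"          # a bind mount needs an existing target file
        fi
        run mount --bind "$src" "$dst"
        run mount -o remount,bind,ro "$dst"
    done
}

# cleanup_chroot: unmount in reverse order so later mounts come off first.
cleanup_chroot() {
    reversed=""
    for src in $CONF_FILES; do
        reversed="$src $reversed"
    done
    for src in $reversed; do
        run umount "$(chroot_path "$src")"
    done
}

# Command-line entry point used by the service file.
if [ $# -gt 0 ]; then
    case "$1" in
        prepare) prepare_chroot ;;
        cleanup) cleanup_chroot ;;
        *) echo "usage: $0 prepare|cleanup" >&2; exit 2 ;;
    esac
fi
```

In the hypothetical unit the script would be called with `DRY_RUN=0` from `ExecStartPre=... prepare` and `ExecStopPost=... cleanup`, and the `chroot:` value in unbound.conf has to match `$CHROOT`. Using `ExecStopPost` rather than `ExecStop` means the unmount also runs when unbound crashes, so the mounts do not pile up across restarts.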
