[nsd-users] systemd unit files for NSD launch in chroot?
Paul Wouters
paul at nohats.ca
Thu Mar 7 02:50:25 UTC 2013
On Wed, 6 Mar 2013, darx at sent.com wrote:
> I'm starting to migrate a number of authoritative nameservers on small
> VMs from bind9 to NSD.
>
> At the same time, I'm switching all inits from sysvinit to systemd.
>
> Cribbing systemd unit files from Fedora for NSD
> (http://pkgs.fedoraproject.org/cgit/nsd.git/tree/), they're
> straightforward enough -- but seem to ignore proper chroot
> setup/startup.
>
> I've poked in current NSD 3x source, as well as 4x from trunk, and so
> far see no example/doc of systemd init for NSD.
We ship them in Fedora, but they're pretty straightforward. We do not
use chroot() as it offers nothing over SELinux, and does not come with
the chroot maintenance nightmare hackery.
IMHO, chroot() for security is pretty much dead. Even without SELinux,
the cost of putting up a VM with only your single daemon makes chroot
basically obsolete. In Fedora you can even use "Linux containers", which
use cgroups to run your daemon in isolation.
Paul
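The thread contrasts a hand-maintained chroot with isolation provided by the platform itself. As an added example (not the Fedora unit file linked above, and not code from the NSD project), the unit below shows what that looks like when systemd does the confinement: the daemon sees a read-only filesystem except for the two directories it needs, a capability bounding set limited to binding port 53 and dropping privileges, and no access to devices, kernel tunables or unusual socket families. Assumptions, none of which come from the thread: NSD is installed as /usr/sbin/nsd, reads /etc/nsd/nsd.conf, keeps its database and zone data under /var/lib/nsd, writes its pidfile under /run/nsd, and drops to the user named by `username:` in nsd.conf on its own (so the unit starts it as root and caps what root may do). Several of the directives used here postdate this 2013 thread and need a reasonably current systemd.

```ini
# /etc/systemd/system/nsd.service  (added example, not the Fedora or upstream unit)
#
# Assumed paths: binary /usr/sbin/nsd, config /etc/nsd/nsd.conf,
# database/zone data under /var/lib/nsd, pidfile under /run/nsd.
# Assumed behaviour: NSD performs its own setuid/setgid drop to the
# "username:" from nsd.conf, so the service starts as root.

[Unit]
Description=NSD authoritative DNS server
Documentation=man:nsd(8) man:nsd.conf(5)
After=network.target

[Service]
Type=simple
# -d keeps NSD in the foreground so systemd supervises the real process
# and no PIDFile= bookkeeping is needed.
ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
# SIGHUP makes NSD reload its zones.
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

# Capabilities: bind port 53, drop privileges, chown the pidfile to the
# unprivileged user. Everything else (module loading, raw sockets, ptrace,
# chroot, ...) is removed from the bounding set, so even root cannot use it.
# This list is an assumption about what a bind-then-drop daemon needs;
# trim it further once the journal shows a clean start and reload.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
NoNewPrivileges=yes

# Filesystem view: the whole tree is read-only except the paths named below.
# This is what the chroot was meant to achieve, without copying libraries,
# resolver files and device nodes into a private tree and keeping them in sync.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/nsd
RuntimeDirectory=nsd
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Only the socket families NSD uses: IPv4/IPv6 for DNS, AF_UNIX for its
# internal socketpairs.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl start nsd`, check `journalctl -u nsd` for EPERM/EACCES errors (a sign that a path or capability above is too tight for your build) and `systemd-analyze security nsd.service` for what is still exposed. If you do keep `chroot:` in nsd.conf as well, CAP_SYS_CHROOT has to go back into the bounding set; systemd's own `RootDirectory=` is the equivalent knob, but the point of the reply above is that with a read-only tree, a capability cap and a MAC policy, the private tree buys nothing extra.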