[nsd-users] systemd unit files for NSD launch in chroot?

Paul Wouters paul at nohats.ca
Thu Mar 7 02:50:25 UTC 2013


On Wed, 6 Mar 2013, darx at sent.com wrote:

> I'm starting to migrate a number of authoritative nameservers on small
> VMs from bind9 to NSD.
>
> At the same time, I'm switching all inits from sysvinit to systemd.
>
> Cribbing systemd unit files from Fedora for NSD
> (http://pkgs.fedoraproject.org/cgit/nsd.git/tree/), they're
> straightforward enough -- but seem to ignore proper chroot
> setup/startup.
>
> I've poked in current NSD 3x source, as well as 4x from trunk, and so
> far see no example/doc of systemd init for NSD.

We ship them in Fedora, but they're pretty straightforward. We do not
use chroot() as it offers nothing over SELinux, and does not come with
the chroot maintenance nightmare hackery.

IMHO, chroot() for security is pretty much dead. Even without SELinux,
the cost of putting up a VM with only your single daemon makes chroot
basically obsolete. In Fedora you can even use "Linux containers", which
use cgroups to run your daemon in isolation.

Paul
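The thread contrasts a hand-maintained chroot tree with isolation done by the platform (SELinux, a VM, or containers). The unit below is an added example, not the Fedora package's unit file and not shipped by NSD: it shows how a systemd unit can give the daemon a restricted filesystem view and a trimmed capability set without any chroot setup at all. It assumes the nsd binary lives at /usr/sbin/nsd, the config at /etc/nsd/nsd.conf, the zone database under /var/lib/nsd, and a systemd new enough for ReadWritePaths= (v231 or later); privilege drop to the unprivileged user is left to the "username:" setting in nsd.conf, as NSD does on its own. The capability list is an assumption to check against the journal for the installed NSD version.

```ini
# Added example unit (assumptions: paths, capability set, systemd >= 231).
# Isolation comes from systemd sandboxing directives, not a chroot tree.
[Unit]
Description=NSD authoritative DNS server (sandboxed example)
After=network.target

[Service]
Type=simple
# -d keeps nsd in the foreground so systemd supervises it directly.
ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
# NSD reloads its zone data on SIGHUP.
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
# Creates /run/nsd at start; point "pidfile:" in nsd.conf there (assumption).
RuntimeDirectory=nsd

# Filesystem view: /usr, /boot and /etc read-only, no home directories,
# private /tmp and /dev; only the zone database directory stays writable.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/lib/nsd

# Capabilities: bind port 53 and drop to the nsd user, nothing else.
# CAP_SYS_CHROOT is deliberately absent because no chroot is used.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security nsd.service` (systemd v240 and later) scores the remaining exposure and lists which directives are still open; if nsd fails to start with a permission error, the journal shows which path or capability the sandbox withheld, which is far easier to correct than a missing file inside a chroot.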
