[Unbound-users] Suggested config settings for chrooting unbound
Phil Pennock
unbound-users+phil at spodhuis.org
Thu Nov 22 10:30:21 UTC 2012
On 2012-11-22 at 09:35 +0100, Ilya Bakulin wrote:
> So I'd like to ask what is considered "best practice" for chrooting unbound?
% ls -l /usr/local/etc/unbound/unbound.conf
lrwxr-xr-x 1 root wheel 29 Jan 19 2011 /usr/local/etc/unbound/unbound.conf -> /var/unbound/etc/unbound.conf
Yes, it's /var/, but only because /var is acting as a container for a
chroot and chroots should be considered as having hier(7) apply _within_
them, not from the outside _into_ them. Besides, the configuration
should be under revision control and preferably host configuration
management (such as Puppet or other preferred poison). Just be sure to
set the filesystem ownership up such that only root has write access
down into /var/unbound/etc/.
FreeBSD hier(7) doesn't specify chroot information at all. If /var
really bothers you for config files, then create a new top-level
directory /chroots/. I actually have /jails/ instead.
In my setup:
Modify /usr/local/etc/rc.d/unbound to invoke unbound-checkconf with
$unbound_config_file, which you can define in /etc/rc.conf{,.local}.
I have:
unbound_enable="YES"
unbound_pidfile="/var/run/unbound.pid"
unbound_config_file="/var/unbound/etc/unbound.conf"
unbound_flags="-c $unbound_config_file"
unbound_chrootdir="/var/unbound"
Hrm, ideally unbound-checkconf would look to see if the default file is
a symlink and chase that before complaining that it's not inside the
chroot area.
-Phil
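The layout and ownership rule Phil describes (config inside the chroot, only root able to write below <chroot>/etc/, unbound-checkconf pointed at the real config file) as an added shell example. This is not code from the post or from the unbound project; the chroot root is taken as an argument (Phil uses /var/unbound), the service account name "unbound" is an assumption, and when run unprivileged the ownership check accepts the invoking user in place of root so the layout can be exercised without privileges.

```shell
#!/bin/sh
# Added example (not from Phil's post): build an unbound chroot tree the way
# the message describes and check that nothing below <chroot>/etc/ is
# writable by anyone but root. Assumed: the "unbound" user exists on the box.
set -eu

# Create <root>/etc and <root>/run and write a minimal unbound.conf whose
# chroot: and directory: both name the chroot root, so unbound-checkconf sees
# one consistent set of paths (pidfile inside the chroot as well).
setup_unbound_chroot() {
    root=$1
    mkdir -p "$root/etc" "$root/run"
    chmod 0755 "$root" "$root/etc"
    cat > "$root/etc/unbound.conf" <<EOF
server:
    chroot: "$root"
    directory: "$root"
    pidfile: "$root/run/unbound.pid"
    username: "unbound"
EOF
    # World-readable config, writable only by its (root) owner.
    chmod 0644 "$root/etc/unbound.conf"
    # chown needs privileges; when run unprivileged the files stay owned by
    # the invoking user, which check_chroot_perms tolerates (see below).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$root/etc"
    fi
}

# Return 0 only if no entry under <root>/etc carries a group or other write
# bit and every entry is owned by the expected uid: 0 when running as root,
# otherwise the invoking user (so an unprivileged run still exercises the
# mode-bit check). A stray g+w or o+w bit anywhere in the tree fails it.
check_chroot_perms() {
    root=$1
    want_uid=$(id -u)
    find "$root/etc" \( -perm -020 -o -perm -002 \) -print | grep -q . && return 1
    find "$root/etc" ! -user "$want_uid" -print | grep -q . && return 1
    return 0
}

# Return 0 if the config's chroot: directive names the chroot root itself,
# i.e. the file really does describe the jail it lives in.
config_chroot_matches() {
    root=$1
    grep -q "^[[:space:]]*chroot: \"$root\"" "$root/etc/unbound.conf"
}

# What Phil's modified rc.d script does with $unbound_config_file: run
# unbound-checkconf against the file inside the chroot, not the symlink in
# /usr/local/etc. Returns 0 when the tool is not installed, so the layout
# can still be tested on a machine without unbound.
validate_config() {
    root=$1
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$root/etc/unbound.conf"
    fi
}

# Print the rc.conf fragment from the post for the chosen chroot root.
rc_conf_fragment() {
    root=$1
    printf 'unbound_enable="YES"\n'
    printf 'unbound_pidfile="%s/run/unbound.pid"\n' "$root"
    printf 'unbound_config_file="%s/etc/unbound.conf"\n' "$root"
    printf 'unbound_flags="-c $unbound_config_file"\n'
    printf 'unbound_chrootdir="%s"\n' "$root"
}

# Usage: sh unbound-chroot.sh /var/unbound
if [ $# -eq 1 ]; then
    setup_unbound_chroot "$1"
    check_chroot_perms "$1" && echo "permissions ok under $1/etc"
    config_chroot_matches "$1" && echo "chroot: directive matches $1"
    validate_config "$1"
    rc_conf_fragment "$1"
fi
```

Run it as root on the target host to get the real ownership; run it as yourself against a scratch directory to see the mode-bit check catch a stray group- or world-writable entry.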