getting Unbound started, keeping it going
Michael Ströder
michael at stroeder.com
Tue May 22 10:36:52 UTC 2018
Anand Buddhdev via Unbound-users wrote:
> On 20/05/2018 23:16, Adam Gold via Unbound-users wrote:
>> Here's my systemd:
>>
>> [Unit]
>> Description=Unbound DNS server
>> Documentation=man:unbound(8)
>> After=network.target
>>
>> [Service]
>> LimitNOFILE = 65536
>> ExecStart = /usr/local/sbin/unbound -c /etc/unbound/unbound.conf
>> ExecReload = /bin/kill -HUP $MAINPID
>> User = unbound
>
> ^^^
>
> This makes systemd switch to user "unbound" (non-privileged user)
> *before* starting unbound, and so it cannot bind to port 53. Remove this
> line so that systemd starts unbound as root and it can bind to
> port 53. After that, unbound drops privileges by itself (as directed by
> the "username" option in unbound.conf).
One could also start the unbound service with User=unbound but let systemd
assign the capability CAP_NET_BIND_SERVICE to the unbound process.
See CapabilityBoundingSet= and AmbientCapabilities= in systemd.exec(5).
Ciao, Michael.
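The unit from the original post, rewritten along the lines Michael suggests, as an added example that is not part of this thread and not a unit file shipped by the Unbound project. The paths and the LimitNOFILE value are taken from the posted unit; Group=, NoNewPrivileges=, Restart=, the -d flag and the [Install] section are assumptions added here. Because the process never runs as root in this variant, unbound.conf must not ask for anything that needs root: set `chroot: ""` (chroot(2) needs CAP_SYS_CHROOT, which this unit deliberately withholds) and `username: ""`, since systemd has already fixed the identity, and any pidfile location must be writable by the unbound user.

```ini
[Unit]
Description=Unbound DNS server
Documentation=man:unbound(8)
After=network.target

[Service]
# Start as the unprivileged account right away. On its own this is the
# line that broke the posted unit: a non-root process cannot bind port 53.
User=unbound
Group=unbound
# Grant exactly the one privilege needed to bind a port below 1024.
# AmbientCapabilities= hands it to the process; CapabilityBoundingSet=
# caps what the process can ever hold, so everything else is gone for good.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Make sure no execve() (setuid binaries etc.) can regain privileges.
NoNewPrivileges=true
LimitNOFILE=65536
# -d keeps unbound in the foreground. With the default Type=simple, a daemon
# that forks and lets the parent exit is treated as finished and its
# remaining processes are killed.
ExecStart=/usr/local/sbin/unbound -d -c /etc/unbound/unbound.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

To check that the result is what was intended, read the effective capability set of the running process, e.g. `grep CapEff /proc/$(pidof unbound)/status`, and decode the hex value with `capsh --decode=<value>` from libcap: the only capability listed should be cap_net_bind_service, and `ss -lnup 'sport = :53'` should show the socket owned by a process running as unbound.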