Running unbound in a chroot: Which files need to be accessible?
Timo Sigurdsson
public_timo.s at silentcreek.de
Mon Nov 5 15:19:55 UTC 2018
Hi,
I'm currently running unbound 1.8.0 on Linux (Debian) and wonder how to properly set up the chroot environment – especially which files need to be accessible from within the chroot.
1) I'm using the tls-cert-bundle option in order to forward requests to upstream servers that support DNS over TLS. The certificate bundle is outside of unbound's configuration directory and chroot directory. In a quick test, I'm able to run unbound in a chroot, without making the certificate bundle available from within the chroot. So, I'm assuming the certificate bundle is read before unbound enters the chroot and not accessed anymore afterwards. But is this always true? Will unbound at some point need access to the tls-cert-bundle from within the chroot?
2) On Debian with systemd, unbound is a service of the type "notify". A bug report suggests that the socket /run/systemd/notify should be made accessible from within the chroot [1]. Is this needed? During my little testing, it didn't seem to make a difference whether the socket was bind mounted to the chroot or not.
3) The man page mentions that /dev/random should be accessible. Since I don't run into errors when I set up the chroot without a bind mount for /dev/random, I'm wondering whether access to /dev/random is only needed in certain configurations? The same goes for /dev/log. But is this really needed regardless of whether a log file or syslog is used for logging?
4) Are there any other files/locations that should be made accessible inside the chroot in order to ensure reliable operation, aside from the configuration files and the auto-trust-anchor-file? If I look at the apparmor profile for unbound, it seems a lot more files might be accessed, but of course that might only be the case before chroot is entered.
I'd appreciate any clarification someone might give on this.
Thanks!
Kind regards,
Timo
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867187
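A small checker for the situation described in the message above, added here as an example; it is not code from the original post or from the Unbound project. It reads the file-valued options out of an unbound.conf and reports which of them would not be reachable once unbound has chrooted, plus the /dev/random and /dev/log entries the question mentions. Two assumptions are built in and labelled in the code: a configured path is taken either as an absolute path inside the chroot or as a host path that already carries the chroot prefix (both are checked at the same host location), and a relative path is resolved against the "directory:" option, or the chroot root when that option is absent. Whether a flagged file is actually needed after the chroot (the open question above for tls-cert-bundle) is for the reader to decide; the script only shows what is unreachable.

```shell
#!/bin/sh
# Added example, not from the original post or from the Unbound project.
# chroot_check CONF prints "MISSING <option> <host path>" for every
# file-valued option in an unbound.conf whose file is not reachable from
# inside the configured chroot, then checks /dev/random and /dev/log.
#
# Assumptions (labelled; not taken from the post):
#  - a configured path is either absolute inside the chroot
#    ("/etc/unbound/root.key") or a host path that already carries the
#    chroot prefix ("/var/lib/unbound/etc/unbound/root.key"); both are
#    checked at the same host location.
#  - a relative path is resolved against the "directory:" option, or the
#    chroot root if that option is absent.

# conf_opt KEY CONF: value of a single-valued option, quotes and
# trailing comments stripped (first occurrence wins).
conf_opt() {
    sed -e 's/#.*//' "$2" \
      | awk -v k="$1:" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# host_path ROOT DIR PATH: where PATH lives on the host filesystem.
host_path() {
    root=$1; dir=$2; p=$3
    case $p in
        "$root"/*) printf '%s\n' "$p" ;;            # already host-prefixed
        /*)        printf '%s%s\n' "$root" "$p" ;;  # absolute inside chroot
        *)         printf '%s%s/%s\n' "$root" "$dir" "$p" ;;  # relative to directory:
    esac
}

# chroot_check CONF: one MISSING line per unreachable file; no output if all found.
chroot_check() {
    conf=$1
    root=$(conf_opt chroot "$conf")
    if [ -z "$root" ]; then
        echo "no chroot: option set; nothing to check" >&2
        return 0
    fi
    root=${root%/}
    dir=$(conf_opt directory "$conf"); dir=${dir:-/}; dir=${dir%/}

    # File-valued options worth checking; extend the list for your config.
    sed -e 's/#.*//' "$conf" \
      | awk '$1 ~ /^(auto-trust-anchor-file|trust-anchor-file|tls-cert-bundle|root-hints|logfile|pidfile|include):$/ {
                sub(/:$/, "", $1); gsub(/"/, "", $2); print $1, $2 }' \
      | while read -r opt p; do
            hp=$(host_path "$root" "$dir" "$p")
            [ -e "$hp" ] || echo "MISSING $opt $hp"
        done

    # Device node and syslog socket named in the question; -e is enough
    # because /dev/log is a socket, not a regular file.
    for d in /dev/random /dev/log; do
        [ -e "$root$d" ] || echo "MISSING device $root$d"
    done
}

# chroot_ok CONF: exit status 0 only when chroot_check reports nothing.
chroot_ok() {
    [ -z "$(chroot_check "$1")" ]
}
```

Run it as `chroot_check /etc/unbound/unbound.conf` before starting the service; an empty result means every configured file, plus the two /dev entries, exists under the chroot. A listed tls-cert-bundle is not by itself an error, since the post reports that the bundle is read before the chroot is entered; the list is the starting point for deciding which paths to bind mount or copy.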