Problem with pidfile and permission...

Dimitri dimitri_emich at protonmail.com
Mon Jan 3 20:46:55 UTC 2022


Hi folks,

I've installed Unbound from source in another folder, set up unbound.conf and tried to start it.
But the start failed with "cannot open pidfile /test/unbound/unbound.pid : Permission denied".

The error only occurs when I try to start unbound with "sudo systemctl start unbound".
If I cd to "/test/unbound" and start it with "sudo sbin/unbound -d -vvvv", then everything works.

The installation folder is owned by the user "test_unbound" and the content of unbound.conf is:
=========================================
server:
auto-trust-anchor-file: "/test/unbound/root.key"
chroot: "/test/unbound"
directory: "/test/unbound"
username: "test_unbound"
logfile: "/test/unbound/log.log"
pidfile: "/test/unbound/unbound.pid"
=========================================

And the unbound.service:
=========================================
[Unit]
Description=Unbound DNS Resolver
After=network-online.target
Before=nss-lookup.target
Wants=network-online.target nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStartPre=+/test/unbound/sbin/unbound-anchor -a "/test/unbound/root.key" -c "/test/unbound/icannbundle.pem"
ExecStart=/test/unbound/sbin/unbound -d -vvvv

Type=notify
NotifyAccess=main
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW

MemoryDenyWriteExecute=true

NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict

RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound

RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=/test/unbound /test/unbound

TemporaryFileSystem=/test/unbound/dev:ro
TemporaryFileSystem=/test/unbound/run:ro
BindReadOnlyPaths=-/run/systemd/notify:/test/unbound/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:/test/unbound/dev/urandom
BindPaths=-/dev/log:/test/unbound/dev/log
=========================================

My System:
Ubuntu 21.04
Unbound 1.14.0

Can anyone please tell me where the problem is? THANKS!
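The difference between the two start methods is that under systemd the daemon runs inside the sandbox the unit builds (ProtectSystem=strict, TemporaryFileSystem mounts, a separate namespace), so a path that is writable from an interactive shell is not necessarily writable for the service. The script below is an added example, not part of this thread or of the Unbound project; it cross-checks a unit file against an unbound.conf for the mismatches that typically end in "cannot open pidfile ... Permission denied": a misspelled hardening directive that systemd silently ignores, a pidfile or logfile that lies outside every writable path while ProtectSystem=strict is in force, a path hidden under a TemporaryFileSystem mount, and a path outside the configured chroot. The directive allowlist is deliberately partial (an assumption: a real linter would load the full list from the systemd man pages), the function names are my own, and the sample inputs at the bottom are constructed by trimming the posted files; the misspelled RestrictAdressFamilies line is kept there on purpose so the first check has something to catch.

```python
"""Lint a systemd unit file together with an unbound.conf for the mismatches
that surface as "cannot open pidfile ... Permission denied" under systemd but
not when unbound is started by hand.  Added example, not from the thread; the
directive allowlist is partial (assumption) and the inputs at the bottom are
constructed, trimmed from the posted files."""
import difflib
import re
from collections import defaultdict

# Partial allowlist: the [Service] directives used in the posted unit (assumption;
# a complete linter would take the list from systemd.exec(5)/systemd.service(5)).
KNOWN_SERVICE_KEYS = sorted({
    "ExecReload", "ExecStartPre", "ExecStart", "Type", "NotifyAccess",
    "CapabilityBoundingSet", "MemoryDenyWriteExecute", "NoNewPrivileges",
    "PrivateDevices", "PrivateTmp", "ProtectHome", "ProtectClock",
    "ProtectControlGroups", "ProtectKernelLogs", "ProtectKernelModules",
    "ProtectKernelTunables", "ProtectProc", "ProtectSystem", "RuntimeDirectory",
    "ConfigurationDirectory", "StateDirectory", "RestrictAddressFamilies",
    "RestrictRealtime", "SystemCallArchitectures", "SystemCallFilter",
    "RestrictNamespaces", "LockPersonality", "RestrictSUIDSGID", "ReadWritePaths",
    "TemporaryFileSystem", "BindReadOnlyPaths", "BindPaths",
})


def parse_unit(text):
    """Return {section: {key: [value, ...]}}; repeated directives accumulate."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()].append(value.strip())
    return sections


def parse_unbound_conf(text):
    """Flat {option: value} for the one-line 'option: "value"' form of unbound.conf."""
    opts = {}
    for raw in text.splitlines():
        m = re.match(r'^([\w-]+):\s*"?([^"]*?)"?\s*$', raw.split("#", 1)[0].strip())
        if m and m.group(2):
            opts[m.group(1)] = m.group(2)
    return opts


def _under(path, parent):
    """True if path equals parent or lies inside it (string level, no symlink resolution)."""
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def lint(unit_text, conf_text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    service = parse_unit(unit_text).get("Service", {})
    conf = parse_unbound_conf(conf_text)

    # 1. Misspelled directives: systemd logs a warning and ignores them, so the
    #    restriction you believed you enabled is silently absent.
    for key in service:
        if key not in KNOWN_SERVICE_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_SERVICE_KEYS, n=1)
            findings.append(f"unknown directive {key}"
                            + (f" (did you mean {hint[0]}?)" if hint else ""))

    # 2. Under ProtectSystem=strict the whole tree is read-only except ReadWritePaths
    #    and the Runtime/State directories systemd provisions (strip the -/+ modifiers).
    writable = [p.lstrip("-+") for v in service.get("ReadWritePaths", []) for p in v.split()]
    writable += [f"/run/{n}" for n in service.get("RuntimeDirectory", [])]
    writable += [f"/var/lib/{n}" for n in service.get("StateDirectory", [])]
    strict = service.get("ProtectSystem", [""])[0] == "strict"
    for opt in ("pidfile", "logfile"):
        path = conf.get(opt)
        if not path:
            continue
        if strict and not any(_under(path, w) for w in writable):
            findings.append(f"{opt} {path} is outside every writable path under ProtectSystem=strict")
        # 3. A TemporaryFileSystem mount hides whatever the real directory holds.
        for spec in service.get("TemporaryFileSystem", []):
            if _under(path, spec.split(":", 1)[0]):
                findings.append(f"{opt} {path} is shadowed by TemporaryFileSystem={spec}")

    # 4. With chroot set, unbound's file paths are expected to carry the chroot prefix.
    chroot = conf.get("chroot")
    if chroot:
        for opt in ("pidfile", "logfile", "auto-trust-anchor-file"):
            path = conf.get(opt)
            if path and not _under(path, chroot):
                findings.append(f"{opt} {path} lies outside chroot {chroot}")
    return findings


# Constructed sample inputs, trimmed from the posted unit and unbound.conf; the
# misspelled RestrictAdressFamilies line is kept deliberately to exercise check 1.
SAMPLE_UNIT = """\
[Service]
ExecStart=/test/unbound/sbin/unbound -d -vvvv
ProtectSystem=strict
RuntimeDirectory=unbound
StateDirectory=unbound
RestrictAdressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
ReadWritePaths=/test/unbound /test/unbound
TemporaryFileSystem=/test/unbound/dev:ro
TemporaryFileSystem=/test/unbound/run:ro
"""
SAMPLE_CONF = """\
server:
    auto-trust-anchor-file: "/test/unbound/root.key"
    chroot: "/test/unbound"
    directory: "/test/unbound"
    username: "test_unbound"
    logfile: "/test/unbound/log.log"
    pidfile: "/test/unbound/unbound.pid"
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_UNIT, SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run against the trimmed sample it reports only the misspelled directive; moving the pidfile to a path such as /run/unbound.pid makes it report both the ProtectSystem=strict and the chroot mismatch, and a pidfile under /test/unbound/run is flagged as shadowed by the read-only TemporaryFileSystem mount. The path checks are purely textual: they do not resolve symlinks or inspect the real filesystem, so a clean result is a necessary condition, not proof that the service can write the file.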