Problem with pidfile and permission...

Unbound unbound at tacomawireless.net
Tue Jan 4 00:34:57 UTC 2022


On 2022-01-03 12:46, Dimitri via Unbound-users wrote:
> Hi folks,
> 
> I've installed Unbound from source in another folder, set the unbound.conf
> and try to start it.
> But the start failed with "cannot open pidfile /test/unbound/unbound.pid :
> Permission denied".

is it enough to:

% cd /test/unbound
% sudo chown -Rh unbound:unbound .

Then try to start it again?

FWIW all the systems I run that create pidfiles, either put them in

/var/run

or

/tmp

> 
> The error only comes when I try to start unbound with "sudo systemctl start
> unbound".
> If I cd to "/test/unbound" and start with "sudo sbin/unbound -d -vvvv", then
> all works.
> 
> The installation folder is owned by the user "test_unbound" and the content 
> of
> unbound.conf is:
> =========================================
> server:
> auto-trust-anchor-file: "/test/unbound/root.key"
> chroot: "/test/unbound"
> directory: "/test/unbound"
> username: "test_unbound"
> logfile: "/test/unbound/log.log"
> pidfile: "/test/unbound/unbound.pid"
> =========================================
> 
> And the unbound.service:
> =========================================
> [Unit]
> Description=Unbound DNS Resolver
> After=network-online.target
> Before=nss-lookup.target
> Wants=network-online.target nss-lookup.target
> 
> [Install]
> WantedBy=multi-user.target
> 
> [Service]
> ExecReload=+/bin/kill -HUP $MAINPID
> ExecStartPre=+/test/unbound/sbin/unbound-anchor -a "/test/unbound/root.key" 
> -c
> "/test/unbound/icannbundle.pem"
> ExecStart=/test/unbound/sbin/unbound -d -vvvv
> 
> Type=notify
> NotifyAccess=main
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID 
> CAP_SYS_CHROOT
> CAP_SYS_RESOURCE CAP_NET_RAW
> 
> MemoryDenyWriteExecute=true
> 
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectClock=true
> ProtectControlGroups=true
> ProtectKernelLogs=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectProc=invisible
> ProtectSystem=strict
> 
> RuntimeDirectory=unbound
> ConfigurationDirectory=unbound
> StateDirectory=unbound
> 
> RestrictAdressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount 
> @obsolete @resources
> RestrictNamespaces=yes
> LockPersonality=yes
> RestrictSUIDSGID=yes
> ReadWritePaths=/test/unbound /test/unbound
> 
> TemporaryFileSystem=/test/unbound/dev:ro
> TemporaryFileSystem=/test/unbound/run:ro
> BindReadOnlyPaths=-/run/systemd/notify:/test/unbound/run/systemd/notify
> BindReadOnlyPaths=-/dev/urandom:/test/unbound/dev/urandom
> BindPaths=-/dev/log:/test/unbound/dev/log
> =========================================
> 
> My System:
> Ubuntu 21.04
> Unbound 1.14.0
> 
> Can anyone please tell me, where is the problem? THANKS!
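A small diagnostic, added here for this thread and not code from the Unbound project: it reads the few server: options quoted above, confirms the pidfile sits under the configured chroot (the same thing unbound-checkconf warns about), and evaluates the pidfile directory's POSIX mode bits for a given uid. The check is parameterized on whether CAP_DAC_OVERRIDE is available, because the quoted unit's CapabilityBoundingSet omits it, so a process running as uid 0 under that unit is still bound by the directory's mode bits, unlike the same binary launched with sudo. The uid 1001 and mode 0755 for /test/unbound are assumptions standing in for the poster's host; the parser only handles the simple `key: "value"` form shown in the post.

```python
import os
import stat

# Constructed sample, mirroring the server: block quoted in the thread.
SAMPLE_CONF = """\
server:
    auto-trust-anchor-file: "/test/unbound/root.key"
    chroot: "/test/unbound"
    directory: "/test/unbound"
    username: "test_unbound"
    logfile: "/test/unbound/log.log"
    pidfile: "/test/unbound/unbound.pid"
"""


def parse_server_options(text):
    """Return {key: value} for options under 'server:'.
    Only the simple 'key: "value"' form is handled; '#' comments are stripped."""
    opts = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header, e.g. server:
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def path_inside_chroot(path, chroot):
    """Unbound strips the chroot prefix from configured paths; a path that does
    not start with the chroot is the case unbound-checkconf warns about."""
    if not chroot:
        return True
    return path == chroot or path.startswith(chroot.rstrip("/") + "/")


def mode_allows_write(mode, st_uid, st_gid, uid, gids, dac_override=False):
    """POSIX rule: exactly one class (owner, group, other) applies, chosen in that
    order, and creating a file needs write plus search (x) on the directory.
    CAP_DAC_OVERRIDE bypasses the bits; without it uid 0 is treated like anyone."""
    if dac_override:
        return True
    if st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need


def diagnose(opts, dir_stat, uid, gids, dac_override=False):
    """dir_stat is (mode, st_uid, st_gid) of the pidfile's parent directory,
    as os.stat() would report it. Returns a list of human-readable problems."""
    pidfile = opts.get("pidfile", "")
    chroot = opts.get("chroot", "")
    problems = []
    if not path_inside_chroot(pidfile, chroot):
        problems.append("pidfile %s lies outside chroot %s" % (pidfile, chroot))
    mode, st_uid, st_gid = dir_stat
    if not mode_allows_write(mode, st_uid, st_gid, uid, gids, dac_override):
        problems.append("pidfile directory %s not writable by uid %d"
                        % (os.path.dirname(pidfile), uid))
    return problems


def example_report():
    """Run the checks for three launch scenarios against constructed ownership
    data (assumed: test_unbound is uid/gid 1001 and owns /test/unbound, 0755)."""
    opts = parse_server_options(SAMPLE_CONF)
    svc_uid = svc_gid = 1001
    dir_stat = (0o755, svc_uid, svc_gid)
    return {
        "as_service_user": diagnose(opts, dir_stat, svc_uid, {svc_gid}),
        # sudo keeps the full capability set, so DAC is bypassed
        "root_via_sudo": diagnose(opts, dir_stat, 0, {0}, dac_override=True),
        # the quoted unit's bounding set lacks CAP_DAC_OVERRIDE
        "root_in_unit_without_dac_override": diagnose(opts, dir_stat, 0, {0}),
    }


if __name__ == "__main__":
    for scenario, problems in example_report().items():
        print(scenario, "->", problems or ["ok"])
```

Run on a live host, replace `dir_stat` with `os.stat(os.path.dirname(pidfile))` and the uid with the one from `pwd.getpwnam(opts["username"])`; the point of keeping the permission logic pure is that you can reason about the systemd sandbox case without actually launching the unit.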

