Problem with pidfile and permission...

Paul Wouters paul at nohats.ca
Tue Jan 4 03:54:25 UTC 2022 

On Jan 3, 2022, at 20:07, Unbound via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> On 2022-01-03 12:46, Dimitri via Unbound-users wrote:
>> Hi folks,
>> i've installed Unbound from source in another folder, set the unbound.conf and try
>> to start it.
>> But the start failed with "cannot open pidfile /test/unbound/unbound.pid :
>> Permission denied".
> 
> is it enough to:
> 
> % cd /test/unbound
> % sudo chown -Rh unbound:unbound .
> 
> Then try to start it again?
> 
> FWIW all the systems I run that create pidfiles, either put them in
> 
> /var/run
> 
> or
> 
> /tmp

Yes and likely SElinux would fail outside of those directories.

I using systemd, it would be better to use a type=simple without pidfile.

Paul


> 
>> The error only comes when i try to start unbound with "sudo systemctl start unbound".
>> If i cd to "/test/unbound" and start with "sudo sbin/unbound -d -vvvv", then all works.
>> The installation folder is owned by the user "test_unbound" and the content of
>> unbound.conf is:
>> =========================================
>> server:
>> auto-trust-anchor-file: "/test/unbound/root.key"
>> chroot: "/test/unbound"
>> directory: "/test/unbound"
>> username: "test_unbound"
>> logfile: "/test/unbound/log.log"
>> pidfile: "/test/unbound/unbound.pid"
>> =========================================
>> And the unbound.service:
>> =========================================
>> [Unit]
>> Description=Unbound DNS Resolver
>> After=network-online.target
>> Before=nss-lookup.target
>> Wants=network-online.target nss-lookup.target
>> [Install]
>> WantedBy=multi-user.target
>> [Service]
>> ExecReload=+/bin/kill -HUP $MAINPID
>> ExecStartPre=+/test/unbound/sbin/unbound-anchor -a "/test/unbound/root.key" -c
>> "/test/unbound/icannbundle.pem"
>> ExecStart=/test/unbound/sbin/unbound -d -vvvv
>> Type=notify
>> NotifyAccess=main
>> CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> CAP_SYS_RESOURCE CAP_NET_RAW
>> MemoryDenyWriteExecute=true
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectHome=true
>> ProtectClock=true
>> ProtectControlGroups=true
>> ProtectKernelLogs=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectProc=invisible
>> ProtectSystem=strict
>> RuntimeDirectory=unbound
>> ConfigurationDirectory=unbound
>> StateDirectory=unbound
>> RestrictAdressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
>> RestrictRealtime=true
>> SystemCallArchitectures=native
>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
>> RestrictNamespaces=yes
>> LockPersonality=yes
>> RestrictSUIDSGID=yes
>> ReadWritePaths=/test/unbound /test/unbound
>> TemporaryFileSystem=/test/unbound/dev:ro
>> TemporaryFileSystem=/test/unbound/run:ro
>> BindReadOnlyPaths=-/run/systemd/notify:/test/unbound/run/systemd/notify
>> BindReadOnlyPaths=-/dev/urandom:/test/unbound/dev/urandom
>> BindPaths=-/dev/log:/test/unbound/dev/log
>> =========================================
>> My System:
>> Ubuntu 21.04
>> Unbound 1.14.0
>> Can anyone please tell me, where is the problem? THANKS!

More information about the Unbound-users mailing list