Problem with pidfile and permission...

Dimitri dimitri_emich at protonmail.com
Thu Jan 6 00:33:37 UTC 2022


Hi Jarno

> You have lot of sandboxing options(Protect*, Restrict* etc.) in the
> unbound.service file.
>
> Have you tried commenting all Protect*, Restrict* etc. and see if
> unbound is then able to start (and write to /test/unbound) ? And after that start
> adding those sandboxing options one by one ?

Yes, it was my next step yesterday.

And I found out that if I set a plus as the first character of "ExecStart=..." (which means execution with full privileges),
then no pidfile error occurs.

I would like to know why, because I thought that if no "User=" option is set in the service, then the service automatically starts as root.

But the pidfile error was not responsible for the failed start; it was the following line in my service file:
====================================
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
====================================
In the original service file, "mount" in that line is without "@".
When I set up my service file I looked into the systemd man page -> SystemCallFilter.
In the table all possible values are listed with a "@", and I thought that in the original service file the "@" at "mount" had simply been forgotten.

I only now realized that "mount" was set correctly without a "@", because ONLY the system call "mount()" should be locked
and not the ENTIRE system call set "mount" (which is set with a "@"), which includes other system calls too, like "chroot()".

So this start problem is eliminated.

But now I run into another problem which I have already seen before. Now I get the timeout problem which is
known with the "Type=notify" option.

The user gthess explained here "https://github.com/NLnetLabs/unbound/issues/56#issuecomment-520837503" why this problem occurs.
And two posts later he talked about options to solve that problem.

But in the service file the following line already exists:
====================================
BindReadOnlyPaths=-/run/systemd/notify:/test/unbound/run/systemd/notify
====================================
so why doesn't it work?
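The "mount" versus "@mount" distinction above is easy to get wrong when editing a unit by hand. The following script is an added example (not code from this thread or from the Unbound project): it extracts the deny-listed tokens from a SystemCallFilter= value, tells you whether a whole group such as @mount is being denied rather than the single mount() syscall, and expands a group with the local systemd's own table. The shipped and edited lines are the two variants quoted in the post; the helper that expands groups assumes systemd-analyze is installed.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread. Shows that "mount" and
# "@mount" in a SystemCallFilter= deny list are different things: the first is
# one syscall, the second is a whole group that also covers chroot(),
# pivot_root() and friends. Assumes systemd-analyze exists for group_members.

# Split a SystemCallFilter= value into its tokens, dropping the "~" deny marker.
filter_tokens() {
  printf '%s\n' "$1" | sed 's/^SystemCallFilter=//; s/^~//' | tr ' ' '\n' | sed '/^$/d'
}

# Print only the group tokens (the ones starting with "@").
filter_groups() {
  filter_tokens "$1" | grep '^@' || true
}

# Print "1" if group "$2" (e.g. "@mount") is deny-listed as a whole in "$1", else "0".
denies_group() {
  filter_groups "$1" | grep -c "^$2\$" || true
}

# Expand a group to its member syscalls using the installed systemd's table
# (group contents differ between systemd versions, so ask the local binary
# rather than trusting a copied list). Output: one syscall name per line.
group_members() {
  systemd-analyze syscall-filter "$1" 2>/dev/null \
    | sed -n 's/^[[:space:]]\{1,\}\([a-z0-9_]*\)$/\1/p'
}

# Line as shipped in unbound.service: only the single syscall mount() is denied.
SHIPPED='SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources'
# Edited line from the thread: the entire @mount group is denied.
EDITED='SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources'

# Run as "sh check.sh show" to print the comparison and the @mount expansion.
if [ "${1:-}" = "show" ]; then
  echo "shipped line denies the @mount group: $(denies_group "$SHIPPED" '@mount')"
  echo "edited  line denies the @mount group: $(denies_group "$EDITED" '@mount')"
  echo "@mount expands to:"
  group_members @mount
fi
```

If group_members prints nothing, systemd-analyze is missing or too old; the same expansion is listed in the SystemCallFilter= section of systemd.exec(5).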