Bug 247291 - dns/unbound: Add some support for running in chrooted env (which is by default)
Summary: dns/unbound: Add some support for running in chrooted env (which is by default)
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords: feature, needs-qa
Depends on:
Blocks:
 
Reported: 2020-06-15 23:11 UTC by lytboris
Modified: 2021-02-09 23:09 UTC (History)
2 users (show)

See Also:
jaap: maintainer-feedback+


Attachments
Initial version (3.28 KB, patch)
2020-06-15 23:11 UTC, lytboris
no flags Details | Diff
Add a comment for var/run (3.35 KB, patch)
2020-06-15 23:21 UTC, lytboris
no flags Details | Diff
Check for syslog socket as well (3.64 KB, patch)
2020-06-16 07:12 UTC, lytboris
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description lytboris 2020-06-15 23:11:44 UTC
Created attachment 215593 [details]
Initial version

Patch fixes couple of issues found in present version of unbound.in:
* ${unbound_conf} is never defined, ${unbound_config} must be used in all cases
* (u)mount devfs for an unbound instance running in chrooted environment, add a note for enabling robust syslog(3) logging in this case.

Severity is set to "many people" as the default unbound configuration enforces both chroot and logging via syslog.
Comment 1 lytboris 2020-06-15 23:21:11 UTC
Created attachment 215594 [details]
Add a comment for var/run
Comment 2 lytboris 2020-06-16 07:12:01 UTC
Created attachment 215599 [details]
Check for syslog socket as well
Comment 3 Jaap Akkerhuis 2020-07-14 12:09:50 UTC
Comment on attachment 215599 [details]
Check for syslog socket as well

Looks good to me,

        jaap
Comment 4 Jaap Akkerhuis 2020-07-27 10:44:05 UTC
(In reply to lytboris from comment #2)

Note that unbound actually opens the syslog socket before it does the chroot(). Therefore, creating the socket is not necessary.

And to be complete, the samme is try for the logfile. It will be opened before the chroot call.

         jaap
Comment 5 lytboris 2020-07-27 21:03:57 UTC
> Therefore, creating the socket is not necessary.
I thought the same way and I was wrong. Reload command forces unbound to reopen logs being chrooted and after that it fails to log anything via syslog.
Comment 6 Jaap Akkerhuis 2020-08-03 11:34:06 UTC
(In reply to lytboris from comment #5)

Loooking more closely, you should also have other directives adjusted to have chroot work properly or alternatively, copy the whole tree needed to the "changed root" so the defaults paths for  "chroot", "directory" and likely also things like auto-trust-anchor-file server-key-file server-cert-file and control-key-file etc.

        jaap
Comment 7 Jaap Akkerhuis 2021-02-08 13:25:38 UTC
Overtaken by events. Unbound 13.0 has fixes for chroot problems, see https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-0
Comment 8 Andriy Gapon freebsd_committer freebsd_triage 2021-02-09 18:49:43 UTC
(In reply to Jaap Akkerhuis from comment #7)
From my personal experience it seems that 1.13.0_1 still needs syslogd socket within its chroot for reliable logging.
Comment 9 Jaap Akkerhuis 2021-02-09 23:09:26 UTC
(In reply to Andriy Gapon from comment #8)
Er was a typo, 1.13.1 is out. The lunk has the announcement