Bug 982145 - unbound fails to start chrooted
Summary: unbound fails to start chrooted
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: Other openSUSE 13.2
Priority: P5 - None, Severity: Normal
Target Milestone: ---
Assignee: Darin Perusich
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-29 19:46 UTC by Christian Boltz
Modified: 2016-05-29 23:37 UTC
CC List: 0 users

See Also:
Found By: Beta-Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Christian Boltz 2016-05-29 19:46:38 UTC
I tried to enable chroot in unbound.conf:

    chroot: "/var/lib/unbound"

The result is that unbound (to be exact: unbound-checkconf) refuses to start with

May 29 21:40:58 tux unbound-checkconf[14288]: [1464550858] unbound-checkconf[14288:0] fatal error: config file /etc/unbound/unbound.conf is not inside chroot /var/lib/unbound


Full status output:

# rcunbound status
* unbound.service - Unbound recursive Domain Name Server
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2016-05-29 21:40:58 CEST; 3s ago
  Process: 14114 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 14288 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=1/FAILURE)
  Process: 14276 ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS)
 Main PID: 14114 (code=exited, status=0/SUCCESS)

May 29 21:40:57 tux systemd[1]: Starting Unbound recursive Domain Name Server...
May 29 21:40:57 tux sudo[14276]:     root : TTY=unknown ; PWD=/ ; USER=unbound ; COMMAND=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
May 29 21:40:57 tux sudo[14276]: pam_unix(sudo:session): session opened for user unbound by (uid=0)
May 29 21:40:58 tux unbound-checkconf[14288]: [1464550858] unbound-checkconf[14288:0] fatal error: config file /etc/unbound/unbound.conf is not inside chroot /var/lib/unbound
May 29 21:40:58 tux systemd[1]: unbound.service: Control process exited, code=exited status=1
May 29 21:40:58 tux systemd[1]: Failed to start Unbound recursive Domain Name Server.
May 29 21:40:58 tux systemd[1]: unbound.service: Unit entered failed state.
May 29 21:40:58 tux systemd[1]: unbound.service: Failed with result 'exit-code'.
Comment 1 Christian Boltz 2016-05-29 23:37:31 UTC
FYI: This bug was brought to you by AppArmor ;-) Yes, seriously - this started on the upstream AppArmor mailing list, where we are testing an AppArmor profile for unbound.

I found this bug after Simon Deziel gave me a hint to try chroot, and after I told him about this bug report, he came up with a useful reply:

-----------------------------------------------------------------------------
We've been through something similar on Debian/Ubuntu. The solution was
to augment the init script to set up the chroot, then pass the in-chroot
path of the config file to unbound-checkconf.

The Debian maintainer has written a helper script [1] to factor this out
of the init script. Adding a "check_config" action to it would probably
make it suitable for reuse in your systemd unit.

1:
https://anonscm.debian.org/cgit/pkg-dns/unbound.git/tree/debian/package-helper
-----------------------------------------------------------------------------

HTH ;-)

If you want to test the AppArmor profile, you can find it at
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/16.10/usr.sbin.unbound
(copy it to /etc/apparmor.d and run "rcapparmor reload; rcunbound restart" to enable it)
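The "check_config" idea from the quoted reply, as an added example that is not the Debian helper script and not part of this bug report: the chroot and config paths are the ones from the report above, the variable names UNBOUND_CHROOT and UNBOUND_CONF are assumptions, and the bind mount needs root (e.g. from an ExecStartPre= line), so the functions are only dispatched when the script is called with the check_config argument.

```shell
#!/bin/sh
# Added example, not the Debian package-helper and not openSUSE's unit.
# Defaults are the paths from the bug report; the variable names are assumed.
UNBOUND_CHROOT="${UNBOUND_CHROOT:-/var/lib/unbound}"
UNBOUND_CONF="${UNBOUND_CONF:-/etc/unbound/unbound.conf}"

# Does path $2 live under chroot $1? This is the condition behind the
# "config file ... is not inside chroot ..." error: a prefix test, tightened
# here so that /var/lib/unbound2/... is not accepted for /var/lib/unbound.
path_inside_chroot() {
    chroot_dir="${1%/}"   # tolerate a trailing slash in the chroot setting
    case "$2" in
        "$chroot_dir"/*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Host-side path of a file as seen once the chroot is populated: CHROOT + path.
# This is the argument unbound-checkconf needs instead of /etc/unbound/....
in_chroot_path() {
    printf '%s%s\n' "${1%/}" "$2"
}

# Make /etc/unbound visible inside the chroot (bind mount, root only) and then
# check the config through its in-chroot path, so the prefix test passes.
check_config() {
    conf_dir="$(dirname "$UNBOUND_CONF")"
    target="$(in_chroot_path "$UNBOUND_CHROOT" "$conf_dir")"
    if ! path_inside_chroot "$UNBOUND_CHROOT" "$UNBOUND_CONF"; then
        mkdir -p "$target"
        mountpoint -q "$target" || mount --bind "$conf_dir" "$target"
    fi
    unbound-checkconf "$(in_chroot_path "$UNBOUND_CHROOT" "$UNBOUND_CONF")"
}

case "${1:-}" in
    check_config) check_config ;;
esac
```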