On Mon, 25 Oct 2010, Michael Tokarev wrote:
> With root dnssec keys being now in place, I decided to enable DNSSEC support in our unbound servers. And immediately hit another problem with chrooting.
This is why SElinux is better than chroot(), and you should really consider using that (if on linux) and not using chroot() at all. See previous threads on this list before on chroot vs SElinux.
> Yet another way is offered by modern linux - ability to "mount" (bind-mount) one file over another, similar to symlink but that works across filesystem boundaries and chroots - but this too is somewhat disgusting.
Yeah, this was done in the past, and it is terrible to maintain as well. The fedora/rhel packages now fully depend on SElinux, not chroot().
> Why can't it just open everything at startup and chroot later?
It needs to write to the key files for RFC5011 support. So in a way you cannot have /etc/ readonly with that file in there. You might need to move that into /var/. And yes, the whole signaling and adding /var/unbound/var/unbound symlinks or equivalent is just a disaster (I remember those awful bind days with about as much love as my sendmail.cf manual editing days).

Paul
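A check for the point Paul makes about RFC 5011 and chroot, added here as an example and not code from the thread or from the Unbound project: it verifies that an unbound.conf which sets `chroot:` keeps `auto-trust-anchor-file:` inside the chroot in a writable directory, since unbound rewrites that file on a root key rollover after it has chrooted. It assumes quoted option values, one per line, and that the script runs as the user unbound drops to; the sample configs and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Unbound project.
# Assumptions: options are written as  name: "value"  one per line, and the
# script runs as the user unbound will drop privileges to (username:).

# Extract a quoted option value from unbound.conf, e.g. chroot: "/var/unbound"
conf_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | head -n 1
}

# Return 0 when the anchor file lives in a writable directory inside the
# chroot; print the reason and return 1 otherwise.
check_anchor_in_chroot() {
    conf="$1"
    chroot_dir=$(conf_value chroot "$conf")
    anchor=$(conf_value auto-trust-anchor-file "$conf")
    if [ -z "$chroot_dir" ] || [ -z "$anchor" ]; then
        echo "chroot: or auto-trust-anchor-file: not set in $conf"; return 1
    fi
    case "$anchor" in
        "$chroot_dir"/*) ;;                       # absolute path inside the chroot
        /*) echo "$anchor is outside chroot $chroot_dir"; return 1 ;;
        *)  anchor="$chroot_dir/$anchor" ;;       # relative: resolve against chroot
    esac
    dir=$(dirname "$anchor")
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "$dir must exist and be writable for RFC 5011 updates"; return 1
    fi
    return 0
}

# Constructed sample configs: one correct, one keeping the anchor under /etc,
# which is unreachable (and read-only) once unbound has chrooted.
WORK=$(mktemp -d)
mkdir -p "$WORK/var/unbound"
GOOD_CONF="$WORK/good.conf"
BAD_CONF="$WORK/bad.conf"
cat > "$GOOD_CONF" <<EOF
server:
    chroot: "$WORK/var/unbound"
    auto-trust-anchor-file: "$WORK/var/unbound/root.key"
EOF
cat > "$BAD_CONF" <<EOF
server:
    chroot: "$WORK/var/unbound"
    auto-trust-anchor-file: "/etc/unbound/root.key"
EOF
```

Run `check_anchor_in_chroot /etc/unbound/unbound.conf` as the unbound user before restarting the daemon.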
