1 files changed, 48 insertions, 0 deletions

diff --git a/net-dns/unbound/files/chroot_howto.txt b/net-dns/unbound/files/chroot_howto.txt
new file mode 100644
index 000000000..5699d00cb
--- /dev/null
+++ b/net-dns/unbound/files/chroot_howto.txt
@@ -0,0 +1,48 @@
+Chroot jail howto for unbound
+
+* Rationale
+
+I had no experience whatsoever with chroot jails for daemons, and when making an
+ebuild for unbound, someone suggested that I should just check it out.
+Unfortunately, my ebuild skills are not that great, so making the ebuild handle
+the rootjail support transparantly was out of my league. Getting unbound 
+running within a rootjail was no problem however. Below are my experiences.
+
+* Assumptions
+
+- You know your way around a linux machine on the console
+- You have root access
+
+* Setting it up
+
+1. Emerge unbound, switching USE flags has no effect to the steps in this guide.
+
+2. Decide where you want your rootjail. I choose /var/lib/unbound 
+   throughout this manual. Then create the directory:
+	 # mkdir /var/lib/unbound
+   # chown unbound:unbound /var/lib/unbound
+   # chmod 700 /var/lib/unbound
+
+3. Inside the chroot you'll need access to /dev/random, and possibly /dev/log 
+	 (when using syslog, the default). Simplest way is to bind-mount /dev:
+   # mkdir /var/lib/unbound/dev
+   # mount -o bind /dev /var/lib/unbound/dev
+
+   Hint: add a line to /etc/fstab to keep this persistent between reboots.
+
+4. Move the config file into the chroot and change some settings:
+   # mv /etc/unbound/unbound.conf /var/lib/unbound
+   # nano /var/lib/unbound/unbound.conf
+
+   Change following options (or copy/paste these lines near 
+   the end of the file):
+
+   chroot: "/var/lib/unbound"
+   directory: "/var/lib/unbound"
+   pidfile: "/var/lib/unbound/unbound.pid"
+
+5. Change /etc/conf.d/unbound to reflect the new locations of 
+   the config and the pid file.
+
+   config_file="/var/lib/unbound/unbound.conf"
+   pid_file="/var/lib/unbound/unbound.conf"