Diffstat (limited to 'net-dns/unbound/files/chroot_howto.txt')
1 files changed, 48 insertions, 0 deletions
diff --git a/net-dns/unbound/files/chroot_howto.txt b/net-dns/unbound/files/chroot_howto.txt
new file mode 100644
index 000000000..5699d00cb
--- /dev/null
+++ b/net-dns/unbound/files/chroot_howto.txt
@@ -0,0 +1,48 @@
+Chroot jail howto for unbound
+* Rationale
+I had no experience whatsoever with chroot jails for daemons, and when making an
+ebuild for unbound, someone suggested that I should just check it out.
+Unfortunately, my ebuild skills are not that great, so making the ebuild handle
+the rootjail support transparantly was out of my league. Getting unbound
+running within a rootjail was no problem however. Below are my experiences.
+* Assumptions
+- You know your way around a linux machine on the console
+- You have root access
+* Setting it up
+1. Emerge unbound, switching USE flags has no effect to the steps in this guide.
+2. Decide where you want your rootjail. I choose /var/lib/unbound
+ throughout this manual. Then create the directory:
+ # mkdir /var/lib/unbound
+ # chown unbound:unbound /var/lib/unbound
+ # chmod 700 /var/lib/unbound
+3. Inside the chroot you'll need access to /dev/random, and possibly /dev/log
+ (when using syslog, the default). Simplest way is to bind-mount /dev:
+ # mkdir /var/lib/unbound/dev
+ # mount -o bind /dev /var/lib/unbound/dev
+ Hint: add a line to /etc/fstab to keep this persistent between reboots.
+4. Move the config file into the chroot and change some settings:
+ # mv /etc/unbound/unbound.conf /var/lib/unbound
+ # nano /var/lib/unbound/unbound.conf
+ Change following options (or copy/paste these lines near
+ the end of the file):
+ chroot: "/var/lib/unbound"
+ directory: "/var/lib/unbound"
+ pidfile: "/var/lib/unbound/"
+5. Change /etc/conf.d/unbound to reflect the new locations of
+ the config and the pid file.
+ config_file="/var/lib/unbound/unbound.conf"
+ pid_file="/var/lib/unbound/unbound.conf"
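Review bot: both pid-file paths in this hunk are wrong. In step 4, `pidfile: "/var/lib/unbound/"` names a directory, not a file; it should point at a file, e.g. `pidfile: "/var/lib/unbound/unbound.pid"`. In step 5, `pid_file="/var/lib/unbound/unbound.conf"` is a copy of the `config_file` value on the line above, so the init script would treat the config file as the pid file; it must match whatever `pidfile:` is set to in unbound.conf. Two hardening points as well: step 2 makes the jail root writable by the daemon user (`chown unbound:unbound`, `chmod 700`) and step 4 moves unbound.conf into that directory, so the unbound user can replace its own configuration; the config file (and preferably the jail root) should stay root-owned and read-only for unbound. Step 3 bind-mounts the whole of /dev into the jail although the text says only /dev/random and possibly /dev/log are needed; creating or bind-mounting just those two nodes keeps the jail minimal. Minor: "transparantly" in the rationale should be "transparently".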