Diffstat (limited to 'net-dns/unbound/files')
-rw-r--r-- | net-dns/unbound/files/chroot_howto.txt | 48 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound.confd | 7 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound.initd | 46 |
3 files changed, 101 insertions, 0 deletions
diff --git a/net-dns/unbound/files/chroot_howto.txt b/net-dns/unbound/files/chroot_howto.txt
new file mode 100644
index 000000000..5699d00cb
--- /dev/null
+++ b/net-dns/unbound/files/chroot_howto.txt
@@ -0,0 +1,48 @@
+Chroot jail howto for unbound
+
+* Rationale
+
+I had no experience whatsoever with chroot jails for daemons, and when making an
+ebuild for unbound, someone suggested that I should just check it out.
+Unfortunately, my ebuild skills are not that great, so making the ebuild handle
+the rootjail support transparantly was out of my league. Getting unbound
+running within a rootjail was no problem however. Below are my experiences.
+
+* Assumptions
+
+- You know your way around a linux machine on the console
+- You have root access
+
+* Setting it up
+
+1. Emerge unbound, switching USE flags has no effect to the steps in this guide.
+
+2. Decide where you want your rootjail. I choose /var/lib/unbound
+ throughout this manual. Then create the directory:
+ # mkdir /var/lib/unbound
+ # chown unbound:unbound /var/lib/unbound
+ # chmod 700 /var/lib/unbound
+
+3. Inside the chroot you'll need access to /dev/random, and possibly /dev/log
+ (when using syslog, the default). Simplest way is to bind-mount /dev:
+ # mkdir /var/lib/unbound/dev
+ # mount -o bind /dev /var/lib/unbound/dev
+
+ Hint: add a line to /etc/fstab to keep this persistent between reboots.
+
+4. Move the config file into the chroot and change some settings:
+ # mv /etc/unbound/unbound.conf /var/lib/unbound
+ # nano /var/lib/unbound/unbound.conf
+
+ Change following options (or copy/paste these lines near
+ the end of the file):
+
+ chroot: "/var/lib/unbound"
+ directory: "/var/lib/unbound"
+ pidfile: "/var/lib/unbound/unbound.pid"
+
+5. Change /etc/conf.d/unbound to reflect the new locations of
+ the config and the pid file.
+
+ config_file="/var/lib/unbound/unbound.conf"
+ pid_file="/var/lib/unbound/unbound.conf"
diff --git a/net-dns/unbound/files/unbound.confd b/net-dns/unbound/files/unbound.confd
new file mode 100644
index 000000000..709724ec5
--- /dev/null
+++ b/net-dns/unbound/files/unbound.confd
@@ -0,0 +1,7 @@
+# Settings should normally only be changed when using a chroot jail.
+
+# Location of the unbound configuration file. Leave empty for the default.
+#config_file="/etc/unbound/unbound.conf"
+
+# Location of the unbound pidfile. Leave empty for the default.
+#pid_file="/var/run/unbound.pid"
diff --git a/net-dns/unbound/files/unbound.initd b/net-dns/unbound/files/unbound.initd
new file mode 100644
index 000000000..525020c39
--- /dev/null
+++ b/net-dns/unbound/files/unbound.initd
@@ -0,0 +1,46 @@
+#!/sbin/runscript
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+opts="start stop configtest"
+description="Unbound is a validating, recursive and caching DNS resolver"
+description_start="Start the server"
+description_stop="Stop the server"
+description_configtest="Check the syntax of the configuration file"
+
+config_file=${config_file:-/etc/unbound/unbound.conf}
+pid_file=${pid_file:-/var/run/unbound.pid}
+
+depend() {
+ provide dns
+ need net
+ after auth-dns
+}
+
+start() {
+ configtest || return 1
+
+ ebegin "Starting unbound"
+ touch "${pid_file}"
+ chown unbound:unbound "${pid_file}"
+ unbound -c "${config_file}"
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping unbound"
+ start-stop-daemon --stop --pidfile="${pid_file}"
+ eend $?
+}
+
+configtest() {
+ ebegin "Checking config"
+ unbound-checkconf "${config_file}" > /dev/null 2>&1
+ local RESULT=$?
+ if test "$RESULT" != 0; then
+ eerror "`unbound-checkconf "${config_file}" 2>&1`"
+ eend 1
+ fi
+ eend "$RESULT"
+}
|
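Review bot: stop() signals whatever PID is stored in `${pid_file}` with no check that it belongs to unbound, and start() runs `touch`/`chown unbound:unbound` as root on that same path; once the pid file or its directory is writable by the unbound user (which is the case for the chroot layout the bundled howto describes, where the pid file sits in a directory chowned to unbound), a compromised resolver can redirect root's chown to another file through a symlink or make the stop action kill an arbitrary process. At minimum pin the stop to the daemon, `start-stop-daemon --stop --pidfile="${pid_file}" --name unbound`, and do not follow links when fixing ownership, `chown -h unbound:unbound "${pid_file}"`. Whether the pid file needs pre-creating at all depends on whether unbound writes it before dropping privileges, which the hunk does not show; if it does, the touch/chown lines can be dropped, which also avoids chowning a wrong path when conf.d is misconfigured. Separately, configtest runs `unbound-checkconf` twice on failure; capturing the output once into a variable and printing it with eerror avoids that.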