Chroot jail howto for unbound

* Rationale

I had no experience whatsoever with chroot jails for daemons, and when making an
ebuild for unbound, someone suggested that I should just check it out.
Unfortunately, my ebuild skills are not that great, so making the ebuild handle
the rootjail support transparently was out of my league. Getting unbound
running within a rootjail was no problem, however. Below are my experiences.

* Assumptions

- You know your way around a Linux machine on the console
- You have root access

* Setting it up

1. Emerge unbound; switching USE flags has no effect on the steps in this guide.

2. Decide where you want your rootjail. I chose /var/lib/unbound
   throughout this manual. Then create the directory:
   # mkdir /var/lib/unbound
   # chown unbound:unbound /var/lib/unbound
   # chmod 700 /var/lib/unbound

3. Inside the chroot you'll need access to /dev/random, and possibly /dev/log
   (when using syslog, the default). The simplest way is to bind-mount /dev:
   # mkdir /var/lib/unbound/dev
   # mount -o bind /dev /var/lib/unbound/dev

   Hint: add a line to /etc/fstab to keep this persistent between reboots.

4. Move the config file into the chroot and change some settings:
   # mv /etc/unbound/unbound.conf /var/lib/unbound
   # nano /var/lib/unbound/unbound.conf

   Change the following options (or copy/paste these lines near
   the end of the file):

   chroot: "/var/lib/unbound"
   directory: "/var/lib/unbound"
   pidfile: "/var/lib/unbound/unbound.pid"

5. Change /etc/conf.d/unbound to reflect the new locations of
   the config and the pid file:

   config_file="/var/lib/unbound/unbound.conf"
   pid_file="/var/lib/unbound/unbound.pid"
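After steps 2 to 5 the jail path, the three unbound.conf settings and the two conf.d variables all have to agree, and a slip in any one of them (for example pid_file pointing at the wrong file) only shows up when the init script fails. The script below is an added example, not part of this howto or of unbound; it takes the jail, the config inside it and the conf.d file as explicit arguments and reports every mismatch it finds, plus whether the bind-mounted /dev provides /dev/random.

```shell
#!/bin/sh
# Consistency check for an unbound chroot set up as in the steps above.
# Usage: sh check_unbound_chroot.sh /var/lib/unbound \
#            /var/lib/unbound/unbound.conf /etc/conf.d/unbound

conf_value() {
    # conf_value FILE KEY: value of the last uncommented `KEY: "value"` line
    grep "^[[:space:]]*$2:" "$1" | tail -n 1 |
        sed 's/^[^:]*:[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

confd_value() {
    # confd_value FILE VAR: value of the last `VAR="value"` line
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

check_unbound_config() {
    # check_unbound_config JAIL CONF CONFD: 0 when unbound.conf and conf.d agree
    jail=$1; conf=$2; confd=$3; rc=0
    chroot_dir=$(conf_value "$conf" chroot)
    directory=$(conf_value "$conf" directory)
    pidfile=$(conf_value "$conf" pidfile)
    cfg=$(confd_value "$confd" config_file)
    pid=$(confd_value "$confd" pid_file)
    [ "$chroot_dir" = "$jail" ] || { echo "chroot: is '$chroot_dir', expected '$jail'"; rc=1; }
    case $directory in "$jail"|"$jail"/*) ;; *) echo "directory: '$directory' is outside the jail"; rc=1 ;; esac
    case $pidfile in "$jail"/*) ;; *) echo "pidfile: '$pidfile' is outside the jail"; rc=1 ;; esac
    [ "$cfg" = "$conf" ] || { echo "conf.d config_file '$cfg' does not match '$conf'"; rc=1; }
    # the pid file must be named identically in both places; a typical slip is
    # pid_file pointing at unbound.conf instead of unbound.pid
    [ "$pid" = "$pidfile" ] || { echo "conf.d pid_file '$pid' does not match pidfile '$pidfile'"; rc=1; }
    return $rc
}

check_jail_dev() {
    # check_jail_dev JAIL: 0 when the jail's /dev provides what unbound needs
    rc=0
    [ -c "$1/dev/random" ] || { echo "missing character device $1/dev/random"; rc=1; }
    [ -e "$1/dev/log" ] || echo "note: no $1/dev/log, syslog from inside the jail will not work"
    return $rc
}

if [ $# -eq 3 ]; then
    check_unbound_config "$1" "$2" "$3" && check_jail_dev "$1" && echo "chroot setup looks consistent"
fi
```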