From e4334b70408b3852bae4708a4c5bc5b31d11ec0c Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Tue, 27 Apr 2021 13:45:01 +0200
Subject: [PATCH 1/3] unbound.service: Add root key path to `ReadWritePaths=` If the build is configured with a non-default pathname to the root key file, for example, `--with-rootkey-file=/var/unbound/root.key`, that path needs to be read and writable by Unbound, so add it to the list of directories Unbound can read from and write to. ReadWritePaths=/etc/unbound /etc/unbound unbound[6269]: [1619522080] unbound[6269:0] fatal error: could not open autotrust file for writing, /var/unbound/root.key.6269-0-593e60: Read-only file system Resolves: https://github.com/NLnetLabs/unbound/issues/475
---
 contrib/unbound.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index a4596978d..d8a2a45b4 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -73,7 +73,7 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
-ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
 # If chroot is disabled like chroot: "" then they may be safely removed.
From 17af5e199f09daadc66ca86d20a6e4061ca7153f Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Tue, 27 Apr 2021 16:17:19 +0200
Subject: [PATCH 2/3] unbound.service: Use `RuntimeDirectory=@UNBOUND_RUN_DIR@`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
That’s semantically more correct than putting it in `ReadWritePaths`. It normally maps to `/run` and is cleared when the service is stopped.
---
 contrib/unbound.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
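Review bot: Listing the key file itself on the `ReadWritePaths=` line of patch 1/3 probably does not clear the error quoted in the commit message, because the path that failed there is a temporary sibling (`/var/unbound/root.key.6269-0-593e60`) created next to the key, so it is the containing directory that must be writable under `ProtectSystem=strict`. This assumes `@UNBOUND_ROOTKEY_FILE@` expands to the file path given to `--with-rootkey-file`, as its name suggests. A path in `ReadWritePaths=` must also exist when the unit starts unless it carries a `-` prefix, so a first start before the key has been written could fail at namespace setup. I would use `ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ -<directory holding the root key>`, where the last entry is a placeholder for a build-time substitution this patch does not show, and keep that directory limited to trust-anchor state so the writable area stays small. The unit's service section continues outside the hunk.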
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index d8a2a45b4..9cda6c2bb 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -63,7 +63,7 @@ ProtectHome=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
-RuntimeDirectory=unbound
+RuntimeDirectory=@UNBOUND_RUN_DIR@
 ConfigurationDirectory=unbound
 StateDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
@@ -73,7 +73,7 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
-ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@
+ReadWritePaths=@UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
 # If chroot is disabled like chroot: "" then they may be safely removed.
From f2a2d9c1e9497d04cbbb85fc3d5b04f78b288151 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Tue, 27 Apr 2021 16:20:26 +0200
Subject: [PATCH 3/3] unbound.service: Use `ConfigurationDirectory=@UNBOUND_SYSCONF_DIR@` This is configured when building Unbound, so use it.
---
 contrib/unbound.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index 9cda6c2bb..ea03e0883 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -64,7 +64,7 @@ ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
 RuntimeDirectory=@UNBOUND_RUN_DIR@
-ConfigurationDirectory=unbound
+ConfigurationDirectory=@UNBOUND_SYSCONF_DIR@
 StateDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
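Review bot: `RuntimeDirectory=` takes a name relative to `/run`, not an absolute path, so `RuntimeDirectory=@UNBOUND_RUN_DIR@` in the first hunk of patch 2/3 will not be accepted by systemd if the substitution is absolute, which it appears to be since patch 1/3 used the same variable in `ReadWritePaths=` and its commit message shows the expansion as `/etc/unbound`. Because the second hunk of patch 2/3 also drops `@UNBOUND_RUN_DIR@` from `ReadWritePaths=`, the run directory would then be neither created by systemd nor writable under `ProtectSystem=strict`. `ConfigurationDirectory=@UNBOUND_SYSCONF_DIR@` in patch 3/3 has the same problem if that variable is absolute, since the setting takes a name relative to `/etc`. I would keep `RuntimeDirectory=unbound` and `ConfigurationDirectory=unbound`, and leave `@UNBOUND_RUN_DIR@` in `ReadWritePaths=` for builds whose run directory lies outside `/run`.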