State directory will be created under /var/lib/unbound and will be
useful for writing various files managed at runtime like trust
anchors updates there instead of in ConfigureDirectory which could
be made read-only next. For this chroot needs to be disabled.
The real purpose of this service is to make it work with
https://systemd.io/PORTABLE_SERVICES/ which are incompatible with
chroot workarounds from original unbound.service.
The service content is identical to unbound.service with exception
for chroot related rules which were modified as needed.
Adding 'RuntimeDirectory' is needed when pidfile path is set to
subdirectory under /run.
Adding ConfigurationDirectory may help in some non-standard setups.
Also add more descriptions about used rules to avoid user confusion
about they meaning and purpose.
This commit removes the hardcoded dependency in the libunbound
pkg-config .pc file on the libcrypto and libssl modules and instead
populates the .pc file based on which crypto library was selected at
configure time.
Note that the .pc file specifies pkg-config module names for the
"Requires" line and this can vary from the library filename (e.g. "nss"
is the pkg-config module name vs. "nss3" being the library name).
According to the pkg-config manpage, the "Libs" line in a .pc file
should give the link flags "specific to your package", and specifically
says not to include link flags for dependencies:
Libs: This line should give the link flags specific to your
package. Don't add any flags for required packages;
pkg-config will add those automatically.
- Merge PR#150 from Frzk: Systemd unit without chroot. It add
contrib/unbound_nochroot.service.in, a systemd file for use with
chroot: "", see comments in the file, it uses systemd protections
instead.
because dnscrypt-proxy (2.0.36) does not support the test setup
any more, and also the config file format does not seem to have
the appropriate keys to recreate that setup.
With this the neg and key caches can be shared between multiple
libunbound contexts.
The msg and rrset caches already allowed this since context_finalize()
did not touch those if they are already available and have the correct
size.
Care must be taken to properly unhook the caches from the validator
environment before calling ub_ctx_delete() otherwise one risks double
free or use after free bugs.
replacements for unbound-fuzzme.c that gets created after applying
the contrib/unbound-fuzzme.patch. They are contributed by
Eric Sesterhenn from X41 D-Sec.
