- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
and Frzk. Updates the unbound.service systemd file and adds
a portable systemd service file.
Pidfiles aren't needed while running unbound through systemd.
The PID of the unbound daemon can still be obtained with:
'systemctl show --property MainPID --value unbound'.
While disabling pidfiles we can also drop CAP_CHOWN and writable
/run directory.
CAP_IPC_LOCK controls whether a process can lock pages into physical
memory (for instance to prevent passwords or private keys from
being swapped to disk), e.g. mmap() with the MAP_LOCKED flag or
shmctl() with the SHM_LOCK command, neither of which seem to be
used by unbound.
State directory will be created under /var/lib/unbound and will be
useful for writing various files managed at runtime like trust
anchors updates there instead of in ConfigureDirectory which could
be made read-only next. For this chroot needs to be disabled.
The real purpose of this service is to make it work with
https://systemd.io/PORTABLE_SERVICES/ which are incompatible with
chroot workarounds from original unbound.service.
The service content is identical to unbound.service with exception
for chroot related rules which were modified as needed.
Adding 'RuntimeDirectory' is needed when pidfile path is set to
subdirectory under /run.
Adding ConfigurationDirectory may help in some non-standard setups.
Also add more descriptions about used rules to avoid user confusion
about they meaning and purpose.
This commit removes the hardcoded dependency in the libunbound
pkg-config .pc file on the libcrypto and libssl modules and instead
populates the .pc file based on which crypto library was selected at
configure time.
Note that the .pc file specifies pkg-config module names for the
"Requires" line and this can vary from the library filename (e.g. "nss"
is the pkg-config module name vs. "nss3" being the library name).
According to the pkg-config manpage, the "Libs" line in a .pc file
should give the link flags "specific to your package", and specifically
says not to include link flags for dependencies:
Libs: This line should give the link flags specific to your
package. Don't add any flags for required packages;
pkg-config will add those automatically.
Add a new configure option `--with-libbsd', which allows to use libbsd's
portable implementations of:
strlcpy strlcat arc4random arc4random_uniform reallocarray
instead of the embedded code copies in contrib/, which will be
difficult to maintain in the long term.
Also patch util/random.c so that, when building with libbsd and without
OpenSSL, arc4random can still be used as the PRNG. Otherwise, building
with libnettle would need a kernel-specific getentropy implementation,
and libbsd does not export one.
[edmonds@debian.org: Imported patch description from BTS, refreshed
patch against Unbound 1.9.6.]
- Merge PR#150 from Frzk: Systemd unit without chroot. It add
contrib/unbound_nochroot.service.in, a systemd file for use with
chroot: "", see comments in the file, it uses systemd protections
instead.
because dnscrypt-proxy (2.0.36) does not support the test setup
any more, and also the config file format does not seem to have
the appropriate keys to recreate that setup.
