Chroot jail howto for unbound

I had no experience whatsoever with chroot jails for daemons, and when making an
ebuild for unbound, someone suggested that I should just check it out.
Unfortunately, my ebuild skills are not that great, so making the ebuild handle
the rootjail support transparently was out of my league. Getting unbound
running within a rootjail was no problem, however. Below are my experiences.

- You know your way around a Linux machine on the console
- You have root access

1. Emerge unbound. Switching USE flags has no effect on the steps in this guide.

2. Decide where you want your rootjail. I use /var/lib/unbound
   throughout this manual. Then create the directory:
     # mkdir /var/lib/unbound
     # chown unbound:unbound /var/lib/unbound
     # chmod 700 /var/lib/unbound

3. Inside the chroot you'll need access to /dev/random, and possibly /dev/log
   (when using syslog, the default). The simplest way is to bind-mount /dev
   (note that this exposes all of the host's device nodes inside the jail,
   not only those two):
     # mkdir /var/lib/unbound/dev
     # mount -o bind /dev /var/lib/unbound/dev

   Hint: add a line to /etc/fstab to keep this persistent between reboots.

4. Move the config file into the chroot and change some settings:
     # mv /etc/unbound/unbound.conf /var/lib/unbound
     # nano /var/lib/unbound/unbound.conf

   Change following options (or copy/paste these lines near

     chroot: "/var/lib/unbound"
     directory: "/var/lib/unbound"
     pidfile: "/var/lib/unbound/unbound.pid"

5. Change /etc/conf.d/unbound to reflect the new locations of
   the config and the pid file.

     config_file="/var/lib/unbound/unbound.conf"
     pid_file="/var/lib/unbound/unbound.pid"
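
Steps 4 and 5 keep the same paths in two files, so a typo in either one leaves the init script and the daemon disagreeing about where things live. The script below is an added example, not part of the original howto or of unbound itself: it compares the two files against the layout used in this guide. The function names and the sample files written by demo() are constructed for the example.

```shell
# Added example: check that unbound.conf and /etc/conf.d/unbound agree on this guide's layout.

# Value of an unbound.conf option, e.g.: conf_value chroot FILE
conf_value() {
    awk -v key="$1:" '$1 == key { v = $2; gsub(/"/, "", v); print v }' "$2" | tail -n 1
}

# Value of a shell-style assignment, e.g.: initd_value pid_file FILE
initd_value() {
    awk -F= -v key="$1" '$1 == key { v = $2; gsub(/"/, "", v); print v }' "$2" | tail -n 1
}

# check_jail UNBOUND_CONF CONFD_FILE -> returns 0 if consistent, 1 otherwise
check_jail() {
    rc=0
    jail=$(conf_value chroot "$1")
    dir=$(conf_value directory "$1")
    pid=$(conf_value pidfile "$1")
    init_conf=$(initd_value config_file "$2")
    init_pid=$(initd_value pid_file "$2")
    [ -n "$jail" ] || { echo "FAIL: chroot: is not set in $1"; return 1; }
    case "$dir" in
        "$jail"|"$jail"/*) ;;
        *) echo "FAIL: directory '$dir' is outside chroot '$jail'"; rc=1 ;;
    esac
    case "$init_conf" in
        "$jail"/*) ;;
        *) echo "FAIL: config_file '$init_conf' is outside chroot '$jail'"; rc=1 ;;
    esac
    [ "$init_pid" = "$pid" ] || { echo "FAIL: pid_file '$init_pid' != pidfile '$pid'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: settings are consistent"
    return "$rc"
}

# Constructed sample: the settings from this guide, written to a temp dir.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'server:' '  chroot: "/var/lib/unbound"' '  directory: "/var/lib/unbound"' \
        '  pidfile: "/var/lib/unbound/unbound.pid"' > "$d/unbound.conf"
    printf '%s\n' 'config_file="/var/lib/unbound/unbound.conf"' \
        'pid_file="/var/lib/unbound/unbound.pid"' > "$d/confd"
    check_jail "$d/unbound.conf" "$d/confd"; r=$?
    rm -rf "$d"; return "$r"
}
demo
```

On a real system, call check_jail /var/lib/unbound/unbound.conf /etc/conf.d/unbound after finishing step 5.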