Improvements and fixes for systemd unbound.service #76
- `ProtectKernelTunables=true`: This prevents various socket options from working as shown below.
  ```
  unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
  ```
- `CAP_NET_ADMIN` to available caps, which is needed for the `ip-transparent: yes` config option to work as shown below.
  ```
  unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
  ```
- `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals `sysconfdir`, which usually equals `/etc`, and `UNBOUND_LOCALSTATE_DIR` equals `localstatedir`, which usually equals `/var`. Allowing write access for those dirs shouldn't be needed. The only dirs unbound should be allowed to write to are `/run` (for pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.
- `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log`, `/dev/urandom` in order to use them inside chroot.
- `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.

@wcawijngaards
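As an added example (not code from this PR or from the unbound project), a systemd drop-in that applies the changes described above. The paths are assumptions: the chroot and state directory is taken to be `/var/lib/unbound`, the run directory `/run/unbound`, and the pidfile lives under that run directory.

```ini
# /etc/systemd/system/unbound.service.d/hardening.conf (added example; assumed paths)
# Overrides the distribution unit; run `systemctl daemon-reload` afterwards.
[Service]
# Deliberately not set: with ProtectKernelTunables=true unbound logs
# "so-rcvbuf ... was not granted" because it cannot raise the socket buffer.
#ProtectKernelTunables=true

# Bounding set: bind port 53, drop privileges after chroot, and
# CAP_NET_ADMIN so that `ip-transparent: yes` no longer fails with EPERM.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_NET_ADMIN

# Whole filesystem read-only except the places unbound must write.
# /etc and /var as a whole are intentionally absent from ReadWritePaths.
ProtectSystem=strict
RuntimeDirectory=unbound
ReadWritePaths=/run/unbound /var/lib/unbound

# Make host resources visible inside the chroot at /var/lib/unbound:
# the sd_notify socket, syslog socket, randomness, and the pidfile directory.
BindReadOnlyPaths=/run/systemd/notify:/var/lib/unbound/run/systemd/notify
BindReadOnlyPaths=/dev/log:/var/lib/unbound/dev/log
BindReadOnlyPaths=/dev/urandom:/var/lib/unbound/dev/urandom
BindPaths=/run/unbound:/var/lib/unbound/run/unbound

# Additional sandboxing the PR reports as safe for unbound.
RestrictNamespaces=true
LockPersonality=true
RestrictSUIDSGID=true
```

After restarting the service, check `journalctl -u unbound` for the two warnings quoted above; their absence confirms the sandbox is no longer blocking the socket options.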