Jailing the process in a chroot
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Modern Linux distributions, with systemd for process management, do a better job of constraining PowerDNS than chroot can.
+We strongly suggest using distribution/OS features for process containment instead of the :ref:`setting-chroot` option.
+The text below is kept for those users that have specific reasons to prefer chroot.
+chroot functionality is not actively tested during development and might break during upgrades.
+
The :ref:`setting-chroot` option secures PowerDNS to its own directory so that even if it should become compromised and under control of external influences, it will have a hard time affecting the rest of the system.
Even though this will hamper hackers a lot, chroot jails have been known to be broken.
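Review bot: the added paragraph tells readers to use "distribution/OS features" but never names one, so someone landing on this section has no next step. The settings hunks already say "We ship systemd unit files with our packages to make this easy."; repeat that sentence here or link to wherever the unit files are documented. The unchanged sentence that follows still opens with "The :ref:`setting-chroot` option secures PowerDNS", which reads oddly right after a recommendation against using it. Consider putting the new text in a warning admonition so it is visually separate from the legacy description.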
socket which should live within the chroot. It is often possible to
hardlink such a socket into the chroot dir.
-When running with master or slave support, be aware that many operating
+When running with primary or secondary support, be aware that many operating
systems need access to specific libraries (often ``/lib/libnss*``) in
order to support resolution of domain names! You can also hardlink
these.
- Path
If set, chroot to this directory for more security. See :doc:`security`.
+This is not recommended; instead, we recommend containing PowerDNS using operating system features.
+We ship systemd unit files with our packages to make this easy.
Make sure that ``/dev/log`` is available from within the chroot. Logging
will silently fail over time otherwise (on logrotate).
When running on a system where systemd manages services, ``chroot`` does
not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
-Either don't ``chroot`` on these systems or set the 'Type' of the this
+Either don't ``chroot`` on these systems or set the 'Type' of the
service to 'simple' instead of 'notify' (refer to the systemd
-documentation on how to modify unit-files)
+documentation on how to modify unit-files).
.. _setting-config-dir:
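Review bot: in the chroot setting description, the unchanged line "If set, chroot to this directory for more security." is now followed two lines later by "This is not recommended", so the entry promises more security and advises against the option in the same breath. Suggest dropping "for more security" from the first sentence, or rewording the addition to say that operating system containment is preferred over chroot. The systemd paragraph below still offers switching 'Type' to 'simple' as a workaround; a short cross-reference from there to the new recommendation would keep the two pieces of advice consistent.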
- Path to a Directory
If set, chroot to this directory for more security.
-See :doc:`security`
+This is not recommended; instead, we recommend containing PowerDNS using operating system features.
+We ship systemd unit files with our packages to make this easy.
Make sure that ``/dev/log`` is available from within the chroot.
Logging will silently fail over time otherwise (on logrotate).
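Review bot: this hunk deletes "See :doc:`security`" where the equivalent hunk for the other settings page keeps "See :doc:`security`." as context and only appends the new sentences. If the removal is intentional, the commit message should say why; otherwise keep the reference (adding the missing full stop) so readers of this page can still reach the longer chroot discussion that the new text in the security page says is "kept for those users that have specific reasons to prefer chroot".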