date=`date +'%b %e, %Y'`
-ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service"
+ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service"
ac_config_headers="$ac_config_headers config.h"
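Review bot: configure is generated output, so the unbound_nochroot.service to unbound_portable.service rename in this ac_config_files list must also be made in the AC_CONFIG_FILES list of configure.ac, which this patch does not touch; otherwise the next autoreconf silently reverts the change and contrib/unbound_portable.service stops being produced.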
"contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;;
"contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;;
"contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;;
- "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;;
+ "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;;
"config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
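Review bot: with this case arm gone, the previously generated contrib/unbound_nochroot.service is no longer produced or cleaned by configure; check that no Makefile install or clean rule, .gitignore entry or packaging spec still references that output name, and that a stale copy left in an existing build tree does not get installed alongside the new unit.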
Contributed by Yuri Voinov.
* unbound.socket and unbound.service: systemd files for unbound, install them
in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
-* unbound_nochroot.service.in: systemd file for use with chroot: "", see
- comments in the file, it uses systemd protections instead. Contributed
- by Frzk.
+* unbound_portable.service.in: systemd file for use unbound as portable service,
+ see comments in the file. Contributed by Frzk.
* redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
instead of SERVFAIL. Contributed by SIDN.
* fastrpz.patch: fastrpz support from Farsight Security.
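Review bot: the new README entry drops the one fact an operator needs to know before using this unit, that it requires `chroot: ""` and relies on systemd sandboxing instead, which the unit's own header still states; also "systemd file for use unbound as portable service" is ungrammatical. Suggest: `* unbound_portable.service.in: systemd file for running unbound as a portable service (requires chroot: "", the unit relies on systemd protections instead), see comments in the file. Contributed by Frzk.`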
+++ /dev/null
-; This unit file is provided to run unbound without chroot.
-;
-; To use this unit file, please make sure you either compile unbound with the
-; following options:
-;
-; - --with-pidfile=/run/unbound/unbound.pid
-; - --with-chroot-dir=""
-;
-; Or put the following options in your unbound configuration file:
-;
-; - chroot: ""
-; - pidfile: /run/unbound/unbound.pid
-;
-; Running without the chroot doesn't mean it's less secure. Simply put, we will
-; instead rely on a few systemd directives to harden the service.
-; To quote systemd : it's like a chroot on steroids !
-;
-; The most important parts are :
-;
-; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-; read-only for the processes invoked by the unit except for the API file
-; system subtrees /dev, /proc and /sys (which are protected by
-; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-; - `PrivateTmp=yes` secures access to temporary files of the process, and
-; makes sharing between processes via /tmp or /var/tmp impossible.
-;
-; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-; inaccessible and empty for processes invoked by the unit.
-;
-; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-; the unit. It also implies `MountAPIVFS=yes`.
-;
-; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-; unit User and Group with read-write permissions (0755) as soon as the
-; unit starts. This allows unbound to store its pidfile. The directory and
-; its content are automatically removed by systemd when the unit stops.
-;
-; - `NoNewPrivileges=yes` ensures that the service process and all its
-; children can never gain new privileges through execve().
-;
-; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-; scheduling in a process invoked by the unit will be denied.
-;
-; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-; is prohibited.
-;
-; - `LockPersonality=yes` locks down the personality system call so that the
-; kernel execution domain may not be changed from the default.
-;
-;
-; For further details about the directives used in this unit file, including
-; the above, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-[Unit]
-Description=Validating, recursive, and caching DNS resolver
-Documentation=man:unbound(8)
-After=network.target
-Before=network-online.target nss-lookup.target
-Wants=nss-lookup.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
-ExecReload=+/bin/kill -HUP $MAINPID
-ExecStop=+/bin/kill -TERM $MAINPID
-NotifyAccess=main
-Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
- CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-ProtectSystem=strict
-ConfigurationDirectory=unbound
-RuntimeDirectory=unbound
-BindPaths=/run/systemd/notify
-BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
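Review bot: the block of comments explaining each hardening directive (ProtectSystem=strict through LockPersonality=yes) is deleted here and not carried into the replacement file, so the rationale for running without chroot, that the sandboxing directives stand in for it, is lost to anyone reading the new unit. If the text is moved over, fix one inaccuracy while at it: it says /proc is protected by ProtectKernelTunables=, but neither this unit nor the new one sets that directive, so either add ProtectKernelTunables=yes or drop the claim.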
--- /dev/null
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+; - --with-pidfile=/run/unbound/unbound.pid
+; - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+; - chroot: ""
+; - pidfile: /run/unbound/unbound.pid
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
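Review bot: CapabilityBoundingSet on this unit still grants CAP_SYS_CHROOT even though the header above requires `chroot: ""` (either via --with-chroot-dir="" or in unbound.conf), so the capability can never be used and should be removed to narrow the bounding set; CAP_SETUID and CAP_SETGID remain necessary only because the unit sets no User= and leaves the privilege drop to unbound's `username:` setting, which the header should state. Minor: "run unbound as portable service" in the first comment line should read "as a portable service".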