Bug 4142 - unbound.service.in: improvements and fixes
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Assigned To: unbound team
Reported: 2018-08-06 22:19 CEST by Guido Shanahan
Modified: 2018-08-07 10:30 CEST (History)

Description Guido Shanahan 2018-08-06 22:19:50 CEST
Below is a patch which makes some improvements and fixes to the unbound systemd service unit. The most important is the fix for IPv6, but adding the others is also strongly encouraged.

---
Add unit dependency ordering
(based on systemd-resolved)

Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet'
(fixes warnings about missing privileges during startup)

Add 'AF_INET6' to 'RestrictAddressFamilies'
(without it IPv6 can't work)
---
 contrib/unbound.service.in | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -1,6 +1,9 @@
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
 
 [Install]
 WantedBy=multi-user.target
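Review bot: `After=network.target` in the new [Unit] lines only orders unbound after the network management stack is up, not after interface addresses are assigned, so a configuration with `interface:` set to a non-loopback address can still fail to bind at boot; and since the same hunk adds `Before=network-online.target`, waiting on network-online.target instead is not an option. If that deployment case matters, the commit message or a comment in the unit should say that such setups need `ip-freebind: yes` in unbound.conf, which is unbound's own mechanism for binding before the address exists. The `Before=nss-lookup.target` plus `Wants=nss-lookup.target` pair is the right one for a local resolver and needs no change.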
@@ -10,7 +13,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
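Review bot: CAP_SYS_RESOURCE is a broad grant (it lets the process exceed resource limits such as RLIMIT_NOFILE, among other things), and the commit message only says it silences "warnings about missing privileges during startup" without naming the operation that wants it. If the warning is unbound failing to raise its file-descriptor limit, `LimitNOFILE=` in the [Service] section would give it enough descriptors without widening the bounding set; either way, please name the actual warning in the commit message so the grant can be narrowed later. Also worth checking: the unchanged SystemCallFilter line in the next hunk denies the @resources group, which covers setrlimit, so confirm that the added capability changes behaviour at all under that filter rather than just the warning text.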
@@ -21,7 +24,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=strict
 ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
-RestrictAddressFamilies=AF_INET AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
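Review bot: The AF_INET6 addition on the RestrictAddressFamilies line is the real bug fix and deserves a fuller commit message: with this directive in force, socket(AF_INET6, ...) fails with EAFNOSUPPORT, and because unbound defaults to `do-ip6: yes`, the old value made every IPv6 listener and every IPv6 upstream query fail in the default configuration, not just in explicitly IPv6-only setups. After installing the unit the effective value can be confirmed with `systemctl show -p RestrictAddressFamilies unbound.service`. One thing visible in this hunk's context, though not changed by it: ReadWritePaths= lists both /run and @UNBOUND_RUN_DIR@; if the latter resolves under /run the second entry is redundant, and if it does not, granting write access to all of /run is wider than the unit needs.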
--
Comment 1 Wouter Wijngaards 2018-08-07 10:30:48 CEST
Hi Guido,

Thank you for the fixes!  I have incorporated them into the code repository.

Best regards, Wouter