
chroot is not acknowledged by auth-zone zonefile path

Open puneetsharma1207 opened this issue 3 years ago • 4 comments

Hi team,

We have working unbound setup with auth-zone configured for internal zones.

When we try to enable chroot for this setup,

```
#chroot: ""
chroot: "/etc/unbound"
```

it always throws an error that the auth-zone zone file is not found.

```
auth-zone:
    name: corp
    for-downstream: no
    for-upstream: yes
    zonefile: "/etc/unbound/conf.d/corp.zone"
```

If I remove chroot, everything works fine.

I already tried all possible combinations for the zone file path, both absolute and relative to the chroot path:

Error:

```
Apr 12 11:15:11 lvendnsubd002u unbound-checkconf[3499579]: [1649747711] unbound-checkconf[3499579:0] error: cannot open zonefile /conf.d/corp.zone for corp.: No suc>
Apr 12 11:15:11 lvendnsubd002u unbound-checkconf[3499579]: [1649747711] unbound-checkconf[3499579:0] fatal error: Could not setup authority zones
Apr 12 11:15:11 lvendnsubd002u systemd[1]: unbound.service: Control process exited, code=exited status=1
Apr 12 11:15:11 lvendnsubd002u systemd[1]: unbound.service: Failed with result 'exit-code'.
Apr 12 11:15:11 lvendnsubd002u systemd[1]: Failed to start Unbound recursive Domain Name Server.
Apr 12 11:18:32 lvendnsubd002u systemd[1]: Starting Unbound recursive Domain Name Server...
Apr 12 11:18:32 lvendnsubd002u unbound-checkconf[3500027]: [1649747912] unbound-checkconf[3500027:0] error: cannot open zonefile /conf.d/corp.zone for corp.: No suc>
Apr 12 11:18:32 lvendnsubd002u unbound-checkconf[3500027]: [1649747912] unbound-checkconf[3500027:0] fatal error: Could not setup authority zones
Apr 12 11:18:32 lvendnsubd002u systemd[1]: unbound.service: Control process exited, code=exited status=1
Apr 12 11:18:32 lvendnsubd002u systemd[1]: unbound.service: Failed with result 'exit-code'.
Apr 12 11:18:32 lvendnsubd002u systemd[1]: Failed to start Unbound recursive Domain Name Server.
Apr 12 11:18:55 lvendnsubd002u systemd[1]: Starting Unbound recursive Domain Name Server...
Apr 12 11:18:55 lvendnsubd002u unbound-checkconf[3500042]: unbound-checkconf: no errors in /etc/unbound/unbound.conf
Apr 12 11:18:55 lvendnsubd002u bash[3500044]: Updates of root keys with unbound-anchor is disabled
```

If you require, I can share the entire conf file as well.

The access permissions for all the files are set with `cd /etc/unbound; chown -R root:unbound *`.

Appreciate any help on this.

puneetsharma1207 avatar Apr 12 '22 07:04 puneetsharma1207

It seems to work fine here. Also the error report looks strange. There is the report that unbound-checkconf cannot open the file, and it has already applied the chroot, but this does not happen for me, then unbound-checkconf complains about that again when the server is started again, and then unbound-checkconf[3500042] does not complain about anything.

For me, when chroot is enabled, unbound-checkconf removes the chroot setting, and the auth-zone code uses the absolute path to the file to open the file during the unbound-checkconf run, that is the /etc/... path. And that should work. But for you, this is not what happens. Could you put a print message in the code there to see how that can be?

index d3e93a62..0fc6c396 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -1573,6 +1573,7 @@ auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg)
                return 1; /* no file, or "", nothing to read */
        
        zfilename = z->zonefile;
+       log_info("chrootdir is %s", cfg->chrootdir?cfg->chrootdir:"nothing");
        if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
                cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
                zfilename += strlen(cfg->chrootdir);
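Review bot: the added `log_info("chrootdir is %s", ...)` is a one-off diagnostic and should not be merged as-is, since `log_info` is not gated by the verbosity setting and the line would show up in every zone load; a `verbose(VERB_ALGO, ...)` call, or dropping it once the report is understood, is the cleaner choice. It is nevertheless the right probe for this issue: the two context lines that follow it strip `cfg->chrootdir` from `zfilename` whenever it matches as a prefix, and with the reporter's values that turns `/etc/unbound/conf.d/corp.zone` into exactly the `/conf.d/corp.zone` that appears in their `cannot open zonefile` error, which is what a non-chrooted `unbound-checkconf` with a still-set `chrootdir` would try to open. Separately, `strncmp(zfilename, cfg->chrootdir, strlen(cfg->chrootdir)) == 0` also matches paths that merely share the prefix (chroot `/etc/unbound` against a zonefile under `/etc/unbound-old/`), so checking that the character after the prefix is `/` or the end of the string would make the strip safer.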

For me that prints chrootdir is nothing, when unbound-checkconf is run. But for unbound, it would have a chrootdir at that point.

wcawijngaards avatar Apr 12 '22 08:04 wcawijngaards
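To make the path handling discussed above concrete, here is an added example (my code, not Unbound's) that mirrors the prefix strip from the hunk with the reporter's configuration values and shows why a process that has not entered the chroot ends up looking for `/conf.d/corp.zone`. Helper names are hypothetical, and the stricter boundary-checked variant at the end goes beyond what the hunk does.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Unbound's own code (helper names are hypothetical): it
 * mirrors the strncmp/strlen prefix strip from the auth_zone_read_zonefile()
 * hunk above, to show which path ends up being opened for the reporter's
 * config. The daemon opens this path only after it has entered the chroot. */
const char *zonefile_after_chroot(const char *zonefile, const char *chrootdir)
{
	size_t n;
	if(!chrootdir || !chrootdir[0])
		return zonefile;	/* no chroot configured: open the path as-is */
	n = strlen(chrootdir);
	if(strncmp(zonefile, chrootdir, n) == 0)
		return zonefile + n;	/* "/etc/unbound/conf.d/corp.zone" -> "/conf.d/corp.zone" */
	return zonefile;
}

/* unbound-checkconf never calls chroot(), so it must keep the absolute path
 * (which is why it clears chrootdir first). If a checkconf still carried
 * chrootdir here it would try the stripped path from outside the chroot:
 * the "/conf.d/corp.zone" that the reporter's error line shows. */
const char *path_to_open(const char *zonefile, const char *chrootdir, int entered_chroot)
{
	return entered_chroot ? zonefile_after_chroot(zonefile, chrootdir) : zonefile;
}

/* Stricter variant: strip only on a directory boundary, so chroot
 * "/etc/unbound" does not mangle "/etc/unbound-old/corp.zone" into
 * "-old/corp.zone"; a trailing slash in chrootdir is tolerated. */
const char *zonefile_after_chroot_strict(const char *zonefile, const char *chrootdir)
{
	size_t n;
	if(!chrootdir || !chrootdir[0])
		return zonefile;
	n = strlen(chrootdir);
	while(n > 1 && chrootdir[n-1] == '/') n--;	/* ignore trailing slashes */
	if(strncmp(zonefile, chrootdir, n) == 0 && (zonefile[n] == '/' || zonefile[n] == '\0'))
		return zonefile[n] ? zonefile + n : "/";
	return zonefile;
}

int main(void)
{
	const char *zf = "/etc/unbound/conf.d/corp.zone", *cr = "/etc/unbound";
	printf("checkconf (not chrooted) should open: %s\n", path_to_open(zf, cr, 0));
	printf("daemon (after chroot) opens:          %s\n", path_to_open(zf, cr, 1));
	printf("checkconf with stale chrootdir tries: %s\n", zonefile_after_chroot(zf, cr));
	return 0;
}
```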

Hi @wcawijngaards,

Thanks for the update.

Can I know the unbound version you're running? We are using unbound version 1.7.3. Not sure whether this version has any issues.

Thanks,

eshankar43 avatar Apr 13 '22 10:04 eshankar43

The most recent is 1.15.0, https://github.com/NLnetLabs/unbound/releases/tag/release-1.15.0. There have been many changes since 1.7.3. I am using the code repository version, which is the most recent, with the changes made since 1.15.0.

wcawijngaards avatar Apr 13 '22 11:04 wcawijngaards

Please request a backport of a fix for this issue on bugzilla.redhat.com if you use RHEL8 or derivatives. This issue can be easily fixed there, but updating to the latest release is not so simple, because it would break ABI.

pemensik avatar Apr 27 '22 18:04 pemensik