
chroot

Open hdatma opened this issue 3 years ago • 5 comments

Hello,

I have a problem with both nsd and unbound and I need direction on how to solve it. I need to respect standards, namely write the variable data under /var while keeping the read-only data and executables under /usr, where /usr is read-only in my case. Chroot seems to force non-compliance: it works if I put everything under /var and it fails otherwise. Did any of you manage to have a compliant chroot?

Thank you


[/usr] "is the second major section of the filesystem. /usr is shareable, read-only data. That means that /usr should be shareable between various FHS-compliant hosts and must not be written to. Any information that is host-specific or varies with time is stored elsewhere. Large software packages must not use a direct subdirectory under the /usr hierarchy." (Filesystem Hierarchy Standard, ver. 2.3, FHSG 2004)

"/usr may be remote" (ISO 23360-1, a.k.a. "Linux Standard Base")

hdatma, May 27 '21 18:05

Hi, you seem to ask a question directed at other users. They can respond here, but we have a users mailing list for NSD and for Unbound, where people can share their experiences, and this may be what you are looking for. https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users

Most chroots are made in /etc or /var, I thought. So, /var/lib/unbound would be a usual location for the chroot directory.

wcawijngaards, May 28 '21 11:05

> Hi, you seem to ask a question directed at other users. They can respond here, but we have a users mailing list for NSD and for Unbound, where people can share their experiences, and this may be what you are looking for. https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users

No, I asked the question to the developers.

> Most chroots are made in /etc or /var, I thought. So, /var/lib/unbound would be a usual location for the chroot directory.

/var/lib/unbound is a non-compliant chroot.

hdatma, May 31 '21 14:05

Could you tell more what you are trying to do? You want some readonly data in the /usr system but a chroot as well? And for certain files, like the pid file, you need to be able to write?

It is possible on many systems to mount a directory in a location, say /var, and then that becomes accessible inside the chroot. For certain /dev and /log places. I guess also a /usr readonly directory with like data files could be made accessible in that manner? Perhaps something like mount --bind -n /usr/share/zonedata /var/lib/someplace/zonedata (or on BSD with devfs(8))?

wcawijngaards, May 31 '21 15:05

> Could you tell more what you are trying to do?

I am trying to have an ISO 23360-1 conformant chroot, where the variable data is written under /var, and the read-only data and executables are written under /usr, where /usr is both remote and read-only.

hdatma, Jul 31 '21 17:07

So, what pieces of data are you trying to have where? NSD would need access from its chroot to these pieces of data, so during the chroot, they need to be inside that chroot directory. What are valid, compliant, chroot places?

NSD allows you to configure the directories and paths, so, I guess it would likely be possible. But what needs to be where? Are you trying to both have a chroot, one directory that becomes the only accessible place during runtime, and also have a 'compliant' place which is not in that directory for a bunch of stuff?

So I suggested the bind mount solution, that allows you to put data in the place where you want it, and then also have it appear inside the chroot directory, so it can be accessed during the server runtime. This makes 'everything under chroot' happen from the bind remount calls, but meanwhile the actual files live in the places where you want them, so it would work and you can also place the files where you want them. Perhaps with the bind mount you can have the data in both the places they need to be.

wcawijngaards, Aug 02 '21 07:08
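The bind-mount arrangement suggested in the two replies above (May 31 and Aug 02), written out as an added example that is not part of the issue thread and not NSD's own code or defaults. It keeps the writable state under a chroot in /var and the read-only zone files under /usr, and exposes the /usr copy inside the chroot through a read-only bind mount so a process confined to the chroot cannot alter it. The paths `/var/lib/nsd` and `/usr/share/nsd/zones` and the file names in the `server:` section are assumptions chosen for the demonstration; the script only prints the mount commands and the config, it does not mount anything itself.

```shell
#!/bin/sh
# Added example (not from the issue). Paths below are assumptions for this
# demonstration, not NSD defaults: writable state lives in the chroot under
# /var, shipped read-only zone data lives under /usr.
CHROOT=/var/lib/nsd
RO_DATA=/usr/share/nsd/zones

# Print the commands that make $RO_DATA visible at $CHROOT/zones.
# Two steps on Linux: a plain bind, then a remount as read-only, so the
# view inside the chroot is non-writable even though /var itself is not.
bind_mount_cmds() {
    printf 'mkdir -p %s/zones\n' "$CHROOT"
    printf 'mount --bind %s %s/zones\n' "$RO_DATA" "$CHROOT"
    printf 'mount -o remount,bind,ro %s/zones\n' "$CHROOT"
}

# Emit a server: section in which every file NSD opens after chrooting
# resolves inside $CHROOT. Variable data stays under /var; the zone
# directory is the read-only bind mount of the /usr copy.
nsd_conf() {
    cat <<EOF
server:
    chroot: "$CHROOT"
    zonesdir: "$CHROOT/zones"
    pidfile: "$CHROOT/nsd.pid"
    logfile: "$CHROOT/nsd.log"
    xfrdfile: "$CHROOT/xfrd.state"
    zonelistfile: "$CHROOT/zone.list"
EOF
}

# True when a path lies inside the chroot directory.
inside_chroot() {
    case "$1" in
        "$CHROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-start check: every path option in the generated config must be
# inside the chroot, otherwise NSD cannot reach it once it has chrooted.
# (exit inside the pipeline only leaves the while-loop subshell, which
# makes the pipeline, and so the function, return non-zero.)
check_conf_paths() {
    nsd_conf \
      | grep -E '^ *(zonesdir|pidfile|logfile|xfrdfile|zonelistfile):' \
      | sed 's/.*: "\(.*\)"$/\1/' \
      | while read -r p; do
            inside_chroot "$p" || { echo "outside chroot: $p" >&2; exit 1; }
        done
}

# Stand-alone use: show the mounts, the config, and the check result.
if [ "${1:-}" = "show" ]; then
    bind_mount_cmds
    nsd_conf
    check_conf_paths && echo "all configured paths are inside $CHROOT"
fi
```

The printed mount commands have to run (as root) before NSD starts, for example from an fstab entry or the service unit, so that the zone files are already visible under the chroot when the daemon chroots; the config itself is written with the full chroot-prefixed paths, as the check function expects.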