permission denied errors writing to log, pid file in non-standard location
I'm posting this because it took me a long time to fix this, and the solution is not obvious since it's not Unbound that's causing the error, so hopefully it'll help anyone else having this problem.
I'm running Unbound on Ubuntu with AppArmor on, which is what's causing the problem.
The standard log is written to /var/log/unbound.log and the PID to /run/unbound.pid. The unbound process doesn't have privileges in either directory, so the service kind of runs, without a PID or logs. Creating directories in both /run and /var/log owned by user unbound and attempting to write the corresponding logs and PID there also fails, but now it's because of permissions in AppArmor. The only way to fix this issue, or to have a PID/log in any other location that's writable by user unbound, is to start the service, kill it, then run aa-logprof after.
If there's another way to do this, please let me know.
Hi!
If there is an AppArmor profile for Unbound in that system then you need to update that for the aforementioned directories (I guess this is what happened already with aa-logprof).
Another solution would be to change the destination of those files via Unbound's configuration file with logfile: and pidfile: respectively.
I assume that the default AppArmor profile would permit access to Unbound's default location (usually /etc/unbound/ or /usr/local/etc/unbound/), so writing there would have no permission problems.
BTW, is this Unbound installed from the Ubuntu packages? I find it strange that the default configuration does not match a shipped AppArmor profile. If this is the case, it would be helpful if you also reported this to the Ubuntu package maintainers.
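To confirm that AppArmor, rather than file ownership, is what blocks the writes discussed in this thread, the kernel audit log can be checked for DENIED entries. The following is an added example, not part of the original thread or of Unbound itself: it parses constructed sample audit lines (the paths, PIDs and profile names are assumptions) and derives candidate file rules of the kind aa-logprof would propose for review.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines (not from the thread); the directories
# /run/unbound and /var/log/unbound are assumed for illustration.
SAMPLE_LOG = '''\
audit: type=1400 audit(1700000000.101:51): apparmor="DENIED" operation="mknod" profile="/usr/sbin/unbound" name="/run/unbound/unbound.pid" pid=812 comm="unbound" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.203:52): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=812 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
audit: type=1400 audit(1700000001.300:53): apparmor="ALLOWED" operation="open" profile="/usr/sbin/unbound" name="/etc/unbound/unbound.conf" pid=812 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000002.412:54): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntp.log" pid=900 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1700000003.500:55): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=812 comm="unbound" capability=1 capname="dac_override"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in an audit record


def denied_paths(log_text, comm="unbound"):
    """Return {path: set of denied mask letters} for file denials of one command."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("comm") != comm:
            continue
        path = fields.get("name")
        if path is None:  # e.g. capability denials carry no file path
            continue
        denied[path].update(fields.get("denied_mask", ""))
    return dict(denied)


def suggest_rules(denied):
    """Turn denied masks into profile file rules to review before adding."""
    rules = []
    for path, mask in sorted(denied.items()):
        # Audit masks 'c' (create) and 'd' (delete) are granted by 'w' in a rule.
        perms = {"w" if m in "cd" else m for m in mask}
        if "w" in perms:
            perms.discard("a")  # 'a' and 'w' cannot be combined in one rule
        rules.append(f"  {path} {''.join(p for p in 'rwaklmx' if p in perms)},")
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(denied_paths(SAMPLE_LOG))))
```

On a live system the same lines would come from the kernel log or audit log instead of `SAMPLE_LOG`; each suggested rule should be checked against what the daemon actually needs before it goes into the profile.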
Closing this as inactive and a non-issue. Feel free to reopen/tag.