I am running unbound. I have defined an AA profile for it. From time to time unbound does not start. The reason I find in the logs: could not open autotrust-file for writing /var/lib/unbound/root.key.2112-0 permission denied.
I tried to set AA to complain, but it does not encounter anything to complain about and adapt. I recall I granted the right to that process in AA.
Moreover, when I start unbound by hand with "service" the process starts without any problem, and without giving an error. So the issue seems to occur only when it tries to update the autotrust file. So I do not understand why it needs to write to autotrust, and I would like to know what permissions it should have, to compare with the ones I have:
entropia@roadrunner:~> ls -l /var/lib/unbound/
total 4
-rw-r--r-- 1 unbound unbound 1251 20 Jan 02:14 root.key
Seems about right?? Or does the permission here need to be root:unbound?
Thanks in advance. (Once it runs it is fast and reliable, but it is irritating that it falls back all the time due to this error.)

On Wednesday 20 January 2021 02:28:53 CET Stakanov wrote:
Is that a systemd service? If so, this looks like a timing issue. Something else needs to be done first, before unbound can start. You'd have to look at the status of the service if it doesn't run, or find out with journalctl
--
Gertjan Lettink a.k.a. Knurpht
openSUSE Board
openSUSE Forums Team
On Wednesday 20 January 2021 02:37:46 CET, Knurpht-openSUSE wrote:
On Wednesday 20 January 2021 02:28:53 CET Stakanov wrote:
I am running unbound. I have defined an AA profile for it. From time to time unbound does not start. The reason I find in the logs: could not open autotrust-file for writing /var/lib/unbound/root.key.2112-0 permission denied.
I tried to set AA to complain, but it does not encounter anything to complain about and adapt. I recall I granted the right to that process in AA.
Moreover, when I start unbound by hand with "service" the process starts without any problem, and without giving an error. So the issue seems to occur only when it tries to update the autotrust file. So I do not understand why it needs to write to autotrust, and I would like to know what permissions it should have, to compare with the ones I have:
entropia@roadrunner:~> ls -l /var/lib/unbound/
total 4
-rw-r--r-- 1 unbound unbound 1251 20 Jan 02:14 root.key
Seems about right?? Or does the permission here need to be root:unbound?
Thanks in advance. (Once it runs it is fast and reliable, but it is irritating that it falls back all the time due to this error.)
Is that a systemd service? If so, this looks like a timing issue. Something else needs to be done first, before unbound can start. You'd have to look at the status of the service if it doesn't run, or find out with journalctl
It is actually again an AA problem. Once put in complain mode and checking the logs, I found the two or three rules that served the "update anchor" service. And no, they are independent services AFAIK, but I have to say, the possibility to run DNS servers in "round robin" and to have all DNSSEC validated is great. One has to be sure though that all servers work and the list is updated, because that function can give trouble if one does not respond at all.
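What the "update anchor" rules have to cover: unbound's auto-trust-anchor-file handling (RFC 5011 key rollover) does not rewrite root.key in place. It writes the new anchor state to a temporary file named after the anchor file plus the process id and thread number (the root.key.2112-0 in the log line above) and then renames that over root.key, so the profile needs write access to both names. The script below is an added example for this thread, not code from the thread or from the unbound or AppArmor projects: it turns DENIED audit entries for a profile into candidate file rules, collapsing the per-process temporary name to a glob so the rule survives a different pid. The audit lines are constructed to match the thread's error; the profile name unbound and the uid 476 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: derive AppArmor rules for unbound's
# trust-anchor update from DENIED audit entries. unbound writes the new
# anchor to "<anchor>.<pid>-<thread>" and renames it over the anchor file,
# so both names need write access in the profile. The profile name
# "unbound" and the uid 476 below are assumptions.

# Constructed sample audit lines (not taken from a real system): the first
# matches the "could not open autotrust-file for writing" error from the
# thread, the second is the rename over root.key, the third is an allowed
# access that must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1611103733.123:456): apparmor="DENIED" operation="open" profile="unbound" name="/var/lib/unbound/root.key.2112-0" pid=2112 comm="unbound" requested_mask="wc" denied_mask="wc" fsuid=476 ouid=476
type=AVC msg=audit(1611103733.456:457): apparmor="DENIED" operation="rename_dest" profile="unbound" name="/var/lib/unbound/root.key" pid=2112 comm="unbound" requested_mask="w" denied_mask="w" fsuid=476 ouid=476
type=AVC msg=audit(1611103733.789:458): apparmor="ALLOWED" operation="open" profile="unbound" name="/etc/unbound/unbound.conf" pid=2112 comm="unbound" requested_mask="r" denied_mask="r" fsuid=476 ouid=0'

# suggest_rules PROFILE: read audit lines on stdin and print one candidate
# file rule per distinct path among PROFILE's DENIED entries.
suggest_rules() {
    grep 'apparmor="DENIED"' | grep "profile=\"$1\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    while read -r path mask; do
        # Collapse unbound's per-process temporary name (<anchor>.<pid>-<thread>)
        # to a glob so the rule does not depend on one pid.
        path=$(printf '%s\n' "$path" | sed 's/\.[0-9][0-9]*-[0-9][0-9]*$/.*/')
        # Map the audit mask to profile permissions: r stays r; w, c (create),
        # a (append) and d (delete) are all granted by w.
        perms=""
        case $mask in *r*) perms="r" ;; esac
        case $mask in *[wcad]*) perms="${perms}w" ;; esac
        printf '%s %s,\n' "$path" "$perms"
    done | LC_ALL=C sort -u
}

# Run on the constructed lines; on a live system feed it the output of
# `journalctl -k` or /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules unbound
```

The two rules this prints, `/var/lib/unbound/root.key w,` and `/var/lib/unbound/root.key.* w,`, are merged with the read rule the profile already has, giving `/var/lib/unbound/root.key rw,` and `/var/lib/unbound/root.key.* rw,`; AppArmor needs w on both the source and the destination of a rename. The same replace-by-rename pattern decides the DAC question in the thread: creating the temporary file and renaming it over root.key require write permission on the /var/lib/unbound directory for the user unbound runs as, not on root.key itself, so a root:unbound 0644 anchor in an unbound-writable directory works, while an unbound-owned anchor in a root-owned 0755 directory does not.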
On Wed, Jan 20, 2021 at 02:28:53AM +0100, Stakanov wrote: [...]
entropia@roadrunner:~> ls -l /var/lib/unbound/
total 4
-rw-r--r-- 1 unbound unbound 1251 20 Jan 02:14 root.key
Seems about right?? Or does the permission here need to be root:unbound?
[...]
I have:
-rw-r--r-- 1 root unbound 653 Dec 4 20:47 root.key
and I haven't seen issues. But I am not using Apparmor.
--
============================
Roger Whittaker
============================
On Wednesday 20 January 2021 10:28:15 CET, Roger Whittaker wrote:
On Wed, Jan 20, 2021 at 02:28:53AM +0100, Stakanov wrote:
[...]
entropia@roadrunner:~> ls -l /var/lib/unbound/
total 4
-rw-r--r-- 1 unbound unbound 1251 20 Jan 02:14 root.key
Seems about right?? Or does the permission here need to be root:unbound?
[...]
I have:
-rw-r--r-- 1 root unbound 653 Dec 4 20:47 root.key
and I haven't seen issues. But I am not using Apparmor.
If this is the default, I am going to chown it. I just have to put it in complain mode afterwards. Thanks for the info.
participants (3)
- Knurpht-openSUSE
- Roger Whittaker
- Stakanov