BREAKING: Move runtime chroot directory to /var/unbound

This will make it easier to override configuration files in /etc/unbound without having to provide custom root hints. Signed-off-by: Kyle Harding <[email protected]>
klutchell · Nov 15, 2023 · 2a791bd · 2a791bd
1 parent 87faa6a
commit 2a791bd
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 9 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -53,8 +53,8 @@ People _love_ thorough bug reports. I'm not even kidding.
 1. Optionally update root hints before building
 
 ```bash
-rm rootfs_overlay/etc/unbound/root.hints
-wget https://www.internic.net/domain/named.root -O rootfs_overlay/etc/unbound/root.hints
+rm rootfs_overlay/var/unbound/root.hints
+wget https://www.internic.net/domain/named.root -O rootfs_overlay/var/unbound/root.hints
 ```
 
 2. Enable docker buildkit and experimental mode

diff --git a/Dockerfile b/Dockerfile
@@ -72,8 +72,11 @@ RUN echo "${UNBOUND_SHA256}  unbound.tar.gz" | sha256sum -c - \
 # https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html#building-from-source-compiling
 RUN ./configure \
 	--prefix=/opt/usr \
-	--sysconfdir=/etc \
-	--localstatedir=/var \
+	--with-conf-file=/etc/unbound/unbound.conf \
+	--with-run-dir=/var/unbound \
+	--with-chroot-dir=/var/unbound \
+	--with-pidfile=/var/unbound/unbound.pid \
+	--with-rootkey-file=/var/unbound/root.key \
 	--disable-static \
 	--disable-shared \
 	--disable-rpath \
@@ -111,9 +114,7 @@ COPY --from=unbound /opt/usr/sbin/ /usr/sbin/
 COPY --from=ldns /opt/usr/bin/ /usr/bin/
 
 COPY --chown=unbound:unbound rootfs_overlay/etc/unbound/ /etc/unbound/
-
-# TODO: run as non-root on port 5053
-# USER unbound
+COPY --chown=unbound:unbound rootfs_overlay/var/unbound/ /var/unbound/
 
 RUN [ "unbound", "-V" ]
 # hadolint ignore=DL3059

diff --git a/rootfs_overlay/etc/unbound/unbound.conf b/rootfs_overlay/etc/unbound/unbound.conf
@@ -115,14 +115,14 @@ server:
     # nameserver  names  and  addresses  only. The default may become outdated,
     # when servers change,  therefore  it is good practice to use a root-hints
     # file.  get one from https://www.internic.net/domain/named.root
-    root-hints: /etc/unbound/root.hints
+    root-hints: root.hints
 
     # File with trust anchor for one zone, which is tracked with RFC5011 probes.
     # The probes are several times per month, thus the machine must be online frequently.
     # The initial file can be one with contents as described in trust-anchor-file.
     # The file is written to when the anchor is updated, so the unbound user must
     # have write permission.
-    auto-trust-anchor-file: /etc/unbound/root.key
+    auto-trust-anchor-file: root.key
 
     # Number of ports to open. This number of file descriptors can be opened per thread.
     # Must be at least 1. Default depends on compile options. Larger numbers need extra

diff --git a/rootfs_overlay/etc/unbound/root.hints → rootfs_overlay/var/unbound/root.hints b/rootfs_overlay/etc/unbound/root.hints → rootfs_overlay/var/unbound/root.hints
diff --git a/rootfs_overlay/etc/unbound/root.key → rootfs_overlay/var/unbound/root.key b/rootfs_overlay/etc/unbound/root.key → rootfs_overlay/var/unbound/root.key