Bug 2081958

Summary: chroot functionality isn't available in unbound-1.7.3 in RHEL8
Product: Red Hat Enterprise Linux 8
Component: unbound
Version: 8.5
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Apurbita Mukherjee <apmukher>
Assignee: Petr Menšík <pemensik>
QA Contact: Petr Sklenar <psklenar>
CC: pemensik, psklenar
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: unbound-1.16.0-1.el8
Doc Type: No Doc Update
Type: Bug
Last Closed: 2022-11-08 09:51:08 UTC
Bug Depends On: 2027735

Description Apurbita Mukherjee 2022-05-05 05:26:20 UTC
Description of problem:
chroot functionality isn't available in unbound-1.7.3 in RHEL8

Version-Release number of selected component (if applicable):
unbound-1.7.3-17.el8

How reproducible:
Always

Steps to Reproduce:
1. Add chroot: "/etc/unbound" in configuration file /etc/unbound/unbound.conf
2. Receiving following error while running command /usr/sbin/unbound-checkconf
/etc/unbound/unbound.conf:835: error: syntax error
read /etc/unbound/unbound.conf failed: 1 errors in configuration file
3. unbound daemon not starting after enabling chroot option


Actual results:
# /usr/sbin/unbound-checkconf
/etc/unbound/unbound.conf:835: error: syntax error
read /etc/unbound/unbound.conf failed: 1 errors in configuration file

# journalctl logs of unbound:

example.com systemd[1]: Started Unbound recursive Domain Name Server.
example.com unbound[1101087]: [1101087:0] error: cannot open zonefile /etc/unbound/conf.d/corp.zone for corp.: No such file or directory
example.com unbound[1101087]: [1101087:0] fatal error: auth_zones could not be setup
example.com systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
example.com systemd[1]: unbound.service: Failed with result 'exit-code'.


Expected results:
/usr/sbin/unbound-checkconf command output without any error and unbound daemon should be running fine.

Additional info:

Comment 2 Petr Menšík 2022-06-27 14:29:37 UTC
The new version contains the fixed upstream release. After a rebase to a recent version this issue should be fixed. But a test should be made to ensure we have the chroot possibility working.

Unbound is better protected with SELinux enabled and enforced, however. Chroot makes sense only in cases where SELinux cannot be used for any reason.
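
A regression check of the kind Comment 2 asks for, as an added example that is not part of this bug report or of Red Hat's test suite: it writes a scratch config containing chroot: and tells the parser failure reported here apart from other failures. The function names, the UNBOUND_CHECKCONF override and the scratch config are assumptions; the binary path and the error format are the ones shown in the description.

```shell
#!/bin/sh
# Added example: does the installed unbound-checkconf accept "chroot:"?
# Function names and UNBOUND_CHECKCONF are hypothetical; paths are scratch.

# Write a minimal config into scratch directory $1, using $1 as the chroot.
write_chroot_conf() {
    cat > "$1/unbound.conf" <<EOF
server:
    chroot: "$1"
    directory: "$1"
    username: ""
EOF
}

# Classify unbound-checkconf output ($1) and exit status ($2):
#   accepted       exit 0, the directive parsed and all checks passed
#   syntax-error   the parser rejected the file (the failure in this bug)
#   other-failure  the file parsed, but a later check failed
classify_checkconf() {
    if [ "$2" -eq 0 ]; then
        echo accepted
    elif printf '%s\n' "$1" | grep -q ': error: syntax error$'; then
        echo syntax-error
    else
        echo other-failure
    fi
}

# Extract the line number from "<file>:<line>: error: ..." output.
error_line() {
    printf '%s\n' "$1" | sed -n 's/^.*:\([0-9][0-9]*\): error: .*$/\1/p' | head -n 1
}

# Run the check against the real binary; fails only on a syntax error.
chroot_regression_check() {
    bin=${UNBOUND_CHECKCONF:-/usr/sbin/unbound-checkconf}
    [ -x "$bin" ] || { echo "skipped: $bin not found"; return 0; }
    scratch=$(mktemp -d) || return 2
    write_chroot_conf "$scratch"
    out=$("$bin" "$scratch/unbound.conf" 2>&1) && rc=0 || rc=$?
    verdict=$(classify_checkconf "$out" "$rc")
    line=$(error_line "$out")
    rm -rf "$scratch"
    echo "$verdict${line:+ at config line $line}"
    [ "$verdict" != syntax-error ]
}

if [ "${1:-}" = run ]; then chroot_regression_check; exit $?; fi
```

Invoke the script with the argument run on the host under test; a result of other-failure means the directive parsed and the remaining output of unbound-checkconf should be read for the actual cause.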

Comment 12 errata-xmlrpc 2022-11-08 09:51:08 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: unbound security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7622