Unbound crash with chroot

Bug #1885907 reported by Sandy Marko Knauer
This bug affects 1 person
Affects: unbound (Debian) | Status: Fix Released | Importance: Unknown
Affects: unbound (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

If a value has been entered for chroot in unbound.conf, unbound cannot create a chroot and fails. An empty value for chroot works without problems.

Jul 01 11:27:41 ldhost unbound[18800]: [18800:0] notice: init module 0: iterator
Jul 01 11:27:41 ldhost unbound[18800]: [18800:0] warning: root hints /etc/unbound/root.hints: no NS content
Jul 01 11:27:41 ldhost unbound[18800]: [18800:0] fatal error: sd_notify failed /run/systemd/notify: No such file or directory. Make sure that unbound has access/permission to use the socket presented by>
Jul 01 11:27:41 ldhost systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE

However, this problem only seems to arise from starting with systemd. If you start unbound in the terminal with unbound -d -c /etc/unbound/unbound.conf, it will be started without error reporting.

Tags: server-next
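
A pre-flight check for the failure in the log above, added here as an example (it is not from the reporter or from the Debian package). It assumes the fatal error comes from the notify socket path not existing under the chroot directory, as the "No such file or directory" message suggests; the function names are hypothetical and the default socket path is the one shown in the log.

```shell
#!/bin/sh
# Added example: detect the chroot + sd_notify condition before starting unbound.

# Print the value of the last active "chroot:" directive in an unbound.conf.
# Prints nothing if the directive is absent, commented out, or set to "".
unbound_chroot() {
    sed -n 's/^[[:space:]]*chroot:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' |
        tail -n 1
}

# Return 0 if the notify socket path would still resolve once unbound has
# entered its chroot, 1 if it would not.
#   $1 = path to unbound.conf
#   $2 = socket path (assumption: defaults to the path from the log)
check_notify_in_chroot() {
    conf=$1
    sock=${2:-/run/systemd/notify}
    jail=$(unbound_chroot "$conf")

    if [ -z "$jail" ]; then
        echo "ok: chroot is empty, $sock is resolved on the host"
        return 0
    fi
    if [ -e "$jail$sock" ]; then
        echo "ok: $sock is present inside $jail"
        return 0
    fi
    echo "FAIL: $jail$sock is missing, sd_notify cannot reach it after chroot"
    return 1
}

# Run the check when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_notify_in_chroot "$@"
fi
```

Run it as `sh check.sh /etc/unbound/unbound.conf` (the script name is arbitrary); a FAIL result matches the condition under which the service exits with status=1 in the log.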
Paride Legovini (paride) wrote :

Thanks for this bug report. There is a Debian bug for this issue which I linked to this report. As unbound is currently a sync from Debian and the impact of this bug is limited the fix should ideally land in Debian. Ubuntu will then pick it up with the next sync of the package.

Changed in unbound (Ubuntu):
status: New → Triaged
Changed in unbound (Debian):
status: Unknown → New
Christian Ehrhardt (paelzer) wrote :

Paride, while that is true I think we need to spend some time reviving/helping that old bug.
It is from mid 2017 with last update late 2018 - and nothing since then.

Adding server-next for our task to analyze the situation in more detail and maybe helping with a proposed patch.

Also subscribing Simon who submitted the bug report and is a very active community member in general.

tags: added: server-next
Simon Déziel (sdeziel) wrote : Re: [Bug 1885907] Re: Unbound crash with chroot

On 2020-07-03 3:37 a.m., Christian Ehrhardt wrote:
> Also subscribing Simon who submitted the bug report

I had forgotten about it, thanks for the reminder! I turned the patch
into a merge request [1] which tested fine on Debian/Sid. I'm waiting a
few more days for feedback but will merge it as-is if nobody shows up.
It's been ~3 years already ;)

Until that bug is fixed in Debian then Ubuntu, I think a good workaround
is to instead leverage the namespace features of systemd to achieve
something similar to chroot'ing unbound. Here's a trimmed down example of
this:

  $ cat /etc/systemd/system/unbound.service.d/override.conf
  [Service]
  ReadWritePaths=/var/lib/unbound /run
  PrivateDevices=true
  PrivateTmp=yes
  ProtectSystem=strict
  ProtectHome=true

HTH,
Simon

1: https://salsa.debian.org/dns-team/unbound/-/merge_requests/10

Sandy Marko Knauer (sandy-marko-k) wrote :

Thank you so much!
I have added this override and the service runs without problems as far as I can see it.

Bryce Harrington (bryce) wrote :

This appears to now be merged into Debian as of a couple hours ago. It doesn't look like there's a 1.10.1-2 release just yet, but if Debian releases 1.10.1-2 it looks like it should autosync to Ubuntu. If there isn't a new Debian release in a reasonable amount of time (couple weeks?) we can manually CP it in.

Either way, that will resolve it for groovy. If the fix is important to include in stable releases, then for getting an SRU accepted this bug report will also need to have steps to reproduce documented. So the next action for that would be to define how to configure a system (like maybe in a VM or lxc container) to show the problem.

Simon Déziel (sdeziel) wrote :

I personally don't think this is worth a SRU but if someone believes otherwise, I'll be happy to provide the steps to reproduce and help get this through.

Christian Ehrhardt (paelzer) wrote :

 unbound | 1.11.0-1 | groovy | source
 unbound | 1.11.0-1 | groovy/universe | amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

I agree that this might not be for an SRU, but let us at least mark resolved in the current release.

Changed in unbound (Ubuntu):
status: Triaged → Fix Released
Changed in unbound (Debian):
status: New → Fix Released