Artificial truth

The more you see, the less you believe.


Unbound doesn't start on Ubuntu 17.10
Sun 21 January 2018

I've just reinstalled my laptop, and because I'm a lazy person, I went with Xubuntu instead of Debian: xfce already installed and looking nice, binary blobs all the way to make everything work, magical ppa support, …

Then systemd-resolved went batshit crazy, and thought that it's a marvellous idea to always use the domain search path (you know, the domain that is after the search keyword in your /etc/resolv.conf), making me have a heart attack seeing this, and then a long sigh seeing that in wireshark.

So I masked it with systemctl mask systemd-resolved, and installed unbound. Unfortunately, it didn't want to start:

Jan 21 21:57:10 grimhilde systemd[1]: Starting Unbound DNS server...
Jan 21 21:57:11 grimhilde package-helper[7035]: /var/lib/unbound/root.key has content
Jan 21 21:57:11 grimhilde package-helper[7035]: success: the anchor is ok
Jan 21 21:57:11 grimhilde unbound: [7039:0] notice: init module 0: subnet
Jan 21 21:57:11 grimhilde unbound: [7039:0] notice: init module 1: validator
Jan 21 21:57:11 grimhilde unbound: [7039:0] notice: init module 2: iterator
Jan 21 21:57:11 grimhilde unbound: [7039:0] info: start of service (unbound 1.6.5).
Jan 21 21:57:11 grimhilde kernel: [ 3033.448212] audit: type=1400 audit(1516568231.188:32): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=7039 comm="unbound" requested_mask="w" denied_mask="w" fsuid=108 ouid=0

AppArmor is in the way: its profile denies unbound write access to the systemd notify socket, /run/systemd/notify, so unbound can never report that it is ready. To fix it, simply add /{,var/}run/systemd/notify w, to your /etc/apparmor.d/usr.sbin.unbound file and everything should work:

Jan 21 21:57:46 grimhilde systemd[1]: Starting Unbound DNS server...
Jan 21 21:57:47 grimhilde package-helper[7165]: /var/lib/unbound/root.key has content
Jan 21 21:57:47 grimhilde package-helper[7165]: success: the anchor is ok
Jan 21 21:57:47 grimhilde unbound: [7169:0] notice: init module 0: subnet
Jan 21 21:57:47 grimhilde unbound: [7169:0] notice: init module 1: validator
Jan 21 21:57:47 grimhilde unbound: [7169:0] notice: init module 2: iterator
Jan 21 21:57:47 grimhilde unbound: [7169:0] info: start of service (unbound 1.6.5).
Jan 21 21:57:47 grimhilde systemd[1]: Started Unbound DNS server.
Jan 21 21:57:47 grimhilde systemd[1]: Started Unbound DNS server via resolvconf.
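As an added example (not from the original post), here is a small Python script that pulls the AppArmor DENIED events out of a journal excerpt like the one above and prints the missing rules in the form used above, folding /run and /var/run into the same /{,var/}run/ alternation. Apart from the quoted denial, the sample log lines are constructed.

```python
import re

# Constructed sample log: the DENIED line quoted in the post, plus two
# constructed lines (a complain-mode ALLOWED event that must be ignored,
# and a denial under /var/run) to show what is kept and what is folded.
SAMPLE_LOG = """\
Jan 21 21:57:11 grimhilde kernel: [ 3033.448212] audit: type=1400 audit(1516568231.188:32): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=7039 comm="unbound" requested_mask="w" denied_mask="w" fsuid=108 ouid=0
Jan 21 21:57:11 grimhilde kernel: [ 3033.448300] audit: type=1400 audit(1516568231.190:33): apparmor="ALLOWED" operation="open" profile="/usr/sbin/unbound" name="/etc/unbound/unbound.conf" pid=7039 comm="unbound" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Jan 21 21:57:11 grimhilde kernel: [ 3033.448400] audit: type=1400 audit(1516568231.191:34): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/run/unbound.pid" pid=7039 comm="unbound" requested_mask="wc" denied_mask="wc" fsuid=108 ouid=0
Jan 21 21:57:11 grimhilde unbound: [7039:0] info: start of service (unbound 1.6.5).
"""

# Lenient on purpose: fields such as info= or error= may sit between keys.
AUDIT_RE = re.compile(
    r'apparmor="(?P<verdict>\w+)".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
)

def parse_denials(log_text):
    """Return one dict per file-access event that AppArmor actually DENIED."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m and m.group("verdict") == "DENIED":
            events.append(m.groupdict())
    return events

def normalise_path(path):
    """Fold /run and /var/run into one AppArmor alternation, as the post's
    rule does, since /var/run is a symlink to /run on Debian and Ubuntu."""
    for prefix in ("/var/run/", "/run/"):
        if path.startswith(prefix):
            return "/{,var/}run/" + path[len(prefix):]
    return path

def profile_filename(profile):
    """Profile name -> file name under /etc/apparmor.d/ (AppArmor
    convention: drop the leading slash, remaining slashes become dots)."""
    return profile.lstrip("/").replace("/", ".")

def suggest_rules(events):
    """Group deduplicated 'path mask,' rule lines by profile file name."""
    rules = {}
    for ev in events:
        line = "%s %s," % (normalise_path(ev["name"]), ev["mask"])
        rules.setdefault(profile_filename(ev["profile"]), set()).add(line)
    return {name: sorted(lines) for name, lines in rules.items()}
```

Feed it `journalctl -k` output instead of SAMPLE_LOG and the returned lines are what to paste into the matching profile file under /etc/apparmor.d/.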

edit: Even better, as suggested by intrigeri (♥), put the rule in /etc/apparmor.d/local.d/usr.sbin.unbound to avoid conflicts. Apparently, this is a known bug, both in Ubuntu and Debian, for a couple of months now.