Title: Unbound doesn't start on Ubuntu 17.10
Date: 2018-01-21 22:15

I've just reinstalled my laptop, and because I'm a lazy person, I went with
[Xubuntu](https://xubuntu.org) instead of Debian:
[xfce](https://xubuntu.org/screenshots/) already installed and looking nice,
binary blobs all the way to make everything work, magical PPA support, …

Then `systemd-resolved` went batshit crazy, and thought that it's a marvellous idea
to always use the *domain search path* (you know, the domain that is after the `search` keyword in your
`/etc/resolv.conf`), making me have a heart attack seeing [this]({static}/images/resolvd_idiot.png),
and then a long sigh seeing [that]({static}/images/resolvd_wireshark.png) in Wireshark.

So I masked it with `systemctl mask systemd-resolved`, and installed [unbound](https://unbound.net/).
Unfortunately, it didn't want to start:

```
Jan 21 21:57:10 grimhilde systemd[1]: Starting Unbound DNS server...
Jan 21 21:57:11 grimhilde package-helper[7035]: /var/lib/unbound/root.key has content
Jan 21 21:57:11 grimhilde package-helper[7035]: success: the anchor is ok
Jan 21 21:57:11 grimhilde unbound: [7039:0] notice: init module 0: subnet
Jan 21 21:57:11 grimhilde unbound: [7039:0] notice: init module 1: validator
Jan 21 21:57:11 grimhilde unbound: [7039:0] notice: init module 2: iterator
Jan 21 21:57:11 grimhilde unbound: [7039:0] info: start of service (unbound 1.6.5).
Jan 21 21:57:11 grimhilde kernel: [ 3033.448212] audit: type=1400 audit(1516568231.188:32): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=7039 comm="unbound" requested_mask="w" denied_mask="w" fsuid=108 ouid=0
```

AppArmor is in the way: the last line of the log shows the `/usr/sbin/unbound`
profile denying unbound write access to `/run/systemd/notify`, the socket it uses
to tell systemd that it has finished starting. To fix it, simply add
`/{,var/}run/systemd/notify w,` to your `/etc/apparmor.d/usr.sbin.unbound` file
and everything should work:

```
Jan 21 21:57:46 grimhilde systemd[1]: Starting Unbound DNS server...
Jan 21 21:57:47 grimhilde package-helper[7165]: /var/lib/unbound/root.key has content
Jan 21 21:57:47 grimhilde package-helper[7165]: success: the anchor is ok
Jan 21 21:57:47 grimhilde unbound: [7169:0] notice: init module 0: subnet
Jan 21 21:57:47 grimhilde unbound: [7169:0] notice: init module 1: validator
Jan 21 21:57:47 grimhilde unbound: [7169:0] notice: init module 2: iterator
Jan 21 21:57:47 grimhilde unbound: [7169:0] info: start of service (unbound 1.6.5).
Jan 21 21:57:47 grimhilde systemd[1]: Started Unbound DNS server.
Jan 21 21:57:47 grimhilde systemd[1]: Started Unbound DNS server via resolvconf.
```
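As an added example (not from the post), a small Python helper that parses AppArmor `DENIED` audit lines like the one above and turns a denied file access into the rule line for the profile, generalising `/run` to the `{,var/}run` alternation the fix uses. It only handles denials that carry a `name=` path; the sample line is the kernel log entry from the post, and `rules_for_profile` is a name chosen here.

```python
import re
from typing import Optional

# Constructed sample: the audit line from the kernel log above (apparmor="DENIED").
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1516568231.188:32): apparmor="DENIED" operation="sendmsg" '
    'profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=7039 comm="unbound" '
    'requested_mask="w" denied_mask="w" fsuid=108 ouid=0'
)

# key=value pairs; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_audit(line: str) -> Optional[dict]:
    """Return the key=value fields of an AppArmor audit line, or None if not a DENIED event."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for match in _KV.finditer(line):
        key, raw, quoted = match.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_file_rule(fields: dict) -> Optional[str]:
    """Build the AppArmor file rule for one denied access (e.g. '/path w,').

    /run is a symlink to /var/run on these systems, so a /run or /var/run path is
    rewritten to the /{,var/}run alternation, exactly as the post's rule does.
    """
    name = fields.get("name")
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not name or not mask or not name.startswith("/"):
        return None  # not a file-style denial (network, capability, ...)
    for prefix in ("/var/run/", "/run/"):
        if name.startswith(prefix):
            name = "/{,var/}run/" + name[len(prefix):]
            break
    return f"{name} {mask},"


def rules_for_profile(lines, profile: str) -> list:
    """Distinct rules suggested for one profile from a batch of log lines."""
    rules = []
    for line in lines:
        fields = parse_apparmor_audit(line)
        if not fields or fields.get("profile") != profile:
            continue
        rule = suggest_file_rule(fields)
        if rule and rule not in rules:
            rules.append(rule)
    return rules
```

Review each suggested rule before adding it to the local override file; the script only reports what was denied, it does not decide whether the access is legitimate.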

edit: Even better, as suggested by [intrigeri](http://gaffer.ptitcanardnoir.org/intrigeri/) (♥),
put the rule in `/etc/apparmor.d/local.d/usr.sbin.unbound` instead, to avoid
conflicts. Apparently, this is a known bug, both in
[Ubuntu](https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1723900) and
[Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867186), for a couple of
months now.
