
Comments (10)

zachfi commented on September 26, 2024

Thank you for the note, and letting me know that 1.3.6 had the same issue. What platform are you on please and how are you using the module?

from puppet-unbound.

adamcstephens commented on September 26, 2024

I see this error only with 2.0.0. Everything was working fine with 1.3.6.

I'm running on RHEL 7


zachfi commented on September 26, 2024

Sorry I'm a bit slow here. The branch i134 has a simple change that should order the download of the anchor file before the validation command is called. Could one of you test please? I think this is just a simple ordering issue that I don't see since my anchor is already downloaded.


hfm commented on September 26, 2024

Setting unbound::chroot: "" (empty string) in hiera may work, because @chroot is nil by default in v2.0.0.

# https://github.com/xaque208/puppet-unbound/blob/2.0.0/data/common.yaml#L17
unbound::chroot: ~
# https://github.com/xaque208/puppet-unbound/blob/2.0.0/templates/unbound.conf.erb#L150-L152
<% if @chroot -%>
  chroot: "<%= @chroot %>"
<% end -%>

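Why an empty string behaves differently from the nil default, as an added example that is not part of the thread or of the module's code: it renders the stanza quoted above with Ruby's ERB for nil, '' and a path, then classifies what unbound is left with. The TemplateScope class and the helper names are hypothetical stand-ins for Puppet's template scope.

```ruby
require 'erb'

# The chroot stanza from templates/unbound.conf.erb (2.0.0), as quoted above.
CHROOT_STANZA = <<~'TEMPLATE'
  <% if @chroot -%>
    chroot: "<%= @chroot %>"
  <% end -%>
TEMPLATE

# Hypothetical stand-in for the scope Puppet hands to a template: it only
# carries the @chroot instance variable that the stanza reads.
class TemplateScope
  def initialize(chroot)
    @chroot = chroot
  end

  def render(template)
    # trim_mode '-' makes "-%>" swallow the newline (the mode Puppet uses for ERB).
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

def render_chroot(value)
  TemplateScope.new(value).render(CHROOT_STANZA)
end

# Classify the rendered stanza the way the unbound documentation quoted in
# this thread describes it: no chroot line means the built-in default
# chroot stays enabled, chroot: "" turns it off.
def effective_chroot(rendered)
  match = rendered.match(/^\s*chroot:\s*"(.*)"\s*$/)
  return :compiled_in_default if match.nil? # nil is falsy: nothing emitted
  return :disabled if match[1].empty?       # '' is truthy in Ruby: chroot: ""

  match[1]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: the 2.0.0 default, the workaround, an explicit path.
  { 'nil' => nil, "''" => '', "'/etc/unbound'" => '/etc/unbound' }.each do |label, value|
    puts "#{label.ljust(16)} -> #{effective_chroot(render_chroot(value)).inspect}"
  end
end
```
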

d9705996 commented on September 26, 2024

With v2.0.0 adding an empty chroot option resolves the issue e.g.

class { 'unbound':
  interface               => [$::ipaddress],
  access                  => ["${::network}/24"],
  skip_roothints_download => true,
  chroot                  => '',  # the added empty chroot option
}


zachfi commented on September 26, 2024

I'd like to close this issue out, either leaving the workaround in place, or fixing the underlying problem. I'm now reading:

By default the software comes with chroot enabled. This provides an extra layer of defense against remote exploits. Enter file paths as full pathnames starting at the root of the filesystem ('/'). If chroot gives you trouble, you can disable it with chroot: "" in the config.

I don't think we want to disable the chroot by default, but it also means that if we want to get the paths correct, we need to know the default value of the chroot, which likely differs between platforms.

I have this issue on a new dns cache I'm bringing up, and would like to at least amend the README. If others have suggestions on how to address this issue more generally, I'd love to hear them.


lemmy04 commented on September 26, 2024

I'm having a possibly related issue, the module works and creates a config file, but then unbound-checkconf tells me the file is invalid:

root@osmc:/etc/unbound# unbound-checkconf
[1524035632] unbound-checkconf[8896:0] error: trust anchor presented twice
[1524035632] unbound-checkconf[8896:0] error: could not parse auto-trust-anchor-file /var/lib/unbound/root.key line 2
[1524035632] unbound-checkconf[8896:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.key
[1524035632] unbound-checkconf[8896:0] error: validator: error in trustanchors config
[1524035632] unbound-checkconf[8896:0] error: validator: could not apply configuration settings.
[1524035632] unbound-checkconf[8896:0] fatal error: bad config for validator module

If I comment out the auto-trust-anchors-file config option the configuration works fine.

Happens with module version 2.0.0 and 1.3.6.


lemmy04 commented on September 26, 2024

root@osmc:/etc/unbound# aptitude versions unbound
i 1.6.0-3+deb9u1 stable,stable-updates 500


b4ldr commented on September 26, 2024

For the record, I think the original problem is now fixed, as RedHat has a default of chroot: "" [1], which is the default RedHat ships. @lemmy04, can you raise a new issue and include what version of Puppet and OS, and also include the unbound config file produced?

[1] https://github.com/xaque208/puppet-unbound/blob/master/data/os/RedHat.yaml#L2


b4ldr commented on September 26, 2024

Closing as no update since my last update.

