; This unit file is provided to run unbound as a portable service.
; https://systemd.io/PORTABLE_SERVICES/
;
; To use this unit file, please make sure you either compile unbound with the
; following options:
;
;  - --with-chroot-dir=""
;
; Or put the following options in your unbound configuration file:
;
;  - chroot: ""
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
BindPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout