1 ; This unit file is provided to run unbound as a portable service.
2 ; https://systemd.io/PORTABLE_SERVICES/
4 ; To use this unit file, please make sure you either compile unbound with the
7 ; - --with-chroot-dir=""
9 ; Or put the following options in your unbound configuration file:
; Settings for running unbound in the foreground under systemd with a
; restricted sandbox. This listing is an excerpt: the section headers and
; several directives of the original file are not visible here.
15 Description=Validating, recursive, and caching DNS resolver
16 Documentation=man:unbound(8)
; Ordered before network-online.target and nss-lookup.target; Wants= pulls
; nss-lookup.target in without making it a hard requirement.
18 Before=network-online.target nss-lookup.target
19 Wants=nss-lookup.target
22 WantedBy=multi-user.target
; The "+" prefix makes systemd run this command with full privileges, so the
; sandboxing and credential settings of this unit do not apply to it. The
; command itself only sends SIGHUP to the main process.
25 ExecReload=+/bin/kill -HUP $MAINPID
; -d keeps unbound in the foreground; -p disables the pidfile.
26 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
; Upper bound on the capabilities the service can ever hold.
; NOTE(review): the header comment asks for an empty chroot dir; if unbound
; never chroots in this setup, CAP_SYS_CHROOT looks removable. Likewise
; confirm CAP_NET_RAW is actually needed before keeping it.
29 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
; Refuses memory mappings that are writable and executable at the same time.
30 MemoryDenyWriteExecute=true
; The cgroup hierarchy is read-only to the service, and kernel module
; loading is denied.
35 ProtectControlGroups=true
36 ProtectKernelModules=true
; systemd creates an "unbound" directory under its runtime, configuration and
; state roots and passes the paths to the service.
38 RuntimeDirectory=unbound
39 ConfigurationDirectory=unbound
40 StateDirectory=unbound
; Allow-list of socket address families; creating a socket of any other
; family fails.
41 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
; Only system calls of the native ABI are permitted.
43 SystemCallArchitectures=native
; The leading "~" turns this into a deny-list: the named groups and the
; mount system call are blocked, everything else stays allowed.
; NOTE(review): an allow-list (for example @system-service) would be
; stricter than a deny-list; verify that unbound still starts before switching.
44 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
; The service may not create or enter namespaces.
45 RestrictNamespaces=yes
; Host sockets made visible inside the service's file system view: the
; sd_notify socket as a writable bind, the syslog and journal sockets as
; read-only binds.
48 BindPaths=/run/systemd/notify
49 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout