1; This unit file is provided to run unbound as portable service. 2; https://systemd.io/PORTABLE_SERVICES/ 3; 4; To use this unit file, please make sure you either compile unbound with the 5; following options: 6; 7; - --with-chroot-dir="" 8; 9; Or put the following options in your unbound configuration file: 10; 11; - chroot: "" 12; 13; 14[Unit] 15Description=Validating, recursive, and caching DNS resolver 16Documentation=man:unbound(8) 17After=network-online.target 18Before=nss-lookup.target 19Wants=nss-lookup.target 20 21[Install] 22WantedBy=multi-user.target 23 24[Service] 25ExecReload=+/bin/kill -HUP $MAINPID 26ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p 27NotifyAccess=main 28Type=notify 29CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW 30MemoryDenyWriteExecute=true 31NoNewPrivileges=true 32PrivateDevices=true 33PrivateTmp=true 34ProtectHome=true 35ProtectControlGroups=true 36ProtectKernelModules=true 37ProtectSystem=strict 38RuntimeDirectory=unbound 39ConfigurationDirectory=unbound 40StateDirectory=unbound 41RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX 42RestrictRealtime=true 43SystemCallArchitectures=native 44SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources 45RestrictNamespaces=yes 46LockPersonality=yes 47RestrictSUIDSGID=yes 48BindPaths=/run/systemd/notify 49BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout 50