[stunnel-users] jailed stunnel can't find DNS

John Conover conover at rahul.net
Mon Nov 8 13:06:37 CET 2004


Michal Trojnara writes:
> "John Conover" <conover at rahul.net> wrote:
> >    chroot = /usr/local/stunnel/var/run/
> [cut]
> >    delay = yes
> [cut]
> >    2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 
> > 'abc.wxyz.net'
> [cut]
> > Removing chroot in stunnel.conf fixes the problem, but it's no longer 
> > jailed.
> >
> > Hints?
> 
> Yes.  You have several options:
> 1. As you noticed you can turn off chroot.
> 2. You can turn off delayed resolver (to resolve hosts at startup, before 
> chroot).
> 3. You can create the files/devices your resolver library needs inside the 
> chroot jail.
>     strace is your friend: http://sourceforge.net/projects/strace/
> 4. You can use IP address as "connect" parameter instead of domain name. 
> 8-)
>

Thanks, Mike. Using IP addresses as a "connect" parameter worked like
a charm.

How do you make sure the remote/server stunnel is kept running?

I haven't waded through the sources to stunnel, but is there a command
line arg "if it's not running, make it so," by checking the pid file as
a lock file and checking if the pid is valid as a stunnel process, so it
could be run periodically out of cron(8) to keep it running, in case
the remote went down?

Or, something similar triggered by the client machine?

        Thanks,

        John

BTW, as a sidebar, the -Wall gcc(1) command line arg in the compile of
stunnel was a nice touch - shows the authors cared.

-- 

John Conover, conover at rahul.net, http://www.johncon.com/
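
The pid-file check asked about in the message above, written as a wrapper that cron can run periodically. This is an added example, not part of the original message and not a stunnel feature; the function names, the script name and the paths in the crontab comment are assumptions. With chroot set, the pid file the wrapper reads is assumed to be the one stunnel writes inside the jail.

```shell
#!/bin/sh
# Added example: restart a daemon from cron only if its pid file is stale.
# Crontab line (script name and all paths are placeholders):
#   */5 * * * * stunnel-watch.sh /path/to/stunnel.pid stunnel /path/to/stunnel /path/to/stunnel.conf

# Print the command name of a PID (Linux /proc first, then ps).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null
    fi
}

# pid_is_live PIDFILE NAME: succeed only if PIDFILE holds a numeric PID whose
# running command is NAME. A leftover file or a PID reused by some other
# program therefore counts as "not running".
pid_is_live() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric content
    esac
    name=$(proc_name "$pid")
    [ -n "$name" ] && [ "$(basename "$name")" = "$2" ]
}

# ensure_running PIDFILE NAME CMD...: run CMD only when no live process is
# found. Returns 0 if already running, otherwise the exit status of CMD.
ensure_running() {
    pidfile=$1
    name=$2
    shift 2
    if pid_is_live "$pidfile" "$name"; then
        return 0
    fi
    rm -f "$pidfile"    # stale or garbage pid file: clear it before starting
    "$@"
}

# Act only when called with arguments (as from cron).
if [ "$#" -ge 3 ]; then
    ensure_running "$@"
fi
```

The name comparison uses the kernel's short command name, so NAME must match the installed binary's file name.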


