#1123042 unbound: ip-transparent needs cap_net_admin which is blocked by apparmor

Package:
unbound
Source:
unbound
Description:
validating, recursive, caching DNS resolver
Submitter:
Uwe Kleine-König
Date:
2026-03-15 13:17:01 UTC
Severity:
normal
Tags:
#1123042#5
Date:
2025-12-16 10:15:01 UTC
Hello,

when enabling ip-transparent, unbound emits a warning

	unbound[1327:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted

(and doesn't use the socket option).

This is fixed by doing:

	echo capability net_admin, > /etc/apparmor.d/local/usr.sbin.unbound

It would be nice if that worked with the default apparmor profile, or
was at least documented.

(I need ip-transparent because unbound is started before networkd has
configured the network interface that unbound should serve.)

Best regards
Uwe

#1123042#10
Date:
2025-12-16 10:24:21 UTC
Documented - probably yes, though it should be easy to spot, I guess.

Default - definitely not, this is an extra permission which should
not be enabled by default.

You can configure a systemd override with

[Unit]
Requires=systemd-networkd-wait-online@ETH:no-carrier.service
After=systemd-networkd-wait-online@ETH:no-carrier.service

for that, where "ETH" is your network interface name.  This
way, it won't be necessary to enable ip-transparent.

FWIW,

/mjt
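The two fixes discussed in this thread, as an added shell example (not code from the bug report, from unbound, or from the Debian package): one helper checks whether an AppArmor profile or local override actually contains an active `capability net_admin,` rule, which is what the `setsockopt(.. IP_TRANSPARENT ..)` call needs, and the other renders the systemd `[Unit]` drop-in from the reply above for a given interface name, so unbound can wait for networkd without needing ip-transparent or the extra capability. The profile fragments and the interface name `enp1s0` are constructed placeholders.

```shell
#!/bin/sh
# Added example for Debian bug #1123042 (not code from unbound or the
# Debian package). Helpers:
#   apparmor_grants_net_admin   - reads an AppArmor profile (or a
#                                 /etc/apparmor.d/local/ override) on stdin and
#                                 succeeds only if an uncommented
#                                 "capability net_admin," rule is present.
#   render_wait_online_override - prints the systemd drop-in suggested in the
#                                 reply for interface $1, so unbound starts
#                                 after networkd configured that interface.

apparmor_grants_net_admin() {
    # A leading "#" disables a rule, so "capability" must be the first token
    # on the line; spacing before the trailing comma is allowed.
    grep -qE '^[[:space:]]*capability[[:space:]]+net_admin[[:space:]]*,'
}

# Map a profile on stdin to a single word, handy for a config check in a
# deployment test or a monitoring script.
classify_profile() {
    if apparmor_grants_net_admin; then
        echo net_admin-granted
    else
        echo net_admin-blocked
    fi
}

render_wait_online_override() {
    iface="$1"
    printf '[Unit]\nRequires=systemd-networkd-wait-online@%s:no-carrier.service\nAfter=systemd-networkd-wait-online@%s:no-carrier.service\n' \
        "$iface" "$iface"
}

# Constructed sample inputs (not the real Debian unbound profile):
default_profile='# usr.sbin.unbound without extra capabilities
capability net_bind_service,
#capability net_admin,'
local_override='capability net_admin,'

echo "default profile:     $(printf '%s\n' "$default_profile" | classify_profile)"
echo "with local override: $(printf '%s\n' "$local_override" | classify_profile)"
echo "--- drop-in for enp1s0 (placeholder interface name) ---"
render_wait_online_override enp1s0
```

The rendered drop-in is what you would paste into `systemctl edit unbound.service` (it lands in `/etc/systemd/system/unbound.service.d/override.conf`); after changing the AppArmor local override, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound` and confirm with `aa-status` that unbound is still confined, since the point of the reply is to keep `net_admin` out of the default profile.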
