@DavidWittman
Created March 25, 2015 03:28
Reloading stunnel configurations when in a chroot

Example stunnel config

# /etc/stunnel/stunnel.conf
cert = /etc/stunnel/cert.pem
sslVersion = TLSv1 TLSv1.1 TLSv1.2

chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid

foreground = yes
debug = local6.info
syslog = yes

# Disable Nagle's algorithm
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

# Enable TCP keepalives
socket = l:SO_KEEPALIVE=1
socket = l:TCP_KEEPIDLE=240
socket = l:TCP_KEEPINTVL=60

[mysql]
accept = 4306
connect = 127.0.0.1:3306

Instructions

  1. Bind mount /etc/stunnel to $chroot/etc/stunnel.
# mkdir -p /var/run/stunnel/etc/stunnel/
# mount -o bind /etc/stunnel /var/run/stunnel/etc/stunnel/
  2. Copy the certificate to its full path within the chroot and make sure it has the proper ownership, since the unprivileged setuid/setgid user reads it on reload. In our example, since we've already bind-mounted /etc/stunnel, we don't need to recreate any other directory structure.
# chown nobody:nobody $chroot/etc/stunnel/cert.pem
# chmod 0400 $chroot/etc/stunnel/cert.pem
  3. Copy /etc/passwd and /etc/group to $chroot/etc/ so that the setuid and setgid names can be resolved from inside the chroot.
# cp /etc/{passwd,group} /var/run/stunnel/etc/
  4. Send a SIGHUP to stunnel to reload the configuration. (Note: this command signals every process named stunnel, so it is not suitable if you're running multiple instances of stunnel. In that case, signal the specific PID of the process you wish to reload.)
# pkill -1 stunnel
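As an added example (not part of the gist), the four steps above as a script that also addresses the note in step 4: instead of pkill, it maps the chroot-relative "pid" path onto the host filesystem and signals only the instance that owns the configuration, after checking that the PID still belongs to an stunnel process. It assumes the gist's configuration layout (global "chroot = ..." and "pid = ..." lines), a configuration path of /etc/stunnel/stunnel.conf (overridable via STUNNEL_CONF), util-linux's mountpoint(1), and that stunnel's process name begins with "stunnel".

```shell
#!/bin/sh
# Added example, not part of the gist: prepare the chroot described above and
# reload stunnel through its pid file instead of pkill.
# Assumptions: the gist's stunnel.conf layout (global "chroot = ..." and
# "pid = ..." lines), util-linux mountpoint(1), and an stunnel process whose
# name starts with "stunnel".

STUNNEL_CONF="${STUNNEL_CONF:-/etc/stunnel/stunnel.conf}"

# conf_value FILE KEY: print the value of the first global "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# host_pid_path FILE: stunnel writes "pid" relative to "chroot", so join the two
# to get the path as seen from outside the chroot. Fails if no pid is configured.
host_pid_path() {
    _chroot=$(conf_value "$1" chroot)
    _pid=$(conf_value "$1" pid)
    [ -n "$_pid" ] || return 1
    if [ -n "$_chroot" ]; then
        printf '%s/%s\n' "${_chroot%/}" "${_pid#/}"
    else
        printf '%s\n' "$_pid"
    fi
}

# prepare_chroot CHROOT: steps 1-3 of the gist. Must run as root.
prepare_chroot() {
    mkdir -p "$1/etc/stunnel"
    # Idempotent: skip the bind mount if it is already in place.
    mountpoint -q "$1/etc/stunnel" || mount -o bind /etc/stunnel "$1/etc/stunnel"
    chown nobody:nobody "$1/etc/stunnel/cert.pem"
    chmod 0400 "$1/etc/stunnel/cert.pem"
    # setuid/setgid names are resolved inside the chroot on reload.
    cp /etc/passwd /etc/group "$1/etc/"
}

# reload_stunnel CONF: step 4, targeted at the one instance that owns CONF.
reload_stunnel() {
    pidfile=$(host_pid_path "$1") || { echo "no pid file configured in $1" >&2; return 1; }
    read -r pid < "$pidfile" || { echo "cannot read $pidfile" >&2; return 1; }
    # Refuse to signal a recycled pid that no longer belongs to stunnel.
    case $(ps -o comm= -p "$pid" 2>/dev/null) in
        stunnel*) kill -HUP "$pid" ;;
        *) echo "pid $pid from $pidfile is not an stunnel process" >&2; return 1 ;;
    esac
}

# Usage: sh reload-stunnel.sh prepare | reload
case "${1:-}" in
    prepare)
        chroot_dir=$(conf_value "$STUNNEL_CONF" chroot)
        [ -n "$chroot_dir" ] || { echo "no chroot configured in $STUNNEL_CONF" >&2; exit 1; }
        prepare_chroot "$chroot_dir"
        ;;
    reload)
        reload_stunnel "$STUNNEL_CONF"
        ;;
esac
```

With the gist's configuration, host_pid_path resolves "pid = /stunnel.pid" under "chroot = /var/run/stunnel/" to /var/run/stunnel/stunnel.pid, which is the file the script reads before sending SIGHUP; the ps check guards against signalling an unrelated process if stunnel has exited and its PID has been reused.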