Minimized example is at upstream glibc bug: https://sourceware.org/PR27343 But I'm not sure what unbound does is legitimate. chroot() outside / renders nss functions unusable like initgroups(). At beast it would fail to populate any data. Should initgroups be called before chroot()? gdb backtrace to ease tracking down source location: # LANG=C gdb --quiet --args /usr/sbin/unbound -d Reading symbols from /usr/sbin/unbound... Reading symbols from /usr/lib/debug//usr/sbin/unbound.debug... (gdb) run Starting program: /usr/sbin/unbound -d [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. internal_getgrouplist (user=0x555555678550 "unbound", group=group@entry=987, size=size@entry=0x7fffffffe3a8, groupsp=groupsp@entry=0x7fffffffe3b0, limit=limit@entry=65536) at initgroups.c:91 91 initgroups.c: No such file or directory. (gdb) bt #0 internal_getgrouplist (user=0x555555678550 "unbound", group=group@entry=987, size=size@entry=0x7fffffffe3a8, groupsp=groupsp@entry=0x7fffffffe3b0, limit=limit@entry=65536) at initgroups.c:91 #1 0x00007ffff7a0423a in initgroups (user=<optimized out>, group=987) at initgroups.c:205 #2 0x0000555555560839 in perform_setup (need_pidfile=1, cfgfile=<synthetic pointer>, debug_mode=1, cfg=0x555555677f60, daemon=0x55555564d2d0) at daemon/unbound.c:622 #3 run_daemon (need_pidfile=1, debug_mode=1, cmdline_verbose=0, cfgfile=0x5555555fd5a4 "/unbound.conf") at daemon/unbound.c:699 #4 main (argc=<optimized out>, argv=<optimized out>) at daemon/unbound.c:808
Unbound upstream discussion (no conclusion yet): https://github.com/NLnetLabs/unbound/issues/418
This should already be fixed in current glibc-2.33 (patchlevel 2). (I did not revbump since it has no keywords.)
I still think it's an unbound bug to call NSS services in a chroot.