Gentoo Forums
Unable to start bind-9.12.2_p2-r1 in chroot
Forum: Networking & Security
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1377

PostPosted: Wed Jan 09, 2019 4:45 pm    Post subject: Unable to start bind-9.12.2_p2-r1 in chroot

I've been having a variety of problems on various servers. The first issue, "OpenSSL pseudorandom number generator issue w/bind", was fixed on one server, but now I have 2 other production servers that won't start.

Looking at the logs, I see the following...

Code:

Jan  9 08:49:20 comp named[4415]: configuring command channel from '/etc/bind/rndc.key'
Jan  9 08:49:20 comp named[4415]: socket.c:5681: unexpected error:
Jan  9 08:49:20 comp named[4415]: setsockopt(25, TCP_FASTOPEN) failed with Protocol not available
Jan  9 08:49:20 comp named[4415]: command channel listening on 127.0.0.1#953
Jan  9 08:49:20 comp named[4415]: the working directory is not writable
Jan  9 08:49:20 comp named[4415]: loading configuration: permission denied
Jan  9 08:49:20 comp named[4415]: exiting (due to fatal error)


Now, I originally thought it was the TCP_FASTOPEN, but I've been seeing that warning with older versions. The real problem is the vague "the working directory is not writable". That's weird. I've been running chrooted named for years, and it works fine when I roll back.

This is what I have in /etc/conf.d/named
Code:

CHROOT="/chroot/dns"
CHROOT_NOMOUNT="1"
CHROOT_NOCHECK=1
PIDFILE="${CHROOT}/var/run/named/named.pid"


If I change CHROOT_NOMOUNT then it starts, but named is hosed, since it grabs files from /etc instead of my chroot environment; hence the error. So, I feel like perms somewhere are wrong, but I can't find it. I thought I would run strace to see what was up, but that didn't yield any specifics for me...

This is where it breaks:

Code:
7828  prctl(PR_SET_DUMPABLE, SUID_DUMP_USER) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_CHOWN|1<<CAP_DAC_READ_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_CHROOT|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  getuid()                          = 40
7828  capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)
7828  getpid()                          = 7828
7828  sendto(3, "<27>Jan  9 09:27:14 named[7828]:"..., 71, MSG_NOSIGNAL, NULL, 0) = 71
7828  gettimeofday({tv_sec=1547051234, tv_usec=763630}, NULL) = 0
7828  getpid()                          = 7828
7828  sendto(3, "<26>Jan  9 09:27:14 named[7828]:"..., 74, MSG_NOSIGNAL, NULL, 0) = 74
7828  getpid()                          = 7828
7828  sendto(3, "<26>Jan  9 09:27:14 named[7828]:"..., 62, MSG_NOSIGNAL, NULL, 0) = 62
7828  close(3)                          = 0
7828  unlink("/var/run/named/named.pid") = 0

Code:

7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)


I would assume "." is /chroot/dns?

Code:
ls -al /chroot
drwxrwx---  6 root named 4096 Jul 16  2014 dns


So, that's not it.

Code:
ls -al /chroot/dns
drwxr-xr-x 2 root root  4096 Jan  9 08:09 dev
drwxr-xr-x 3 root root  4096 Mar  2  2012 etc
drwxr-xr-x 3 root root  4096 Jul 16  2014 run
drwxr-xr-x 6 root root  4096 Jan  9 09:18 var


Okay, this might be something, but I've changed this to 775 root:named and it still does not start. Comparing to my other box that runs chrooted, the perms are the same, so I changed ownership/permissions back to the way they were.

I thought it might be the pid directory.
Code:
ls -al /chroot/dns/var/run/
drwxrwx--- 2 root named 4096 Jan  9 09:34 named


Here are my USE flags for this version:
Code:
[ebuild   R    ] net-dns/bind-9.12.2_p2-r1::gentoo  USE="berkdb caps dlz ssl xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -idn -ipv6 -json -ldap -libidn2 -libressl -lmdb -mysql -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs -threads -urandom" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6 (-python3_7)" 0 KiB


Not sure. If I roll back to net-dns/bind-9.11.2_p1 it fires right back up.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!


Last edited by hanj on Wed Jan 09, 2019 9:37 pm; edited 1 time in total
mike155
l33t
Joined: 17 Sep 2010
Posts: 805
Location: Frankfurt, Germany

PostPosted: Wed Jan 09, 2019 9:26 pm

Quote:
I would assume "." is /chroot/dns?

1) Why don't you search upwards in the strace file for the last chdir()? Sometimes you can also guess the current directory from prior open() or stat() statements (if they use relative paths).

2) Why do you want to install BIND? Do you really want BIND? Or do you just need a local DNS server (authoritative and/or resolving)? BIND is a huge and complex software package and difficult to handle. If you just need a local DNS server, look at something smaller. I switched from BIND to dnsmasq a while ago and I'm very happy with it. Much smaller and much easier to handle.
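Following mike155's suggestion of walking back up the trace to the last chdir(), here is an added example (mine, not code from the thread, BIND or Gentoo) that reads strace output, tracks the last successful chroot() and chdir() per pid, and maps the relative path in a failing access(".", ...) back to a host path. The strace lines it runs on are constructed for illustration: hanj's trace above does not show the chroot()/chdir() calls, and the /var/bind working directory is an assumption (it stands in for whatever the `directory` option in named.conf says).

```python
"""Resolve what "." meant when a traced process failed access(".", ...).

Tracks (chroot root, cwd) per pid as host paths, so that a relative path in a
later syscall can be mapped to where it really points on the host filesystem.
Added example; the sample trace and the /chroot/dns, /var/bind paths are assumptions.
"""
import posixpath
import re

# strace -f prefixes each line with the pid; the prefix is optional for plain strace.
_CALL = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?P<err>.*)$'
)
_FIRST_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"')   # first quoted argument


class CwdTracker:
    """Per-pid view of the process's root and cwd, both kept as host paths."""

    def __init__(self, root="/", cwd="/"):
        self.root = root   # host path the process sees as "/"
        self.cwd = cwd     # host path of the process's current directory

    def _inside_root(self):
        return self.cwd == self.root or self.cwd.startswith(self.root.rstrip("/") + "/")

    def host_path(self, path):
        """Map a path as the process sees it to a host path."""
        if not path.startswith("/"):
            if self._inside_root():
                # cwd is inside the jail: ".." cannot climb above the chroot root
                virt_cwd = "/" + self.cwd[len(self.root):].lstrip("/")
                path = posixpath.join(virt_cwd, path)
            else:
                # cwd was left outside the new root (chroot without chdir): host-side join
                return posixpath.normpath(posixpath.join(self.cwd, path))
        virt = posixpath.normpath("/" + path.lstrip("/"))   # normpath drops ".." at "/"
        return posixpath.normpath(posixpath.join(self.root, virt.lstrip("/")))

    def chroot(self, path):
        self.root = self.host_path(path)   # chroot(2) does not move the cwd

    def chdir(self, path):
        self.cwd = self.host_path(path)


def resolve_failed_access(strace_lines):
    """Return [(pid, host path of the path argument, errno)] for each failing access()."""
    procs, hits = {}, []
    for line in strace_lines:
        m = _CALL.match(line)
        if not m:
            continue
        pid, call, ret = m.group("pid") or "-", m.group("call"), m.group("ret")
        state = procs.setdefault(pid, CwdTracker())
        if call in ("clone", "fork", "vfork") and ret != "-1":
            procs[ret] = CwdTracker(state.root, state.cwd)   # child inherits root and cwd
            continue
        first = _FIRST_STR.match(m.group("args"))
        if not first:
            continue
        path = first.group(1)
        if call == "chroot" and ret == "0":
            state.chroot(path)
        elif call == "chdir" and ret == "0":
            state.chdir(path)
        elif call == "access" and ret == "-1":
            err = m.group("err").split()
            hits.append((pid, state.host_path(path), err[0] if err else "?"))
    return hits


# Constructed sample, modelled on the thread's trace; not captured from a real named.
SAMPLE_STRACE = """\
7828  chroot("/chroot/dns")             = 0
7828  chdir("/")                        = 0
7828  setgid(40)                        = 0
7828  setuid(40)                        = 0
7828  capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  chdir("/var/bind")                = 0
7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)
""".splitlines()


if __name__ == "__main__":
    for pid, where, err in resolve_failed_access(SAMPLE_STRACE):
        print(f"pid {pid}: access('.') failed with {err}; '.' is {where} on the host")
```

Run it against a real capture with `strace -f -o named.trace ...` and feed the file's lines in; the resolved host path is the directory whose ownership and mode you then compare against the uid the process had dropped to (40 in the trace above).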
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1377

PostPosted: Wed Jan 09, 2019 9:36 pm

mike155 wrote:
Quote:
I would assume "." is /chroot/dns?

1) Why don't you search upwards in the strace file for the last chdir()? Sometimes you can also guess the current directory from prior open() or stat() statements (if they use relative paths).


I actually looked at older logs, and see mention of this error in the older version. What's unique to this version is:

Code:
Jan  9 08:49:20 comp named[4415]: loading configuration: permission denied


mike155 wrote:

2) Why do you want to install BIND? Do you really want BIND? Or do you just need a local DNS server (authoritative and/or resolving)? BIND is a huge and complex software package and difficult to handle. If you just need a local DNS server, look at something smaller. I switched from BIND to dnsmasq a while ago and I'm very happy with it. Much smaller and much easier to handle.


Not an internal DNS server... I've just been using it for years.

Thanks!
hanji
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Posts: 242
Location: Germany

PostPosted: Thu Jan 10, 2019 9:16 pm    Post subject: Re: Unable to start bind-9.12.2_p2-r1 in chroot

hanj wrote:
Not sure. If I roll back to net-dns/bind-9.11.2_p1 it fires right back up.


Same problem here - also reverted back.
deagol
n00b
Joined: 12 Jul 2014
Posts: 15

PostPosted: Sun Jan 20, 2019 6:49 pm

Just a tip, I did not look deeper into it:

I'm also running net-dns/bind-9.12.2_p2-r1 chrooted with openrc, but works for me...
So it could be that you are hit by the issue reported in Bug 601510 and I sidestepped that by having applied the patch from the bug years ago.

The "official" init script for openrc is broken when running chrooted: some checks are done against "/" instead of the pid dir, which could explain the problem you observe.
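deagol's point is that the init script checks the wrong directory. The following added example (mine, not Gentoo's init script and not BIND code) does the pre-flight check against the directories named will actually use: the pid directory taken from PIDFILE and the `directory` option from named.conf prefixed with CHROOT. It decides writability from ownership and mode bits with the same owner/group/other class selection the kernel applies, which is what matters once named has dropped to uid 40 and to a capability set without CAP_DAC_OVERRIDE (the capset() in hanj's strace above). The demo() function builds a throwaway chroot tree under a temporary directory instead of touching /chroot/dns and runs the check as the current user, since a `named` account may not exist on the machine running it; the named.conf content, the user name and the layout are assumptions.

```python
"""Pre-flight check for a chrooted named: are the directories it must write to
writable by the unprivileged user it runs as?

Writability is computed from st_uid/st_gid/st_mode rather than by switching to
that user, so it can run as root from an init script.  CAP_DAC_OVERRIDE is not
modelled because named has dropped it before it tests its working directory.
Added example; the `named` user, conf.d values and named.conf text are assumptions.
"""
import grp
import os
import pwd
import re
import shutil
import stat
import tempfile

_DIRECTORY = re.compile(r'^\s*directory\s+"([^"]*)"\s*;', re.MULTILINE)


def named_directory(named_conf_text, default="/"):
    """Return the `directory` option from named.conf text, as named sees it inside the chroot."""
    m = _DIRECTORY.search(named_conf_text)
    return m.group(1) if m else default


def ids_for_user(user):
    """(uid, set of gids) for a user name, including supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def dir_writable_by(path, uid, gids):
    """True if a process with these ids could create/unlink files in `path`.

    Owner class applies if the uid matches (even when group bits are wider),
    otherwise the group class if any gid matches, otherwise other.
    Writing into a directory needs both w and x on it.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def preflight(chroot, pidfile, named_conf_text, user="named"):
    """{host path: ok} for the working directory and the pid directory inside the chroot."""
    uid, gids = ids_for_user(user)
    workdir = os.path.join(chroot, named_directory(named_conf_text).lstrip("/"))
    piddir = os.path.dirname(pidfile)   # /etc/conf.d/named already prefixes ${CHROOT}
    return {d: dir_writable_by(d, uid, gids) for d in (workdir, piddir)}


def check_mode_for_current_user(mode):
    """Create a temp dir with `mode` and report dir_writable_by() for the current user."""
    me = pwd.getpwuid(os.getuid()).pw_name
    uid, gids = ids_for_user(me)
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, mode)
        return dir_writable_by(d, uid, gids)
    finally:
        os.chmod(d, 0o700)
        os.rmdir(d)


def demo(user=None):
    """Build a constructed chroot layout in a temp dir (not /chroot/dns) and run preflight().

    var/bind is deliberately left r-x only to reproduce the thread's failure.
    """
    user = user or pwd.getpwuid(os.getuid()).pw_name
    chroot = tempfile.mkdtemp()
    workdir = os.path.join(chroot, "var/bind")
    piddir = os.path.join(chroot, "var/run/named")
    try:
        os.makedirs(workdir)
        os.makedirs(piddir)
        os.chmod(workdir, 0o555)   # named can read but not write here
        os.chmod(piddir, 0o770)
        conf = 'options {\n    directory "/var/bind";\n    pid-file "/var/run/named/named.pid";\n};\n'
        result = preflight(chroot, os.path.join(piddir, "named.pid"), conf, user)
        return {os.path.relpath(d, chroot): ok for d, ok in result.items()}
    finally:
        os.chmod(workdir, 0o700)
        shutil.rmtree(chroot)


if __name__ == "__main__":
    for d, ok in demo().items():
        print(f"{d}: {'ok' if ok else 'NOT writable by the named user'}")
```

On a real host you would call preflight("/chroot/dns", "/chroot/dns/var/run/named/named.pid", open("/chroot/dns/etc/bind/named.conf").read()) before starting named; a False entry for the working directory is exactly the condition behind "the working directory is not writable" in the log above.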
All times are GMT