Gentoo Forums
Unable to start bind-9.12.2_p2-r1 in chroot
Forum: Networking & Security
hanj (Veteran; joined 19 Aug 2003; 1387 posts)

Posted: Wed Jan 09, 2019 4:45 pm    Post subject: Unable to start bind-9.12.2_p2-r1 in chroot

I've been having a variety of problems on various servers. The first issue, "OpenSSL pseudorandom number generator issue w/bind", was fixed on one server, but now I have 2 other production servers that won't start.

Looking at the logs, I see the following...

Code:

Jan  9 08:49:20 comp named[4415]: configuring command channel from '/etc/bind/rndc.key'
Jan  9 08:49:20 comp named[4415]: socket.c:5681: unexpected error:
Jan  9 08:49:20 comp named[4415]: setsockopt(25, TCP_FASTOPEN) failed with Protocol not available
Jan  9 08:49:20 comp named[4415]: command channel listening on 127.0.0.1#953
Jan  9 08:49:20 comp named[4415]: the working directory is not writable
Jan  9 08:49:20 comp named[4415]: loading configuration: permission denied
Jan  9 08:49:20 comp named[4415]: exiting (due to fatal error)


Now, I originally thought it was the TCP_FASTOPEN, but I've been seeing that warning with older versions. The real problem is the vague "the working directory is not writable". That's weird. I've been running chrooted named for years, and it works fine when I roll back.

This is what I have in /etc/conf.d/named
Code:

CHROOT="/chroot/dns"
CHROOT_NOMOUNT="1"
CHROOT_NOCHECK=1
PIDFILE="${CHROOT}/var/run/named/named.pid"


If I change CHROOT_NOMOUNT then it starts, but named is hosed, since it grabs files from /etc; when I run my chroot environment, I get the error. So I feel like perms somewhere are wrong, but I can't find them. I thought I would run strace to see what was up, but that didn't yield any specifics for me...

This is where it breaks:

Code:
7828  prctl(PR_SET_DUMPABLE, SUID_DUMP_USER) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_CHOWN|1<<CAP_DAC_READ_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_CHROOT|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  getuid()                          = 40
7828  capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)
7828  getpid()                          = 7828
7828  sendto(3, "<27>Jan  9 09:27:14 named[7828]:"..., 71, MSG_NOSIGNAL, NULL, 0) = 71
7828  gettimeofday({tv_sec=1547051234, tv_usec=763630}, NULL) = 0
7828  getpid()                          = 7828
7828  sendto(3, "<26>Jan  9 09:27:14 named[7828]:"..., 74, MSG_NOSIGNAL, NULL, 0) = 74
7828  getpid()                          = 7828
7828  sendto(3, "<26>Jan  9 09:27:14 named[7828]:"..., 62, MSG_NOSIGNAL, NULL, 0) = 62
7828  close(3)                          = 0
7828  unlink("/var/run/named/named.pid") = 0

Code:

7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)


I would assume "." is /chroot/dns?

Code:
ls -al /chroot
drwxrwx---  6 root named 4096 Jul 16  2014 dns


So, that's not it.

Code:
ls -al /chroot/dns
drwxr-xr-x 2 root root  4096 Jan  9 08:09 dev
drwxr-xr-x 3 root root  4096 Mar  2  2012 etc
drwxr-xr-x 3 root root  4096 Jul 16  2014 run
drwxr-xr-x 6 root root  4096 Jan  9 09:18 var


Okay, this might be something, but I've changed this to 775 root:named and it still does not start. Comparing to my other box that runs chrooted, the perms are the same, so I changed the ownership/permissions back to the way they were.

I thought it might be the pid directory.
Code:
ls -al /chroot/dns/var/run/
drwxrwx--- 2 root named 4096 Jan  9 09:34 named


Here are my USE flags for this version:
Code:
[ebuild   R    ] net-dns/bind-9.12.2_p2-r1::gentoo  USE="berkdb caps dlz ssl xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -idn -ipv6 -json -ldap -libidn2 -libressl -lmdb -mysql -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs -threads -urandom" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6 (-python3_7)" 0 KiB


Not sure. If I roll back to net-dns/bind-9.11.2_p1 it fires right back up.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!


Last edited by hanj on Wed Jan 09, 2019 9:37 pm; edited 1 time in total
mike155 (l33t; joined 17 Sep 2010; 944 posts; Frankfurt, Germany)

Posted: Wed Jan 09, 2019 9:26 pm

Quote:
I would assume "." is /chroot/dns?

1) Why don't you search upwards in the strace file for the last chdir()? Sometimes you can also guess the current directory from prior open() or stat() statements (if they use relative paths).

2) Why do you want to install BIND? Do you really want BIND? Or do you just need a local DNS server (authoritative and/or resolving)? BIND is a huge and complex software package and difficult to handle. If you just need a local DNS server, look at something smaller. I switched from BIND to dnsmasq a while ago and I'm very happy with it. Much smaller and much easier to handle.
hanj (Veteran; joined 19 Aug 2003; 1387 posts)

Posted: Wed Jan 09, 2019 9:36 pm

mike155 wrote:
Quote:
I would assume "." is /chroot/dns?

1) Why don't you search upwards in the strace file for the last chdir()? Sometimes you can also guess the current directory from prior open() or stat() statements (if they use relative paths).


I actually looked at older logs, and I see mention of this error in the older version too. What's unique to this version is:

Code:
Jan  9 08:49:20 comp named[4415]: loading configuration: permission denied


mike155 wrote:

2) Why do you want to install BIND? Do you really want BIND? Or do you just need a local DNS server (authoritative and/or resolving)? BIND is a huge and complex software package and difficult to handle. If you just need a local DNS server, look at something smaller. I switched from BIND to dnsmasq a while ago and I'm very happy with it. Much smaller and much easier to handle.


Not an internal DNS server... I've just been using it for years.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!
Duncan Mac Leod (Apprentice; joined 02 May 2004; 246 posts; Germany)

Posted: Thu Jan 10, 2019 9:16 pm    Post subject: Re: Unable to start bind-9.12.2_p2-r1 in chroot

hanj wrote:
Not sure. If I roll back to net-dns/bind-9.11.2_p1 it fires right back up.


Same problem here - also reverted back.
deagol (n00b; joined 12 Jul 2014; 16 posts)

Posted: Sun Jan 20, 2019 6:49 pm

Just a tip, I did not look deeper into it:

I'm also running net-dns/bind-9.12.2_p2-r1 chrooted with openrc, but it works for me...
So it could be that you are hit by the issue reported in Bug 601510, and I sidestepped that by having applied the patch from the bug years ago.

The "official" init script for openrc is broken when running chrooted; some checks are done against "/" instead of the pid dir.
Which could explain the problem you observe.
Schnulli (Guru; joined 25 Jun 2010; 320 posts; Bremen DE)

Posted: Wed Jan 23, 2019 11:28 pm

Well...
Last time I was also working a bit with Bind9.

Here I am running my fully chrooted DNS in the LAN with my TLD domains bound... seems to work... even if it is in test on a dynamic IPv4 & IPv6.

A hint...
Get a provider that will allow you to use a TLD at dynamic IPs and get it working ;)

Next time I will develop a Raspberry Pi image, free to download, that will work as a DNS server; the only thing that must be done is to add your own TLDs and keys and it will work.
I will add a readme as well on getting your own TLDs bound.

Regards
hanj (Veteran; joined 19 Aug 2003; 1387 posts)

Posted: Fri Jan 25, 2019 4:36 am

Digging further. I thought I would run start-stop-daemon by hand:

Code:
 start-stop-daemon -v --start --pidfile /chroot/dns/var/run/named/named.pid --exec /usr/sbin/named -- -u named -t /chroot/dns
 * start-stop-daemon: fopen `/chroot/dns/var/run/named/named.pid': No such file or directory
 * Detaching to start `/usr/sbin/named' ...
 *   start-stop-daemon: failed to start `/usr/sbin/named


So, it's unable to write the pid file?

Here is what that directory looks like:

Code:
/chroot/dns/var/run/named # ls -al  /chroot/dns/var/run/named
total 16
drwxrwx--- 2 root  named 4096 Jan 24 21:33 .
drwxr-xr-x 3 root  root  4096 Mar  2  2012 ..
-rw------- 1 named named  102 Jan 24 21:33 session.key


Again, this works fine with the older version of bind in chroot. I just rolled back and verified that the named.pid was in this directory and it is.
_________________
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!
hanj (Veteran; joined 19 Aug 2003; 1387 posts)

Posted: Fri Jan 25, 2019 4:38 am

deagol wrote:
Just a tip, I did not look deeper into it:

I'm also running net-dns/bind-9.12.2_p2-r1 chrooted with openrc, but it works for me...
So it could be that you are hit by the issue reported in Bug 601510 and I sidestepped that by having applied the patch from the bug years ago.

The "official" init script for openrc is broken when running chrooted; some checks are done against "/" instead of the pid dir.
Which could explain the problem you observe.


I tried some of this, but it wasn't getting me anywhere. Could you post your /etc/init.d/named file?

I am running openrc, but when I issue debug statements, it seems like it's seeing the chroot properly.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!
deagol (n00b; joined 12 Jul 2014; 16 posts)

Posted: Mon Jan 28, 2019 7:17 pm

You can get my init script by downloading this patch https://601510.bugs.gentoo.org/attachment.cgi?id=473634 and apply it to the "official" init script.
If you have custom modifications: The official script is also in portage, /usr/portage/net-dns/bind/files/named.init-r13.

With these commands you get exactly my script:
Code:
cd /tmp
wget 'https://601510.bugs.gentoo.org/attachment.cgi?id=473634' -O patch.txt
cp /usr/portage/net-dns/bind/files/named.init-r13 /tmp
patch named.init-r13 < patch.txt
Duncan Mac Leod (Apprentice; joined 02 May 2004; 246 posts; Germany)

Posted: Sat Mar 23, 2019 2:55 pm

Don't try to patch /etc/init.d/named

...just try my solution: https://forums.gentoo.org/viewtopic-t-1090564.html
hanj (Veteran; joined 19 Aug 2003; 1387 posts)

Posted: Sat Mar 23, 2019 3:15 pm

Duncan Mac Leod wrote:
Don't try to patch /etc/init.d/named

...just try my solution: https://forums.gentoo.org/viewtopic-t-1090564.html


I'm still having problems on all of my servers in chroot with this version. I did try the init.d/named patch... no dice. I have urandom. Still not starting in chroot.

Code:
/chroot/dns/dev # ls -al
total 0
drwxr-xr-x 2 named named  144 Mar 20 21:18 .
drwx------ 7 root  named  168 Jun 27  2014 ..
crw-rw-rw- 1 named named 1, 3 Mar 20 21:18 null
crw-rw-rw- 1 named named 1, 8 Sep 16  2005 random
crw-rw-rw- 1 named named 1, 9 Mar 20 21:18 urandom
crw-rw-rw- 1 named named 1, 5 Mar 20 21:18 zero


/etc/conf.d/named:
Code:
CHROOT="/chroot/dns"
CHROOT_NOMOUNT="1"
PIDFILE="${CHROOT}/var/run/named/named.pid"


Code:
 /etc/init.d/named restart
 * Caching service dependencies ...                          [ ok ]
 * Starting chrooted named ...
 * Checking named configuration ...                          [ ok ]
 * start-stop-daemon: failed to start `/usr/sbin/named'      [ !! ]


output in logs...

Code:
Mar 23 09:12:43 comp named[31391]: starting BIND 9.12.2-P2 <id:b2bf278>
Mar 23 09:12:43 comp named[31391]: running on Linux i686 4.14.63-gentoo #3 Fri Sep 7 09:30:56 MDT 2018
Mar 23 09:12:43 comp named[31391]: built with '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.12.2_p2-r1' '--htmldir=/usr/share/doc/bind-9.12.2_p2-r1/html' '--with-sysroot=/' '--libdir=/usr/lib' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--disable-threads' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--without-gssapi' '--without-idnkit' '--without-libidn2' '--without-libjson' '--without-dlz-ldap' '--with-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--without-libxml2' '--with-zlib' '--with-randomdev=/dev/urandom' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CFLAGS=-O2 -march=pentium4 -pipe -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Mar 23 09:12:43 comp named[31391]: running as: named -u named -t /chroot/dns
Mar 23 09:12:43 comp named[31391]: compiled by GCC 6.4.0
Mar 23 09:12:43 comp named[31391]: compiled with OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Mar 23 09:12:43 comp named[31391]: linked to OpenSSL version: OpenSSL 1.0.2r  26 Feb 2019
Mar 23 09:12:43 comp named[31391]: compiled with zlib version: 1.2.11
Mar 23 09:12:43 comp named[31391]: linked to zlib version: 1.2.11
Mar 23 09:12:43 comp named[31391]: threads support is disabled
Mar 23 09:12:43 comp named[31391]: ----------------------------------------------------
Mar 23 09:12:43 comp named[31391]: BIND 9 is maintained by Internet Systems Consortium,
Mar 23 09:12:43 comp named[31391]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 23 09:12:43 comp named[31391]: corporation.  Support and training for BIND 9 are
Mar 23 09:12:43 comp named[31391]: available at https://www.isc.org/support
Mar 23 09:12:43 comp named[31391]: ----------------------------------------------------
Mar 23 09:12:43 comp named[31391]: using up to 4096 sockets
Mar 23 09:12:43 comp named[31391]: loading configuration from '/etc/bind/named.conf'
Mar 23 09:12:43 comp named[31391]: directory '/var/named' is not writable
Mar 23 09:12:43 comp named[31391]: /etc/bind/named.conf:3: parsing failed: permission denied
Mar 23 09:12:43 comp named[31391]: loading configuration: permission denied
Mar 23 09:12:43 comp named[31391]: exiting (due to fatal error)
Mar 23 09:12:43 comp /etc/init.d/named[31389]: start-stop-daemon: failed to start `/usr/sbin/named'
Mar 23 09:12:43 comp /etc/init.d/named[31145]: ERROR: named failed to start


These seem to be the problem...
Code:
Mar 23 09:12:43 comp named[31391]: directory '/var/named' is not writable
Mar 23 09:12:43 comp named[31391]: /etc/bind/named.conf:3: parsing failed: permission denied
Mar 23 09:12:43 comp named[31391]: loading configuration: permission denied


But... perms look good. Again, in chroot:

Code:
/chroot/dns # ls -al
total 0
drwx------ 7 root  named 168 Jun 27  2014 .
drwxr-xr-x 3 root  root   72 Jan  4  2007 ..
drwxr-xr-x 2 named named 144 Mar 20 21:18 dev
drwxr-xr-x 3 named named 104 Jan 14  2013 etc
drwxr-xr-x 3 named named  72 Jun 27  2014 run
drwxrwxrwx 7 named named 168 Nov  7  2016 var <= I changed it to 777 for testing


Code:
/chroot/dns/etc/bind # ls -al
total 64
drwxr-xr-x 2 named named   240 Mar 20 21:25 .
drwxr-xr-x 3 named named   104 Jan 14  2013 ..
-rw-r----- 1 named named  2761 Dec 14 09:11 bind.keys
lrwxrwxrwx 1 named named    13 Dec 14 09:11 dyn -> /var/bind/dyn
-rw-r--r-- 1 named named 34967 Dec  8  2010 named.conf
lrwxrwxrwx 1 named named    13 Dec 14 09:11 pri -> /var/bind/pri
-rw------- 1 named named    77 Sep 16  2005 rndc.key
lrwxrwxrwx 1 named named    13 Dec 14 09:11 sec -> /var/bind/sec



hanji
_________________
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!
Duncan Mac Leod (Apprentice; joined 02 May 2004; 246 posts; Germany)

Posted: Sat Mar 23, 2019 3:50 pm

Maybe you have a permission problem in the chroot...

My permissions are:

Code:

ls -l /chroot/dns/
total 16
drwxr-xr-x 2 root root 4096 Mar 23 15:36 dev
drwxr-xr-x 3 root root 4096 Aug 11  2018 etc
drwxr-xr-x 3 root root 4096 Aug  6  2018 run
drwxr-xr-x 5 root root 4096 Aug 11  2018 var


Code:

ls -l /chroot/dns/dev/
total 0
crw-rw-rw- 1 root root 1, 3 Aug  6  2018 null
crw-rw-rw- 1 root root 1, 8 Aug  6  2018 random
crw-rw-rw- 1 root root 1, 9 Mar 23 15:36 urandom
crw-rw-rw- 1 root root 1, 5 Aug  6  2018 zero


Code:

ls -l /chroot/dns/etc/
total 8
drwxr-xr-x 2 named root 4096 Mar 23 15:27 bind
-rw-r--r-- 1 root  root 2326 Jan 24 18:19 localtime


Code:

ls -l /chroot/dns/run/
total 4
drwxrwx--- 2 root named 4096 Mar 23 15:44 named


Code:

ls -l /chroot/dns/var/
total 12
drwxrwx--- 5 root  named 4096 Mar 23 15:45 bind
drwxr-xr-x 3 root  root  4096 Aug  6  2018 log
drwxr-xr-x 2 named named 4096 Aug 11  2018 run


Code:

ls -l /chroot/dns/etc/bind/
total 24
-rw-r----- 1 root named  2761 Mar 23 15:24 bind.keys
lrwxrwxrwx 1 root root     13 Mar 23 15:24 dyn -> /var/bind/dyn
-rw-r----- 1 root named 13228 Oct  7 16:29 named.conf
lrwxrwxrwx 1 root root     13 Mar 23 15:24 pri -> /var/bind/pri
-rw-r----- 1 root named    77 Aug  6  2018 rndc.key
lrwxrwxrwx 1 root root     13 Mar 23 15:24 sec -> /var/bind/sec
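The strace in the opening post and the directory listings in the two March posts all come down to the same kernel decision. Once the capset() in the strace has reduced the effective set to CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE, uid 40 is subject to plain discretionary access control: every directory on the way to the target must grant search permission through the owner, group or other class, and the target itself must grant the bits requested, here W_OK|X_OK on the working directory (the `directory` option, /var/named in the March log). Root's own `test -w` says nothing about this, because root passes the check regardless. The following is an added example, not code from the thread or from BIND: it types the quoted `ls -al` output into a small model of that check and reports the first component that denies. gid 40 for group named, the /var/named entry in the January tree and the chroot root in the last post's tree are not shown in the thread and are assumptions, marked as such in the code.

```python
"""Added example, not from the thread or from BIND: model the kernel's DAC
check behind access(2) over the chroot trees quoted in the thread and report
the first component that denies uid named.  Constructed data: uid 40 is from
getuid() = 40 in the strace; gid 40 for group named, /var/named in January and
the chroot root in the last post are not shown and are ASSUMPTIONS.  The caller
has already dropped CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH (see the capset())."""
from dataclasses import dataclass

R_OK, W_OK, X_OK, ROOT = 4, 2, 1, 0
NAMED_UID = 40      # from the strace
NAMED_GID = 40      # assumption


@dataclass(frozen=True)
class Inode:
    mode: int       # permission bits only, e.g. 0o770
    uid: int
    gid: int


def dac_permitted(ino, uid, gids, mask):
    """Classic Unix DAC: owner class if uid matches, else group class if the
    inode's gid is among the caller's groups, else other.  Every bit in
    `mask` must be set; no capability override is modelled."""
    if uid == ino.uid:
        bits = (ino.mode >> 6) & 7
    elif ino.gid in gids:
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return bits & mask == mask


def access_in_chroot(tree, path, uid, gids, mask):
    """Resolve an absolute, chroot-relative path as the kernel does: each
    directory on the way needs search (X_OK), the final entry needs `mask`.
    Returns ("OK", path) or (errno name, denying component)."""
    gids = set(gids)
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if cur not in tree:
            return "ENOENT", cur
        if not dac_permitted(tree[cur], uid, gids, X_OK):
            return "EACCES", cur
        cur = ("" if cur == "/" else cur) + "/" + part
    if cur not in tree:
        return "ENOENT", cur
    if not dac_permitted(tree[cur], uid, gids, mask):
        return "EACCES", cur
    return "OK", cur


# January listings; /var/named is not listed in the thread (ASSUMED).
JANUARY = {
    "/":              Inode(0o770, ROOT, NAMED_GID),
    "/var":           Inode(0o755, ROOT, ROOT),
    "/var/named":     Inode(0o755, ROOT, ROOT),       # ASSUMED
    "/var/run":       Inode(0o755, ROOT, ROOT),
    "/var/run/named": Inode(0o770, ROOT, NAMED_GID),
}
# March listing: the chroot root itself is 0700 root:named.
MARCH = {
    "/":                    Inode(0o700, ROOT, NAMED_GID),
    "/var":                 Inode(0o777, NAMED_UID, NAMED_GID),
    "/etc":                 Inode(0o755, NAMED_UID, NAMED_GID),
    "/etc/bind":            Inode(0o755, NAMED_UID, NAMED_GID),
    "/etc/bind/named.conf": Inode(0o644, NAMED_UID, NAMED_GID),
}
# Working layout from the last post; its chroot root is not listed (ASSUMED).
DUNCAN = {
    "/":                    Inode(0o755, ROOT, ROOT),  # ASSUMED
    "/var":                 Inode(0o755, ROOT, ROOT),
    "/var/bind":            Inode(0o770, ROOT, NAMED_GID),
    "/run":                 Inode(0o755, ROOT, ROOT),
    "/run/named":           Inode(0o770, ROOT, NAMED_GID),
    "/etc":                 Inode(0o755, ROOT, ROOT),
    "/etc/bind":            Inode(0o755, NAMED_UID, ROOT),
    "/etc/bind/named.conf": Inode(0o640, ROOT, NAMED_GID),
}


def as_named(tree, path, mask):
    """The check as uid named with supplementary group named."""
    return access_in_chroot(tree, path, NAMED_UID, {NAMED_GID}, mask)


def report():
    # "." in the strace is the `directory` option, /var/named in the March log
    return {
        "jan workdir":       as_named(JANUARY, "/var/named", W_OK | X_OK),
        "jan pidfile dir":   as_named(JANUARY, "/var/run/named", W_OK | X_OK),
        "mar named.conf":    as_named(MARCH, "/etc/bind/named.conf", R_OK),
        "duncan workdir":    as_named(DUNCAN, "/var/bind", W_OK | X_OK),
        "duncan named.conf": as_named(DUNCAN, "/etc/bind/named.conf", R_OK),
    }


if __name__ == "__main__":
    for name, (result, where) in report().items():
        print(f"{name:18s} {result:7s} {where}")
```

With the assumed /var/named, the January tree fails exactly where the strace does, at the working directory, while the pid directory passes; the layout from the last post passes both checks because /var/bind is group-writable by named. The March tree as quoted is refused at the chroot root itself, since 0700 root:named leaves group named with no search permission, so any difference between that listing and what the running daemon actually sees is worth checking. To apply the same reasoning to a live chroot, resolve the path named reports against the host (for example $CHROOT/var/named) and compare its mode and ownership with the daemon's uid and groups, rather than relying on a check run as root.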