Difficulty setting up BIND in a chroot jail

Message

super_7b · Post by **super_7b** » Thu Jan 04, 2024 8:36 pm

Hi All,

I am preparing to re-install my home server using Gentoo to replace an old Centos 8 installation. To make this as pain-free as possible, I have built a dummy Gentoo machine under VirtualBox on a Windows 10 Host so I can practise in a safe manner and get it right first time on the real installation.

The Gentoo basic installation (6.1.67-gentoo-x86_64) is working nicely using OpenRC rather than systemd and I began my tests by trying to setup a BIND DNS server under a chroot jail.

I searched for information, but could not find anything very clear to me. The best I could find was in the Gentoo BIND Wiki, which seemed to indicate that I should install BIND in the "unjailed" way, then run an emerge --config.

I did the basic installation and followed the instructions printed out at the end:-

Code: Select all

 *
 * You can edit /etc/conf.d/named to customize named settings
 *
 * If you'd like to run bind in a chroot AND this is a new
 * install OR your bind doesn't already run in a chroot:
 * 1) Uncomment and set the CHROOT variable in /etc/conf.d/named.
 * 2) Run `emerge --config '=net-dns/bind-9.16.42'`
 *

I then investigated if the system was setup correctly by issuing the following commands:-

Code: Select all

[root@localhost:/]$$ rc-service named checkconfig
 * Checking named configuration ...
 * No /chroot/dns/etc/bind/named.conf file exists!
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$ rc-service named checkzones
 * Checking named configuration and zones ...
open: /etc/bind/named.conf: file not found                                                                                                                                                                  [ !! ]
[root@localhost:/]$

I suspected some file(s) to be missing from the jail file tree because of the checkconfig error, but I knew that /etc/bind/named.conf existed, so I suspected that checkzones was implicitly searching within the jail.

I then investigated the basic installation directories under /etc/bind and compared them to those under /chroot/dns/etc/bind and found that the latter was empty.
The other directories (/chroot/dns/dev and /chroot/dns/var) were populated with what looked to be reasonable files and sub-directories when compared to my Centos chrooted BIND.

Code: Select all

[root@localhost:/]$ ls -l /etc/bind
total 12
-rw-r----- 1 root named 1991 Jan  4 19:32 bind.keys
lrwxrwxrwx 1 root root    18 Jan  4 19:32 dyn -> ../../var/bind/dyn
-rw-r----- 1 root named 4020 Jan  4 19:32 named.conf
lrwxrwxrwx 1 root root    18 Jan  4 19:32 pri -> ../../var/bind/pri
-rw-r----- 1 root named  100 Jan  4 16:10 rndc.key
lrwxrwxrwx 1 root root    18 Jan  4 19:32 sec -> ../../var/bind/sec
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$ ls -lR /chroot/dns
/chroot/dns:
total 16
drwxr-xr-x 2 root root 4096 Jan  4 19:39 dev
drwxr-xr-x 3 root root 4096 Jan  4 19:39 etc
drwxr-xr-x 3 root root 4096 Jan  4 19:39 run
drwxr-xr-x 4 root root 4096 Jan  4 19:39 var

/chroot/dns/dev:
total 0
crw-rw-rw- 1 root root 1, 3 Jan  4 19:39 null
crw-rw-rw- 1 root root 1, 9 Jan  4 19:39 urandom
crw-rw-rw- 1 root root 1, 5 Jan  4 19:39 zero

/chroot/dns/etc:
total 4
drwxr-x--- 2 root named 4096 Jan  4 19:39 bind

/chroot/dns/etc/bind:
total 0

/chroot/dns/run:
total 4
drwxrwx--- 2 root named 4096 Jan  4 19:39 named

/chroot/dns/run/named:
total 0

/chroot/dns/var:
total 8
drwxrwx--- 2 root named 4096 Jan  4 19:39 bind
drwxr-xr-x 3 root root  4096 Jan  4 19:39 log

/chroot/dns/var/bind:
total 0

/chroot/dns/var/log:
total 4
drwxrwx--- 2 root named 4096 Jan  4 19:39 named

/chroot/dns/var/log/named:
total 0

I could copy/create the missing files, but I'm a bit confused why the emerge --config seems to only set up part of what I'd expect.
I'm also not sure why there are files left outside of the jail. I thought they would all be in the jail, with just /etc/bind/named.conf remaining in the normal tree, perhaps as a symlink to the "real" one in the jail.

I'm not any kind of BIND expert, so I would appreciate any help in configuring my BIND correctly.

BR

Mick

alamahant · Post by **alamahant** » Thu Jan 04, 2024 9:37 pm

I only tried running named in chroot once and i had the exact same problem.
Namely i had to copy
/etc/bind and /var/bind
to <chroot>/etc/bind and <chroot>/var/bind.
It is like that.Maybe a glitch.
Why don't you open a bug report?

super_7b · Post by **super_7b** » Thu Jan 04, 2024 10:13 pm

I could copy the files, as I originally mentioned, but I wondered if this was the "official" way. Perhaps I was missing some step(s) that would set it up correctly automatically.

I will copy the files and see if that allows BIND to fire up.

I'd still like confirmation if anyone has a firm answer.

pa4wdh · Post by **pa4wdh** » Fri Jan 05, 2024 10:34 am

I'm not sure about the official way, but i've been running BIND on Gentoo in a chroot for as long as i can remember

My setup:
/etc/conf.d/named (relevant parts only)

Code: Select all

CHROOT="/opt/chroot/named"
CHROOT_NOMOUNT="1"
PIDFILE="${CHROOT}/var/run/named/named.pid"

Files in /opt/chroot/named (some files have been removed from the listing because they are specific to my setup)

Code: Select all

/opt/chroot/named # ls -lR
.:
total 16
drwxr-xr-x 2 root root 4096 Aug 12  2019 dev
drwxr-xr-x 3 root root 4096 Oct 16  2017 etc
drwxr-xr-x 3 root root 4096 Oct 15  2017 run
drwxr-xr-x 6 root root 4096 Oct 21  2017 var

./dev:
total 0
crw-rw-rw- 1 root root 1, 3 Oct 15  2017 null
crw-rw-rw- 1 root root 1, 8 Oct 15  2017 random
crw-r--r-- 1 root root 1, 9 Oct 12  2017 urandom
crw-rw-rw- 1 root root 1, 5 Oct 15  2017 zero

./etc:
total 8
drwxr-x--- 2 root named 4096 Sep  4 15:45 bind
-rw-r--r-- 1 root root  2933 Dec 16 13:12 localtime

./etc/bind:
total 96
-rw-r--r-- 1 root root  5392 Feb  5  2022 named.conf
< removed from listing: Key files >

./run:
total 4
drwxrwx--- 2 root named 4096 Oct 19  2017 named

./run/named:
total 0

./var:
total 16
drwxr-xr-x 2 root root  4096 Oct 16  2017 bind
drwxr-xr-x 3 root root  4096 Oct 15  2017 log
drwxrwx--- 5 root named 4096 Jan  5 10:42 named
drwxrwx--- 3 root named 4096 Oct 21  2017 run

./var/bind:
total 0

./var/log:
total 4
drwxrwx--- 2 root named 4096 Oct 15  2017 named

./var/log/named:
total 0

./var/named:
total 112
< Removed from listing: my zone files + dnssec keys >

./var/run:
total 4
drwxrwx--- 2 root named 4096 Dec 23 10:33 named

./var/run/named:
total 8
-rw-r--r-- 1 named named   4 Dec 23 10:33 named.pid
-rw------- 1 named named 102 Dec 23 10:33 session.key

For a basic configuration copying the shipped files into the chroot should give you a good starting point.

super_7b · Post by **super_7b** » Fri Jan 05, 2024 3:24 pm

Thanks to alamahant and pa4wdh for the pointers.

I have done as pa4wdh suggested and also added a couple of zone files. As a result, "rc-service named checkconfig" and "rc-service named checkzones" return good results.

My further questions to pa4wdh are:-

1) Do you still have the directories and associated files "/var/bind" and "/etc/bind"? If they are not needed, I would rather remove them so there can be no confusion if later editing is needed.
2) I wonder if there needs to be an external link to the working "/etc/bind/named.conf" in the chroot jail? Perhaps a symlink in a top-level "/etc/bind" directory to the file in the chroot jail, in case other applications need to be able to access the working file?

Thanks

Mick

pa4wdh · Post by **pa4wdh** » Wed Jan 10, 2024 9:27 am

Sorry for my late response

1) Do you still have the directories and associated files "/var/bind" and "/etc/bind"? If they are not needed, I would rather remove them so there can be no confusion if later editing is needed.

You don't need these directories if you do not intend to run bind outside a chroot jail. Keep in mind that they might be created by the ebuild, so you'll probably have to INSTALL_MASK them to make sure they don't come back after a bind update.

2) I wonder if there needs to be an external link to the working "/etc/bind/named.conf" in the chroot jail? Perhaps a symlink in a top-level "/etc/bind" directory to the file in the chroot jail, in case other applications need to be able to access the working file?

This is not needed for named.conf, but it is often done for the rndc key when you wish to use rndc to control the bind instance inside the chroot.

super_7b · Post by **super_7b** » Wed Jan 10, 2024 7:38 pm

Hi pa4wdh

Thanks for the reply.That's very clear.

I will tidy up as you suggest and make the link for the rndc key

BR

Mick