Ubuntu Hardy chrooted bind9 fails to start
Djamu
25th March 2008, 22:53
Preparing to move my server to LTS Ubuntu Hardy, just testing using VMware.
I've found a weird issue while chrooting bind ( following The Perfect Server Setup ).
So I guess this will pop up sooner or later anyway...
What I did so far ( all as root ):
apt-get install bind9
/etc/init.d/bind9 stop
changed 1st line of /etc/default/bind9
vim /etc/default/bind9
> changed first line to > OPTIONS="-u bind -t /var/lib/named"
creating some directories & a link to move /etc/bind to /var/lib/named/etc/bind
creating null & random devices
fixing permissions
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
fixed /etc/default/syslogd
vim /etc/default/syslogd
> SYSLOGD="-a /var/lib/named/dev/log"
This has always worked in the past, but doesn't on Hardy 8.04.
If I try to start it with > /etc/bind9 start it simply fails.
Stopping it >
rndc: connect failed: 127.0.0.1#953: connection refused
vim /var/log/syslog reveals
Mar 25 08:06:57 hardy-server named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
Mar 25 08:06:57 hardy-server named[11824]: found 1 CPU, using 1 worker thread
Mar 25 08:06:57 hardy-server named[11824]: loading configuration from '/etc/bind/named.conf'
Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied
Mar 25 08:06:57 hardy-server named[11824]: loading configuration: permission denied
Mar 25 08:06:57 hardy-server named[11824]: exiting (due to fatal error)
Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
Anybody any idea? I've checked permissions, locations... and with Feisty / Gutsy this just worked...
thx..
topdog
26th March 2008, 10:02
As you can see from the error messages, this is a permissions issue: the config file can not be read by named.
topdog
26th March 2008, 10:04
Come to think of it, looking at the last line it could be AppArmor that is blocking access to the file.
Djamu
2nd April 2008, 17:38
Woohoo, cool, that was it: after purging this package it worked. Obviously this is not the way to do this, but now I know for certain... AppArmor is something new on Ubuntu, wasn't aware of it... I'll take a look in the SUSE community for a decent manual.
thank you,
Djamu
3rd April 2008, 00:13
Here's the fix. Don't know if it makes much sense to chroot and use AppArmor at the same time... guess there's no harm either...
Follow the above described procedure & end with
vim /etc/apparmor.d/usr.sbin.named
and change the marked lines
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
# Dynamic updates needs zone and journal files rw. We just allow rw for all
# in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
/var/lib/named/etc/bind/* rw,
/proc/net/if_inet6 r,
/usr/sbin/named mr,
/var/cache/bind/* rw,
/var/lib/named/var/run/bind/run/named.pid w,
# /var/run/bind/run/named.pid w,
# support for resolvconf
/var/lib/named/var/run/bind/named.options r,
# /var/run/bind/named.options r,
# add also following lines thanks to Spezi2u
/var/lib/named/dev/null rw,
/var/lib/named/dev/random rw,
}
Don't forget to (re)start the services
/etc/init.d/sysklogd restart
/etc/init.d/apparmor start
/etc/init.d/bind9 start
topdog
3rd April 2008, 09:39
I wonder why they would ship a policy that does not work. I'm not sure if it will work in the chroot, as most MAC systems use the real file path. Test if you can and let us know.
Djamu
3rd April 2008, 18:14
I wonder why they would ship a policy that does not work. I'm not sure if it will work in the chroot, as most MAC systems use the real file path. Test if you can and let us know.
Well, the policy did work until I moved & chrooted it... so IMHO that makes sense... because that's part of what AppArmor is supposed to do ( my rudimentary understanding of creating a hat ).
I used a symbolic link for all libraries that have paths hard coded ( if I understand you correctly ). Bind seems to behave properly, so until now all is well.
I still don't know if there's a point in using chrooting & AppArmor at the same time, as it might as well weaken security instead of adding hardening...
If someone knows of a deprecated package with known weaknesses I might be able to test those in this kind of environment ( why aren't there 48h days ).
But before that I have to solve another issue with compiling the ISPConfig package, as it's complaining about wrong syntaxes in an empty httpd.conf ...
Spezi2u
29th April 2008, 13:42
Thanks for the help on AppArmor. I have noticed that bind will still not access the random device, and AppArmor seems to go out of the chroot jail and take the old one, so I have just added two lines at the end of
/etc/apparmor.d/usr.bin.named
[...]
/var/lib/named/dev/null rw,
/var/lib/named/dev/random rw,
[...]
that seemed to do the trick. Bind starts perfectly now.
Djamu
29th April 2008, 13:51
K thx, didn't notice yet ( stopped working on it ), pretty busy debugging a bogus driver..
I'll add it to the howto...
I just ran into this problem as well after upgrading to 8.04LTS also and this fixed it perfectly!
Thanks for the info guys!
Spezi2u
5th May 2008, 14:36
If you happen to put your local zones in a subdirectory of e.g. /etc/bind, don't forget to add all dirs to the AppArmor file.
[...]
/etc/bind/zones/* rw,
/etc/bind/zones/external/* rw,
/etc/bind/zones/internal/* rw,
[...]
...have fun.
Michael
Spezi2u
5th May 2008, 14:42
... I think I am still on WE. The last post should read:
[...]
/var/lib/named/etc/bind/zones/* rw,
/var/lib/named/etc/bind/zones/external/* rw,
/var/lib/named/etc/bind/zones/internal/* rw,
[...]
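The two AppArmor points made above, topdog's remark that the MAC check sees the real file path (hence the /var/lib/named/... rules in Djamu's profile) and Spezi2u's note that zone subdirectories need their own rules, can be checked mechanically. This is an added example, not code from the thread or from the bind9/AppArmor packages: it parses the kernel audit denial quoted in the first post, derives the file rule it asks for, and tests whether a profile's file rules already cover that path using AppArmor's glob semantics (`**` crosses `/`, a single `*` does not). The stock and fixed profiles embedded in it are constructed stand-ins for the files shown in the thread; the kernel audit line is the one from the first post.

```python
"""Derive the AppArmor rule a kernel denial is asking for, and check it against
the named profile.

Two points from the thread: AppArmor mediates the real (host) path, so a
chrooted named opening /etc/bind/named.conf is judged on
/var/lib/named/etc/bind/named.conf; and a '*' in a rule matches a single path
component, so zone files in a subdirectory need rules of their own.
"""
import re

_FIELD = re.compile(r'(\w+)="([^"]*)"')                 # key="value" pairs in audit lines
_RULE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+),\s*$')    # '/path/glob perms,' file rules

# The denial from the thread's syslog (Hardy, BIND 9.4.2 chrooted to /var/lib/named).
DENIAL = ('Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): '
          'operation="inode_permission" request_mask="r::" denied_mask="r::" '
          'name="/var/lib/named/etc/bind/named.conf" pid=11825 '
          'profile="/usr/sbin/named" namespace="default"')

# Constructed stand-ins: the stock profile's '/etc/bind/** r,' rule (shown
# commented out later in the thread) and the file rules of Djamu's corrected profile.
STOCK_PROFILE = """/usr/sbin/named {
  /etc/bind/** r,
  /usr/sbin/named mr,
}
"""
FIXED_PROFILE = """/usr/sbin/named {
  /var/lib/named/etc/bind/* rw,
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}
"""


def host_path(chroot, inner_path):
    """The path AppArmor (and the host) sees for a path named uses inside the chroot."""
    return chroot.rstrip('/') + '/' + inner_path.lstrip('/')


def parse_denial(line):
    """Fields of an AppArmor audit line, or None when the line is not a denial."""
    fields = dict(_FIELD.findall(line))
    if 'denied_mask' not in fields or 'name' not in fields:
        return None
    return fields


def denied_perms(mask):
    """Permission letters of a denied_mask: 'r::' -> 'r', 'rw::' -> 'rw'."""
    return ''.join(dict.fromkeys(ch for ch in mask if ch.isalpha()))


def _glob_to_regex(pattern):
    """AppArmor globbing: '**' may span '/', a single '*' may not."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
        elif pattern[i] == '*':
            out, i = out + '[^/]*', i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')


def profile_rules(profile_text):
    """(compiled pattern, perms) for each file rule; comments, #include,
    capability lines and the braces are skipped."""
    rules = []
    for line in profile_text.splitlines():
        m = _RULE.match(line)
        if m:
            rules.append((_glob_to_regex(m.group(1)), m.group(2)))
    return rules


def profile_allows(profile_text, path, perms):
    """True when some rule matches `path` and grants every letter in `perms`."""
    return any(pat.match(path) and all(p in granted for p in perms)
               for pat, granted in profile_rules(profile_text))


def rule_from_denial(line, profile_text=''):
    """The file rule to add for a denial, or None if the profile already
    covers it or the line is not a denial at all."""
    fields = parse_denial(line)
    if fields is None:
        return None
    perms = denied_perms(fields['denied_mask'])
    if profile_allows(profile_text, fields['name'], perms):
        return None
    return '%s %s,' % (fields['name'], perms)


if __name__ == '__main__':
    print(rule_from_denial(DENIAL, STOCK_PROFILE))   # the rule the stock profile lacks
    print(rule_from_denial(DENIAL, FIXED_PROFILE))   # None: Djamu's profile covers it
```

Against the fixed profile, a zone file under /var/lib/named/etc/bind/zones/ is still not allowed until the `zones/*` rule from the post above is added, which is exactly the denial Spezi2u describes.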
ahsamuel
13th May 2008, 11:16
For some reason, it doesn't work here...
I even copied the whole sample into my file.
Only when I stop AppArmor does it work again.
Any ideas?
Ubuntu 8.04 Perfect Server + ISPConfig etc.
Thank you
falko
14th May 2008, 17:22
It's strongly recommended to disable AppArmor. See chapter 10 on http://www.howtoforge.com/perfect-server-ubuntu8.04-lts-p3
ahsamuel
14th May 2008, 19:00
Thank you, I must have overlooked this line...
Djamu
24th May 2008, 17:07
It's strongly recommended to disable AppArmor. See chapter 10 on http://www.howtoforge.com/perfect-server-ubuntu8.04-lts-p3
Do you mind telling why that is ( aside from the troubles with installing ISPConfig )?
Shouldn't that line then read as > It's strongly recommended to disable AppArmor when installing ISPConfig....
Currently I have no troubles whatsoever keeping it installed...
I do have some thoughts on the combination chroot / AppArmor, as it might well be that instead of adding security, security actually gets weaker. A simple "it's recommended" definitely won't do for an answer...
brokenshadows
25th June 2008, 17:15
I still can't get bind9 to start... I've tried the suggestions in this post as well as several others I've found and I'm still getting a permission denied error...
The biggest problem is that I've been using Linux for about a week now, so I still know barely enough to fill a thimble.
The other thing I noticed is that even though I followed falko's instructions on disabling AppArmor, it restarts every time I reboot the machine... but I don't think the bind9 error has anything to do with AppArmor, considering the error is the same whether AppArmor is running or not.
I know... I probably sound like an idiot... but I'm a confused idiot and would love a little help here
Djamu
25th June 2008, 18:13
...
the other thing I noticed is that even though I followed falko's instructions on disabling apparmor, it restarts every time I reboot the machine...but I don't think the bind9 error has anything to do with apparmor considering the error is the same whether apparmor is running or not
...
k.
Well, I suggest continuing to learn Linux because it's a wonderful thing...
...
now, your problem at hand...
The chances of getting proper help on the forums grow as you provide good info..
So before anything else > what Linux flavour are you using ( they all differ a little > places of configs / commands etc... )
Are you familiar with file permissions ( does 777 / 644 ring a bell ? )
Owner permissions ? ( not all users can run all services )...
I've got to go for a couple of hours, but will be back in 2-3 from now on
docfx
21st December 2008, 22:54
Installed Hardy updated to 8.04.1LTS w/LVM
All was well,
Dec 20 16:21:14 wonder named[31642]: starting BIND 9.4.2-P2 -u bind
Dec 20 16:21:14 wonder named[31642]: found 1 CPU, using 1 worker thread
Dec 20 16:21:14 wonder named[31642]: loading configuration from '/etc/bind/named.conf'
Dec 20 16:21:14 wonder named[31642]: listening on IPv6 interfaces, port 53
then I started going thru the Howtoforge "perfect server" tutorial. Got to the part where bind gets chrooted and...
Bind 9 fails - acc'd to /var/log/syslog:
Dec 21 14:00:54 wonder named[6828]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 21 14:00:54 wonder named[6828]: found 1 CPU, using 1 worker thread
Dec 21 14:00:54 wonder named[6828]: loading configuration from '/etc/bind/named.conf'
Dec 21 14:00:54 wonder named[6828]: none:0: open: /etc/bind/named.conf: permission denied
Dec 21 14:00:54 wonder named[6828]: loading configuration: permission denied
Dec 21 14:00:54 wonder named[6828]: exiting (due to fatal error)
Have tried it, per the tutorial ( w/ AppArmor disabled/purged ) as well as per Ubuntu Forum ( ubuntuforums.org/showthread.php?t=735188&highlight=bind9+fail ).
AppArmor is currently running and my usr.sbin.named is:
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
# /etc/bind/** r,
# Dynamic updates needs zone and journal files rw. We just allow rw for all
# in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
/var/lib/named/etc/bind/* rw,
# if local zones are in a subdirectory
/var/lib/named/etc/bind/zones/* rw,
/var/lib/named/etc/bind/zones/external/* rw,
/var/lib/named/etc/bind/zones/internal/* rw,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** rw,
/var/cache/bind/ rw,
# some people like to put logs in /var/log/named/
/var/log/named/** rw,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
/proc/net/if_inet6 r,
/usr/sbin/named mr,
/var/lib/named/var/run/bind/run/named.pid w,
#/var/run/bind/run/named.pid w,
# support for resolvconf
/var/lib/named/var/run/bind/named.options r,
#/var/run/bind/named.options r,
# add also following lines thanks to Spezi2u
/var/lib/named/dev/null rw,
/var/lib/named/dev/random rw,
}
Contents of /etc/bind/ aka /var/lib/named/etc/bind/ are:
-rw-r--r-- 1 bind bind 237 2008-04-09 15:44 db.0
-rw-r--r-- 1 bind bind 271 2008-04-09 15:44 db.127
-rw-r--r-- 1 bind bind 237 2008-04-09 15:44 db.255
-rw-r--r-- 1 bind bind 353 2008-04-09 15:44 db.empty
-rw-r--r-- 1 bind bind 270 2008-04-09 15:44 db.local
-rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
-rw-r--r-- 1 bind bind 907 2008-04-09 15:44 named.conf
-rw-r--r-- 1 bind bind 165 2008-04-09 15:44 named.conf.local
-rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
-rw------- 1 root root 695 2008-12-21 13:51 named.conf.options~
-rw-r----- 1 bind bind 77 2008-05-26 17:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918
and still bind9 refuses to start from CLI or during reboot... It doesn't seem to make any difference if I use OPTIONS="-u bind -t /var/lib/named" or OPTIONS="-u bind".
Any suggestions would be greatly appreciated.
falko
22nd December 2008, 12:41
What's the output of ls -la /var/lib/named/etc/bind, and what's in named.conf?
docfx
22nd December 2008, 16:31
As I indicated in the previous post, /etc/bind is symlinked to /var/lib/named/bind/, so...
root@wonder:/var/lib/named/etc/bind# ls -la
total 56
drwxr-sr-x 2 root root 4096 2008-12-21 13:51 .
drwx------ 3 root root 4096 2008-12-20 16:23 ..
-rw-r--r-- 1 bind bind 237 2008-04-09 15:44 db.0
-rw-r--r-- 1 bind bind 271 2008-04-09 15:44 db.127
-rw-r--r-- 1 bind bind 237 2008-04-09 15:44 db.255
-rw-r--r-- 1 bind bind 353 2008-04-09 15:44 db.empty
-rw-r--r-- 1 bind bind 270 2008-04-09 15:44 db.local
-rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
-rw-r--r-- 1 bind bind 907 2008-04-09 15:44 named.conf
-rw-r--r-- 1 bind bind 165 2008-04-09 15:44 named.conf.local
-rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
-rw------- 1 root root 695 2008-12-21 13:51 named.conf.options~
-rw-r----- 1 bind bind 77 2008-05-26 17:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918
named.conf is virgin:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
I have not yet modified named.conf.local, but I have made mods to named.conf.options (using the bind acls/options from the current RH webserver which will be retired when I get this box up). However, bind9 is/was failing on this chrooted setup before I did anything to options, nevertheless:
// acls added TB 12.21.2008
acl "xfer" {
127.0.0.1; //localhost
localhost;
192.168.5.11; //temp new wonder IP
69.54.194.91; //wonder.what-if.com
69.54.194.92; //imagine.what-if.com
};
acl "trusted" {
127.0.0.1; //localhost
localhost;
192.168.5.11; //temp new wonder IP
66.255.223.103; //local IFI netw
69.54.194.91; //wonder.what-if.com
69.54.194.92; //imagine.what-if.com
};
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
...
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
// additional options TB 12.21.2008
check-names master ignore;
check-names response ignore;
check-names slave warn;
version "<Phhhhhbbt!>";
notify yes;
allow-recursion {
trusted;
};
allow-transfer {
xfer;
};
allow-query {
trusted;
};
blackhole {
bogon;
};
};
falko
23rd December 2008, 15:45
Try this:
chmod 755 /var/lib/named/etc
docfx
23rd December 2008, 16:09
Thanks, but no difference... bind still fails
root@wonder:/var/lib/named# ls -la
total 20
drwx------ 5 root root 4096 2008-12-20 16:23 .
drwxr-xr-x 33 root root 4096 2008-12-21 12:50 ..
drwx------ 2 root root 4096 2008-12-21 13:05 dev
drwxr-xr-x 3 root root 4096 2008-12-20 16:23 etc
drwx------ 4 root root 4096 2008-12-20 16:23 var
syslog:
Dec 23 09:04:27 wonder named[10310]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 09:04:27 wonder named[10310]: found 1 CPU, using 1 worker thread
Dec 23 09:04:27 wonder named[10310]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:04:27 wonder named[10310]: none:0: open: /etc/bind/named.conf: permission denied
Dec 23 09:04:27 wonder named[10310]: loading configuration: permission denied
Dec 23 09:04:27 wonder named[10310]: exiting (due to fatal error)
More ideas for me to check?
docfx
23rd December 2008, 16:32
Just for grins, I also tried chmod 755 /var/lib/named. Bind still failed, but now w/ new errors:
Dec 23 09:11:24 wonder named[10340]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 09:11:24 wonder named[10340]: found 1 CPU, using 1 worker thread
Dec 23 09:11:24 wonder named[10340]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:11:24 wonder named[10340]: /etc/bind/named.conf.options:93: change directory to '/var/cache/bind' failed: permission denied
Dec 23 09:11:24 wonder named[10340]: /etc/bind/named.conf.options:93: parsing failed
Dec 23 09:11:24 wonder named[10340]: loading configuration: permission denied
Dec 23 09:11:24 wonder named[10340]: exiting (due to fatal error)
var is owned 755 root:root, /var/cache is 755 root:root, and /var/cache/bind is 755 bind:bind (also tried 755 root:bind for the last dir, but bind still failed).
/etc/apparmor.d/usr.sbin.named shows:
# Dynamic updates needs zone and journal files rw. We just allow rw for all
# in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
/var/lib/named/etc/bind/* rw,
# if local zones are in a subdirectory
/var/lib/named/etc/bind/zones/* rw,
/var/lib/named/etc/bind/zones/external/* rw,
/var/lib/named/etc/bind/zones/internal/* rw,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** rw,
/var/cache/bind/ rw,
# some people like to put logs in /var/log/named/
/var/log/named/** rw,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
/proc/net/if_inet6 r,
/usr/sbin/named mr,
/var/lib/named/var/run/bind/run/named.pid w,
#/var/run/bind/run/named.pid w,
# support for resolvconf
/var/lib/named/var/run/bind/named.options r,
#/var/run/bind/named.options r,
# add also following lines thanks to Spezi2u
/var/lib/named/dev/null rw,
/var/lib/named/dev/random rw,
docfx
23rd December 2008, 17:53
I tried commenting out the original default directory string in named.conf.options. Bind still fails, but w/ this error now...
Dec 23 10:37:19 wonder named[10423]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 10:37:19 wonder named[10423]: found 1 CPU, using 1 worker thread
Dec 23 10:37:19 wonder named[10423]: loading configuration from '/etc/bind/named.conf'
Dec 23 10:37:19 wonder named[10423]: listening on IPv6 interfaces, port 53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: D.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: command channel listening on 127.0.0.1#953
Dec 23 10:37:19 wonder named[10423]: command channel listening on ::1#953
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:37:19 wonder named[10423]: using pre-chroot entropy source /dev/random
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: exiting (due to early fatal error)
Permissions for /var/run/bind/run are:
drwxrwxr-x 2 root bind 40 2008-12-20 17:19 run
and permissions for /dev/random are
crw-rw-rw- 1 root root 1, 8 2008-12-20 17:18 random
and per the perfect server tutorial, I had made both the null and random devices in /var/lib/named/dev/. Permissions here are:
srw-rw-rw- 1 root root 0 2008-12-21 13:05 log
crw-rw-rw- 1 root root 1, 3 2008-12-20 16:24 null
crw-rw-rw- 1 root root 1, 8 2008-12-20 16:24 random
docfx
23rd December 2008, 19:03
OK... by commenting out the original directory string in named.conf.options (directory "/var/cache/bind";), I eliminated that error, but I no longer was specifying where the zone files are...
So, chmod 755 on /var/lib/named/var/cache/bind and /var/lib/named/cache fixed the error, but I was still getting errors regarding entropy /dev/random and named.pid...
Dec 23 10:37:19 wonder named[10423]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 10:37:19 wonder named[10423]: found 1 CPU, using 1 worker thread
Dec 23 10:37:19 wonder named[10423]: loading configuration from '/etc/bind/named.conf'
Dec 23 10:37:19 wonder named[10423]: listening on IPv6 interfaces, port 53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: D.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: command channel listening on 127.0.0.1#953
Dec 23 10:37:19 wonder named[10423]: command channel listening on ::1#953
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:37:19 wonder named[10423]: using pre-chroot entropy source /dev/random
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: exiting (due to early fatal error)
chmod 755 to /var/lib/named/dev/ seems to fix the 'entropy source' error... ( /dev/random/ is actually /var/lib/named/dev/random due to chroot)
Dec 23 11:07:29 wonder named[10480]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 11:07:29 wonder named[10480]: found 1 CPU, using 1 worker thread
Dec 23 11:07:29 wonder named[10480]: loading configuration from '/etc/bind/named.conf'
Dec 23 11:07:29 wonder named[10480]: listening on IPv6 interfaces, port 53
Dec 23 11:07:29 wonder named[10480]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 11:07:29 wonder named[10480]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: D.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: command channel listening on 127.0.0.1#953
Dec 23 11:07:29 wonder named[10480]: command channel listening on ::1#953
Dec 23 11:07:29 wonder named[10480]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 11:07:29 wonder named[10480]: exiting (due to early fatal error)
chmod 755 to /var/lib/named/var/run/bind/, /var/lib/named/var/run/, and finally /var/lib/named/var/ eliminated the 'permission denied' error for named.pid (again, /var/run/bind/run/named.pid is actually /var/lib/named/var/run/bind/run/named.pid due to chroot)
Dec 23 11:14:37 wonder named[10604]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 11:14:37 wonder named[10604]: found 1 CPU, using 1 worker thread
Dec 23 11:14:37 wonder named[10604]: loading configuration from '/etc/bind/named.conf'
Dec 23 11:14:37 wonder named[10604]: listening on IPv6 interfaces, port 53
Dec 23 11:14:37 wonder named[10604]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 11:14:37 wonder named[10604]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: D.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: command channel listening on 127.0.0.1#953
Dec 23 11:14:37 wonder named[10604]: command channel listening on ::1#953
Dec 23 11:14:37 wonder named[10604]: zone 0.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone 127.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone 255.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone localhost/IN: loaded serial 2
Dec 23 11:14:37 wonder named[10604]: running
So is this unique to my install... did I miss a permissions step somewhere in the tutorial... should this be added to the 'perfect server' tutorial?
falko
24th December 2008, 17:56
I strongly recommend to disable AppArmor - that might have been the reason for your problems.
docfx
24th December 2008, 18:39
While I appreciate your views/opinion on AppArmor, the problem started w/ chrooting bind. I did, indeed, follow the steps exactly by stopping and purging AppArmor from the system.
With AppArmor purged AND later w/ it re-installed (w/ the appropriate lines added to the AppArmor named profile), at NO point did I get any error suggesting it was related to AppArmor, i.e.:
... kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
However, under both scenarios, I only obtained syslog errors directly related to and fixed by assigning 755 permissions to the chrooted directories created in step #13, page #4 of the tutorial (specifically those in /var/lib/named/... ). In ferreting thru the various threads, it seems an equal number trying the tutorial run into either the AppArmor errors OR the same Bind9 permission errors, i.e.:
... named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
... named[11824]: found 1 CPU, using 1 worker thread
... named[11824]: loading configuration from '/etc/bind/named.conf'
... named[11824]: none:0: open: /etc/bind/named.conf: permission denied
... named[11824]: loading configuration: permission denied
... named[11824]: exiting (due to fatal error)
Which is why I posted the permission issues I found on a virgin install.
Bind9 failed in the same way when the server was gutted, AppArmor stopped/purged, and rebooted as when AppArmor was re-installed and correctly configured - so I'm not thinking it is/was a AppArmor issue.
AppArmor may well get purged before I'm done setting up the server completely, but I don't think the issues w/ chrooting bind can all be dismissed as AppArmor as the sole culprit.
Djamu
28th December 2008, 19:38
Hi there, was away for a while ( Christmas & stuff :) )
Did you get to fix it?
I mostly dumped ubuntu-server crap in favor of plain Debian, and on the one server that still has it I purged ( apt-get purge package ) AppArmor...
( but still do use Ubuntu as desktop )
Anyway, if you still need assistance...
Happy Christmas & NY to all...
SamTzu
13th January 2009, 00:00
Truly weird.
Has anyone solved this?
My talents seem to have expired.
Djamu
13th January 2009, 01:14
Well I got it solved ( 1st page ), seems docfx got his problem fixed too ...
docfx
13th January 2009, 01:48
Yes, my issue w/ bind is fixed...
Per http://www.howtoforge.com/forums/showthread.php?t=21699&page=3, mine appeared NOT to be AppArmor related but directory permissions not specified to be changed in the Perfect Server tutorial.
morgolis
8th February 2009, 22:01
I just solved a similar issue, not so much regarding permissions, but when you chroot bind to a new directory such as /var/lib/named, then bind considers /var/lib/named as its new root home directory.
In other words, in the config files if you set /var/named/.... for any files, it ignores the /var/lib/named/ as it considers that its root. So any new configuration files or the named.pid file must all be in the same directory structure within /var/lib/named.
My issue was getting an error: "couldn't open pid file '/var/run/bind/run/named.pid': No such file or directory" - yet that directory existed in the literal structure of /var/run/bind/run but NOT in /var/lib/named/var/run/bind/run.
Once I created this structure within /var/lib/named and set the permissions, all was right with the world again.
I hope this helps others.
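docfx's chmod 755 hunt (a 0700 root-owned /var/lib/named/etc blocked named even though named.conf itself was 0644 bind:bind) and morgolis's missing /var/lib/named/var/run/bind/run are the same class of problem: a path component inside the chroot that the unprivileged bind user cannot get through. This is an added example, not code from the thread or the Perfect Server tutorial: it walks the host path that corresponds to a path named uses after chroot, evaluates the DAC mode bits for a given uid/gid the way the kernel does for a non-root process (so it can be run as any user, without switching to bind), and reports the first missing or non-traversable component. The sample tree it builds is constructed to mimic docfx's failing layout.

```python
"""Find which component of a chrooted named's path blocks an unprivileged
bind user: a missing directory, or one without search (x) permission.

Evaluates mode bits for a given uid/gid the way the kernel DAC check does for
a non-root process, so it can be run by any user without switching to bind.
"""
import os
import stat
import tempfile


def _allowed(st, uid, gid, groups, user_bit, group_bit, other_bit):
    """Pick the owner / group / other class of `st` for uid and test one bit."""
    if uid == 0:                      # root bypasses DAC; named drops to bind, so this rarely applies
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def _mode(st):
    return '%o' % (st.st_mode & 0o777)


def check_chroot_path(chroot, inner_path, uid, gid, groups=(), want='r'):
    """Return [(host_path, problem), ...] for everything stopping uid/gid
    from reaching `inner_path` (the path as named sees it after chroot) with
    permission `want` ('r' or 'w'); [] means the open should succeed.

    The host path is chroot + inner_path, the same path AppArmor mediates.
    """
    problems = []
    parts = [p for p in inner_path.split('/') if p]
    current = chroot.rstrip('/') or '/'
    # The chroot root and every directory above the target need search (x).
    for name in [None] + parts[:-1]:
        if name is not None:
            current = os.path.join(current, name)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append((current, 'missing'))
            return problems
        if not stat.S_ISDIR(st.st_mode):
            problems.append((current, 'not a directory'))
            return problems
        if not _allowed(st, uid, gid, groups, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append((current, 'no search (x) permission, mode ' + _mode(st)))
    if not parts:
        return problems
    target = os.path.join(current, parts[-1])
    try:
        st = os.stat(target)
    except FileNotFoundError:
        if want == 'w':
            # Creating the file (named.pid) needs write on its directory.
            parent = os.stat(current)
            if not _allowed(parent, uid, gid, groups, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
                problems.append((current, 'no write permission to create file, mode ' + _mode(parent)))
        else:
            problems.append((target, 'missing'))
        return problems
    if want == 'w':
        bits = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    else:
        bits = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
    if not _allowed(st, uid, gid, groups, *bits):
        problems.append((target, 'no %s permission, mode %s' % (want, _mode(st))))
    return problems


def build_demo_chroot():
    """Constructed sample tree mimicking the thread's failing layout:
    chroot 0755, etc 0700 (the culprit), etc/bind 0755, named.conf 0644.
    Returns the temporary chroot root."""
    root = tempfile.mkdtemp(prefix='named-chroot-')
    os.chmod(root, 0o755)
    os.makedirs(os.path.join(root, 'etc', 'bind'))
    os.chmod(os.path.join(root, 'etc'), 0o700)
    os.chmod(os.path.join(root, 'etc', 'bind'), 0o755)
    conf = os.path.join(root, 'etc', 'bind', 'named.conf')
    open(conf, 'w').close()
    os.chmod(conf, 0o644)
    return root


if __name__ == '__main__':
    root = build_demo_chroot()
    # Any uid/gid other than the owner's stands in for the bind user.
    fake_bind_uid, fake_bind_gid = os.getuid() + 1, os.getgid() + 1
    for path, problem in check_chroot_path(root, '/etc/bind/named.conf', fake_bind_uid, fake_bind_gid):
        print(path, problem)
    for path, problem in check_chroot_path(root, '/var/run/bind/run/named.pid',
                                           fake_bind_uid, fake_bind_gid, want='w'):
        print(path, problem)
```

On a real system run it with the bind user's uid/gid (`id -u bind`, `id -g bind`) against /var/lib/named and each path named logs as "permission denied" or "No such file or directory".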
astra2000
19th September 2009, 14:46
Thanks very much...
It works on Ubuntu :D
thanks thanks thanks thanks :)
bobbertrailer
17th November 2009, 13:53
Thanks a lot for this.
very happy now.