bind only using 1 CPU when chrooted (perfect server setup etch) is this the solution?


Dennis
19th April 2008, 15:12
I am running Debian Etch 64bit on an Athlon 64 x2.

After installing bind, I get this in syslog:

Apr 19 10:17:14 server1 named[3273]: starting BIND 9.3.4 -u bind
Apr 19 10:17:14 server1 named[3273]: found 2 CPUs, using 2 worker threads
Apr 19 10:17:14 server1 named[3273]: loading configuration from '/etc/bind/named.conf'
Apr 19 10:17:14 server1 named[3273]: listening on IPv6 interfaces, port 53
Apr 19 10:17:14 server1 named[3273]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 19 10:17:14 server1 named[3273]: listening on IPv4 interface eth0, xxx.xxx.xxx.xxx#53
Apr 19 10:17:14 server1 named[3273]: command channel listening on 127.0.0.1#953
Apr 19 10:17:14 server1 named[3273]: command channel listening on ::1#953
Apr 19 10:17:14 server1 named[3273]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 19 10:17:14 server1 named[3273]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 19 10:17:14 server1 named[3273]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 19 10:17:14 server1 named[3273]: zone localhost/IN: loaded serial 1
Apr 19 10:17:14 server1 named[3273]: running


When bind runs chrooted (see http://www.howtoforge.com/perfect_setup_debian_etch_p4), it only detects 1 CPU.

Apr 19 12:45:55 server1 named[3215]: starting BIND 9.3.4 -u bind -t /var/lib/named
Apr 19 12:45:55 server1 named[3215]: found 1 CPU, using 1 worker thread
Apr 19 12:45:55 server1 named[3215]: loading configuration from '/etc/bind/named.conf'
Apr 19 12:45:55 server1 named[3215]: listening on IPv6 interfaces, port 53
Apr 19 12:45:55 server1 named[3215]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 19 12:45:55 server1 named[3215]: listening on IPv4 interface eth0, xxx.xxx.xxx.xxx#53
Apr 19 12:45:55 server1 named[3215]: command channel listening on 127.0.0.1#953
Apr 19 12:45:55 server1 named[3215]: command channel listening on ::1#953
Apr 19 12:45:55 server1 named[3215]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 19 12:45:55 server1 named[3215]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 19 12:45:55 server1 named[3215]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 19 12:45:55 server1 named[3215]: zone localhost/IN: loaded serial 1
Apr 19 12:45:55 server1 named[3215]: running

I think this user has the same problem:
http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/4aab4b2a0ad4a3e0

The solution (see above link) was mounting /proc in chroot:
That did the trick. I mounted /proc in chroot and restarted named.

But another user had some security concerns, so they advised mounting it read-only:

On Tue, Apr 01, 2008 at 11:20:50AM -0400, ... wrote:
> I'm sorry but doesn't this risk someone getting into your chroot
> environment and changing your SCSI setup or other things which is done
> by echoing things into /proc/scsi/...? If it's really required should
> it be a read only mount? The whole point of chroot is to limit what
> can be accessed if the chroot environment is compromised. Giving direct
> access to something like /proc seems counterintuitive to me.

> I feel I'm missing something important here.

You're right. It should be mounted read-only. But if named runs under a
non-root user it is not needed, because only root can change /proc
values (but as you wrote, read-only is more secure).

Now, I have done the following:

1. mkdir /var/lib/named/proc
2. mount --bind /proc /var/lib/named/proc

Syslog:
Apr 19 13:25:33 server1 named[3254]: starting BIND 9.3.4 -u bind -t /var/lib/named
Apr 19 13:25:33 server1 named[3254]: found 2 CPUs, using 2 worker threads
Apr 19 13:25:33 server1 named[3254]: loading configuration from '/etc/bind/named.conf'
Apr 19 13:25:33 server1 named[3254]: listening on IPv6 interfaces, port 53
Apr 19 13:25:33 server1 named[3254]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 19 13:25:33 server1 named[3254]: listening on IPv4 interface eth0, xxx.xxx.xxx.xxx#53
Apr 19 13:25:33 server1 named[3254]: command channel listening on 127.0.0.1#953
Apr 19 13:25:33 server1 named[3254]: command channel listening on ::1#953
Apr 19 13:25:33 server1 named[3254]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 19 13:25:33 server1 named[3254]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 19 13:25:33 server1 named[3254]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 19 13:25:33 server1 named[3254]: zone localhost/IN: loaded serial 1
Apr 19 13:25:33 server1 named[3254]: running

Looks good, but is it really correct? And, how do I mount read-only?

Thank you!

o.meyer
19th April 2008, 15:45
Hi Dennis,

mount --bind /proc /var/lib/named/proc -o ro

Best regards,

Olli

Dennis
22nd April 2008, 01:58
After a reboot the mounting is lost. I tried to edit /etc/fstab, but I still had to mount manually. I added this code:

/proc /var/lib/named/proc ext3 auto,ro 0 0

I also tried this:

/proc /var/lib/named/proc ext3 defaults 0 0

Is this the wrong code or are you not able to mount it automatically?

o.meyer
22nd April 2008, 04:05
Hi Dennis,

try this:

/proc /var/lib/named/proc none bind,ro 0 0

Best regards,

Olli

Dennis
22nd April 2008, 08:44
Thank you, Olli! It is working great now.

I had a feeling that the file type was wrong, but I never would have added the bind option. After knowing the solution, you see that all this was in the mount man page.
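An added check that is not part of the thread: the fstab line above tells mount what to do, but whether the chroot copy of /proc actually ended up read-only is only visible in the live mount table. Read-only bind mounts were added to Linux in 2.6.26 (Etch ships 2.6.18), and older mount binaries need a second `mount -o remount,ro,bind` step, so the `ro` can be silently dropped. The script below parses a /proc/self/mounts-style listing and an fstab and reports whether the entry for /var/lib/named/proc is both a bind mount and read-only; the listings and fstab fragments are constructed samples, and the mountpoint path is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify that /proc is really mounted
# read-only inside the named chroot instead of trusting the fstab line.
# Listings use the /proc/self/mounts layout:
#   source mountpoint fstype options dump pass

# mount_opts_for LISTING MOUNTPOINT: print the option field for MOUNTPOINT
# (empty if it is not mounted). The last matching line wins, as it does
# for stacked mounts.
mount_opts_for() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# is_ro_mount LISTING MOUNTPOINT: succeed only if MOUNTPOINT is mounted
# and its option list contains "ro".
is_ro_mount() {
    opts=$(mount_opts_for "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# fstab_entry_ok FSTAB MOUNTPOINT: succeed if the (non-comment) fstab line
# for MOUNTPOINT carries both the bind and the ro option.
fstab_entry_ok() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp { opts = "," $4 ","; ok = (opts ~ /,bind,/ && opts ~ /,ro,/) }
        END { exit !ok }' "$1"
}

# check_chroot_proc [MOUNTPOINT]: the live check against /proc/self/mounts.
check_chroot_proc() {
    is_ro_mount /proc/self/mounts "${1:-/var/lib/named/proc}"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/mounts.ro" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /var/lib/named/proc proc ro,relatime 0 0
EOF
# What a kernel without read-only bind mounts leaves you with: "ro" dropped.
cat > "$SAMPLE_DIR/mounts.rw" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /var/lib/named/proc proc rw,relatime 0 0
EOF
cat > "$SAMPLE_DIR/fstab.good" <<'EOF'
# /etc/fstab (constructed sample)
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
proc /proc proc defaults 0 0
/proc /var/lib/named/proc none bind,ro 0 0
EOF
cat > "$SAMPLE_DIR/fstab.bad" <<'EOF'
/proc /var/lib/named/proc ext3 auto,ro 0 0
EOF

# Demo over the two sample mount tables.
for f in mounts.ro mounts.rw; do
    if is_ro_mount "$SAMPLE_DIR/$f" /var/lib/named/proc; then
        echo "$f: chroot /proc is read-only"
    else
        echo "$f: chroot /proc is NOT read-only; fix with: mount -o remount,ro,bind /var/lib/named/proc"
    fi
done
```

On the real host, run `check_chroot_proc` after boot (and again after any `/etc/init.d/bind9 restart` that touches the chroot); if it fails even though fstab is correct, the kernel or mount binary is not honouring `ro` on the bind mount and the remount step printed by the demo is needed.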