HowtoForge Forums > Linux Forums > Server Operation
#1 Djamu, 25th March 2008, 21:53
Ubuntu Hardy chrooted bind9 fails to start > FIXED

Preparing to move my server to LTS Ubuntu Hardy, just testing using VMware, I've found a weird issue while chrooting bind (following The Perfect Server Setup).
So I guess this will pop up sooner or later anyway...

What I did so far -all as root-:

Code:
apt-get install bind9
/etc/init.d/bind9 stop
changed 1st line of /etc/default/bind9
Code:
vim /etc/default/bind9
> changed first line to > OPTIONS="-u bind -t /var/lib/named"
creating some directories & a link to move /etc/bind to /var/lib/named/etc/bind
creating null & random devices
fixing permissions
Code:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
fixed /etc/default/syslogd
Code:
vim /etc/default/syslogd
> SYSLOGD="-a /var/lib/named/dev/log"
This has always worked in the past... but doesn't on Hardy 8.04.

If I try to start it > /etc/bind9 start, it simply fails.
Stopping it gives >
Code:
 rndc: connect failed: 127.0.0.1#953: connection refused
vim /var/log/syslog reveals

Code:
Mar 25 08:06:57 hardy-server named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
Mar 25 08:06:57 hardy-server named[11824]: found 1 CPU, using 1 worker thread
Mar 25 08:06:57 hardy-server named[11824]: loading configuration from '/etc/bind/named.conf'
Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied
Mar 25 08:06:57 hardy-server named[11824]: loading configuration: permission denied
Mar 25 08:06:57 hardy-server named[11824]: exiting (due to fatal error)
Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
Anybody any idea? I've checked permissions, locations... and with Feisty / Gutsy this just worked...

thx..
__________________
Windows, the only virus you pay for

Last edited by Djamu; 2nd April 2008 at 23:18.
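The chroot layout in the post above is easy to get subtly wrong (a regular file instead of a device node, a directory still owned by root), and the only feedback named gives is "permission denied" in syslog. The following script is an added example, not code from the thread or from the bind9 package: it walks a chroot tree built the way the post describes and lists every deviation before the service is started. It assumes the chroot root is the first argument (default /var/lib/named) and the service account is the second (default bind), both as in the thread; the /etc/bind symlink into the chroot is not checked.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a bind9 chroot tree built
# the way the post above describes and report everything that is off before
# named is started. Assumptions: $1 is the chroot root (default
# /var/lib/named) and $2 is the account named runs as (default "bind").
# The /etc/bind -> chroot symlink is not checked here.

check_named_chroot() {
    root="${1:-/var/lib/named}"
    owner="${2:-bind}"
    problems=0

    # Directories the procedure creates with mkdir -p.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            problems=$((problems + 1))
        fi
    done

    # named needs real character devices inside the jail (the thread creates
    # them with mknod: null is 1,3 and random is 1,8). A regular file with
    # the same name is the classic mistake and is flagged here.
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "missing or not a char device: $root/dev/$dev"
            problems=$((problems + 1))
        fi
    done

    # With "-t $root" named loads $root/etc/bind/named.conf; -r checks the
    # caller's own access, so run this as the service user for a true answer.
    if [ ! -r "$root/etc/bind/named.conf" ]; then
        echo "config not readable: $root/etc/bind/named.conf"
        problems=$((problems + 1))
    fi

    # The procedure chowns etc/bind and var/* to the service account; read
    # the owner column of ls -ld, which works on any POSIX system.
    for p in etc/bind var/cache/bind var/run/bind/run; do
        actual=$(ls -ld "$root/$p" 2>/dev/null | awk '{print $3}')
        if [ -n "$actual" ] && [ "$actual" != "$owner" ]; then
            echo "wrong owner on $root/$p: $actual (expected $owner)"
            problems=$((problems + 1))
        fi
    done

    echo "$problems problem(s) found in $root"
    [ "$problems" -eq 0 ]
}

# Usage (on the real system): check_named_chroot /var/lib/named bind
```

The function exits non-zero when anything is wrong, so it can sit in front of the service start in a deployment script. Because `-r` tests the permissions of whoever runs the script, running it as root says nothing about what the bind user can read; run it as the service account to get the same view named will have.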
#2 topdog, 26th March 2008, 09:02
As you can see from the error messages, this is a permissions issue: the config file can not be read by named.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#3 topdog, 26th March 2008, 09:04
Come to think of it, looking at the last line, it could be AppArmor that is blocking access to the file.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#4 Djamu, 2nd April 2008, 16:38
Woohoo, cool, that was it. After purging this package it worked. Obviously this is not the way to do this, but now I know for certain... AppArmor is something new on Ubuntu, wasn't aware of it... I'll take a look in the SUSE community for a decent manual.

thank you,
__________________
Windows, the only virus you pay for
#5 Djamu, 2nd April 2008, 23:13
Fixed

Here's the fix. Don't know if it makes much sense to chroot and use AppArmor at the same time... guess there's no harm either...

Follow the above described procedure and end with

Code:
vim /etc/apparmor.d/usr.sbin.named
and change the marked lines

Code:
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # Dynamic updates needs zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  # /var/run/bind/run/named.pid w,
  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  # /var/run/bind/named.options r,

  # also add the following lines, thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,


}
Don't forget to (re)start the services:

Code:
/etc/init.d/sysklogd restart
/etc/init.d/apparmor start
/etc/init.d/bind9 start
__________________
Windows, the only virus you pay for

Last edited by Djamu; 29th April 2008 at 12:54.
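Both topdog's diagnosis (#3) and the profile edit above rest on reading the kernel audit line that AppArmor writes to syslog when it denies an access. The script below is an added example, not code from the thread or from the AppArmor project: it pulls the denied path and the denied permission mask out of such lines and prints them as candidate file rules in the profile's own syntax, so the operator can see every path the confined named actually tried to reach and review each before pasting it inside the `/usr/sbin/named { ... }` block. The first sample line is the one from the syslog excerpt earlier in this thread; the other two are constructed for the example (a pid file write and the random device Spezi2u reports). It assumes the Hardy-era audit format shown on this page, where the mask looks like `r::`.

```shell
#!/bin/sh
# Added example, not from the thread: turn AppArmor "denied" audit lines from
# syslog into candidate profile rules for review. Assumes the audit format
# shown in this thread (denied_mask="r::", name="...", profile="...").

# Sample input. Line 1 is copied from the syslog excerpt in this thread;
# lines 2 and 3 are constructed for this example.
SAMPLE_LOG='Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
Mar 25 08:06:58 hardy-server kernel: [ 9137.100000] audit(1206428818.100:4): operation="inode_permission" request_mask="w::" denied_mask="w::" name="/var/lib/named/var/run/bind/run/named.pid" pid=11825 profile="/usr/sbin/named" namespace="default"
Mar 25 08:06:58 hardy-server kernel: [ 9137.200000] audit(1206428818.200:5): operation="inode_permission" request_mask="rw::" denied_mask="rw::" name="/var/lib/named/dev/random" pid=11825 profile="/usr/sbin/named" namespace="default"'

# Read syslog lines on stdin; print one "  <path> <perms>," line per distinct
# denial recorded for the profile given as $1. Output is sorted and
# de-duplicated so repeated denials of the same path collapse into one rule.
denials_to_rules() {
    profile="$1"
    grep 'audit(' | grep -F -- "profile=\"$profile\"" |
    sed -n 's/.*denied_mask="\([^"]*\)".*name="\([^"]*\)".*/\2 \1/p' |
    awk '{
        # The mask is written as e.g. "r::"; keep only the permission
        # letters that are valid in an AppArmor file rule.
        gsub(/[^rwmklx]/, "", $2)
        if ($2 == "") next
        print "  " $1 " " $2 ","
    }' | sort -u
}

# Usage with the embedded sample; on a real host replace the printf with
#   grep apparmor /var/log/syslog | denials_to_rules /usr/sbin/named
printf '%s\n' "$SAMPLE_LOG" | denials_to_rules /usr/sbin/named
```

The output lists exact paths, not globs; widening `/var/lib/named/etc/bind/named.conf r,` to `/var/lib/named/etc/bind/* rw,` as the profile above does is a deliberate choice that the operator makes, and the script leaves it to them so that every added permission is one that was actually seen to be needed.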
#6 topdog, 3rd April 2008, 08:39
I wonder why they would ship a policy that does not work. I'm not sure if it will work in the chroot, as most MAC systems use the real file path. Test if you can and let us know.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#7 Spezi2u, 29th April 2008, 12:42
Still some problems

Thanks for the help on AppArmor. I have noticed that bind will still not access the random device, and AppArmor seems to go out of the chroot jail and take the old one, so I have just added two lines at the end of

/etc/apparmor.d/usr.bin.named

Code:
[...]
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
[...]
That seemed to do the trick. Bind starts perfectly now.
#8 astra2000, 19th September 2009, 13:46

Thanks very much...
It works on Ubuntu.

thanks thanks thanks thanks