Hi, in Debian, the bind9 packages have recently started to trouble me in chrooted environments since some cryptographic libraries are loaded after bind has chrooted itself, which results - in the case of a minimal chroot - in a fatal run-time error:
May 14 21:57:17 fan named[28066]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -f -u bind -t /var/local/chroot/bind
May 14 21:57:17 fan named[28066]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
May 14 21:57:17 fan named[28066]: ----------------------------------------------------
May 14 21:57:17 fan named[28066]: BIND 9 is maintained by Internet Systems Consortium,
May 14 21:57:17 fan named[28066]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 14 21:57:17 fan named[28066]: corporation. Support and training for BIND 9 are
May 14 21:57:17 fan named[28066]: available at https://www.isc.org/support
May 14 21:57:17 fan named[28066]: ----------------------------------------------------
May 14 21:57:17 fan named[28066]: adjusted limit on open files from 4096 to 1048576
May 14 21:57:17 fan named[28066]: found 6 CPUs, using 6 worker threads
May 14 21:57:17 fan named[28066]: using 3 UDP listeners per interface
May 14 21:57:17 fan named[28066]: using up to 4096 sockets
May 14 21:57:17 fan named[28066]: ENGINE_by_id failed (crypto failure)
May 14 21:57:17 fan named[28066]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
May 14 21:57:17 fan named[28066]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
May 14 21:57:17 fan named[28066]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
May 14 21:57:17 fan named[28066]: initializing DST: crypto failure
May 14 21:57:17 fan named[28066]: exiting (due to fatal error)

I have filed Debian Bug #820974 (http://bugs.debian.org/820974) accordingly.

The Debian bind people suggest that I copy the respective libraries to the chroot so that bind can find them. This, however, would take possibly security-relevant libraries out of the automated update mechanisms of the distribution, and would therefore greatly reduce ease of upgrades. It is also not mentioned in Chapter 6 of the ARM.

What is the official upstream remedy to this situation? Frankly, I think this is a bug in bind 9.10; it should load all necessary libraries before chrooting itself. I am aware that this would probably need parsing of the configuration before chrooting.

What is the recommended way to run bind 9.10 in a chroot?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in the header
Leimen, Germany    |  lose things."  Winona Ryder   | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
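The check an operator wants before trusting a minimal chroot like the one above is "which shared objects will named need, and are they all present under the chroot root?" The script below is an added example, not code from Marc's post or from ISC; it assumes the binary lives at /usr/sbin/named, that `openssl version -e` reports the engine directory, and that the chroot path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: list the shared objects that
# named (and the OpenSSL engine it dlopen()s after chrooting) will need, and
# report which of them are absent under the chroot. Binary and chroot paths
# are assumptions; adjust them for your installation.

# Extract resolved library paths from ldd(1) output read on stdin. Handles
# "libfoo.so => /path/libfoo.so (0x...)" and the bare "/lib64/ld-*.so (0x...)"
# forms; vDSO and "statically linked" lines produce nothing.
ldd_resolved_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Read absolute library paths on stdin and print each one that does not
# exist under CHROOT. Exit status 1 if anything is missing, 0 otherwise.
missing_in_chroot() {
    chroot="$1"
    rc=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$chroot$lib" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return "$rc"
}

# Audit CHROOT for everything ldd reports for BINARY plus any extra paths
# given as arguments, e.g. an engine directory that is only dlopen()ed later.
audit_chroot() {
    chroot="$1"; binary="$2"; shift 2
    { ldd "$binary" | ldd_resolved_paths; printf '%s\n' "$@"; } |
        missing_in_chroot "$chroot"
}

# Usage: sh audit-chroot.sh /var/local/chroot/bind   (assumed chroot path)
if [ $# -gt 0 ]; then
    # OpenSSL's engine directory is not in ldd output because engines are
    # loaded with dlopen() at run time, after named has chrooted.
    engines_dir=$(openssl version -e 2>/dev/null |
        sed 's/^ENGINESDIR: "\(.*\)"$/\1/')
    audit_chroot "$1" /usr/sbin/named ${engines_dir:+"$engines_dir"} ||
        echo "the paths listed above are missing from $1" >&2
fi
```

Run it after every package upgrade: a library that ldd resolves on the host but that is absent from the chroot is exactly the failure the log shows, surfaced before named is restarted rather than after.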