Hi Todd.
I think much better than Ask Fedora would be filling a bug in
bugzilla.redhat.com. I would see it straight away.
I am Fedora bind maintainer. If there is bug preventing correct start of
named-chroot, I would like to fix it.
You would see SElinux errors in command "ausearch -i -ts recent -m avc -m
user_avc -m selinux_err" if that errors were SElinux related.
I think your config file is missing pid-file "/run/named/named.pid"; It has to
match pid file used by your named-chroot.service. If systemd does not find the
pid file of forking service, it will cancel the service.
PIDFile in named-chroot service includes chroot path, but configuration file
has to point to path inside chroot only.
It should work with default configuration even when pid-file directive is
commented out. There is symlink from /var/run to /run also in /var/named/chroot.
Can you check rights and selinux context of chroot run directories?
These are on my Fedora 26.
$ ls -ldZ /var/named/chroot/{,var/}run{,/named}
drwxr-x---. 3 root named system_u:object_r:named_conf_t:s0 4096 Aug 11
13:01 /var/named/chroot/run
drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30
18:45 /var/named/chroot/run/named
lrwxrwxrwx. 1 named named system_u:object_r:named_conf_t:s0 6 Jun 30
18:45 /var/named/chroot/var/run -> ../run
drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30
18:45 /var/named/chroot/var/run/named
Is it possible you do not have the /var/run symlink there? It would not find
pid file and cancel the service then.
Did you upgrade to Fedora 26 from previous version?
I would be grateful If you could fill a bug. You may not be the only one
affected and I would like to fix it for everyone.
I would test whether Type=service proposed by Reindl can be used in new Fedora
release. I like it.
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com PGP: 65C6C973
----- Original Message -----
From: "toddandmargo" <toddandma...@zoho.com>
To: bind-users@lists.isc.org
Sent: Thursday, August 10, 2017 12:14:00 AM
Subject: bind-chroot, runs, works, dies
Hi All,
Help!
Fedora 26 x64
Xfce 4.12
# rpm -qa \bind\*
bind-libs-lite-9.11.1-2.P2.fc26.x86_64
bind99-libs-9.9.10-1.P2.fc26.x86_64
bind-chroot-9.11.1-2.P2.fc26.x86_64
bind-license-9.11.1-2.P2.fc26.noarch
bind-9.11.1-2.P2.fc26.x86_64
bind-libs-9.11.1-2.P2.fc26.x86_64
bind99-license-9.9.10-1.P2.fc26.noarch
bind-utils-9.11.1-2.P2.fc26.x86_64
I have a weird one. I am trying to set up bind-chroot. When I run it, it works
for about 30 seconds, then dies. And for the entire 30 seconds, it works
beautifully. I can go anywhere with Firefox and look up anything with "host".
Then it breaks my heart.
# systemctl start named-chroot Job for named-chroot.service canceled.
This is my error logs:
Aug 8 15:58:49 FedoraServer named[10120]: all zones loaded Aug 8 15:58:49
FedoraServer named[10120]: running Aug 8 15:58:49 FedoraServer named[10120]:
zone 255.168.192.in-addr.arpa/IN: sending notifies (serial 57) Aug 8 15:58:49
FedoraServer named[10120]: zone alpine.local/IN: sending notifies (serial 60)
Aug 8 15:58:49 FedoraServer systemd: named-chroot.service: PID file
/var/named/chroot/run/named/named.pid not readable (yet?) after start: No such
file or directory Aug 8 16:00:19 FedoraServer systemd: named-chroot.service:
Start operation timed out. Terminating. Aug 8 16:00:19 FedoraServer
named[10120]: shutting down Aug 8 16:00:19 FedoraServer named[10120]: stopping
command channel on 127.0.0.1#953 Aug 8 16:00:19 FedoraServer named[10120]:
stopping command channel on ::1#953 Aug 8 16:00:19 FedoraServer named[10120]:
no longer listening on ::#53 Aug 8 16:00:19 FedoraServer named[10120]: no
longer listening on 127.0.0.1#53 Aug 8 16:00:19 FedoraServer named[10120]: no
longer listening on 50.124.80.106#53 Aug 8 16:00:19 FedoraServer named[10120]:
exiting Aug 8 16:00:19 FedoraServer systemd: Stopped Berkeley Internet Name
Domain (DNS). Aug 8 16:00:19 FedoraServer systemd: named-chroot.service: Unit
entered failed state. Aug 8 16:00:19 FedoraServer systemd:
named-chroot.service: Failed with result 'timeout'. Aug 8 16:00:19
FedoraServer systemd: Stopping Set-up/destroy chroot environment for named
(DNS)... Aug 8 16:00:19 FedoraServer audit: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=named-chroot comm="systemd" exe="/usr/lib/systemd/systemd" hostname=?
addr=? terminal=? res=failed' Aug 8 16:00:20 FedoraServer systemd: Stopped
Set-up/destroy chroot environment for named (DNS). Aug 8 16:00:20 FedoraServer
audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 msg='unit=named-chroot-setup comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
I find the
PID file /var/named/chroot/run/named/named.pid not readable (yet?) after start:
No such file or directory
error to be a bit weird as the directory does exist and the entire directory
tree from /var/named is owned by "named". This is usually SELinux's doing. But
SELinux does not throw an error.
My "named.conf":
// generated by named-bootconf.pl options { # the following forwarders
is for Open DNS forwarders { 208.67.222.222; 208.67.220.220; };
directory "/var/named"; # pid-file
"/var/named/chroot/run/named/named.pid"; # pid-file
"/var/named/chroot/run/named/nonamed.pid"; /* * If there is a firewall
between you and nameservers you want * to talk to, you might need to
uncomment the query-source * directive below. Previous versions of BIND
always asked * questions using port 53, but BIND 8.1 uses an unprivileged
* port by default. */ // query-source address * port 53; }; //
// /etc/named.boot // // This is the boot file that /etc/init.d/inetsvc uses
to run in.named // // // The "directory <path>" statement points to where the
name server (and // its files) will be running. // example: // directory
/var/named // // // // The "cache . named.ca" statement appears on all
servers and tells the // server which servers are authoritative name servers
for the root zone. // The addresses of the "higher authorities" are listed in
the named.ca file. // zone "." { type hint; file "named.ca"; }; //
// // forwarders 206.40.79.2 // forward-only // // key DHCP_UPDATER {
algorithm hmac-md5; secret dgGxxxxxxxxxxxxxxxxQZwgQ==; }; zone
"alpine.local" { type master; file "slaves/alpine.hosts";
allow-update { key DHCP_UPDATER; }; # allow-update { 127.0.0.1; }; };
zone "255.168.192.in-addr.arpa" { type master; file
"slaves/alpine.hosts.rev"; allow-update { key DHCP_UPDATER; }; #
allow-update { 127.0.0.1; }; }; zone "0.0.127.in-addr.arpa" { type master;
file "named.local"; }; logging { channel update_debug {
file "slaves/named-update-debug.log"; severity debug 3;
print-category yes; print-severity yes; print-time yes;
}; channel security_info { file
"slaves/named-auth.info"; severity info; print-category
yes; print-severity yes; print-time yes; };
category update { update_debug; }; category security { security_info; };
};
This is my "named-chroot.service:
# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log" # line
to your /etc/rsyslog.conf file. Otherwise your logging becomes # broken when
rsyslogd daemon is restarted (due update, for example). [Unit]
Description=Berkeley Internet Name Domain (DNS) Wants=nss-lookup.target
Requires=named-chroot-setup.service Before=nss-lookup.target
After=named-chroot-setup.service After=network.target [Service] Type=forking
EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot/run/named/named.pid ExecStartPre=/bin/bash -c 'if [
! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t
/var/named/chroot -z /etc/named.conf; else echo "Checking of zone files is
disabled"; fi' ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill
-HUP $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 ||
/bin/kill -TERM $MAINPID' PrivateTmp=false [Install]
WantedBy=multi-user.target
Any words of wisdom?
Many thanks, -T
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
