Package: nsd
Version: 4.3.5-1
Severity: important
Dear Maintainer,
When using the "chroot" option of nsd, the daemon refuses to start
without any information in the logs about why. The only output is:
× nsd.service - Name Server Daemon
Loaded: loaded (/lib/systemd/system/nsd.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/nsd.service.d
└─capabilities.conf
Active: failed (Result: signal) since Thu 2023-06-29 11:05:07 CEST; 735ms
ago
Duration: 38ms
Docs: man:nsd(8)
Process: 2480 ExecStart=/usr/sbin/nsd -d -P (code=killed, signal=SYS)
Main PID: 2480 (code=killed, signal=SYS)
CPU: 36ms
Jun 29 11:05:07 x systemd[1]: nsd.service: Main process exited, code=kill>
Jun 29 11:05:07 x systemd[1]: nsd.service: Failed with result 'signal'.
Jun 29 11:05:07 x systemd[1]: nsd.service: Scheduled restart job, restart>
Jun 29 11:05:07 x systemd[1]: Stopped nsd.service - Name Server Daemon.
Jun 29 11:05:07 x systemd[1]: nsd.service: Start request repeated too qui>
Jun 29 11:05:07 x systemd[1]: nsd.service: Failed with result 'signal'.
Jun 29 11:05:07 x systemd[1]: Failed to start nsd.service - Name Server D>
I created a bind mount for /dev/log into the chroot, but this did not help.
Starting it by hand (by invoking /usr/sbin/nsd from the shell) works
correctly without errors.
Eventually, I managed to work around this by commenting out the
SystemCallFilter line in the service file:
#SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount
@obsolete @resources
I don't know what the correct system call set name would be to make
chroot work. The systemd.exec(5) manual seems to imply that @mount
should be sufficient, so perhaps it's not the chroot itself that's
causing the problem, but something else that runs after chrooting.
The upstream contributed systemd service file[1] doesn't use
SystemCallFilter anymore. There used to be a more complex contrib
file but it got removed because it was "too complicated and not
useful"[2]. It looks like this old revision is the systemd file
that Debian is still using.
I ran into this again on the upgrade to Debian Bookworm, so this issue
hasn't been fixed.
-- System Information:
Debian Release: 11.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
[1] https://github.com/NLnetLabs/nsd/blob/master/contrib/nsd.service
[2]
https://github.com/NLnetLabs/nsd/commit/c8eae0d3073fa48e70875bdb01aa9f6b27538e87