Package: nsd
Version: 4.3.5-1
Severity: important

Dear Maintainer,
When using the "chroot" option of nsd, the daemon refuses to start without any information in the logs about why. The only output is:

  × nsd.service - Name Server Daemon
       Loaded: loaded (/lib/systemd/system/nsd.service; enabled; preset: enabled)
      Drop-In: /etc/systemd/system/nsd.service.d
               └─capabilities.conf
       Active: failed (Result: signal) since Thu 2023-06-29 11:05:07 CEST; 735ms ago
     Duration: 38ms
         Docs: man:nsd(8)
      Process: 2480 ExecStart=/usr/sbin/nsd -d -P (code=killed, signal=SYS)
     Main PID: 2480 (code=killed, signal=SYS)
          CPU: 36ms

  Jun 29 11:05:07 x systemd[1]: nsd.service: Main process exited, code=kill>
  Jun 29 11:05:07 x systemd[1]: nsd.service: Failed with result 'signal'.
  Jun 29 11:05:07 x systemd[1]: nsd.service: Scheduled restart job, restart>
  Jun 29 11:05:07 x systemd[1]: Stopped nsd.service - Name Server Daemon.
  Jun 29 11:05:07 x systemd[1]: nsd.service: Start request repeated too qui>
  Jun 29 11:05:07 x systemd[1]: nsd.service: Failed with result 'signal'.
  Jun 29 11:05:07 x systemd[1]: Failed to start nsd.service - Name Server D>

I created a bind mount for /dev/log into the chroot, but this did not help. Starting it by hand (by invoking /usr/sbin/nsd from the shell) works correctly without errors.

Eventually, I managed to work around this by commenting out the SystemCallFilter line in the service file:

  #SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources

I don't know what the correct system call set name would be to make chroot work. The systemd.exec(5) manual seems to imply that @mount should be sufficient, so perhaps it's not the chroot itself that's causing the problem, but something else that runs after chrooting.

The upstream contributed systemd service file[1] doesn't use SystemCallFilter anymore. There used to be a more complex contrib file, but it got removed because it was "too complicated and not useful"[2]. It looks like this old revision is the systemd file that Debian is still using.
I ran into this again on the upgrade to Debian Bookworm, so this issue hasn't been fixed.

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

[1] https://github.com/NLnetLabs/nsd/blob/master/contrib/nsd.service
[2] https://github.com/NLnetLabs/nsd/commit/c8eae0d3073fa48e70875bdb01aa9f6b27538e87
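Editor's added example, not part of the bug report and not code from nsd or the Debian packaging: a small POSIX shell script for the situation described above. A process killed by a seccomp filter (systemd's `signal=SYS`) leaves a kernel audit record of type 1326 (SECCOMP) in the journal and kernel log that names the offending syscall number, so the number can be recovered and mapped to a name instead of dropping the whole SystemCallFilter line. The audit line below is constructed for illustration; the number-to-name table assumes x86_64 numbering (161 is chroot(2), which systemd's @mount set includes). The drop-in at the end keeps the deny-list but removes @mount from it; `systemd-analyze syscall-filter @mount` on the target host confirms what that set contains.

```shell
#!/bin/sh
# Added example: identify the syscall behind a SystemCallFilter= kill and
# build a drop-in that relaxes only that part of the filter.
#
# Where the record comes from on a default Debian host (no auditd):
#   journalctl -k -b | grep 'type=1326'      # or: dmesg | grep SECCOMP
#
# Constructed sample record (not taken from the report); sig=31 is SIGSYS,
# arch=c000003e is x86_64, syscall=161 is chroot(2) on that architecture.
SAMPLE_AUDIT_LINE='audit: type=1326 audit(1688029507.123:45): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2480 comm="nsd" exe="/usr/sbin/nsd" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7f3a1c2b4e47 code=0x0'

# Read audit/kernel log lines on stdin and print the syscall number of every
# SECCOMP (type=1326) record belonging to the given comm= value.
seccomp_syscalls_for() {
    comm="$1"
    sed -n "s/.*type=1326.*comm=\"$comm\".*syscall=\([0-9]*\).*/\1/p"
}

# Map an x86_64 syscall number to its name. ausyscall(8) from the auditd
# package does this for every number; the built-in table (assumption: x86_64)
# covers the members of @mount that matter for a chroot'ed daemon.
syscall_name() {
    if command -v ausyscall >/dev/null 2>&1; then
        ausyscall x86_64 "$1"
        return
    fi
    case "$1" in
        161) echo chroot ;;
        165) echo mount ;;
        166) echo umount2 ;;
        155) echo pivot_root ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Drop-in that keeps the packaged deny-list but allows chroot(2) by leaving
# @mount out of it. The first empty assignment resets the filter inherited
# from the unit file; a second line would otherwise be merged with it.
# For diagnosis only, adding "SystemCallErrorNumber=EPERM" makes further
# filter hits fail with an errno that nsd reports itself instead of a kill.
fixed_drop_in() {
    cat <<'EOF'
[Service]
SystemCallFilter=
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @resources
EOF
}

# Write the drop-in where systemd looks for it (hypothetical path name).
install_drop_in() {
    dir="${1:-/etc/systemd/system/nsd.service.d}"
    mkdir -p "$dir"
    fixed_drop_in > "$dir/syscall-filter.conf"
    echo "$dir/syscall-filter.conf"
    # afterwards: systemctl daemon-reload && systemctl restart nsd
}

# Demonstration on the constructed record.
for n in $(printf '%s\n' "$SAMPLE_AUDIT_LINE" | seccomp_syscalls_for nsd); do
    echo "nsd was killed by seccomp on syscall $n ($(syscall_name "$n"))"
done
```

Run the demonstration as-is; on a real host replace the sample line with `journalctl -k -b | seccomp_syscalls_for nsd` and call `install_drop_in` as root. If the name that comes back is not in @mount, the same record tells you which other set to drop, which is the answer to the question the report leaves open.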