Hi MJ,
Unfortunately I couldn't fix it. I tried one billion things, but nothing worked. So I needed to go the hard way and comment this out in /etc/systemd/system/multi-user.target.wants/nsd.service:
#CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
Kind Regards,
Kaulkwappe
From: mj via nsd-users <[email protected]>
Sent: Tuesday, 26. May 2020 – 11:58 CEST +0200
To: [email protected]
Subject: [nsd-users] NSD still shows permission errors on Debian 10 Buster

Hi,

Subscribed specially to reply to the subject thread.

I am also trying to run nsd on Debian buster, and it's not working so nicely. :-)

> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied

I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service file, but the error remains:

> [Unit]
> Description=Name Server Daemon
> Documentation=man:nsd(8)
> After=network.target
>
> [Service]
> Type=notify
> Restart=always
> ExecStart=/usr/sbin/nsd -d
> ExecReload=+/bin/kill -HUP $MAINPID
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=strict
> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
> RuntimeDirectory=nsd
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
>
> [Install]
> WantedBy=multi-user.target

I read in Paul Wouters' reply to add nsd User/Group to the service file, but then nsd no longer starts, as the nsd user has no permission to bind to port 53:

> error: can't bind udp socket: Permission denied

I wanted to migrate from bind to nsd, but it seems the Debian package could use some love. :-)

Does anyone have a suggestion how to proceed..? (a working systemd file perhaps?)

Thanks,
MJ
_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
