Hi Anders!
That helps for the log file. Thanks!
However, the pid warning remains:
nsd[27759]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
Not terrible, but any idea how to solve that one..?
I also tried commenting out the entire line, as suggested by Kaulkwappe,
(thanks for that, Kaulkwappe!) but also then the pid warning remains.
Thanks very much for your kind help!
MJ
On 5/27/20 2:33 PM, Anders Giversen via nsd-users wrote:
Hi
Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
Best regards
Anders Giversen
On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
Hi MJ,
unfortunately I couldn't fix it. I tried one billion things, but
nothing worked. So I needed to go the hard way and commented this out
in /etc/systemd/system/multi-user.target.wants/nsd.service:
#CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
Kind Regards,
Kaulkwappe
-------------------------
From: mj via nsd-users <[email protected] [1]>
Sent: Tuesday, 26. May 2020 – 11:58 CEST +0200
To: [email protected] [1]
Subject: [nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi,
Subscribed specially to reply to the subject thread.
I am also trying to run nsd on debian buster, and it's not working so
nicely. :-)
error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service
file, but the error remains:
[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target
[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d
ExecReload=+/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
[Install]
WantedBy=multi-user.target
I read in Paul Wouters' reply to add nsd User/Group to the service file,
but then nsd no longer starts, as the nsd user has no permission to bind
to port 53:
error: can't bind udp socket: Permission denied
I wanted to migrate from bind to nsd, but it seems the debian package
could use some love. :-)
Does anyone have a suggestion how to proceed..? (a working systemd file
perhaps?)
Thanks,
MJ
_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
Links:
------
[1] http://mail.giver.dk/email/new/1/nsd-users%40lists.nlnetlabs.nl
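
Added example, not part of the original thread: a Python check that compares the CapabilityBoundingSet= configured in a unit file with the CapBnd mask the kernel reports in /proc/<pid>/status, to confirm that an edit such as the CAP_DAC_OVERRIDE addition discussed above actually reached the running nsd process. The function names and the sample status text are constructed for illustration.

```python
import re

# Linux capability numbers 0..40, in bit order of the CapBnd mask.
CAPS = """CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF
CAP_CHECKPOINT_RESTORE""".split()

def unit_bounding_set(unit_text):
    """Capabilities named by CapabilityBoundingSet= lines, or None if unset.
    Commented-out lines are ignored, repeated lines are merged, and an empty
    assignment resets the set. The inverted "~" form is rejected, not handled."""
    caps = None
    for line in unit_text.splitlines():
        m = re.match(r"\s*CapabilityBoundingSet=(.*)$", line)
        if not m:
            continue
        names = m.group(1).split()
        if any(n.startswith("~") for n in names):
            raise ValueError("inverted bounding sets are not supported here")
        caps = set() if not names else (caps or set()) | set(names)
    return caps

def proc_bounding_set(status_text):
    """Decode the hex CapBnd: mask from /proc/<pid>/status into names."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAPS) if mask >> bit & 1}

def audit(unit_text, status_text):
    """Return (missing, extra): configured but absent, present but unconfigured."""
    want, have = unit_bounding_set(unit_text), proc_bounding_set(status_text)
    if want is None:  # no bounding set configured, so nothing to compare
        return set(), set()
    return want - have, have - want

# Constructed sample: the unit line from the thread and a matching kernel mask.
UNIT = ("[Service]\nCapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK "
        "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT\n")
STATUS = "Name:\tnsd\nCapBnd:\t00000000000444c1\n"

if __name__ == "__main__":
    print("missing, extra:", audit(UNIT, STATUS))
```

On a live system the status text would come from /proc/<pid>/status of the nsd main process; a non-empty "missing" set after editing the unit means the running process still has the old bounding set.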