On 2020-05-27 11:48 a.m., Anand Buddhdev wrote:
> On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:
>
> Hi Simon,
>
>> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
>> unit so that nsd can create the file.
>>
>> When you do so, on first startup, nsd changes UID from root -> nsd and
>> then creates /var/log/nsd.log:
>>
>> root@d10-nsd:~# ls -l /var/log/nsd.log
>> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
>>
>> On subsequent starts, nsd checks if it can append to the log while still
>> running as root. I believe this is a bug as this check should happen
>
> Are you certain of this? I have never seen any errors on my NSD systems.

I reproduced it all in a Debian Buster VM before posting. Are you using
the same systemd unit as Debian Buster's [*]?

>> after the switch from root->nsd. You can work around it by using the big
>> hammer that is CAP_DAC_OVERRIDE [*] or add this with `systemctl edit
>> nsd`:
>>
>> [Service]
>> ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log
>
> All of this seems to be band-aid upon band-aid of unnecessary hacks.

That's a band-aid indeed. IMHO the proper fix is to be consistent in
handling the file. So either open it as root and not chown it, or always
touch it after setuid().

>> As for the failed unlinking of the pidfile, this is harmless and should
>> not be logged as a warning. It may already be fixed in newer releases as
>> it was done with Unbound already.
>
> PID files are so passé! They are irrelevant on systems where daemons are
> run under supervisors. I would highly recommend setting "pidfile" to ""
> in nsd.conf. This prevents creation of a PID file. Systemd already knows
> the PID of the NSD process, and can signal it directly.

Would it make sense to simply ignore the pidfile directive when running
through systemd?

*: https://salsa.debian.org/dns-team/nsd/-/blob/nsd_debian/4.1.26-1/debian/nsd.service
_______________________________________________
nsd-users mailing list
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
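The root cause of the first problem in the thread is a unit sandbox (ProtectSystem=) that leaves /var/log read-only until ReadWritePaths= re-enables it. The following script is an added example for this page; it is not code from the nsd-users thread, from NSD, or from the Debian packaging. It reads a unit file (or a drop-in written with `systemctl edit`), models only ProtectSystem=, ReadOnlyPaths= and ReadWritePaths=, and reports whether a given path would be writable, so the "ReadWritePaths=/var/log/" change can be checked before restarting the service. The unit fragments it processes are constructed for the demo and are not the real Debian unit; the tie-breaking rule for equally long prefixes is an assumption noted in the code.

```shell
#!/bin/sh
# Added example for the nsd-users thread above; not code from the list,
# from NSD or from the Debian packaging. Predicts whether a path stays
# writable under a unit's ProtectSystem=, ReadOnlyPaths= and
# ReadWritePaths= settings. Other sandboxing directives (ProtectHome=,
# InaccessiblePaths=, PrivateTmp=, ...) are deliberately not modelled,
# and quoted or space-containing paths are not handled.

# _under PATH DIR: succeed if PATH is DIR itself or lies below it.
_under() {
    [ "$2" = "/" ] && return 0
    [ "$1" = "$2" ] && return 0
    case $1 in "$2"/*) return 0 ;; esac
    return 1
}

# _apply PATH MODE: remember MODE if PATH is the longest prefix of $target
# seen so far. systemd applies the most specific mount, so the longest
# matching prefix decides; on equal length the rule applied last wins
# (an assumption made here for tie-breaking).
_apply() {
    if _under "$target" "$1"; then
        if [ "${#1}" -ge "$best_len" ]; then
            best_len=${#1}
            best_mode=$2
        fi
    fi
}

# unit_path_writable UNITFILE PATH: print "rw" or "ro" for PATH and return
# 0 (writable) or 1 (read-only).
unit_path_writable() {
    unit=$1 target=$2
    protect=no rw="" ro=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ProtectSystem=*) protect=${line#ProtectSystem=} ;;
            ReadWritePaths=|ReadOnlyPaths=)
                # An empty assignment resets the list, as in systemd.
                case $line in ReadWritePaths=*) rw="" ;; *) ro="" ;; esac ;;
            ReadWritePaths=*|ReadOnlyPaths=*)
                for p in ${line#*=}; do
                    p=${p#-}; p=${p#+}   # "-": ignore if missing; "+": relative to root
                    p=${p%/}; [ -n "$p" ] || p=/
                    case $line in
                        ReadWritePaths=*) rw="$rw $p" ;;
                        *) ro="$ro $p" ;;
                    esac
                done ;;
        esac
    done < "$unit"

    # Baseline mounts implied by ProtectSystem=.
    case $protect in
        strict)        base="/ ro /dev rw /proc rw /sys rw" ;;
        full)          base="/ rw /usr ro /boot ro /efi ro /etc ro" ;;
        true|yes|on|1) base="/ rw /usr ro /boot ro /efi ro" ;;
        *)             base="/ rw" ;;
    esac

    best_len=-1 best_mode=rw
    set -- $base
    while [ $# -gt 0 ]; do _apply "$1" "$2"; shift 2; done
    for p in $ro; do _apply "$p" ro; done
    for p in $rw; do _apply "$p" rw; done
    echo "$best_mode"
    [ "$best_mode" = rw ]
}

# Constructed unit fragment (not the real Debian unit) in the hardened
# style the thread discusses, before and after the ReadWritePaths= fix.
demo=$(mktemp)
printf '%s\n' '[Service]' 'ProtectSystem=strict' 'ReadWritePaths=/var/lib/nsd /run/nsd' > "$demo"
echo "without fix: /var/log/nsd.log is $(unit_path_writable "$demo" /var/log/nsd.log)"
echo 'ReadWritePaths=-/var/log/' >> "$demo"
echo "with fix:    /var/log/nsd.log is $(unit_path_writable "$demo" /var/log/nsd.log)"
rm -f "$demo"
```

Two caveats for the workaround quoted in the thread: this script is only a model of the mount namespace, so confirm the result with `systemd-analyze security nsd` and a real restart; and if the unit itself sets User=, an `ExecStartPre=` line runs as that user, so the chown would fail (silently, because of the leading `-`) unless it is written as `ExecStartPre=+/bin/chown ...`, the `+` prefix being systemd's way of running a single command with full privileges.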
