After upgrading from Stretch to Debian Buster (10.2) I get the following error message, which blocks NSD (4.1.26) from starting:
> Nov 24 16:18:40 ns2 nsd[989]: [2019-11-24 16:18:40.030] nsd[989]: error: could not open zone list /var/lib/nsd/zone.list: Permission denied
> Nov 24 16:18:40 ns2 nsd[989]: [2019-11-24 16:18:40.032] nsd[989]: error: could not read zonelist file /var/lib/nsd/zone.list
However, the permissions are all fine; they did not change during the update.
ls -l /var/lib/nsd/zone.list
> -rw-r--r-- 1 nsd nsd 1195 Nov 4 17:33 /var/lib/nsd/zone.list
I had a look into /lib/systemd/system/nsd.service:
> [Unit]
> Description=Name Server Daemon
> Documentation=man:nsd(8)
> After=network.target
> [Service]
> Type=notify
> Restart=always
> ExecStart=/usr/sbin/nsd -d
> ExecReload=+/bin/kill -HUP $MAINPID
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=strict
> ReadWritePaths=/var/lib/nsd /etc/nsd /run
> RuntimeDirectory=nsd
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
> [Install]
> WantedBy=multi-user.target
Once I remove the following line,
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
(removing only some of the parameters from it does not help; I need to remove the full line), the error message changes to:
> Nov 24 16:37:57 ns2 systemd[1]: Starting Name Server Daemon...
> Nov 24 16:37:57 ns2 nsd[1607]: [2019-11-24 16:37:57.144] nsd[1607]: error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
> Nov 24 16:37:57 ns2 nsd[1607]: [2019-11-24 16:37:57.145] nsd[1607]: notice: nsd starting (NSD 4.1.26)
> Nov 24 16:37:57 ns2 nsd[1607]: [2019-11-24 16:37:57.252] nsd[1608]: notice: nsd started (NSD 4.1.26), pid 1607
> Nov 24 16:37:57 ns2 systemd[1]: Started Name Server Daemon.
Since nsd-control zonestatus now works, NSD can now read /var/lib/nsd/zone.list. However, it is still not running fine, because now NSD says it cannot open /var/log/nsd.log.
Does anyone know how to fix that?
Kind Regards,
Kaulkwappe
nsd-users mailing list nsd-users@NLnetLabs.nl https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
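As an added example (not from the post, the NSD project or Debian's unit file): a small POSIX shell check of whether a path falls inside the writable set that ProtectSystem=strict plus ReadWritePaths= leaves, run against a constructed excerpt of the quoted unit and against a hypothetical drop-in variant that also lists the log file. The function names, the FIXED_UNIT_TEXT variant and the sample paths are my own assumptions.

```shell
# Constructed excerpt of the hardening lines quoted from nsd.service above.
UNIT_TEXT='[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd'

# Hypothetical drop-in (what "systemctl edit nsd" would write) that additionally
# opens the log file for writing; systemd merges repeated ReadWritePaths= lines.
FIXED_UNIT_TEXT="$UNIT_TEXT
ReadWritePaths=/var/log/nsd.log"

# rw_paths UNIT_TEXT: print every ReadWritePaths= entry, one per line,
# with an optional leading "-" (ignore-if-missing marker) stripped.
rw_paths() {
    printf '%s\n' "$1" | sed -n 's/^ReadWritePaths=//p' | tr ' ' '\n' \
        | sed -e '/^$/d' -e 's/^-//'
}

# writable_under_strict UNIT_TEXT PATH: exit 0 if PATH stays writable inside
# the unit's sandbox, 1 if ProtectSystem=strict leaves it read-only.
writable_under_strict() {
    unit=$1; target=$2
    # Without ProtectSystem=strict this knob does not make the tree read-only.
    printf '%s\n' "$unit" | grep -q '^ProtectSystem=strict$' || return 0
    # strict keeps only the API file systems writable.
    case $target in /dev/*|/proc/*|/sys/*) return 0 ;; esac
    # Otherwise the path must be one of, or sit below, a ReadWritePaths= entry.
    for p in $(rw_paths "$unit"); do
        case $target in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# Walk the two files the log lines show NSD touching and report each one.
report() {
    for f in /var/lib/nsd/zone.list /var/log/nsd.log; do
        if writable_under_strict "$1" "$f"; then
            printf '%-22s writable\n' "$f"
        else
            printf '%-22s READ-ONLY under ProtectSystem=strict\n' "$f"
        fi
    done
}

report "$UNIT_TEXT"
report "$FIXED_UNIT_TEXT"
```

With the quoted unit the check flags /var/log/nsd.log as read-only, which matches the "Read-only file system" error in the second log excerpt, while zone.list sits under /var/lib/nsd and passes.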