Hi Simon,

> I would have expect a permission error instead of a "read-only" one. It
> looks as if /var/log was not properly added to be ReadWritePaths set.

That is what I have used:
> ReadWritePaths=/var/lib/nsd /var/log /etc/nsd /run

> This unlink failure is expected and AFAICT harmless.
It should be harmless, but it doesn't look nice. I would consider this as a bug.

> I believe that xfrd.state should be owned by nsd:nsd as the daemon needs
> to write to that file.
After changing the owner to nsd:nsd I believe this problem is fixed. Thanks!

Kind Regards,
Kaulkwappe



From: Simon Deziel <si...@sdeziel.info>
Sent: Sunday, 24. Nov 2019 – 22:07 CET +0100
To: nsd-users@NLnetLabs.nl

Subject: Re: [nsd-users] Permission error after upgrade to Debian Buster (10.2)

On 2019-11-24 3:05 p.m., Kaulkwappe wrote:
> Hi Simon,
> 
> thanks for your fast answer.
> 
> It seems that you're right that NSD tries to open the files as root user – which 
> seems is blocked by the restrictive nsd.service configuration. See also:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938987
> 
> So, I changed the owner of all the files to 'root:root' and added '/var/log' to 
> 'ReadWritePaths'. Then NSD starts without any problems.
> 
> However, on the next startup I see that NSD always changes back the ownership of 
> '/var/log/nsd.log' from 'root:root' back to the nsd user. This leads to 
> following error message:
>  > Nov 24 18:48:05 ns2 nsd[1959]: [2019-11-24 18:48:05.896] nsd[1959]: error: 
> Cannot open /var/log/nsd.log for appending (Read-only file system), logging to 
> stderr

I would have expect a permission error instead of a "read-only" one. It
looks as if /var/log was not properly added to be ReadWritePaths set.

> When I stop NSD, I get following messages:
>  > Nov 24 21:01:22 ns2 nsd[2168]: [2019-11-24 21:01:22.109] nsd[2169]: warning: 
> signal received, shutting down...
>  > Nov 24 21:01:22 ns2 nsd[2168]: [2019-11-24 21:01:22.112] nsd[2169]: warning: 
> failed to unlink pidfile /run/nsd/nsd.pid: Permission denied

This unlink failure is expected and AFAICT harmless.

>  > Nov 24 21:01:22 ns2 nsd[2168]: [2019-11-24 21:01:22.117] nsd[2168]: error: 
> xfrd: Could not open file /var/lib/nsd/xfrd.state for writing: Permission denied
> 
> This is very confusing since /var/lib/nsd/xfrd.state still has root:root, while 
> NSD created the /run/nsd/nsd.pid using nsd:nsd.

I believe that xfrd.state should be owned by nsd:nsd as the daemon needs
to write to that file.

For reference, here's what it looks on my local slave:

root@ns0:~# ll /var/lib/nsd/xfrd.state /run/nsd/nsd.*
srwxr-xr-x 1 nsd nsd    0 Nov 24 19:41 /run/nsd/nsd.ctl=
-rw-r--r-- 1 nsd nsd    4 Nov 24 19:41 /run/nsd/nsd.pid
-rw-r--r-- 1 nsd nsd 2702 Nov 24 19:39 /var/lib/nsd/xfrd.state

Regards,
Simon
_______________________________________________
nsd-users mailing list
nsd-users@NLnetLabs.nl
https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
_______________________________________________
nsd-users mailing list
nsd-users@NLnetLabs.nl
https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

Reply via email to