Re: Log rolling stopped working in 9.11.12 ?
Hi John,
> Thank you for the obvious suggestion, Mark. It hadn't occurred to me that a
> yum update might have clobbered my existing permissions.
>
> Sure enough, there it was -
> 755 root:root /var/opt/isc/isc-bind/log/
> Everything in that directory was still -
> 644 named:named
> but the user "named" was unable to create anything new
>
> Looking at my installation notes from earlier this year, I found the
> following:
> > Adjust the log directory permissions. chown named:named
> > /var/opt/isc/isc-bind/log
> > chmod 775 /var/opt/isc/isc-bind/log
>
> I have re-applied that permission change, and things are happy again. Which
> brings me to two follow-up questions.
>
> A) Should I expect these file permissions be altered by a minor update? I
> know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 without
> seeing this behavior.
/var/opt/isc/isc-bind/log is part of the isc-bind-runtime package, which
is the runtime package for the isc-bind Software Collection. The
contents of that package are determined by the %{scl_files} macro used
in the *.spec file for the isc-bind metapackage [1]. That is how the
runtime package is supposed to be created according to Software
Collection docs [2]. We do not add that directory explicitly.
Answering your question, this directory is not touched when you update
the isc-bind-bind package (which is usually the only package that gets
updated whenever a new version of BIND is released), but it *will* be
affected (i.e. its permissions will be reset to those specified by the
package) by isc-bind-runtime updates.
We recently had to update the metapackage to make the Software
Collection work on RHEL/CentOS 8, which also caused a revision bump for
the isc-bind-runtime package. That is likely the update that caused the
permissions on your box to be reset. Updates like this are rare, but
can happen from time to time, so I would avoid relying on customized
permissions for packaged directories.
> B) Should I not be logging to /var/opt/isc/isc-bind/log?
> The log path in my named.conf is currently set to a relative path
> "../../log/query.log", but I could easily change it to an absolute path
> "/var/log/named/query.log"
You can really log where you want as long as the permissions are right.
The default named.conf included with our packages causes logs to be
written to /var/opt/isc/isc-bind/named/data/named.run, mimicking what
stock RHEL/CentOS BIND packages do (with the path adjusted to follow the
Software Collection's directory layout).
Note that /var/opt/isc/isc-bind/log is the Software Collection's
equivalent of /var/log; if you configured named to log to the latter, it
would also not work because /var/log is owned by root:root by default,
just like /var/opt/isc/isc-bind/log is.
If you are okay with adhering to the Software Collection's directory
layout, feel free to create a subdirectory in /var/opt/isc/isc-bind/log
with proper permissions - subdirectories should not be affected by the
metapackage updates I mentioned above. But the Software Collection does
not force you to use that location.
Hope this helps,
[1]
https://gitlab.isc.org/isc-packages/rpms/isc-bind/blob/434d4d8a6e436e0943cfc2deac2f1a07fe3136b5/isc-bind.spec#L63
[2]
https://www.softwarecollections.org/en/docs/guide/#bh-Example_of_the_Meta_Package
--
Best regards,
Michał Kępień
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Log rolling stopped working in 9.11.12 ?
Am 19.11.19 um 18:23 schrieb John Thurston: A) Should I expect these file permissions be altered by a minor update? I know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 without seeing this behavior. On 11/19/2019 8:34 AM, Reindl Harald wrote: yes, every by a package owned directory or file has it's permissions in the rpm database and they are ensured everytime a package get updated I am certain I didn't need to reapply those file permissions with my earlier version updates. But if this is the expected behavior with each update, then that experience was an outlier. I will explore relocating my logs to a location not affected by package updates. I see bind 9.11.4 in centos7, where did you pull 9.11.10 from? which is why we don't need to reinstall our Linux boxes all the time when things become messy over the years On 19.11.19 12:16, John Thurston wrote: I find this somewhat humorous I have recently started using linux. I am amazed how often the operating system changes radically, and how short the support windows are . . . when compared to the Solaris environment we are turning off. yes, it depends on what you are replacing. commercial SW distributions have longer period than free. Redhat (commercial) and Centos (redhat-based) have 10-years security support. Debian and Ubuntu have 5-years LTS, Ubuntu provides commercial support for another 3 years (and company freexian tries to provide ELTS for debian for some time) However that does not apply for packages outside of centos. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Windows found: (R)emove, (E)rase, (D)elete ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Log rolling stopped working in 9.11.12 ?
On 11/19/2019 8:34 AM, Reindl Harald wrote: Am 19.11.19 um 18:23 schrieb John Thurston: A) Should I expect these file permissions be altered by a minor update? I know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 without seeing this behavior. yes, every by a package owned directory or file has it's permissions in the rpm database and they are ensured everytime a package get updated I am certain I didn't need to reapply those file permissions with my earlier version updates. But if this is the expected behavior with each update, then that experience was an outlier. I will explore relocating my logs to a location not affected by package updates. Thank you for the information and insight. which is why we don't need to reinstall our Linux boxes all the time when things become messy over the years I find this somewhat humorous I have recently started using linux. I am amazed how often the operating system changes radically, and how short the support windows are . . . when compared to the Solaris environment we are turning off. -- Do things because you should, not just because you can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Log rolling stopped working in 9.11.12 ?
Am 19.11.19 um 18:23 schrieb John Thurston: > Looking at my installation notes from earlier this year, I found the > following: >> Adjust the log directory permissions. chown named:named >> /var/opt/isc/isc-bind/log >> chmod 775 /var/opt/isc/isc-bind/log > > I have re-applied that permission change, and things are happy again. > Which brings me to two follow-up questions. > > A) Should I expect these file permissions be altered by a minor update? > I know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 > without seeing this behavior. yes, every by a package owned directory or file has it's permissions in the rpm database and they are ensured everytime a package get updated which is why we don't need to reinstall our Linux boxes all the time when things become messy over the years ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Log rolling stopped working in 9.11.12 ?
Thank you for the obvious suggestion, Mark. It hadn't occurred to me that a yum update might have clobbered my existing permissions. Sure enough, there it was - 755 root:root /var/opt/isc/isc-bind/log/ Everything in that directory was still - 644 named:named but the user "named" was unable to create anything new Looking at my installation notes from earlier this year, I found the following: Adjust the log directory permissions. chown named:named /var/opt/isc/isc-bind/log chmod 775 /var/opt/isc/isc-bind/log I have re-applied that permission change, and things are happy again. Which brings me to two follow-up questions. A) Should I expect these file permissions be altered by a minor update? I know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 without seeing this behavior. B) Should I not be logging to /var/opt/isc/isc-bind/log? The log path in my named.conf is currently set to a relative path "../../log/query.log", but I could easily change it to an absolute path "/var/log/named/query.log" -- Do things because you should, not just because you can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska On 11/18/2019 6:49 PM, Mark Andrews wrote: There have been no changes. I would be checking directory permissions. Anything that would stop rename() succeeding. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Log rolling stopped working in 9.11.12 ?
Or changes to SELinux policies (since you are running CentOS). Ondrej -- Ondřej Surý ond...@isc.org > On 19 Nov 2019, at 11:49, Mark Andrews wrote: > > There have been no changes. I would be checking directory permissions. > Anything that would > stop rename() succeeding. > >> On 19 Nov 2019, at 08:53, John Thurston wrote: >> >> I recently updated from 9.11.10 to 9.11.12 with the ISC-provided package for >> CentOS 7. Everything looked ok, until today when my monitoring application >> told me I was running out of disk space. >> >> ACK! Log rolling on my servers stopped. >> >> My named.conf has lines like: >> file "query.log" versions 10 size 1000m; >> >> In my directory, I have: >> query.log.9 >> query.log.8 >> query.log.7 >> query.log.6 >> query.log.5 >> query.log.4 >> query.log.3 >> query.log.2 >> query.log.1 >> query.log.0 >> query.log >> >> Log numbers 0-9 are 1001M (as expected). >> The current log is 28G and growing :( >> >> I've looked over the BIND release notes and don't see anything about a >> change to the logging behavior. Did I miss something? >> >> Or maybe some kernel (or other package) patch broke some dependency? >> >> >> I'm looking for ideas here. >> >> >> -- >> Do things because you should, not just because you can. >> >> John Thurston907-465-8591 >> john.thurs...@alaska.gov >> Department of Administration >> State of Alaska >> ___ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Log rolling stopped working in 9.11.12 ?
There have been no changes. I would be checking directory permissions. Anything that would stop rename() succeeding. > On 19 Nov 2019, at 08:53, John Thurston wrote: > > I recently updated from 9.11.10 to 9.11.12 with the ISC-provided package for > CentOS 7. Everything looked ok, until today when my monitoring application > told me I was running out of disk space. > > ACK! Log rolling on my servers stopped. > > My named.conf has lines like: > file "query.log" versions 10 size 1000m; > > In my directory, I have: > query.log.9 > query.log.8 > query.log.7 > query.log.6 > query.log.5 > query.log.4 > query.log.3 > query.log.2 > query.log.1 > query.log.0 > query.log > > Log numbers 0-9 are 1001M (as expected). > The current log is 28G and growing :( > > I've looked over the BIND release notes and don't see anything about a change > to the logging behavior. Did I miss something? > > Or maybe some kernel (or other package) patch broke some dependency? > > > I'm looking for ideas here. > > > -- > Do things because you should, not just because you can. > > John Thurston907-465-8591 > john.thurs...@alaska.gov > Department of Administration > State of Alaska > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Log rolling stopped working in 9.11.12 ?
I recently updated from 9.11.10 to 9.11.12 with the ISC-provided package for CentOS 7. Everything looked ok, until today when my monitoring application told me I was running out of disk space. ACK! Log rolling on my servers stopped. My named.conf has lines like: file "query.log" versions 10 size 1000m; In my directory, I have: query.log.9 query.log.8 query.log.7 query.log.6 query.log.5 query.log.4 query.log.3 query.log.2 query.log.1 query.log.0 query.log Log numbers 0-9 are 1001M (as expected). The current log is 28G and growing :( I've looked over the BIND release notes and don't see anything about a change to the logging behavior. Did I miss something? Or maybe some kernel (or other package) patch broke some dependency? I'm looking for ideas here. -- Do things because you should, not just because you can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
