Re: bind-chroot is not re-positioning my forward and reverse tables
On 7/1/21 9:10 AM, Petr Menšík wrote:
> Hi,
>
> On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote:
>> On 6/27/21 4:01 PM, Reindl Harald wrote:
>>> seriously I am beginning to wonder if you should simply give up bind-chroot
>>
>> Never quit! :-)
>
> It is not a bad idea. If you are running SELinux in enforcing mode,

I do, but there are extenuating circumstances. I will explain in a bit.

> it already limits the named service in a more restrictive way than bind-chroot. I think there is no real advantage to running bind-chroot, just more configuration quirks required. Please try to use SELinux if possible. When it is enforcing, I think named.service is just fine. No chroot is needed for additional security.

Hi Petr,

The reason I am running bind-chroot is because I want my machine to emulate what I have at my customers. And I have a customer with a $$ piece of software that despises SELinux and the vendor won't fix it. It is one of those pieces of software where they stitch together other pieces of software like legos and then charge out the nose for it. There is not a lot of original content. So I run named-chroot on his server (and mine too).

>>> it's not the job of the chroot bind-mount setup to mount each and every file and 'file "abc.hosts.rev"' without any path makes no sense
>>>
>>> just write your files where they are expected from the viewpoint of the chroot and ignore "/var/named/chroot" in your configs because it simply doesn't exist from the viewpoint of the process running inside the chroot
>>>
>>> anyways, that's not a bind topic at all
>>
>> Odd, I would have thought that bind-chroot was part of the bind project.
>>
>> Anyway, I figured it out. I will post it in another reply
>
> No, bind-chroot is a Red Hat provided helper for the chroot ability of BIND, to set up the chroot an easy way. Only a smaller part of the configuration is specific to the BIND project itself. The larger part of the bind-chroot scripts belongs to Fedora or RHEL, because the chroot setup is an implementation provided by the Fedora project package, not by any of the ISC releases.

Is there a specific support site for bind-chroot?

> I think your attempts fail because the setup script /usr/libexec/setup-named-chroot.sh tests whether the destination directory is empty. That means /var/named would be mounted to /var/named/chroot/var/named only when the /var/named/chroot/var/named directory is empty. It is mounted by named-chroot-setup.service, started before named-chroot.service. That means you have to move your backups out of that directory, not only to different filenames anywhere under that directory. If there are files, those copies are used instead.
>
> It should be the reason why it cannot find your zone data. Move it out of the chroot as a backup, when bind-chroot.service is stopped.
>
> # mkdir -p /var/named/backup-chroot/var/named
> # mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named
> # systemctl restart bind-chroot
> # ls -l /var/named/{,chroot/var/named}   # check files are the same
>
> Cheers,
> Petr

Did you see my other thread in this post? I wrote down the exact method I used to fix things. You were close, by the way. I got my ass handed to me in step 2, which is where all my issues were. Fortunately they were all easy to fix (all four of them).

If you can't find it, I will send it to you directly. It is a nice blueprint to follow when (re)installing bind-chroot.

The moral of the story is that it has to work with regular bind before switching to bind-chroot. No skirting the problem in regular bind by directly writing into the chroot, which is where I got into deep doodoo.

Thank you for all the help on this and my other posting (in other places) with bind-chroot! Dang you are good at this stuff! (No getting the big head.)

-T
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-chroot is not re-positioning my forward and reverse tables
Hi,

On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote:
> On 6/27/21 4:01 PM, Reindl Harald wrote:
>> seriously I am beginning to wonder if you should simply give up bind-chroot
>>
>
> Never quit! :-)

It is not a bad idea. If you are running SELinux in enforcing mode, it already limits the named service in a more restrictive way than bind-chroot. I think there is no real advantage to running bind-chroot, just more configuration quirks required. Please try to use SELinux if possible. When it is enforcing, I think named.service is just fine. No chroot is needed for additional security.

>
>> it's not the job of the chroot bind-mount setup to mount each and every file and 'file "abc.hosts.rev"' without any path makes no sense
>>
>> just write your files where they are expected from the viewpoint of the chroot and ignore "/var/named/chroot" in your configs because it simply doesn't exist from the viewpoint of the process running inside the chroot
>>
>> anyways, that's not a bind topic at all
>
> Odd, I would have thought that bind-chroot was part of the bind project.
>
> Anyway, I figured it out. I will post it in another reply

No, bind-chroot is a Red Hat provided helper for the chroot ability of BIND, to set up the chroot an easy way. Only a smaller part of the configuration is specific to the BIND project itself. The larger part of the bind-chroot scripts belongs to Fedora or RHEL, because the chroot setup is an implementation provided by the Fedora project package, not by any of the ISC releases.

I think your attempts fail because the setup script /usr/libexec/setup-named-chroot.sh tests whether the destination directory is empty. That means /var/named would be mounted to /var/named/chroot/var/named only when the /var/named/chroot/var/named directory is empty. It is mounted by named-chroot-setup.service, started before named-chroot.service. That means you have to move your backups out of that directory, not only to different filenames anywhere under that directory. If there are files, those copies are used instead.

It should be the reason why it cannot find your zone data. Move it out of the chroot as a backup, when bind-chroot.service is stopped.

# mkdir -p /var/named/backup-chroot/var/named
# mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named
# systemctl restart bind-chroot
# ls -l /var/named/{,chroot/var/named}   # check files are the same

Cheers,
Petr

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Re: bind-chroot is not re-positioning my forward and reverse tables
On 6/24/21 9:00 PM, ToddAndMargo via bind-users wrote:
> Hi All,
>
> Fedora 34
> bind-chroot-9.16.16-1.fc34.x86_64
>
> I am trying to clean up my bind-chroot forward and reverse files. The goal is to have bind-chroot do its thing by duplicating these two files over into /var/named/chroot/var/named/slaves/ with the identical inodes like it does with named.root and named.root.key:
>
> # stat /etc/named.root.key /var/named/chroot/etc/named.root.key
> ...
>   File: /etc/named.root.key
>   Inode: 60033354
> ...
>   File: /var/named/chroot/etc/named.root.key
> ...
>   Inode: 60033354
>
> In my /etc/named.conf, I have
>
> zone "abc.local" {
>         type master;
>         # file "/var/named/chroot/var/named/slaves/abc.hosts";
>         file "slaves/abc.hosts";
>         allow-update { key DHCP_UPDATER; };
> };
>
> zone "255.168.192.in-addr.arpa" {
>         type master;
>         # file "/var/named/chroot/var/named/slaves/abc.hosts.rev";
>         file "slaves/abc.hosts.rev";
>         allow-update { key DHCP_UPDATER; };
> };
>
> After I stopped
> # systemctl start named-chroot
>
> I copied and moved the following:
>
> Before:
> # find /var/named/ -iname abc.hosts\*
> /var/named/chroot/var/named/slaves/abc.hosts.000
> /var/named/chroot/var/named/slaves/abc.hosts.rev.000
>
> # cp /var/named/chroot/var/named/slaves/abc.hosts /var/named/chroot/var/named/slaves/abc.hosts.000
> # mv /var/named/chroot/var/named/slaves/abc.hosts .
> # cp /var/named/chroot/var/named/slaves/abc.hosts.rev /var/named/chroot/var/named/slaves/abc.hosts.rev.000
> # mv /var/named/chroot/var/named/slaves/abc.hosts.rev .
> # find /var/named/ -iname abc.hosts*
>
> After:
> # find /var/named/ -iname abc.hosts\*
> /var/named/slaves/abc.hosts.rev
> /var/named/slaves/abc.hosts
> /var/named/chroot/var/named/slaves/abc.hosts.000
> /var/named/chroot/var/named/slaves/abc.hosts.rev.000
>
> But when I restarted named-chroot, my great plans got dashed:
>
> # systemctl start named-chroot
> ...
> Jun 24 20:35:45 rn6.abc.local bash[83464]: zone abc.local/IN: loading from master file /slaves/abc.hosts faile>
> Jun 24 20:35:45 rn6.abc.local bash[83464]: zone abc.local/IN: not loaded due to errors.
> Jun 24 20:35:45 rn6.abc.local bash[83464]: _default/abc.local/IN: file not found
> Jun 24 20:35:45 rn6.abc.local bash[83464]: zone 255.168.192.in-addr.arpa/IN: loading from master file /slaves/abc.host>
> Jun 24 20:35:45 rn6.abc.local bash[83464]: zone 255.168.192.in-addr.arpa/IN: not loaded due to errors.
> Jun 24 20:35:45 rn6.abc.local bash[83464]: _default/255.168.192.in-addr.arpa/IN: file not found
> Jun 24 20:35:45 rn6.abc.local bash[83464]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
>
> named-chroot can't find abc.hosts or abc.hosts.rev in /var/named/chroot/var/named/slaves
>
> And in case they got copied to somewhere else I did another find:
>
> # find /var/named/ -iname abc.hosts\*
> /var/named/slaves/abc.hosts.rev
> /var/named/slaves/abc.hosts
> /var/named/chroot/var/named/slaves/abc.hosts.000
> /var/named/chroot/var/named/slaves/abc.hosts.rev.000
>
> No change.
>
> What am I missing?
>
> Many thanks,
> -T

Along with some excellent help from Ed over on the Fedora mailing list, I did get it figured out. I got my ass handed to me on step 2. Here are my notes:

-T

bind-chroot: how to start over clean:

On 6/27/21 5:34 PM, Ed Greshko wrote (with additions from T):

0) backup your zone tables (3+), named.config, named.root.key, named.local files

1) stop named-chroot,
   # systemctl stop named-chroot.service
   Verify it is dead:
   # systemctl status named-chroot.service

2) start the named server
   # systemctl start named.service
   make sure it doesn't produce errors. Fix any you do find.
   To check errors:
   # systemctl status named.service

3) If that checks ok, then stop named.
   # systemctl stop named.service

4) Then do
   Remove:
   # rpm -e --nodeps bind-chroot
   # rm -rf /var/named/chroot
   Reinstall:
   # dnf install bind-chroot
   # systemctl enable named-chroot.service

5) Then, without moving any files or doing anything, start named-chroot
   # systemctl start named-chroot.service

6) double check your mount --bind's
   # stat /etc/named.root.key | grep Inode | awk '{print $3 " " $4}'
   Inode: 60033354
   # stat /var/named/chroot/etc/named.root.key | grep Inode | awk '{print $3 " " $4}'
   Inode: 60033354
   # stat /etc/named.conf | grep Inode | awk '{print $3 " " $4}'
   Inode: 27396278
   # stat /var/named/chroot/etc/named.conf | grep Inode | awk '{print $3 " " $4}'
   Inode: 27396278
   # stat /var/named/named.local | grep Inode | awk '{print $3 " " $4}'
   Inode: 20186605
   # stat /var/named/chroot/var/named/named.local | grep Inode | awk '{print $3 " " $4}'
   Inode: 20186605
   # stat /var/named/ abc.hosts | grep Inode | awk
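Petr's explanation (setup-named-chroot.sh only bind-mounts /var/named into the chroot when the chroot-side directory is empty) and step 6 of Ed's and Todd's notes (comparing inodes on both sides of the mount) come down to two checks an administrator can script instead of running stat by hand per file. The POSIX shell below is an added example written for this page; it is not code from the thread, from ISC, or from the Fedora bind-chroot package. compare_inode reports whether a host path and its chroot counterpart share the same device:inode pair, which is what a bind mount gives and what a stale copy left in the chroot does not; mount_target_state is an approximation of the empty-directory condition Petr describes (the real script's test is not quoted in the thread, so treat this as an assumption about its behaviour); check_chroot_mirror runs the inode comparison over a list of paths and fails if any of them is not the mounted original. It assumes GNU stat (the -c format option) as found on Fedora; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the Fedora bind-chroot package.
# Verifies that files seen inside /var/named/chroot are the bind-mounted
# originals (same device:inode) rather than stray copies.

# Print "same" if SRC and DST are the same file on the same device (the
# bind-mount case), "different" if they are distinct files (a copy left
# in the chroot), "missing" if either path does not exist.
# Assumes GNU stat, as on Fedora.
compare_inode() {
    src="$1"; dst="$2"
    [ -e "$src" ] && [ -e "$dst" ] || { echo missing; return; }
    if [ "$(stat -c '%d:%i' "$src")" = "$(stat -c '%d:%i' "$dst")" ]; then
        echo same
    else
        echo different
    fi
}

# Approximation (an assumption, not the script's real code) of the test
# Petr attributes to setup-named-chroot.sh: the bind mount is only set
# up when the destination directory is empty. Dotfiles count as content,
# so a forgotten .bak still blocks the mount. Prints "empty",
# "nonempty" or "missing".
mount_target_state() {
    dir="$1"
    [ -d "$dir" ] || { echo missing; return; }
    if [ -n "$(ls -A "$dir")" ]; then echo nonempty; else echo empty; fi
}

# Compare every host path given against its twin under CHROOT and print
# one line per path. Returns 1 if any path is not the mounted original.
check_chroot_mirror() {
    chroot="$1"; shift
    rc=0
    for p in "$@"; do
        r=$(compare_inode "$p" "$chroot$p")
        printf '%-10s %s\n' "$r" "$p"
        [ "$r" = same ] || rc=1
    done
    return $rc
}

# Usage on the bind-chroot host (as root), with the files from step 6:
#   check_chroot_mirror /var/named/chroot /etc/named.conf \
#       /etc/named.root.key /var/named/named.local /var/named/abc.hosts
#   mount_target_state /var/named/chroot/var/named   # run with named-chroot stopped
```

A "different" result for a zone file is the situation in the thread: a copy under /var/named/chroot/var/named that was written directly, which then prevents the bind mount and hides the real /var/named from the process in the chroot. The mount_target_state check is only meaningful while named-chroot is stopped; once the mount is active the directory shows the contents of /var/named.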
Re: bind-chroot is not re-positioning my forward and reverse tables
On 6/27/21 4:01 PM, Reindl Harald wrote:
> seriously I am beginning to wonder if you should simply give up bind-chroot

Never quit! :-)

> it's not the job of the chroot bind-mount setup to mount each and every file and 'file "abc.hosts.rev"' without any path makes no sense
>
> just write your files where they are expected from the viewpoint of the chroot and ignore "/var/named/chroot" in your configs because it simply doesn't exist from the viewpoint of the process running inside the chroot
>
> anyways, that's not a bind topic at all

Odd, I would have thought that bind-chroot was part of the bind project.

Anyway, I figured it out. I will post it in another reply
Re: bind-chroot is not re-positioning my forward and reverse tables
On 28.06.21 at 00:44, ToddAndMargo via bind-users wrote:
> On 6/27/21 3:40 PM, ToddAndMargo via bind-users wrote:
>> On 6/26/21 7:31 PM, ToddAndMargo via bind-users wrote:
>>> On 6/24/21 9:00 PM, ToddAndMargo via bind-users wrote:
>>>> The goal is to have bind-chroot do its thing
>>>
>>> mount --bind
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1972022#c3
>>>
>>> It is not occurring on my zone files. Is it supposed to?
>>
>> I have moved my zone files to /var/named
>>
>> Mount bind still does not get them. I had to manually copy them over.
>>
>> zone "abc.local" {
>>         type master;
>>         # file "/var/named/chroot/var/named/abc.hosts";
>>         file "abc.hosts";
>>         allow-update { key DHCP_UPDATER; };
>>         # allow-update { 127.0.0.1; };
>> };
>>
>> zone "255.168.192.in-addr.arpa" {
>>         type master;
>>         # file "/var/named/chroot/var/named/abc.hosts.rev";
>>         file "abc.hosts.rev";
>>         allow-update { key DHCP_UPDATER; };
>>         # allow-update { 127.0.0.1; };
>> };
>
> I am beginning to wonder if mount bind does not mount bind your zone files, only /etc/named.conf and named.root.key

seriously I am beginning to wonder if you should simply give up bind-chroot

it's not the job of the chroot bind-mount setup to mount each and every file and 'file "abc.hosts.rev"' without any path makes no sense

just write your files where they are expected from the viewpoint of the chroot and ignore "/var/named/chroot" in your configs because it simply doesn't exist from the viewpoint of the process running inside the chroot

anyways, that's not a bind topic at all
Re: bind-chroot is not re-positioning my forward and reverse tables
On 6/27/21 3:40 PM, ToddAndMargo via bind-users wrote:
> On 6/26/21 7:31 PM, ToddAndMargo via bind-users wrote:
>> On 6/24/21 9:00 PM, ToddAndMargo via bind-users wrote:
>>> The goal is to have bind-chroot do its thing
>>
>> mount --bind
>> https://bugzilla.redhat.com/show_bug.cgi?id=1972022#c3
>>
>> It is not occurring on my zone files. Is it supposed to?
>
> I have moved my zone files to /var/named
>
> Mount bind still does not get them. I had to manually copy them over.
>
> zone "abc.local" {
>         type master;
>         # file "/var/named/chroot/var/named/abc.hosts";
>         file "abc.hosts";
>         allow-update { key DHCP_UPDATER; };
>         # allow-update { 127.0.0.1; };
> };
>
> zone "255.168.192.in-addr.arpa" {
>         type master;
>         # file "/var/named/chroot/var/named/abc.hosts.rev";
>         file "abc.hosts.rev";
>         allow-update { key DHCP_UPDATER; };
>         # allow-update { 127.0.0.1; };
> };

I am beginning to wonder if mount bind does not mount bind your zone files, only /etc/named.conf and named.root.key
Re: bind-chroot is not re-positioning my forward and reverse tables
On 6/26/21 7:31 PM, ToddAndMargo via bind-users wrote:
> On 6/24/21 9:00 PM, ToddAndMargo via bind-users wrote:
>> The goal is to have bind-chroot do its thing
>
> mount --bind
> https://bugzilla.redhat.com/show_bug.cgi?id=1972022#c3
>
> It is not occurring on my zone files. Is it supposed to?

I have moved my zone files to /var/named

Mount bind still does not get them. I had to manually copy them over.

zone "abc.local" {
        type master;
        # file "/var/named/chroot/var/named/abc.hosts";
        file "abc.hosts";
        allow-update { key DHCP_UPDATER; };
        # allow-update { 127.0.0.1; };
};

zone "255.168.192.in-addr.arpa" {
        type master;
        # file "/var/named/chroot/var/named/abc.hosts.rev";
        file "abc.hosts.rev";
        allow-update { key DHCP_UPDATER; };
        # allow-update { 127.0.0.1; };
};
Re: bind-chroot is not re-positioning my forward and reverse tables
On 6/24/21 9:00 PM, ToddAndMargo via bind-users wrote:
> The goal is to have bind-chroot do its thing

mount --bind
https://bugzilla.redhat.com/show_bug.cgi?id=1972022#c3

It is not occurring on my zone files. Is it supposed to?
bind-chroot is not re-positioning my forward and reverse tables
Hi All,

Fedora 34
bind-chroot-9.16.16-1.fc34.x86_64

I am trying to clean up my bind-chroot forward and reverse files. The goal is to have bind-chroot do its thing by duplicating these two files over into /var/named/chroot/var/named/slaves/ with the identical inodes like it does with named.root and named.root.key:

# stat /etc/named.root.key /var/named/chroot/etc/named.root.key
...
  File: /etc/named.root.key
  Inode: 60033354
...
  File: /var/named/chroot/etc/named.root.key
...
  Inode: 60033354

In my /etc/named.conf, I have

zone "abc.local" {
        type master;
        # file "/var/named/chroot/var/named/slaves/abc.hosts";
        file "slaves/abc.hosts";
        allow-update { key DHCP_UPDATER; };
};

zone "255.168.192.in-addr.arpa" {
        type master;
        # file "/var/named/chroot/var/named/slaves/abc.hosts.rev";
        file "slaves/abc.hosts.rev";
        allow-update { key DHCP_UPDATER; };
};

After I stopped
# systemctl start named-chroot

I copied and moved the following:

Before:
# find /var/named/ -iname abc.hosts\*
/var/named/chroot/var/named/slaves/abc.hosts.000
/var/named/chroot/var/named/slaves/abc.hosts.rev.000

# cp /var/named/chroot/var/named/slaves/abc.hosts /var/named/chroot/var/named/slaves/abc.hosts.000
# mv /var/named/chroot/var/named/slaves/abc.hosts .
# cp /var/named/chroot/var/named/slaves/abc.hosts.rev /var/named/chroot/var/named/slaves/abc.hosts.rev.000
# mv /var/named/chroot/var/named/slaves/abc.hosts.rev .
# find /var/named/ -iname abc.hosts*

After:
# find /var/named/ -iname abc.hosts\*
/var/named/slaves/abc.hosts.rev
/var/named/slaves/abc.hosts
/var/named/chroot/var/named/slaves/abc.hosts.000
/var/named/chroot/var/named/slaves/abc.hosts.rev.000

But when I restarted named-chroot, my great plans got dashed:

# systemctl start named-chroot
...
Jun 24 20:35:45 rn6.abc.local bash[83464]: zone abc.local/IN: loading from master file /slaves/abc.hosts faile>
Jun 24 20:35:45 rn6.abc.local bash[83464]: zone abc.local/IN: not loaded due to errors.
Jun 24 20:35:45 rn6.abc.local bash[83464]: _default/abc.local/IN: file not found
Jun 24 20:35:45 rn6.abc.local bash[83464]: zone 255.168.192.in-addr.arpa/IN: loading from master file /slaves/abc.host>
Jun 24 20:35:45 rn6.abc.local bash[83464]: zone 255.168.192.in-addr.arpa/IN: not loaded due to errors.
Jun 24 20:35:45 rn6.abc.local bash[83464]: _default/255.168.192.in-addr.arpa/IN: file not found
Jun 24 20:35:45 rn6.abc.local bash[83464]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700

named-chroot can't find abc.hosts or abc.hosts.rev in /var/named/chroot/var/named/slaves

And in case they got copied to somewhere else I did another find:

# find /var/named/ -iname abc.hosts\*
/var/named/slaves/abc.hosts.rev
/var/named/slaves/abc.hosts
/var/named/chroot/var/named/slaves/abc.hosts.000
/var/named/chroot/var/named/slaves/abc.hosts.rev.000

No change.

What am I missing?

Many thanks,
-T