Hello all together,
I am not quite sure if I should open a bug report or not, as I am not sure if this issue is only me or if others are struggling too. So let me explain: I set up two Debian 10 (buster) servers according to The Perfect Server guide and installed ISP3.2 in a multi-server environment. As described in the tutorial, I used bind as a DNS server; it is installed on both servers to use one as a master and one as a slave server. When I was testing this last weekend I stumbled on a strange behavior from the slave server: the server showed me in the bind logs that the service did not have permission to write to "/etc/bind/slave/", even though the service user has read and write permission. After a lot of troubleshooting with the folder permissions I found out that since Debian Buster, AppArmor is installed and activated by default. After adding the path to the bind section it was working. So my question is: am I the only one that has this issue, or is this a general issue on Debian 10?
Greetings, chnoeli
Information:
OS Release: Debian Buster 10
ISPConfigVersion: ISPConfig Version: 3.2
Bind version: 9.11.5.P4+dfsg-5.1+deb10u2
Apparmor version: 2.13.2-10
I was not aware that buster activates apparmor by default. I should have read the docs: https://wiki.debian.org/AppArmor/HowToUse But your issue can not be common. I'm sure ISPConfig has been installed on a thousand buster hosts, and I have not seen complaints like yours so far. Are you sure you set up the multiserver setup correctly, following the ISPConfig Manual?
I have followed the tutorial to the best of my knowledge. As far as I know, nothing has to be changed manually in the bind configs during the installation, therefore I was surprised that it did not work.
Bind configs do not need changing manually. That is a bit strange. How did you set up the two bind servers? Have you purchased the ISPConfig Manual? https://www.ispconfig.org/documentation/user-manual/ Following that, the second DNS server is set up as a mirror of the first, and no bind configuration editing is needed. If, however, you set the name servers up the usual BIND way by editing configuration files so one is master and the other is slave, then you need to edit the configurations. My signature has a link to a DNS tutorial.
May you please post the changes that you have to make in the AppArmor config, so we can add them to the perfect server guide?
I saw the same behaviour last week but didn't look into it yet. This happens on both my Ubuntu 20.04 and Debian 10 DNS slave servers:
Code:
Nov 06 13:37:51 hostname named[652]: dumping master file: /etc/bind/slave/tmp-CNkL5x4sBs: open: permission denied
Listing with permissions of the folder:
Code:
ls -l /etc/bind
total 56
-rw-r--r-- 1 root root 2761 Aug 25 10:10 bind.keys
-rw-r--r-- 1 root root  237 Aug 25 10:10 db.0
-rw-r--r-- 1 root root  271 Aug 25 10:10 db.127
-rw-r--r-- 1 root root  237 Aug 25 10:10 db.255
-rw-r--r-- 1 root root  353 Aug 25 10:10 db.empty
-rw-r--r-- 1 root root  270 Aug 25 10:10 db.local
-rw-r--r-- 1 root bind  463 Aug 25 10:10 named.conf
-rw-r--r-- 1 root bind  498 Aug 25 10:10 named.conf.default-zones
-rw-r--r-- 1 root bind 5792 Nov  5 17:37 named.conf.local
-rw-r--r-- 1 root bind  976 Oct 17 13:42 named.conf.options
-rw-r----- 1 bind bind   77 Oct 17 13:39 rndc.key
drwxrws--- 3 root bind 4096 Oct 30 15:50 slave
-rw-r--r-- 1 root root 1317 Aug 25 10:10 zones.rfc1918
Slave folder:
Code:
ls -la /etc/bind/slave
total 12
drwxrws--- 3 root bind 4096 Oct 30 15:50 .
drwxr-sr-x 3 root bind 4096 Nov  5 12:31 ..
drwxr-s--- 2 root bind 4096 Oct 30 15:50 sec.
I added:
Code:
"/etc/bind/slave/** rw,"
to the bind9 apparmor config:
Code:
/etc/apparmor.d/usr.sbin.named
well, that's odd, dunno about the debian guides, but the ubuntu perfect server guides specifically state to disable and remove apparmor, right near the start of the install process. i've only installed from scratch though, maybe a dist-upgrade from 18.04 to 20.04 re-installs and re-enables apparmor?
It seems like AppArmor isn't causing it, as I have removed AppArmor when installing that Ubuntu server and the issue still exists.
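Added example, not part of any post in this thread: one way to check whether AppArmor is what blocks named, by pulling `apparmor="DENIED"` audit records out of kernel log or audit.log text and listing the directories and access letters denied to the bind profile. The sample log lines are constructed (only the temp file name comes from the log line posted above), and the profile name `/usr/sbin/named` is an assumption; use whatever the `profile=` field shows on the host.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample log text (not taken from the thread's servers).
SAMPLE_LOG = """\
Nov 06 13:37:51 hostname kernel: audit: type=1400 audit(1604669871.101:41): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/slave/tmp-CNkL5x4sBs" pid=652 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=109 ouid=109
Nov 06 13:37:51 hostname named[652]: dumping master file: /etc/bind/slave/tmp-CNkL5x4sBs: open: permission denied
Nov 06 13:38:02 hostname kernel: audit: type=1400 audit(1604669882.455:42): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/slave/sec.example.test" pid=652 comm="isc-worker0001" requested_mask="wc" denied_mask="wc" fsuid=109 ouid=109
Nov 06 13:39:10 hostname kernel: audit: type=1400 audit(1604669950.007:43): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/example" pid=700 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value or key="quoted value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of fields per AppArmor DENIED audit record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # ordinary daemon messages carry no AppArmor verdict
        records.append({k: (q or u) for k, q, u in FIELD.findall(line)})
    return records


def denied_dirs(text, profile="/usr/sbin/named"):
    """Map each directory the profile was denied in to the denied access letters."""
    result = defaultdict(set)
    for rec in parse_denials(text):
        if rec.get("profile") != profile or "name" not in rec:
            continue
        parent = str(PurePosixPath(rec["name"]).parent)
        result[parent].update(rec.get("denied_mask", ""))
    return dict(result)


if __name__ == "__main__":
    for directory, masks in sorted(denied_dirs(SAMPLE_LOG).items()):
        print(directory, "".join(sorted(masks)))
```

An empty result while named still logs "permission denied" means no AppArmor denial was recorded for that profile in the text examined, so ownership and mode bits are the next thing to check.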