Ubuntu Hardy chrooted bind9 fails to start

Discussion in 'Server Operation' started by Djamu, Mar 25, 2008.

  1. Djamu

    Djamu New Member

    Ubuntu Hardy chrooted bind9 fails to start > FIXED

    Preparing to move my server to LTS Ubuntu Hardy, just testing using vmware
    I've found a weird issue while chrooting bind. ( following The Perfect Server Setup )
    So I guess this will popup sooner or later anyway...

    What I did so far -all as root-:

    Code:
    apt-get install bind9
    /etc/init.d/bind9 stop
    
    changed 1st line of /etc/default/bind9
    Code:
    vim /etc/default/bind9
    > changed first line to > OPTIONS="-u bind -t /var/lib/named"
    
    creating some directories & a link to move /etc/bind to /var/lib/named/etc/bind
    creating null & random devices
    fixing permissions
    Code:
    mkdir -p /var/lib/named/etc
    mkdir /var/lib/named/dev
    mkdir -p /var/lib/named/var/cache/bind
    mkdir -p /var/lib/named/var/run/bind/run
    mv /etc/bind /var/lib/named/etc
    ln -s /var/lib/named/etc/bind /etc/bind
    mknod /var/lib/named/dev/null c 1 3
    mknod /var/lib/named/dev/random c 1 8
    chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
    chown -R bind:bind /var/lib/named/var/*
    chown -R bind:bind /var/lib/named/etc/bind
    
    fixed /etc/default/syslogd
    Code:
    vim /etc/default/syslogd
    > SYSLOGD="-a /var/lib/named/dev/log"
    
    This has always worked in the past.. but doesn't on Hardy 8.04

    if I try to start > /etc/bind9 start it simply fails
    stopping it >
    Code:
     rndc: connect failed: 127.0.0.1#953: connection refused
    
    vim /var/log/syslog reveals

    Code:
    Mar 25 08:06:57 hardy-server named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
    Mar 25 08:06:57 hardy-server named[11824]: found 1 CPU, using 1 worker thread
    Mar 25 08:06:57 hardy-server named[11824]: loading configuration from '/etc/bind/named.conf'
    Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied
    Mar 25 08:06:57 hardy-server named[11824]: loading configuration: permission denied
    Mar 25 08:06:57 hardy-server named[11824]: exiting (due to fatal error)
    Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
    Anybody any idea? I've checked permissions, locations.... and with feisty / gutsy this just worked...

    thx..
     
    Last edited: Apr 2, 2008
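    Added example (not from the thread): a small Python parser over syslog lines like the ones quoted above. named's own "permission denied" reads the same whether plain file ownership/mode or AppArmor refused the open(); only the kernel audit record names the profile and the real path outside the chroot, so the parser uses that record to tell the two cases apart. The sample lines are constructed from the excerpts in this thread.

```python
import re

# Constructed samples modelled on the two syslog excerpts quoted in this thread.
SAMPLE_MAC = [
    "Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied",
    'Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" '
    'request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 '
    'profile="/usr/sbin/named" namespace="default"',
]
SAMPLE_DAC_ONLY = [
    "Dec 21 14:00:54 wonder named[6828]: none:0: open: /etc/bind/named.conf: permission denied",
    "Dec 21 14:00:54 wonder named[6828]: exiting (due to fatal error)",
]

# Kernel audit record written by AppArmor (Ubuntu 8.04 format): key="value" pairs after audit(...):
AUDIT_RE = re.compile(r'kernel: .*audit\([^)]*\): (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# named's own complaint; it looks identical whether DAC or AppArmor refused the open()
NAMED_RE = re.compile(r'named\[\d+\]: .*open: (?P<path>\S+): permission denied')


def parse_denials(lines):
    """One record per denial. AppArmor audit records carry the real (outside-chroot)
    path and the profile name; named's lines only carry the chroot-relative path."""
    found = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            f = dict(KV_RE.findall(m.group("kv")))
            if "denied_mask" in f:
                found.append({"source": "apparmor", "profile": f.get("profile"),
                              "path": f.get("name"), "denied": f["denied_mask"].rstrip(":")})
            continue
        m = NAMED_RE.search(line)
        if m:
            found.append({"source": "named", "path": m.group("path")})
    return found


def diagnose(lines):
    """Return ('apparmor' | 'dac' | 'none', explanation) for a batch of syslog lines."""
    mac = [d for d in parse_denials(lines) if d["source"] == "apparmor"]
    dac = [d for d in parse_denials(lines) if d["source"] == "named"]
    if mac:
        d = mac[0]
        return "apparmor", f"profile {d['profile']} denied '{d['denied']}' on {d['path']}; fix the profile"
    if dac:
        return "dac", f"no AppArmor record: check owner/mode of {dac[0]['path']} inside the chroot"
    return "none", "no denial found"
```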
  2. topdog

    topdog Active Member

    As you can see from the error messages, this is a permissions issue: the config file cannot be read by named.
     
  3. topdog

    topdog Active Member

    Come to think of it, looking at the last line, it could be apparmor that is blocking access to the file.
     
  4. Djamu

    Djamu New Member

    :eek:
    Woohoo, cool, that was it. After purging this package it worked. Obviously this is not the way to do this, but now I know for certain... apparmor is something new on ubuntu, wasn't aware of it... I'll take a look in the Suse community for a decent manual.

    thank you,
     
  5. Djamu

    Djamu New Member

    Fixed

    here's the fix, don't know if it makes much sense to chroot and use apparmor at the same time.. guess there's no harm either...

    follow above described procedure & end with

    Code:
    vim /etc/apparmor.d/usr.sbin.named
    and change marked lines

    Code:
    # vim:syntax=apparmor
    # Last Modified: Fri Jun  1 16:43:22 2007
    #include <tunables/global>
    
    /usr/sbin/named {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      capability net_bind_service,
      capability setgid,
      capability setuid,
      capability sys_chroot,
    
      # Dynamic updates needs zone and journal files rw. We just allow rw for all
      # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
      /var/lib/named/etc/bind/* rw,
    
      /proc/net/if_inet6 r,
      /usr/sbin/named mr,
      /var/cache/bind/* rw,
      /var/lib/named/var/run/bind/run/named.pid w,
      # /var/run/bind/run/named.pid w,
      # support for resolvconf
      /var/lib/named/var/run/bind/named.options r,
      # /var/run/bind/named.options r,
    
    # add also following lines thanks to Spezi2u
      /var/lib/named/dev/null rw,
      /var/lib/named/dev/random rw,
    
    }
    don't forget to (re)start services

    Code:
    /etc/init.d/sysklogd restart
    /etc/init.d/apparmor start
    /etc/init.d/bind9 start
    
    :p
     
    Last edited: Apr 29, 2008
  6. topdog

    topdog Active Member

    I wonder why they would ship a policy that does not work. I'm not sure if it will work in the chroot, as most MAC systems use the real file path. Test if you can and let us know.
     
  7. Djamu

    Djamu New Member

    Well, the policy did work until I moved & chrooted it... so IMHO that makes sense, because that's part of what apparmor is supposed to do ( my rudimentary understanding of creating a hat ).
    I used a symbolic link for all libraries that have paths hard coded ( if I understand you correctly ); Bind seems to behave properly, so until now all is well.

    I still don't know if there's a point in using chrooting & apparmor at the same time, as it might as well weaken security instead of additional hardening...

    If someone knows of a deprecated package with known weaknesses I might be able to test those in this kind of environment ( why aren't there 48h days ).

    But before that I have to solve another issue with compiling the ISPconfig package, as it's complaining about wrong syntaxes in an empty httpd.conf :rolleyes: ...
     
  8. Spezi2u

    Spezi2u New Member

    Still some problems

    Thanks for the help on apparmor. I have noticed that bind will still not access the random device, and apparmor seems to go out of the chroot jail and take the old one, so I have just added two lines at the end of

    /etc/apparmor.d/usr.bin.named

    Code:
    [...]
      /var/lib/named/dev/null rw,
      /var/lib/named/dev/random rw,
    [...]  
    
    that seemed to do the trick. Bind starts perfectly now.
     
  9. Djamu

    Djamu New Member

    K thx, didn't notice yet ( stopped working on it ), pretty busy debugging a bogus driver..
    I'll add it to the howto...
     
  10. omni

    omni New Member

    I just ran into this problem as well after upgrading to 8.04LTS also and this fixed it perfectly!

    Thanks for the info guys!
     
  11. Spezi2u

    Spezi2u New Member

    just one more little thing ...

    if you happen to put your local zones in a subdirectory of i.e. /etc/bind don't forget to add all dirs into the apparmor file.

    Code:
    [...]
    
    /etc/bind/zones/*  rw,
    /etc/bind/zones/external/* rw,
    /etc/bind/zones/internal/* rw,
    
    [...]
    
    ...have fun.
    Michael
     
  12. Spezi2u

    Spezi2u New Member

    sorry ...

    ... I think I am still on WE. The last post should be reading:

    Code:
    [...]
    
    /var/lib/named/etc/bind/zones/* rw,
    /var/lib/named/etc/bind/zones/external/* rw,
    /var/lib/named/etc/bind/zones/internal/* rw,
    
    [...]
    
     
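    Why Spezi2u's extra lines are needed: in AppArmor file rules `*` does not cross a `/`, so `/var/lib/named/etc/bind/* rw,` leaves anything under `zones/` uncovered, whereas `**` matches across directories. Added example, not code from the thread: it implements simplified AppArmor glob matching (an assumption of this example: no variables, alternations or #include expansion) over a constructed profile body and a constructed list of files the chrooted named touches, and reports which paths the profile does not fully grant.

```python
import re

# Simplified AppArmor file-rule matching (assumption of this example): no variables,
# alternations or #include expansion, just the path globs used in this thread.
RULE_RE = re.compile(r'^\s*(?P<path>/\S+)\s+(?P<mode>[a-zA-Z]+),\s*$')

# Constructed profile body: Djamu's rules before Spezi2u's zone-subdirectory additions.
PROFILE = """/usr/sbin/named {
  /var/lib/named/etc/bind/* rw,
  /usr/sbin/named mr,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}"""
# Files the chrooted named touches (constructed), with the access each needs.
NEEDS = {
    "/var/lib/named/etc/bind/named.conf": "r",
    "/var/lib/named/etc/bind/zones/external/db.example": "rw",
    "/var/lib/named/dev/random": "r",
    "/var/lib/named/var/run/bind/run/named.pid": "w",
}

def glob_to_regex(path_glob):
    """AppArmor globbing: '*' stays inside one path component, '**' crosses '/'."""
    out, i = "", 0
    while i < len(path_glob):
        if path_glob.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            c = path_glob[i]
            out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            i += 1
    return re.compile("^" + out + "$")

def parse_rules(profile_text):
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group("path")), set(m.group("mode"))))
    return rules

def uncovered(profile_text, needs):
    """Map each needed path to the permission letters no rule grants it."""
    rules, missing = parse_rules(profile_text), {}
    for path, mode in needs.items():
        granted = set().union(*(perms for rx, perms in rules if rx.match(path)))
        if not set(mode) <= granted:
            missing[path] = "".join(sorted(set(mode) - granted))
    return missing
```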
  13. ahsamuel

    ahsamuel New Member

    for some reason, it doesn't work here..

    i even copied the whole sample into my file.

    only when i stop apparmor it works again.

    any ideas?

    ubuntu 8.04 perfect server + ispconfig etc.

    thank you
     
  14. falko

    falko Super Moderator ISPConfig Developer

  15. ahsamuel

    ahsamuel New Member

    thank you, i must have overread this line... :eek:
     
  16. Djamu

    Djamu New Member

    Do you mind telling why that is ( aside from the troubles with installing ISPconfig )?

    Shouldn't that line then read as > It's strongly recommended to disable AppArmor when installing ISPconfig....

    Currently I have no troubles whatsoever keeping it installed...

    I do have some thoughts on the combination chroot / apparmor as it might well be that instead of adding security, security might get actually weaker. A simple " it's recommended " definitely won't do for an answer....

    :)
     
    Last edited: May 24, 2008
  17. brokenshadows

    brokenshadows New Member

    I still can't get bind9 to start...I've tried the suggestions in this post as well as several others I've found and I'm still getting a permission denied error...

    the biggest problem is that I've been using linux for about a week now, so I still know enough to barely fill a thimble-full

    the other thing I noticed is that even though I followed falko's instructions on disabling apparmor, it restarts every time I reboot the machine...but I don't think the bind9 error has anything to do with apparmor considering the error is the same whether apparmor is running or not

    I know...I probably sound like an idiot...but I'm a confused idiot and would love a little help here :p
     
  18. Djamu

    Djamu New Member

    k.
    well I suggest continuing learning linux coz it's a wonderful thing...
    ...
    now, your problem at hand...
    the chances of getting proper help on the forums grows as you provide good info..
    so before anything else > what Linux flavour are you using ( they all differ a little > places of configs / commands etc... )
    are you familiar with file permissions ( does 777 / 644 ring a bell ? )
    owner permissions ? ( not all users can run all services )...
    I've got to go for a couple of hours, but will be back in 2-3 from now on


    :)
     
  19. docfx

    docfx New Member

    Bind9 still failing...

    Installed Hardy updated to 8.04.1LTS w/LVM

    All was well,
    Code:
    Dec 20 16:21:14 wonder named[31642]: starting BIND 9.4.2-P2 -u bind
    Dec 20 16:21:14 wonder named[31642]: found 1 CPU, using 1 worker thread
    Dec 20 16:21:14 wonder named[31642]: loading configuration from '/etc/bind/named.conf'
    Dec 20 16:21:14 wonder named[31642]: listening on IPv6 interfaces, port 53
    then I started going thru the Howtoforge "perfect server" tutorial. Got to the part where bind gets chrooted and...

    Bind 9 fails - acc'd to /var/log/syslog:
    Code:
    Dec 21 14:00:54 wonder named[6828]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
    Dec 21 14:00:54 wonder named[6828]: found 1 CPU, using 1 worker thread
    Dec 21 14:00:54 wonder named[6828]: loading configuration from '/etc/bind/named.conf'
    Dec 21 14:00:54 wonder named[6828]: none:0: open: /etc/bind/named.conf: permission denied
    Dec 21 14:00:54 wonder named[6828]: loading configuration: permission denied
    Dec 21 14:00:54 wonder named[6828]: exiting (due to fatal error)
    Have tried it, per the tutorial ( w/ AppArmor disabled/purged ) as well as per Ubuntu Forum ( ubuntuforums.org/showthread.php?t=735188&highlight=bind9+fail ).

    AppArmor is currently running and my usr.sbin.named is:
    Code:
    # vim:syntax=apparmor
    # Last Modified: Fri Jun  1 16:43:22 2007
    #include <tunables/global>
    
    /usr/sbin/named {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      capability net_bind_service,
      capability setgid,
      capability setuid,
      capability sys_chroot,
    
      # /etc/bind should be read-only for bind
      # /var/lib/bind is for dynamically updated zone (and journal) files.
      # /var/cache/bind is for slave/stub data, since we're not the origin of it.
      # See /usr/share/doc/bind9/README.Debian.gz
      # /etc/bind/** r,
    
      # Dynamic updates needs zone and journal files rw. We just allow rw for all
      # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
      /var/lib/named/etc/bind/* rw,
    
      # if local zones are in a subdirectory
      /var/lib/named/etc/bind/zones/* rw,
      /var/lib/named/etc/bind/zones/external/* rw,
      /var/lib/named/etc/bind/zones/internal/* rw,
    
      /var/lib/bind/** rw,
      /var/lib/bind/ rw,
      /var/cache/bind/** rw,
      /var/cache/bind/ rw,
    
      # some people like to put logs in /var/log/named/
      /var/log/named/** rw,
    
      # dnscvsutil package
      /var/lib/dnscvsutil/compiled/** rw,
    
      /proc/net/if_inet6 r,
      /usr/sbin/named mr,
      /var/lib/named/var/run/bind/run/named.pid w,
      #/var/run/bind/run/named.pid w,
      # support for resolvconf
      /var/lib/named/var/run/bind/named.options r,
      #/var/run/bind/named.options r,
    
    # add also following lines thanks to Spezi2u
      /var/lib/named/dev/null rw,
      /var/lib/named/dev/random rw,
    
    }
    Contents of /etc/bind/ aka /var/lib/named/etc/bind/ are:
    Code:
    -rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.0
    -rw-r--r-- 1 bind bind  271 2008-04-09 15:44 db.127
    -rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.255
    -rw-r--r-- 1 bind bind  353 2008-04-09 15:44 db.empty
    -rw-r--r-- 1 bind bind  270 2008-04-09 15:44 db.local
    -rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
    -rw-r--r-- 1 bind bind  907 2008-04-09 15:44 named.conf
    -rw-r--r-- 1 bind bind  165 2008-04-09 15:44 named.conf.local
    -rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
    -rw------- 1 root root  695 2008-12-21 13:51 named.conf.options~
    -rw-r----- 1 bind bind   77 2008-05-26 17:26 rndc.key
    -rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918
    and still bind9 refuses to start from CLI or during reboot... It doesn't seem to make any difference if I use OPTIONS="-u bind -t /var/lib/named" or OPTIONS="-u bind".

    Any suggestions would be greatly appreciated.
     
  20. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    ls -la /var/lib/named/etc/bind
    , and what's in named.conf?
     