As I indicated in the previous, /etc/bind is symlinked to /var/lib/named/bind/, so...

Code:
root@wonder:/var/lib/named/etc/bind# ls -la
total 56
drwxr-sr-x 2 root root 4096 2008-12-21 13:51 .
drwx------ 3 root root 4096 2008-12-20 16:23 ..
-rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.0
-rw-r--r-- 1 bind bind  271 2008-04-09 15:44 db.127
-rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.255
-rw-r--r-- 1 bind bind  353 2008-04-09 15:44 db.empty
-rw-r--r-- 1 bind bind  270 2008-04-09 15:44 db.local
-rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
-rw-r--r-- 1 bind bind  907 2008-04-09 15:44 named.conf
-rw-r--r-- 1 bind bind  165 2008-04-09 15:44 named.conf.local
-rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
-rw------- 1 root root  695 2008-12-21 13:51 named.conf.options~
-rw-r----- 1 bind bind   77 2008-05-26 17:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918

named.conf is virgin:

Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

I have not yet modified named.conf.local, but I have made mods to named.conf.options (using the bind acls/options from the current RH webserver, which will be retired when I get this box up). However, bind9 is/was failing on this chrooted setup before I did anything to options. Nevertheless:

Code:
// acls added TB 12.21.2008
acl "xfer" {
        127.0.0.1;              //localhost
        localhost;
        192.168.5.11;           //temp new wonder IP
        69.54.194.91;           //wonder.what-if.com
        69.54.194.92;           //imagine.what-if.com
};

acl "trusted" {
        127.0.0.1;              //localhost
        localhost;
        192.168.5.11;           //temp new wonder IP
        66.255.223.103;         //local IFI netw
        69.54.194.91;           //wonder.what-if.com
        69.54.194.92;           //imagine.what-if.com
};

acl "bogon" {
        // Filter out the bogon networks.  These are networks
        // listed by IANA as test, RFC1918, Multicast, experi-
        // mental, etc.  If you see DNS queries or updates with
        // a source address within these networks, this is likely
        // of malicious origin.  CAUTION: If you are using RFC1918
        // netblocks on your network, remove those netblocks from
        // this list of blackhole ACLs!
        // NB (editor's comment): a static bogon list goes stale as IANA
        // allocates /8s; 1/8, 2/8, 5/8, 197/8 and 223/8 below have since
        // been allocated, so a list like this must be maintained or it
        // blackholes legitimate clients.
        0.0.0.0/8;
        1.0.0.0/8;
        2.0.0.0/8;
        5.0.0.0/8;
        ...
        197.0.0.0/8;
        223.0.0.0/8;
        224.0.0.0/3;
};

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        // additional options TB 12.21.2008
        check-names master ignore;
        check-names response ignore;
        check-names slave warn;
        version "<Phhhhhbbt!>";
        notify yes;
        allow-recursion { trusted; };
        allow-transfer { xfer; };
        // NB (editor's comment): allow-query at options level also applies to
        // zones this server is authoritative for; zones that the public must
        // resolve need their own allow-query { any; } in the zone statement.
        allow-query { trusted; };
        blackhole { bogon; };
};
still no go

Thanks, but no difference... bind still fails.

Code:
root@wonder:/var/lib/named# ls -la
total 20
drwx------  5 root root 4096 2008-12-20 16:23 .
drwxr-xr-x 33 root root 4096 2008-12-21 12:50 ..
drwx------  2 root root 4096 2008-12-21 13:05 dev
drwxr-xr-x  3 root root 4096 2008-12-20 16:23 etc
drwx------  4 root root 4096 2008-12-20 16:23 var

syslog:

Code:
Dec 23 09:04:27 wonder named[10310]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 09:04:27 wonder named[10310]: found 1 CPU, using 1 worker thread
Dec 23 09:04:27 wonder named[10310]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:04:27 wonder named[10310]: none:0: open: /etc/bind/named.conf: permission denied
Dec 23 09:04:27 wonder named[10310]: loading configuration: permission denied
Dec 23 09:04:27 wonder named[10310]: exiting (due to fatal error)

More ideas for me to check?
more info

Just for grins, I also tried chmod 755 /var/lib/named. Bind still failed, but now with new errors:

Code:
Dec 23 09:11:24 wonder named[10340]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 09:11:24 wonder named[10340]: found 1 CPU, using 1 worker thread
Dec 23 09:11:24 wonder named[10340]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:11:24 wonder named[10340]: /etc/bind/named.conf.options:93: change directory to '/var/cache/bind' failed: permission denied
Dec 23 09:11:24 wonder named[10340]: /etc/bind/named.conf.options:93: parsing failed
Dec 23 09:11:24 wonder named[10340]: loading configuration: permission denied
Dec 23 09:11:24 wonder named[10340]: exiting (due to fatal error)

/var is owned 755 root:root, /var/cache is 755 root:root, and /var/cache/bind is 755 bind:bind (also tried 755 root:bind for the last dir, but bind still failed).

/etc/apparmor.d/usr.sbin.named shows:

Code:
  # Dynamic updates needs zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,
  # if local zones are in a subdirectory
  /var/lib/named/etc/bind/zones/* rw,
  /var/lib/named/etc/bind/zones/external/* rw,
  /var/lib/named/etc/bind/zones/internal/* rw,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/lib/named/var/run/bind/run/named.pid w,
  #/var/run/bind/run/named.pid w,
  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  #/var/run/bind/named.options r,
  # add also following lines thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
ok... a bit more info

I tried commenting out the original default directory string in named.conf.options. Bind still fails, but with this error now...

Code:
Dec 23 10:37:19 wonder named[10423]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 10:37:19 wonder named[10423]: found 1 CPU, using 1 worker thread
Dec 23 10:37:19 wonder named[10423]: loading configuration from '/etc/bind/named.conf'
Dec 23 10:37:19 wonder named[10423]: listening on IPv6 interfaces, port 53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: D.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: command channel listening on 127.0.0.1#953
Dec 23 10:37:19 wonder named[10423]: command channel listening on ::1#953
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:37:19 wonder named[10423]: using pre-chroot entropy source /dev/random
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: exiting (due to early fatal error)

Permissions for /var/run/bind/run are:

Code:
drwxrwxr-x 2 root bind 40 2008-12-20 17:19 run

and permissions for /dev/random are:

Code:
crw-rw-rw- 1 root root 1, 8 2008-12-20 17:18 random

and per the perfect server tutorial, I had made both the null and random devices in /var/lib/named/dev/. Permissions here are:

Code:
srw-rw-rw- 1 root root 0 2008-12-21 13:05 log
crw-rw-rw- 1 root root 1, 3 2008-12-20 16:24 null
crw-rw-rw- 1 root root 1, 8 2008-12-20 16:24 random
I think it's fixed...

ok... by commenting out the original directory string in named.conf.options (directory "/var/cache/bind"), I eliminated that error, but I no longer was specifying where the zone files are... so, chmod 755 /var/lib/named/var/cache/bind, /var/lib/named/cache fixed the error, but I was still getting errors regarding entropy /dev/random and named.pid...

Code:
Dec 23 10:37:19 wonder named[10423]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 10:37:19 wonder named[10423]: found 1 CPU, using 1 worker thread
Dec 23 10:37:19 wonder named[10423]: loading configuration from '/etc/bind/named.conf'
Dec 23 10:37:19 wonder named[10423]: listening on IPv6 interfaces, port 53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: D.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: command channel listening on 127.0.0.1#953
Dec 23 10:37:19 wonder named[10423]: command channel listening on ::1#953
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:37:19 wonder named[10423]: using pre-chroot entropy source /dev/random
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: exiting (due to early fatal error)

chmod 755 to /var/lib/named/dev/ seems to fix the 'entropy source' error... (/dev/random is actually /var/lib/named/dev/random due to chroot)

Code:
Dec 23 11:07:29 wonder named[10480]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 11:07:29 wonder named[10480]: found 1 CPU, using 1 worker thread
Dec 23 11:07:29 wonder named[10480]: loading configuration from '/etc/bind/named.conf'
Dec 23 11:07:29 wonder named[10480]: listening on IPv6 interfaces, port 53
Dec 23 11:07:29 wonder named[10480]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 11:07:29 wonder named[10480]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: D.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: command channel listening on 127.0.0.1#953
Dec 23 11:07:29 wonder named[10480]: command channel listening on ::1#953
Dec 23 11:07:29 wonder named[10480]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 11:07:29 wonder named[10480]: exiting (due to early fatal error)

chmod 755 to /var/lib/named/var/run/bind/, /var/lib/named/var/run/, and finally /var/lib/named/var/ eliminated the 'permission denied' error for named.pid (again, /var/run/bind/run/named.pid is actually /var/lib/named/var/run/bind/run/named.pid due to chroot)

Code:
Dec 23 11:14:37 wonder named[10604]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 11:14:37 wonder named[10604]: found 1 CPU, using 1 worker thread
Dec 23 11:14:37 wonder named[10604]: loading configuration from '/etc/bind/named.conf'
Dec 23 11:14:37 wonder named[10604]: listening on IPv6 interfaces, port 53
Dec 23 11:14:37 wonder named[10604]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 11:14:37 wonder named[10604]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: D.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: command channel listening on 127.0.0.1#953
Dec 23 11:14:37 wonder named[10604]: command channel listening on ::1#953
Dec 23 11:14:37 wonder named[10604]: zone 0.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone 127.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone 255.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone localhost/IN: loaded serial 2
Dec 23 11:14:37 wonder named[10604]: running

So is this unique to my install... did I miss a permissions step somewhere in the tutorial... should this be added to the 'perfect server' tutorial?
but...

While I appreciate your views/opinion on AppArmor, the problem started with chrooting bind. I did, indeed, follow the steps exactly by stopping and purging AppArmor from the system. With AppArmor purged AND later with it re-installed (with the appropriate lines added to the AppArmor named profile), at NO point did I get any error suggesting it was related to AppArmor, i.e.:

Code:
... kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"

However, under both scenarios, I only obtained syslog errors directly related to and fixed by assigning 755 permissions to the chrooted directories created in step #13, page #4 of the tutorial (specifically those in /var/lib/named/...).

In ferreting through the various threads, it seems an equal number trying the tutorial run into either the AppArmor errors OR the same Bind9 permission errors, i.e.:

Code:
... named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
... named[11824]: found 1 CPU, using 1 worker thread
... named[11824]: loading configuration from '/etc/bind/named.conf'
... named[11824]: none:0: open: /etc/bind/named.conf: permission denied
... named[11824]: loading configuration: permission denied
... named[11824]: exiting (due to fatal error)

Which is why I posted the permission issues I found on a virgin install. Bind9 failed in the same way when the server was gutted, AppArmor stopped/purged, and rebooted as when AppArmor was re-installed and correctly configured, so I'm not thinking it is/was an AppArmor issue. AppArmor may well get purged before I'm done setting up the server completely, but I don't think the issues with chrooting bind can all be dismissed with AppArmor as the sole culprit.
Hi there, I was away for a while (Christmas & stuff). Did you get to fix it? I mostly dumped the ubuntu-server crap in favor of plain Debian, and on the one server that still has it I purged (apt-get purge package) apparmor... (but I still do use Ubuntu as a desktop). Anyway, if you still need assistance... Happy Christmas & NY to all...
Yes, my issue with bind is fixed; see http://www.howtoforge.com/forums/showthread.php?t=21699&page=3. Mine appeared NOT to be AppArmor related, but directory permissions not specified to be changed in the perfect server tutorial.
I just solved a similar issue, not so much regarding permissions, but when you chroot bind to a new directory such as /var/lib/named, then bind considers /var/lib/named as its new root home directory. In other words, in the config files, if you set /var/named/... for any files, it ignores the /var/lib/named/ as it considers that its root. So any new configuration files or the named.pid file must all be in the same directory structure within /var/lib/named.

My issue was getting an error: "couldn't open pid file '/var/run/bind/run/named.pid': No such file or directory", yet that directory existed in the literal structure of /var/run/bind/run but NOT in /var/lib/named/var/run/bind/run.

Once I created this structure within /var/lib/named and set the permissions, all was right with the world again. I hope this helps others.
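The two failure modes this thread runs into (a path that exists outside the chroot but not inside it, and a chroot directory tree that the bind user cannot traverse because /var/lib/named, /var/lib/named/var or /var/lib/named/dev is mode 700 root:root) can both be checked before starting named. The script below is an added example, not code from the thread or from the tutorial it follows: chroot_path maps a path as written in named.conf to where it lands on disk once named has chrooted, and check_reachable walks every component of that path and reports the ones the bind user could not pass. It models only DAC mode bits (AppArmor denials are a separate mechanism and show up in the audit log, as one post above shows); it assumes a Linux ls(1) whose first, third and fourth columns are mode, owner and group, and it takes the user and group names as arguments rather than looking them up, so the demo at the bottom can run unprivileged against a constructed temp tree.

```shell
#!/bin/sh
# Added example (not from the thread or tutorial): check that a path named will
# open after chroot(2) is reachable by the unprivileged user it runs as.
# Models DAC only (mode bits); AppArmor is not considered.
# Assumes a Linux ls(1) with "mode links owner group ..." columns and takes
# user/group names as arguments instead of calling id(1).

# chroot_path ROOT PATH: where PATH lands on disk once named has chrooted to
# ROOT. The config keeps saying PATH; the kernel resolves it under ROOT.
chroot_path() {
    case $2 in
        /*) printf '%s%s\n' "${1%/}" "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# effective_bits FILE USER GROUP: the rwx triple DAC applies to USER, i.e.
# owner bits if USER owns FILE, else group bits if GROUP matches, else "other".
effective_bits() {
    _info=$(ls -ld "$1" | awk '{print $1, $3, $4}')
    _mode=${_info%% *}; _rest=${_info#* }
    _owner=${_rest%% *}; _group=${_rest#* }
    if   [ "$_owner" = "$2" ]; then _off=2
    elif [ "$_group" = "$3" ]; then _off=5
    else _off=8; fi
    printf '%s\n' "$_mode" | cut -c"$_off-$((_off + 2))"
}

# check_reachable ROOT USER GROUP PATH: walk from ROOT down to PATH inside the
# chroot. Directories need x (traverse), the final object needs r. Prints one
# line per problem; returns 0 only if named would get to PATH.
check_reachable() {
    _root=${1%/}; _user=$2; _grp=$3
    _target=$(chroot_path "$_root" "$4")
    _rel=${_target#"$_root"/}
    _cur=$_root; _status=0
    while :; do
        if [ ! -e "$_cur" ] && [ ! -L "$_cur" ]; then
            printf '%s: missing inside the chroot (named asks for %s)\n' "$_cur" "$4"
            return 1
        fi
        _bits=$(effective_bits "$_cur" "$_user" "$_grp")
        if [ -d "$_cur" ]; then
            case $_bits in ??x) ;; *)
                printf '%s: %s needs x to traverse, has "%s"\n' "$_cur" "$_user" "$_bits"
                _status=1 ;;
            esac
        else
            case $_bits in r??) ;; *)
                printf '%s: %s needs r, has "%s"\n' "$_cur" "$_user" "$_bits"
                _status=1 ;;
            esac
        fi
        [ -n "$_rel" ] || break
        _comp=${_rel%%/*}
        case $_rel in */*) _rel=${_rel#*/} ;; *) _rel= ;; esac
        _cur=$_cur/$_comp
    done
    return $_status
}

# Constructed demo: the thread's layout rebuilt in a temp dir, first with the
# chroot root at mode 700 as on the poster's box, then after chmod 755.
# /dev/random is deliberately absent (mknod needs root), so it reports missing.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/bind" "$demo_root/var/run/bind/run" "$demo_root/var/cache/bind"
: > "$demo_root/etc/bind/named.conf"
chmod 644 "$demo_root/etc/bind/named.conf"
find "$demo_root" -type d -exec chmod 755 {} +
for mode in 700 755; do
    chmod "$mode" "$demo_root"
    echo "== chroot root at mode $mode =="
    for p in /etc/bind/named.conf /var/cache/bind /var/run/bind/run /dev/random; do
        check_reachable "$demo_root" bind bind "$p" && echo "$p: reachable"
    done
done
rm -rf "$demo_root"
```

On a real box run it as root against the live tree, e.g. `check_reachable /var/lib/named bind bind /etc/bind/named.conf`, for each path that appears in the syslog errors; the first component it names is the one to chmod 755 (or chgrp bind and chmod 750). It reports traversal and read access only; the `directory` option and the pid file directory additionally need write access for bind, which the same walk does not check.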
Hello, thanks everybody for this help, but I just want to ask: I stopped my AppArmor and chroot works, but from what I can see there is another solution, and I didn't get why this problem occurs, and this last solution is not clear. Can anybody make it more clear? BTW I am using Ubuntu Karmic.