
Thread: [SOLVED] Hardy chrooted bind9 fails to start

  1. #1
    Join Date
    Aug 2006
    Location
    home
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    [SOLVED] Hardy chrooted bind9 fails to start

    Preparing to move my server to LTS hardy, ( just testing on a vmware )
    I've found a weird issue while chrooting bind.

    What I did so far -all as root-:

    Code:
    apt-get install bind9
    /etc/init.d/bind9 stop
    changed 1st line of /etc/default/bind9
    Code:
    vim /etc/default/bind9
    > changed first line to > OPTIONS="-u bind -t /var/lib/named"
    creating some directories & a link to move /etc/bind to /var/lib/named/etc/bind
    creating null & random devices
    fixing permissions
    Code:
    mkdir -p /var/lib/named/etc
    mkdir /var/lib/named/dev
    mkdir -p /var/lib/named/var/cache/bind
    mkdir -p /var/lib/named/var/run/bind/run
    mv /etc/bind /var/lib/named/etc
    ln -s /var/lib/named/etc/bind /etc/bind
    mknod /var/lib/named/dev/null c 1 3
    mknod /var/lib/named/dev/random c 1 8
    chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
    chown -R bind:bind /var/lib/named/var/*
    chown -R bind:bind /var/lib/named/etc/bind
    fixed /etc/default/syslogd
    Code:
    vim /etc/default/syslogd
    > SYSLOGD="-a /var/lib/named/dev/log"
    This has always worked in the past.. but doesn't on Hardy 8.04

    if I try to start > /etc/bind9 start it simply fails
    stopping it >
    Code:
     rndc: connect failed: 127.0.0.1#953: connection refused
    vim /var/log/syslog reveals

    Code:
    Mar 25 08:06:57 hardy-server named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
    Mar 25 08:06:57 hardy-server named[11824]: found 1 CPU, using 1 worker thread
    Mar 25 08:06:57 hardy-server named[11824]: loading configuration from '/etc/bind/named.conf'
    Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied
    Mar 25 08:06:57 hardy-server named[11824]: loading configuration: permission denied
    Mar 25 08:06:57 hardy-server named[11824]: exiting (due to fatal error)
    Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
    anybody any idea ?, I've checked permissions, locations.... and with feisty / gutsy this just worked...

    thx..

    EDIT > this is fixed
    complete procedure at my last thread post
    Last edited by djamu; April 2nd, 2008 at 10:07 PM.
    democracy : 2 wolves and a sheep voting on "what's for dinner"
    i am self-employed, and my views reflect the electrical charges held between many simultaneously firing synapses... or is that synapsi?
    http://3d.uk.to

  2. #2
    Join Date
    Mar 2008
    Beans
    1

    Re: Hardy chrooted bind9 fails to start

    Hi guys

    I have the same problem! Is there a solution for this?
    Thank you

  3. #3
    Join Date
    Aug 2006
    Location
    home
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Hardy chrooted bind9 fails to start > AppArmor ?

    Well I think I have a clue of what's going on... & undoubtedly this will pop up as soon as other admins start upgrading their servers ( or at least the ones using chroots ) ..

    But since they moved this thread from the server forum ( well I understand it's hardy, but it's doomed to move back there ) and on this forum it's unlikely someone will come with a real explanation...
    ( the very reason why I didn't post it here )

    Hardy Heron Development Forum

    Please note that developers aren't very active here, and will most likely not receive the feedback you post here. If you'd like to notify them of bugs, please do so via the Ubuntu bug tracker. If you'd like to write specifications for possible new features, start here.
    I don't think it's a bug, most likely a feature of a new package...
    So far my digging leads me to a new package ported from Suse ( ? ) > AppArmor.... Unfortunately I don't have much time right now.. So if someone feels like toying with it, or a good AppArmor howto ...

    I'll take a look at it again this evening... uninstalling it seems a bad option as I want to be able to use the new features, but just for the sake of verifying, I'll try it on a Vmware snapshot...
    Last edited by djamu; April 1st, 2008 at 02:52 PM.

  4. #4
    Join Date
    Aug 2006
    Location
    home
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Hardy chrooted bind9 fails to start

    Apparmor is causing this, removing ( & purging )
    Code:
    apt-get purge apparmor
    "fixes" the issue....
    but since apparmor is a feature... this shouldn't be the right way, I'll look at the Suse site for more info...

  5. #5
    Join Date
    Apr 2007
    Location
    /home/Helsinki
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Hardy chrooted bind9 fails to start

    Quote Originally Posted by djamu
    Apparmor is causing this, removing ( & purging )
    Code:
    apt-get purge apparmor
    "fixes" the issue....
    but since apparmor is a feature... this shouldn't be the right way, I'll look at the Suse site for more info...
    You don't have to remove apparmor, you can just disable it using tool like "sysv-rc-conf"
    Code:
    sudo apt-get install sysv-rc-conf
    Code:
    sudo sysv-rc-conf
    but be careful with it!!!

    And remove ticks from apparmor line.

  6. #6
    Join Date
    Aug 2006
    Location
    home
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Hardy chrooted bind9 fails to start

    Mind to tell me where I can find the ported manual, since I want to know the ins & outs of this apparmor package
    Do I have to disable it for chrooting services ?, or is this just a replacement for chrooting ?

    Thx
    Last edited by djamu; April 2nd, 2008 at 03:47 PM.

  7. #7
    Join Date
    Apr 2007
    Location
    /home/Helsinki
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Hardy chrooted bind9 fails to start

    Quote Originally Posted by djamu
    Mind to tell me where I can find the ported manual, since I want to know the ins & outs of this apparmor package
    Do I have to disable it for chrooting services ?, or is this just a replacement for chrooting ?

    Thx
    https://wiki.ubuntu.com/AppArmor
    and of course man apparmor

  8. #8
    Join Date
    Aug 2006
    Location
    home
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Hardy chrooted bind9 fails to start

    mmm oops sorry, couldn't find apparmor only apparmor_status & apparmor_parser did a man on those.... & it wasn't very helpful....



  9. #9
    Join Date
    Aug 2006
    Location
    home
    Beans
    Hidden!
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: Hardy chrooted bind9 fails to start

    K fixed, interesting that apparmor stuff, don't know if it makes much sense to chroot and use apparmor at the same time ... guess there's no harm either...

    So for completeness the complete procedure here
    ( all as root, if you don't use/have root start every line with sudo )

    Code:
    apt-get install bind9
    /etc/init.d/bind9 stop
    /etc/init.d/apparmor stop
    vim /etc/default/bind9
    change first line to
    Code:
    OPTIONS="-u bind -t /var/lib/named"
    create some directories & a link to move /etc/bind to /var/lib/named/etc/bind, creating null & random devices, fixing permissions
    Code:
    mkdir -p /var/lib/named/etc
    mkdir /var/lib/named/dev
    mkdir -p /var/lib/named/var/cache/bind
    mkdir -p /var/lib/named/var/run/bind/run
    mv /etc/bind /var/lib/named/etc
    ln -s /var/lib/named/etc/bind /etc/bind
    mknod /var/lib/named/dev/null c 1 3
    mknod /var/lib/named/dev/random c 1 8
    chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
    chown -R bind:bind /var/lib/named/var/*
    chown -R bind:bind /var/lib/named/etc/bind
    edit /etc/default/syslogd
    Code:
    vim /etc/default/syslogd
    > SYSLOGD="-a /var/lib/named/dev/log"
    now edit the bind9 apparmor profile

    Code:
    vim /etc/apparmor.d/usr.sbin.named
    and change marked lines

    UPDATED

    Code:
    # vim:syntax=apparmor
    # Last Modified: Fri Jun  1 16:43:22 2007
    #include <tunables/global>
    
    /usr/sbin/named {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      capability net_bind_service,
      capability setgid,
      capability setuid,
      capability sys_chroot,
    
      # Dynamic updates needs zone and journal files rw. We just allow rw for all
      # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
      /var/lib/named/etc/bind/* rw,
    
      /proc/net/if_inet6 r,
      /usr/sbin/named mr,
      /var/cache/bind/* rw,
      /var/lib/named/var/run/bind/run/named.pid w,
      # /var/run/bind/run/named.pid w,
      # support for resolvconf
      /var/lib/named/var/run/bind/named.options r,
      # /var/run/bind/named.options r,
    
    # add also following lines thanks to Spezi2u 
      /var/lib/named/dev/null rw,
      /var/lib/named/dev/random rw,
    
    
    }

    if you happen to put your local zones in a subdirectory of i.e. /etc/bind don't forget to add all dirs into the apparmor file.


    Code:
    /var/lib/named/etc/bind/zones/* rw,
    /var/lib/named/etc/bind/zones/external/* rw,
    /var/lib/named/etc/bind/zones/internal/* rw,

    then restart services
    Code:
    /etc/init.d/sysklogd restart
    /etc/init.d/apparmor start
    /etc/init.d/bind9 start



    Last edited by djamu; July 22nd, 2008 at 05:15 PM. Reason: updated rules
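The audit line in the first post and the profile edit in post #9 are two halves of one check: AppArmor logs the exact path it denied, and the fix is a rule for that path rather than purging or disabling AppArmor. The script below is an added example, not code from the thread or from the AppArmor project: it extracts `name=` and `profile=` from a denial line of that shape and tests whether a profile file grants read access to the path. The sample profile text is constructed here, modelled on the one posted above, and the rule matcher is deliberately simplified (an exact path, or a one-level `dir/*` glob, with the requested mode letter present); real AppArmor globbing and the `aa-*` tools do considerably more, so treat this as a way to read the log, not as a replacement for `apparmor_parser`.

```shell
#!/bin/sh
# Added example (not from the thread): map an AppArmor denial to the profile rule it needs.
set -e

# Constructed sample: the kernel audit line quoted in the first post.
AUDIT_LINE='Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"'

# Extract name="..." (the denied path) from an audit line.
denied_path() {
    printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Extract profile="..." (the confining profile) from an audit line.
denied_profile() {
    printf '%s\n' "$1" | sed -n 's/.*profile="\([^"]*\)".*/\1/p'
}

# path_allowed PATH MODE PROFILE_FILE: exit 0 if some file rule in the profile
# covers PATH with MODE (a single letter such as r or w). Simplified matcher:
# exact path, or "dir/*" matching files directly under dir (no subdirectories).
path_allowed() {
    want=$1; wmode=$2; pfile=$3
    grep -v '^[[:space:]]*#' "$pfile" |
    sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]]\{1,\}\([a-zA-Z]\{1,\}\),.*/\1 \2/p' |
    while read -r rule perms; do
        case "$perms" in *"$wmode"*) ;; *) continue ;; esac
        case "$rule" in
            *"/*")
                dir=${rule%"/*"}
                case "$want" in
                    "$dir"/*)
                        rest=${want#"$dir"/}
                        # a one-level glob does not reach into subdirectories
                        case "$rest" in */*) ;; *) echo yes; break ;; esac ;;
                esac ;;
            "$want") echo yes; break ;;
        esac
    done | grep -q yes
}

# write_profile FILE stock|chroot: constructed profile modelled on
# /etc/apparmor.d/usr.sbin.named, before ("stock") and after ("chroot") the edit.
write_profile() {
    if [ "$2" = stock ]; then bind_rule='/etc/bind/* rw,'; else bind_rule='/var/lib/named/etc/bind/* rw,'; fi
    cat >"$1" <<EOF
# constructed sample profile, not the packaged one
/usr/sbin/named {
  capability net_bind_service,
  $bind_rule
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}
EOF
}

# diagnose AUDIT_LINE PROFILE_FILE: say whether the denied path is covered and,
# if not, suggest the narrowest one-level rule for it.
diagnose() {
    dpath=$(denied_path "$1"); dprof=$(denied_profile "$1")
    if path_allowed "$dpath" r "$2"; then
        echo "$dprof: $dpath is covered by a rule in $2"
    else
        echo "$dprof: no rule in $2 grants r on $dpath; a rule such as '${dpath%/*}/* r,' would cover it"
    fi
}

# Demo: the stock profile explains the denial; the edited one resolves it.
demo_profile=${TMPDIR:-/tmp}/usr.sbin.named.demo.$$
write_profile "$demo_profile" stock
diagnose "$AUDIT_LINE" "$demo_profile"
write_profile "$demo_profile" chroot
diagnose "$AUDIT_LINE" "$demo_profile"
rm -f "$demo_profile"
```

Running it prints a "no rule" line for the unedited profile and a "covered" line for the edited one. The last assertion-style point worth noticing is the one post #9 warns about: a rule for `/var/lib/named/etc/bind/*` does not cover `/var/lib/named/etc/bind/zones/db.example`, so each zone subdirectory needs its own line, exactly as the `zones/*` rules above add.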

  10. #10
    Join Date
    Apr 2006
    Beans
    19

    Re: [SOLVED] Hardy chrooted bind9 fails to start

    Thanks, this solved my problem.

    Do we even need to chroot bind anymore, since it's running inside apparmor?
