I just wanted to say thanks heaps for this thread. All I had to do was reboot my server and bind started properly!
Almost seems stupidly easy, huh? Imagine how I felt, having it be mine.
I have followed the directions on that page three times on a virtual machine. I have changed permissions in /etc and /var and all subdirectories to 777. I have rebooted. I still have the problem:
The funny part is that when I simply install bind and modify named.conf.local and named.conf.options to set up my zones, it works perfectly.

root@thunderbolt:/home/david# tail -f /var/log/syslog
Jul 13 14:10:19 thunderbolt /usr/sbin/cron[4516]: (CRON) INFO (pidfile fd = 3)
Jul 13 14:10:19 thunderbolt /usr/sbin/cron[4517]: (CRON) STARTUP (fork ok)
Jul 13 14:10:19 thunderbolt /usr/sbin/cron[4517]: (CRON) INFO (Running @reboot jobs)
Jul 13 14:15:41 thunderbolt named[4605]: starting BIND 9.4.2 -u bind -t /var/lib/named
Jul 13 14:15:41 thunderbolt named[4605]: found 1 CPU, using 1 worker thread
Jul 13 14:15:41 thunderbolt named[4605]: loading configuration from '/etc/bind/named.conf'
Jul 13 14:15:41 thunderbolt named[4605]: none:0: open: /etc/bind/named.conf: permission denied
Jul 13 14:15:41 thunderbolt named[4605]: loading configuration: permission denied
Jul 13 14:15:41 thunderbolt named[4605]: exiting (due to fatal error)
Jul 13 14:15:41 thunderbolt kernel: [ 1744.019281] audit(1215972941.472:3): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=4606 profile="/usr/sbin/named" namespace="default"
EDIT: Umm... think I found what was wrong. I wasn't disabling apparmor.
Last edited by davidshere; July 14th, 2008 at 01:03 AM.
Here is the easiest way to SOLVE THE PROBLEM.
1. BIND9 failed to start with the following reason:
---> "/etc/bind/named.conf: permission denied"
Here is the syslog:
Aug 21 21:12:10 pacendrix named[19340]: starting BIND 9.4.2-P1 -u bind
Aug 21 21:12:10 pacendrix named[19340]: found 1 CPU, using 1 worker thread
Aug 21 21:12:10 pacendrix named[19340]: loading configuration from '/etc/bind/named.conf'
Aug 21 21:12:10 pacendrix named[19340]: none:0: open: /etc/bind/named.conf: permission denied
Aug 21 21:12:10 pacendrix named[19340]: loading configuration: permission denied
2. The problem is that bind is trying to start as a USER (maybe for security reasons, which we will skip):
" starting BIND 9.4.2-P1 -u bind "
Unfortunately, the -u option only works when named is run on certain kernel versions ... probably not yours.
3. THE SOLUTION
We just need to replace this -u option with -c, which lets you name named.conf as the configuration file instead of the default.
Here is the CODE:
Open the bind9 default file with your favorite editor:

nano /etc/default/bind9

and replace "-u bind" with "-c /etc/bind/named.conf", so that

OPTIONS="-u bind"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

looks like:

OPTIONS="-c /etc/bind/named.conf"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

It's done.
Save the file and restart bind.
I hope I have helped you.
Best regards Pacendrix
Make sure you at least attempt to change the permissions before going through all this.
I think that was my problem, because after going through this thread and the few others out there with this issue, I was still getting the same error. Then I ran the following command and it restarted without errors:

chmod 644 /etc/bind/named.conf    # rw-r--r--: owner may write, everyone may read

Hope this helps others who experience this.
I was seeing the same error that you guys are/were seeing:
Sep 20 22:11:00 gaia kernel: [341408.785412] audit(1221973860.689:5): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/etc/named.conf" pid=5263 profile="/usr/sbin/named" namespace="default"
It turns out to be caused by AppArmor.
AppArmor seems to be in "enforcing" mode (rather than "complain" mode or off) by default in Ubuntu Server 8.04.
To get bind to work in an arbitrary chroot jail location you have to modify /etc/apparmor.d/usr.sbin.named to allow bind access to all the relevant files in the chroot jail.
I personally like to chroot named to /var/named (old school, I know). I use the following layout:
/var/named
db.* (zone files)
etc
dev
slave (dir for slave zones)
var/run
To get bind to work with that I had to change my /etc/apparmor.d/usr.sbin.named file to say:
[...]
/var/named/db.* r,
/var/named/etc/** r,
/var/named/dev/log w,
/var/named/dev/null rw,
/var/named/dev/random r,
/var/named/slave/** rw,
/var/named/var/run/named.pid w,
# support for resolvconf
/var/named/var/run/named.options r,
[...]
Normally, bind would create the named.pid file in [/var/named]/var/run/bind/run but I'm telling it to put it into [/var/named]/var/run in my named.conf:
[...]
pid-file "/var/run/named.pid";
[...]
Remember: bind thinks that /var/named is the root whereas AppArmor does not. So what's /var/run/named.pid to bind is /var/named/var/run/named.pid to AppArmor.
I also like to put my named config into /var/named/etc, not /var/named/etc/bind.
...anyway, you get the idea.
So if you insist on getting bind running in a chroot jail you can simply configure AppArmor to work with that. Another alternative would be to disable AppArmor altogether.
However, since you already have AppArmor doing all the restricting that a chroot jail would do you might want to consider using bind as is. Check out this link:
How is AppArmor different from chroot?
Hope this helps.
- Simon
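As an added example (not code posted by anyone in this thread), the following POSIX shell script follows the reasoning of the last two posts: it tells an AppArmor denial apart from an ordinary Unix permission problem by looking at the syslog/audit lines, turns the denials charged to named into candidate lines for /etc/apparmor.d/usr.sbin.named, translates between the path named reports inside its chroot and the path AppArmor actually enforces, and checks whether an /etc/default/bind9 OPTIONS line still carries -u bind (the flag that makes named run as the bind user instead of root). The sample log is constructed from the lines quoted in the thread; the 2008-era audit format (type=1503, name=, profile=) is assumed, and newer kernels log the same name=/profile= fields with apparmor="DENIED", so the grep would need adjusting there.

```shell
#!/bin/sh
# Added example for this thread (not code posted in it). Assumes the old
# AppArmor audit format quoted above: type=1503, name="...",
# profile="/usr/sbin/named", denied_mask="r::".

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG='Jul 13 14:15:41 thunderbolt named[4605]: starting BIND 9.4.2 -u bind -t /var/lib/named
Jul 13 14:15:41 thunderbolt named[4605]: none:0: open: /etc/bind/named.conf: permission denied
Jul 13 14:15:41 thunderbolt kernel: [ 1744.019281] audit(1215972941.472:3): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=4606 profile="/usr/sbin/named" namespace="default"
Sep 20 22:11:00 gaia kernel: [341408.785412] audit(1221973860.689:5): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/etc/named.conf" pid=5263 profile="/usr/sbin/named" namespace="default"
Sep 20 22:11:00 gaia kernel: [341408.785500] audit(1221973860.690:6): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/var/named/var/run/named.pid" pid=5263 profile="/usr/sbin/named" namespace="default"'

# Print "<path> <denied_mask>" for every AppArmor denial charged to named.
named_denials() {
    printf '%s\n' "$1" \
      | grep 'profile="/usr/sbin/named"' \
      | sed -n 's/.*denied_mask="\([^"]*\)".*name="\([^"]*\)".*/\2 \1/p'
}

# Which kind of "permission denied" is this? If AppArmor logged a denial for
# named, chmod/chown cannot fix it, which is why loosening the permissions
# under /etc did not help earlier in the thread.
diagnose() {
    if [ -n "$(named_denials "$1")" ]; then
        echo apparmor
    elif printf '%s\n' "$1" | grep -q 'named.conf: permission denied'; then
        echo unix-permissions
    else
        echo no-denial
    fi
}

# Turn each denial into a candidate profile line. The audit mask "r::"/"::r"
# collapses to AppArmor's permission letters once the colons are removed.
# Review every line before pasting it into the profile: a denial is not by
# itself a legitimate need, and "w" also lets named create the file.
# (Paths containing spaces are not handled by this field split.)
suggest_rules() {
    named_denials "$1" | sort -u \
      | awk '{ gsub(/:/, "", $2); printf "  %s %s,\n", $1, $2 }'
}

# Path translation: named started with -t CHROOT sees /etc/named.conf, while
# AppArmor, enforcing in the kernel, sees CHROOT/etc/named.conf.
chroot_view() {      # $1 = chroot dir, $2 = path as AppArmor logs it
    case "$2" in
        "$1"/*) printf '%s\n' "${2#"$1"}" ;;
        *)      printf '%s\n' "$2" ;;
    esac
}
apparmor_view() {    # $1 = chroot dir, $2 = path as written in named.conf
    printf '%s%s\n' "$1" "$2"
}

# Does this /etc/default/bind9 content still make named run as the bind user?
drops_root() {
    printf '%s\n' "$1" | grep -q '^OPTIONS=.*-u *bind'
}

if [ "${1:-}" = "demo" ]; then
    echo "kind: $(diagnose "$SAMPLE_LOG")"
    echo "candidate rules for /etc/apparmor.d/usr.sbin.named:"
    suggest_rules "$SAMPLE_LOG"
    echo "pid-file /var/run/named.pid in named.conf is $(apparmor_view /var/named /var/run/named.pid) to AppArmor"
fi
```

Run it as `sh diag.sh demo` to see the three candidate rules derived from the sample; in practice, feed it `grep named /var/log/syslog` output and compare the suggested paths against the chroot layout you actually intend, rather than allowing everything that was denied.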