
DNS Server (Bind9)

Lindsay@

Guest
After the migration to the new server bind9 won't start. How can I fix it? I have searched Google and this site with no answer.
 
First search your syslog for any error messages from named, for example

grep named /var/log/messages

If you can't figure out what's wrong after taking a look in the messages, try pasting the messages here so we can try and help you.
 
Sep 20 23:56:21 OPTERON named[7696]: loading configuration from '/etc/named.conf'
Sep 20 23:56:21 OPTERON named[7696]: none:0: open: /etc/named.conf: permission denied
Sep 20 23:56:21 OPTERON named[7696]: loading configuration: permission denied
S

this is with tail -f /var/log/syslog

also

ls -l /etc/named.conf
ls -l /var/named/run-root/etc/named.conf

OPTERON:~# ls -l /etc/named.conf
lrwxrwxrwx 1 root root 34 2008-09-05 09:01 /etc/named.conf -> /var/named/run-root/etc/named.conf


OPTERON:~# ls -l /var/named/run-root/etc/named.conf
-rw-r--r-- 1 root root 5704 2008-09-20 20:31 /var/named/run-root/etc/named.conf
 
grep named /var/log/messages

OPTERON:~# Sep 21 14:27:05 OPTERON kernel: [60659.865364] audit(1222000025.364:104): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=3604 profile="/usr/sbin/named" namespace="default"
::r" name="/var/named/run-root/etc/localtime" pid=5068 profile="/usr/sbin/named" namespace="default"
Sep 22 13:41:06 OPTERON kernel: [82284.928154] audit(1222083666.886:16): type=1503 operation="inode_permission" requested_mask="::r" denied_mask=":-bash: syntax error near unexpected token `('
OPTERON:~# Sep 21 14:27:05 OPTERON kernel: [60659.865544] audit(1222000025.364:105): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=3604 profile="/usr/sbin/named" namespace="default"
:r" name="/var/named/run-root/etc/localtime" pid=29485 profile="/usr/sbin/named" namespace="default"
Sep 22 13:41:06 OPTERON kernel: [82284.928282] audit(1222083666.886:17): type=1503 operation="inode_permission" requested_mask="::r" denied_mask=":-bash: syntax error near unexpected token `('
OPTERON:~# Sep 21 14:27:05 OPTERON kernel: [60659.865570] audit(1222000025.364:106): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=3604 profile="/usr/sbin/named" namespace="default"
:r" name="/var/named/run-root/etc/localtime" pid=29485 profile="/usr/sbin/named" namespace="default"
Sep 22 13:41:06 OPTERON kernel: [82284.931590] audit(1222083666.886:18): type=1503 operation="inode_permission" requested_mask="::r" denied_mask=":-bash: syntax error near unexpected token `('
OPTERON:~# Sep 21 14:48:26 OPTERON kernel: [ 54.062139] audit(1222001306.283:2): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=4490 profile="/usr/sbin/named" namespace="default"
:r" name="/var/named/run-root/etc/localtime" pid=29486 profile="/usr/sbin/named" namespace="default"
Sep 22 13:41:06 OPTERON kernel: [82284.931640] audit(1222083666.886:19): type=1503 operation="inode_permission" requested_mask="::r" denied_mask=-bash: syntax error near unexpected token `('
OPTERON:~# Sep 21 14:48:26 OPTERON kernel: [ 54.062259] audit(1222001306.283:3): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=4490 profile="/usr/sbin/named" namespace="default"
 
Those kernel messages seem like AppArmor messages, from what I have searched. Do you have it installed? I'm assuming you're running Debian or Ubuntu?
 
Hello,

I'm writing on this post having the same problem with Ubuntu Hardy / Plesk 8.6: open named.conf: permission denied

ls -alh /etc/named.conf
lrwxrwxrwx 1 root root 34 2008-09-22 22:34 /etc/named.conf -> /var/named/run-root/etc/named.conf
laurent@madonie:~$ ls -alh /var/named/run-root/etc/named.conf
-rw-r--r-- 1 root root 4,4K 2008-09-25 20:34 /var/named/run-root/etc/named.conf


---

Sep 26 11:05:16 madonie named[5704]: found 1 CPU, using 1 worker thread
Sep 26 11:05:16 madonie named[5704]: loading configuration from '/etc/named.conf'
Sep 26 11:05:16 madonie named[5704]: none:0: open: /etc/named.conf: permission denied
Sep 26 11:05:16 madonie named[5704]: loading configuration: permission denied
Sep 26 11:05:16 madonie named[5704]: exiting (due to fatal error)
Sep 26 11:05:16 madonie kernel: [ 918.919419] audit(1222419916.657:39): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=5705 profile="/usr/sbin/named" namespace="default"
Sep 26 11:05:16 madonie kernel: [ 918.919480] audit(1222419916.657:40): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/named.conf" pid=5705 profile="/usr/sbin/named" namespace="default"
Sep 26 11:05:16 madonie kernel: [ 918.919510] audit(1222419916.657:41): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=5705 profile="/usr/sbin/named" namespace="default"
Sep 26 11:05:16 madonie kernel: [ 918.919716] audit(1222419916.657:42): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=5705 profile="/usr/sbin/named" namespace="default"
Sep 26 11:05:16 madonie kernel: [ 918.919743] audit(1222419916.657:43): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=5705 profile="/usr/sbin/named" namespace="default"

Thank you
 
I've tried to run rndc reload and get this:

none:0: open: /etc/bind/rndc.key: permission denied
Sep 26 11:48:18 madonie named[6102]: couldn't add command channel ::1#953: permission denied
Sep 26 11:48:18 madonie named[6102]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Sep 26 11:48:18 madonie named[6102]: exiting (due to early fatal error)
Sep 26 11:50:01 madonie /USR/SBIN/CRON[6133]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)

In fact named.pid doesn't exist. Should I create it by hand? I've seen that bind could be better than bind9? Is it true?

Thank you
 
I've tried to create named.pid this way:
ls -alh /var/named/run-root/var/run/named/
total 8,0K
drwxr-xr-t 2 bind root 4,0K 2008-09-26 12:01 .
drwxr-xr-x 3 bind bind 4,0K 2001-11-14 14:33 ..
-rw-r--r-- 1 bind bind 0 2008-09-26 12:01 named.pid

I get this:

/etc/init.d/bind9 start
* Starting domain name service... bind
chmod: changing permissions of `/var/run/bind/run': Operation not permitted
named: chroot(): Operation not permitted
...fail!


---
 
You probably need to disable AppArmor when installing Plesk, just like SELinux needs to be disabled when installing Plesk.
 
For the moment, I have this:

sudo /etc/init.d/apparmor status
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
/usr/sbin/mysqld
/usr/sbin/named
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
/usr/sbin/mysqld (4622)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
 
It is AppArmor:

sudo /etc/init.d/apparmor stop
Unloading AppArmor profiles : done.
laurent@madonie:~$ sudo /etc/init.d/bind9 start
* Starting domain name service... bind
...done.

What should I do then, leave things like that with AppArmor stopped?
 
I guess so. I'd also make sure AppArmor is not set to start on boot.

I believe you should be able to enable SELinux after Plesk has been installed, but I don't know about AppArmor (we run on CentOS, which doesn't come with AppArmor). It seems Parallels hasn't prepared their software for use with AppArmor enabled (yet?).
 
I searched the installation guide, but it doesn't seem to mention either AppArmor or SELinux. There are some articles in the knowledge base that mention SELinux, but none mentioning AppArmor. I believe AppArmor is new in Ubuntu 8.04?
 
Thank You LaurentR for your question and answers. It worked fine for me, disabling and removing apparmor :)
 
Adding the following to the AppArmor named profile (/etc/apparmor.d/usr.sbin.named) would also solve the problem:

# plesk runs bind in chroot, need perms
/var/named/run-root/** rw,
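
As an added example (not code from this thread or from Plesk): a Python script that reads AppArmor denials in the `type=1503` format posted above and lists, per profile, exactly which paths and permissions were refused, so the profile can be extended only for what named was actually denied instead of stopping AppArmor for every confined service. The function names are hypothetical, the sample lines are copied from the logs in this thread, and the output only covers denials that were logged.

```python
import re
from collections import defaultdict

# Lines copied from the logs posted in this thread, including one truncated
# line from the first paste to show how damaged input is handled.
SAMPLE_LOG = '''\
Sep 26 11:05:16 madonie named[5704]: none:0: open: /etc/named.conf: permission denied
Sep 26 11:05:16 madonie kernel: [ 918.919419] audit(1222419916.657:39): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=5705 profile="/usr/sbin/named" namespace="default"
Sep 22 13:41:06 OPTERON kernel: [82284.928154] audit(1222083666.886:16): type=1503 operation="inode_permission" requested_mask="::r" denied_mask=":-bash: syntax error near unexpected token `('
Sep 26 11:05:16 madonie kernel: [ 918.919480] audit(1222419916.657:40): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/named.conf" pid=5705 profile="/usr/sbin/named" namespace="default"
Sep 26 11:05:16 madonie kernel: [ 918.919510] audit(1222419916.657:41): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/named/run-root/etc/localtime" pid=5705 profile="/usr/sbin/named" namespace="default"
'''

# key="quoted value" or key=bare_value pairs inside an audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return {profile: {path: set of denied permission letters}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if "audit(" not in line or "denied_mask=" not in line:
            continue  # not an AppArmor audit record
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if not {"profile", "name", "denied_mask"} <= fields.keys():
            continue  # truncated record: skip it rather than guess the path
        # In this legacy format the mask looks like "::r"; keep only the letters.
        perms = set(fields["denied_mask"].replace(":", ""))
        denials[fields["profile"]][fields["name"]] |= perms
    return denials


def candidate_rules(denials, profile):
    """Render the denials for one profile as AppArmor file rules to review."""
    paths = denials.get(profile, {})
    return [f"{path} {''.join(sorted(perms))}," for path, perms in sorted(paths.items())]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for prof in sorted(found):
        print(f"# denied under profile {prof}")
        for rule in candidate_rules(found, prof):
            print(f"  {rule}")
```

Run against these lines it reports read access to two files under the chroot, which is a much smaller grant than `rw` on the whole tree; further denials can appear once named gets past these, so re-run it after each start attempt.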
 