lier une erreur fatale ne peut pas ouvrir le journal personnalisé

Question

J'ai eu des problèmes avec bind9 sur 14.04 LTS

Sudo service bind9 start produit le journal suivant

May 20 21:47:46 c1 named[1110]: starting BIND 9.9.5-3-Ubuntu -u bind May 20 21:47:46 c1 named[1110]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' May 20 21:47:46 c1 named[1110]: ---------------------------------------------------- May 20 21:47:46 c1 named[1110]: BIND 9 is maintained by Internet Systems Consortium, May 20 21:47:46 c1 named[1110]: Inc. (ISC), a non-profit 501(c)(3) public-benefit May 20 21:47:46 c1 named[1110]: corporation. Support and training for BIND 9 are May 20 21:47:46 c1 named[1110]: available at https://www.isc.org/support May 20 21:47:46 c1 named[1110]: ---------------------------------------------------- May 20 21:47:46 c1 named[1110]: adjusted limit on open files from 4096 to 1048576 May 20 21:47:46 c1 named[1110]: found 2 CPUs, using 2 worker threads May 20 21:47:46 c1 named[1110]: using 2 UDP listeners per interface May 20 21:47:46 c1 named[1110]: using up to 4096 sockets May 20 21:47:46 c1 named[1110]: loading configuration from '/etc/bind/named.conf' May 20 21:47:46 c1 named[1110]: reading built-in trusted keys from file '/etc/bind/bind.keys' May 20 21:47:46 c1 named[1110]: using default UDP/IPv4 port range: [1024, 65535] May 20 21:47:46 c1 named[1110]: using default UDP/IPv6 port range: [1024, 65535] May 20 21:47:46 c1 named[1110]: listening on IPv4 interface lo, 127.0.0.1#53 May 20 21:47:46 c1 named[1110]: generating session key for dynamic DNS May 20 21:47:46 c1 named[1110]: sizing zone task pool based on 25 zones May 20 21:47:46 c1 named[1110]: using built-in DLV key for view _default May 20 21:47:46 c1 named[1110]: using built-in root key for view _default May 20 21:47:46 c1 named[1110]: set up managed keys zone for view _default, file 'managed-keys.bind' May 20 21:47:46 c1 named[1110]: command channel listening on 127.0.0.1#953 May 20 21:47:46 c1 named[1110]: isc_file_isplainfile '/var/log/named/query.log' failed: permission denied May 20 21:47:46 c1 named[1110]: configuring logging: permission denied May 20 21:47:46 c1 named[1110]: loading configuration: permission denied May 20 21:47:46 c1 named[1110]: exiting (due to fatal error)

named.conf.log prevew

root@c1:/etc/bind# cat named.conf.log logging { channel query_log { file "/var/log/named/query.log" versions 3 size 5m; // Set the severity to dynamic to see all the debug messages. print-category yes; print-severity yes; print-time yes; severity dynamic; }; channel update_debug { file "/var/log/named/update_debug.log" versions 3 size 5m; severity debug ; print-category yes; print-severity yes; print-time yes; }; channel security_info { file "/var/log/named/security_info.log" versions 3 size 5m; severity info; print-category yes; print-severity yes; print-time yes; }; channel bind_log { file "/var/log/named/bind.log" versions 3 size 5m; severity info; print-category yes; print-severity yes; print-time yes; }; category queries { query_log; }; category security { security_info; }; category update-security { update_debug; }; category update { update_debug; }; category lame-servers { null; }; category default { bind_log; }; };

la commande named-checkconf ne renvoie aucune erreur

nkvnkv · Accepted Answer

Le problème est résolu dans les permitions de fichier et apparmor

correctif Apparmor

copier-coller de fichier complet exclure la première ligne

root@c1:/etc/bind# cat /etc/apparmor.d/usr.sbin.named # vim:syntax=apparmor # Last Modified: Fri Jun 1 16:43:22 2007 #include <tunables/global> /usr/sbin/named flags=(complain) { #include <abstractions/base> #include <abstractions/nameservice> capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, capability sys_resource, # /etc/bind should be read-only for bind # /var/lib/bind is for dynamically updated zone (and journal) files. # /var/cache/bind is for slave/stub data, since we're not the Origin of it. # See /usr/share/doc/bind9/README.Debian.gz /etc/bind/** r, /var/lib/bind/** rw, /var/lib/bind/ rw, /var/cache/bind/** lrw, /var/cache/bind/ rw, # gssapi /etc/krb5.keytab kr, /etc/bind/krb5.keytab kr, # ssl /etc/ssl/openssl.cnf r, # GeoIP data files for GeoIP ACLs /usr/share/GeoIP/** r, # dnscvsutil package /var/lib/dnscvsutil/compiled/** rw, /proc/net/if_inet6 r, /proc/*/net/if_inet6 r, /usr/sbin/named mr, /{,var/}run/named/named.pid w, /{,var/}run/named/session.key w, # support for resolvconf /{,var/}run/named/named.options r, # some people like to put logs in /var/log/named/ instead of having # syslog do the heavy lifting. /var/log/named/** rw, #added line here /var/log/named/* rw, /var/log/named/ rw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.named> }

correctif Bind9

ensuite, j'ai changé les pemitions jusqu'à ce que cela fonctionne

/ var/log/modifications nommées

chown -R bind:root /var/log/named chmod -R 775 /var/log/named

résultat des commandes ci-dessus

root@c1:/etc/bind# ls -lha /var/log/named/ total 196K drwxrwxr-x 2 bind root 4,0K мај 20 20:38 . drwxrwxr-x 18 root syslog 4,0K мај 21 00:46 .. -rwxrwxr-x 1 bind root 6,8K мај 21 01:20 bind.log -rwxrwxr-x 1 bind root 0 мај 20 19:30 bind.log~ -rwxrwxr-x 1 bind root 167K мај 21 01:21 query.log -rwxrwxr-x 1 bind root 1 мај 20 23:14 security_info.log -rwxrwxr-x 1 bind root 0 мај 20 19:30 security_info.log~ -rwxrwxr-x 1 bind root 1 мај 20 23:13 update_debug.log -rwxrwxr-x 1 bind root 0 мај 20 19:23 update_debug.log~

Changements dans/etc/bind

chown -R bind:root /etc/bind chmod -R 774 /etc/bind

résultat des commandes ci-dessus

root@c1:/etc/bind# ls -lha /etc/bind total 120K drwxrwsr-- 3 bind root 4,0K мај 21 00:33 . drwxr-xr-x 150 root root 12K мај 21 00:34 .. -rwxrwxr-- 1 bind root 2,4K мар 24 18:06 bind.keys -rwxrwxr-- 1 bind root 237 мар 24 18:06 db.0 -rwxrwxr-- 1 bind root 271 мар 24 18:06 db.127 -rwxrwxr-- 1 bind root 237 мар 24 18:06 db.255 -rwxrwxr-- 1 bind root 353 мар 24 18:06 db.empty -rwxrwxr-- 1 bind root 270 мар 24 18:06 db.local -rwxrwxr-- 1 bind root 3,0K мар 24 18:06 db.root -rwxrwxr-- 1 bind root 860 мај 20 18:54 named.conf -rwxrwxr-- 1 bind root 1,1K мај 20 18:49 named.conf~ -rwxrwxr-- 1 bind root 490 мар 24 18:06 named.conf.default-zones -rwxrwxr-- 1 bind root 475 мај 20 22:24 named.conf.local -rwxrwxr-- 1 bind root 477 мај 20 22:22 named.conf.local~ -rwxrwxr-- 1 bind root 1002 мај 20 23:12 named.conf.log -rwxrwxr-- 1 bind root 1002 мај 20 23:11 named.conf.log~ -rwxrwxr-- 1 bind root 1,1K мај 21 00:33 named.conf.log.save -rwxrwxr-- 1 bind root 1,4K мај 20 18:50 named.conf.options -rwxrwxr-- 1 bind root 1,4K мај 18 23:23 named.conf.options~ -rwxrwxr-- 1 bind root 77 мај 20 04:25 rndc.key drwxrwxr-- 2 bind root 4,0K мај 18 23:23 zones -rwxrwxr-- 1 bind root 1,3K мар 24 18:06 zones.rfc1918

Avis:

Cette installation de bind9 n'est pas chrootée

maintenant Bind9 travaille

 root@c1:/etc/bind# service bind9 start * Starting domain name service... bind9 [ OK ]

RedScourge · Answer

Je suis venu ici à cause d'un problème général d'autorisation de démarrage de bind.

Il semble que bind consignera qu’il ne lui est pas accordé d’autorisation à named.conf, qu’il s’agisse ou non du fichier à l’origine du problème.

Apparemment, l'utilisateur avec lequel la liaison s'exécute doit disposer d'un accès en lecture/écriture ET exécuter l'accès aux fichiers de zone, mais n'a besoin que d'un accès en lecture aux autres fichiers de configuration.

gone · Answer

J'ai installé apparmor mais je ne l'utilise pas.

Créer le dossier /var/log/named avec les autorisations bind:bind 755 était tout ce que j'avais à faire. Les fichiers journaux eux-mêmes sont générés avec les autorisations bind:bind 644.