On 2021-12-26 06:09, Robert Waldner wrote:
Package: bind9
Version: 1:9.16.22-1~deb11u1
Severity: important

Dear Maintainers,

I upgraded my nameserver from buster to bullseye, afterwards named wouldn't 
start anymore.

Looking at syslog, the relevant part seems to be:
...
Dec 26 11:36:01 fsck named[128029]: configuring command channel from '/etc/bind/rndc.key'
Dec 26 11:36:01 fsck named[128029]: command channel listening on 127.0.0.1#953
Dec 26 11:36:01 fsck named[128029]: configuring command channel from '/etc/bind/rndc.key'
Dec 26 11:36:01 fsck named[128029]: command channel listening on ::1#953
Dec 26 11:36:01 fsck named[128029]: the working directory is not writable
                                         ^^^^^^^^^^^^^^^^^
Dec 26 11:36:01 fsck named[128029]: loading configuration: permission denied
Dec 26 11:36:01 fsck named[128029]: exiting (due to fatal error)
Dec 26 11:36:01 fsck systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
Dec 26 11:36:01 fsck systemd[1]: named.service: Failed with result 'exit-code'.

Note that this is straight from systemd trying to start it.

Running named as `named -g -u bind` got the same result (CWD: /home/myuser).

But! starting it manually with a CWD that's writable by group bind (e.g. `cd /etc/bind; named -g -u bind`) works:
...
26-Dec-2021 11:44:10.434 configuring command channel from '/etc/bind/rndc.key'
26-Dec-2021 11:44:10.434 command channel listening on 127.0.0.1#953
26-Dec-2021 11:44:10.434 configuring command channel from '/etc/bind/rndc.key'
26-Dec-2021 11:44:10.434 command channel listening on ::1#953
26-Dec-2021 11:44:10.434 not using config file logging statement for logging due to -g option
26-Dec-2021 11:44:10.434 zone 10.in-addr.arpa/IN: loaded serial 2002041301
...

Now this wouldn't be a problem if systemd could start named, but it can't:

root@fsckv2:/etc/bind# systemctl start named
root@fsckv2:/etc/bind# systemctl status named
● named.service - BIND Domain Name Server
      Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
      Active: failed (Result: exit-code) since Sun 2021-12-26 11:46:23 CET; 1s ago
        Docs: man:named(8)
     Process: 130605 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
    Main PID: 130605 (code=exited, status=1/FAILURE)
         CPU: 51ms

Dec 26 11:46:23 fsckv2 systemd[1]: named.service: Scheduled restart job, restart counter is at 5.
Dec 26 11:46:23 fsckv2 systemd[1]: Stopped BIND Domain Name Server.
Dec 26 11:46:23 fsckv2 systemd[1]: named.service: Start request repeated too quickly.
Dec 26 11:46:23 fsckv2 systemd[1]: named.service: Failed with result 'exit-code'.
Dec 26 11:46:23 fsckv2 systemd[1]: Failed to start BIND Domain Name Server.

For testing, I also `apt-get -b source`d bind9 from testing/unstable (9.17.21-1) but it exhibits the same non-working behaviour.

(If needed I can provide all config in private mail, but am loath to disclose them publicly as it's quite extensive (this is a nameserver for quite some domains, plus the resolver for all my internal networks).)

What's in /etc/default/named? Chroot'ing could cause some issues.

Since you are hitting permission issues, I'd also check dmesg for AppArmor denial messages (`dmesg | grep apparmor`).

Simon
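The two runs in the report differ only in the CWD, so, as an added example that is not part of either message, here is a small diagnostic that evaluates a directory's POSIX mode bits for the uid and groups named will have after `-u bind`. It assumes named's "working directory is not writable" check has access(2)/W_OK semantics; the uid, paths and modes in `demo()` are constructed, not the real bind account.

```python
import os
import stat
import tempfile


def writable_by(path, uid, gids):
    """Evaluate the mode bits of directory `path` for a process running as
    `uid` with group membership `gids` (a set of gids), the way access(2)
    with W_OK does for an unprivileged caller. uid 0 always passes, which is
    why the failure only shows once the daemon has dropped to -u bind."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:                        # owner class
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:                       # group class
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)      # other class


def diagnose(path, uid, gids):
    """Return 'ok' or a one-line explanation of why `path` will not be
    writable for that uid/gid combination (owner, group and mode shown)."""
    st = os.stat(path)
    if writable_by(path, uid, gids):
        return "ok"
    return ("working directory %s (owner %d:%d, mode %04o) is not writable "
            "by uid %d with gids %s"
            % (path, st.st_uid, st.st_gid, st.st_mode & 0o7777, uid,
               sorted(gids)))


def demo():
    """Constructed reproduction of the report: a home-like directory (0755)
    versus a group-writable one (0775), both owned by the current user, as
    seen by a simulated daemon uid that is only a member of the directory's
    group. Returns (writable(home), writable(conf))."""
    daemon_uid = os.getuid() + 1000             # constructed, never 0
    with tempfile.TemporaryDirectory() as home, \
            tempfile.TemporaryDirectory() as conf:
        os.chmod(home, 0o755)                   # like /home/myuser
        os.chmod(conf, 0o775)                   # like /etc/bind, group-writable
        gids = {os.stat(conf).st_gid}
        return (writable_by(home, daemon_uid, gids),
                writable_by(conf, daemon_uid, gids))
```

With systemd the service's CWD is `/` unless `WorkingDirectory=` is set, so run `diagnose()` against that path with bind's uid and groups to see what named sees.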
