Date:      Fri, 01 Jan 2010 11:58:06 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        Oliver Lehmann <lehmann@ans-netz.de>
Cc:        stable@freebsd.org
Subject:   Re: RELENG_7 changes for rc.d/named
Message-ID:  <4B3E53CE.3070403@FreeBSD.org>
In-Reply-To: <20100101120548.dc06edfb.lehmann@ans-netz.de>
References:  <20100101120548.dc06edfb.lehmann@ans-netz.de>

Oliver Lehmann wrote:
> Hi,
> 
> since my last RELENG_7 update a new rc.conf variable named_conf appeared.
> 
> How is this supposed to work with a chroot named? I guess not at all?

I realize that you're frustrated and upset, so I will disregard the
mildly obnoxious tone of your message, and this comment in particular.

FWIW, I have been maintaining BIND bits in FreeBSD for 9 years. I have
15 years experience as a DNS administrator, and have donated literally
hundreds of hours to make the default BIND configuration conform to
best practices in terms of both security and operations. Your
suggestion that I've simply foisted some untested crap onto the
FreeBSD community is at best, rude. At worst, it's just plain stupid
given that named is chroot'ed by default, and has been for years.

Furthermore, you might want to reconsider your tone the next time you
ask people who are volunteering their time to help you with problems
that you've created for yourself.

I say "created for yourself" because the default configuration
directory in FreeBSD (and I believe most/all of the other *BSDs too)
is "/etc/namedb," not "/etc/named." You are of course free to change
it if you like, but you should be aware that there are numerous places
where this assumption is hard-coded and cannot easily be changed at
runtime. The expectation is that if you deviate from the defaults that
you had better know what you're doing, and more importantly why.

Now that said, testing your case did point out a problem in the rc.d
script which is that it had "/etc/namedb" hard-coded where it did not
have to be. I've updated that, please give the latest version in HEAD
a try. You should be able to use it on 7-stable without any problems
(once the caveats that I will insert below are taken into account).

The named_chrootdir on the other hand is fully dynamic, and you can
change THAT to anything you want and things should still work
transparently.

> I have in my rc.conf:
> 
> named_enable="YES"
> named_program="/usr/local/sbin/named"

These are good.

> named_flags="-u bind -c /etc/named/named.conf"

Neither of those is necessary, and they should be removed. I've
updated the comments in /etc/defaults/rc.conf to indicate that
named_flags should not be used for -u and -c. I'll MFC that ASAP.

> named_chrootdir="/usr/chroot/named"
> named_symlink_enable="YES"

These are good.

> named_conf="/usr/chroot/named/etc/named/named.conf"
> #named_conf="/etc/named/named.conf"

The latter is correct. Everything should be specified relative to the
chroot directory.

> When I now try to start named:
> 
> # /etc/rc.d/named start
> /usr/chroot/named/etc/named/named.conf:12: change directory to '/etc/named' failed: file not found
> 
> /usr/chroot/named/etc/named/named.conf:12: parsing failed
> /etc/rc.d/named: ERROR: named-checkconf for $named_conf failed
> Exit 3
> #
> 
> Of course /etc/named does not exist because when the configuration file
> is used, /etc/named is for named in reality /usr/chroot/named/etc/named...

You've created a chicken and egg problem here. The script will create
or update the symlink in /etc for you, however the required_files
option in the script needs to be able to "see" the named.conf file or
else it errors out before the symlink can get created. You can fix
this in your situation by removing whatever is there for /etc/named
and creating the symlink yourself before trying to start it up again.

For the long term I need to think more about whether or not to remove
the required_files option. In the default case it works fine since the
symlink from /etc/namedb to /var/named/etc/namedb already exists.
Without required_files the named_checkconf in the script will still
guarantee that named cannot start if there is no viable conf file, so
I'm leaning towards removing it.

I'm snipping the rest of your message because this should be enough to
get you going. My recommendation is that unless you've got a really
good reason to use /etc/named that you change your configuration
directory to /etc/namedb. Assuming you're up to date on RELENG_7 and
you've run mergemaster, you'll also want to update the directory
option in named.conf to $confdir/working and fully qualify the path
names to your files in named.conf. What I recommend to people is that
they start with the default named.conf and then use include statements
for local options. Also, if you want everything to work seamlessly
you'll need some symlinks in /usr/chroot/usr/local/etc. See the end of
the Makefile for the BIND port you're using for what to create. There
are probably other things that I'm forgetting, please feel free to
report back if you find something interesting.


Good luck,

Doug

-- 

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

	Computers are useless. They can only give you answers.
			-- Pablo Picasso
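The symlink chicken-and-egg problem and the "everything relative to the chroot" rule above, as an added example. This is not code from the thread, from FreeBSD's rc.d/named script, or from the BIND port; it is a small POSIX sh helper that creates the host-side symlink before the rc.d script's required_files check runs, and then validates the configuration with BIND's own chroot option (named-checkconf -t). Assumptions: the chroot-relative configuration directory is /etc/namedb (the FreeBSD default Doug recommends); the optional HOSTROOT prefix exists only so the host-side path can be sandboxed for testing; readlink is available (it is on FreeBSD and GNU systems, though it is not strictly POSIX).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.d/named script.
# It prepares the host-side symlink that the rc.d script's required_files
# check needs to see before the script itself would create it, and then
# validates the configuration the way the chrooted named will read it.
# Assumptions: the chroot-relative config directory is /etc/namedb (the
# FreeBSD default discussed in the thread); HOSTROOT is an optional prefix
# used only to sandbox the host-side path for testing; `readlink` is
# available (it is on FreeBSD and GNU systems, though not strictly POSIX).

# ensure_chroot_confdir CHROOTDIR CONFDIR [HOSTROOT]
#   Creates CHROOTDIR/CONFDIR (plus the "working" subdirectory that the
#   named.conf "directory" option should point at) and turns HOSTROOT/CONFDIR
#   into a symlink to it.  Idempotent; replaces a stale symlink; refuses
#   (exit 1, nothing touched) when HOSTROOT/CONFDIR is a real directory with
#   content, so a live configuration is never deleted by mistake.
ensure_chroot_confdir() {
    chrootdir=$1
    confdir=$2
    hostroot=${3:-}
    target="${chrootdir}${confdir}"
    link="${hostroot}${confdir}"

    mkdir -p "$target/working" || return 2

    if [ -L "$link" ]; then
        if [ "$(readlink "$link")" = "$target" ]; then
            return 0                       # already correct, nothing to do
        fi
        rm -f "$link"                      # stale link, e.g. an old chrootdir
    elif [ -d "$link" ]; then
        if [ -n "$(ls -A "$link")" ]; then
            echo "ensure_chroot_confdir: $link is a real directory;" \
                 "move its contents into $target first" >&2
            return 1
        fi
        rmdir "$link"                      # empty placeholder directory
    elif [ -e "$link" ]; then
        rm -f "$link"                      # some other stray file
    fi

    mkdir -p "$(dirname "$link")" && ln -s "$target" "$link"
}

# chroot_conf_path CHROOTDIR CONFFILE
#   named_conf is given relative to the chroot (e.g. /etc/namedb/named.conf);
#   this prints where that file actually lives on the host.
chroot_conf_path() {
    printf '%s%s\n' "$1" "$2"
}

# check_named_conf CHROOTDIR CONFFILE
#   Parse the config with the same chroot named will use, so the "directory"
#   and "include" paths resolve as named sees them.  named-checkconf -t is
#   BIND's own chroot option.  If the tool is not installed the check is
#   skipped with a warning rather than reported as a failure.
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$1" "$2"
    else
        echo "named-checkconf not found; skipping syntax check" >&2
    fi
}

# Typical use on the machine from the thread (commented out so the file
# can be sourced without side effects):
#   ensure_chroot_confdir /usr/chroot/named /etc/namedb
#   check_named_conf /usr/chroot/named /etc/namedb/named.conf
#   /etc/rc.d/named start
```

Run ensure_chroot_confdir once as root before the first /etc/rc.d/named start; afterwards it is a no-op, and the rc.d script's own named_symlink_enable handling keeps the link current. The refusal on a non-empty real directory is deliberate: the failure mode in the thread came from a host-side path that did not match the chroot, and the fix should never be to delete whatever happens to be at that path.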
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B3E53CE.3070403>