Date: Tue, 11 Mar 2003 08:43:33 -0600 From: Stephen Hilton <nospam@hiltonbsd.com> To: IAccounts <iaccounts@northnetworks.ca> Cc: ms@probsd.org, freebsd-questions@FreeBSD.ORG Subject: Re: difficulties with BIND going from 8.* to 9.* Message-ID: <20030311084333.1eb80a3e.nospam@hiltonbsd.com> In-Reply-To: <20030311090848.G66368-100000@diana.northnetworks.ca> References: <1086.192.168.1.4.1047347865.squirrel@webmail.probsd.org> <20030311090848.G66368-100000@diana.northnetworks.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 11 Mar 2003 09:12:35 -0500 (EST) IAccounts <iaccounts@northnetworks.ca> wrote: > > I decided today it was time to install bind9 from ports and I am have > > having some issues I need help with. Under 8.* I started BIND with the -u > > bind -g bind flags and a sockstat -4 showed named running as user bind. > > However, in 9.* I understand the -u bind flag is enough, but the server > > fails to start since it can open /var/run/named.pid. If I simply run the > > server with no -u flag, the server starts fine ( except denote below ). > > Although BIND is running in a jail() by itself, I'd still like for the > > server to run non-root. > > First, I would check to see who owns the named.pid file. Sounds like you > are logged in as root and when you start it with no -u flag, there is no > issue. This may be because root is the only one with write access on the > file. > > > 1. Mar 10 20:32:13 darken named[796]: couldn't add command channel > > 127.0.0.1#953: not found > > This one has to do with configuring rndc keys (as far as I know). I began > this process of doing this, but gave up when I ran out of time. BIND will > continue to run normally, but you will not be able to use the rndc > controls for it. (At least I cant). There are many docs on configuring > this in google. > > > > > 2. Mar 10 20:32:13 darken named[796]: dns_master_load: > > /usr/local/etc/namedb/192.168.0.in-addr.arpa.conf:1: extra input text > > Mar 10 20:32:13 darken named[796]: zone 0.168.192.in-addr.arpa/IN: loading > > master file /usr/local/etc/namedb/192.168.0.in-addr.arpa.conf: extra input > > text > > > > It is also important to note that I am using the same named.conf and zone > > files I did under 8.* > > Extract the conf files from 9 source, input your info manually and see if > that clears up these issues. Here is some information from a previous discussion of this topic. HTH ---------------- One thing that I have not resolved is the issue with man pages. The Bind 9 docs are in HTML so that should be your main reference. /usr/local/share/doc/bind9/arm/Bv9ARM.html Also a very good idea is to run Bind 9 chroot , my /etc/rc.conf entry looks like this: named_flags="-u bind -t /var/chroot/named" # Flags for chrooted named And then this link should help with basic setup (the file list I provided is more up2date, the email is old so some files locations to rename/remove have changed for FreeBSD 4.7) http://groups.google.com/groups?q=chroot+bind+group:mailing.freebsd.*&start=10&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aadvma%24ngg%241%40FreeBSD.csie.NCTU.edu.tw&rnum=12 ---------------------------snip------------------------------- CHROOT OVERVIEW What chroot essentially does is to create a "fake root" directory - from the perspective of the daemon, the whole file system is rooted at this "chroot" directory. Therefore the only files/directories the daemon can see, are those located within this directory. (In some ways this is not unlike the view of the filesystem given to ftp users when the default "ftp root" of an ftp server is set to something other than the "real" root directory.) FREEBSD DETAILS On FreeBSD, the default location for Bind's configuration files is /etc/namedb. Sometimes we also use a subdirectory /etc/namedb/s, this is used to create a "sandbox", which limits some of the access the named daemon has but not nearly as securely as using chroot. Bind9 now has a special feature which makes it a little easier to chroot, among other things eliminating the need to place shared libraries and other executables in the "chroot jail". Since Bind already exists in the base FreeBSD system, for thoroughness we should consider renaming the existing files in order to minimize confusion and mixed versions. Here is a list of files to consider renaming or removing: /usr/bin/dig /usr/bin/dnsquery /usr/bin/host /usr/libexec/dnskeygen /usr/libexec/named-xfer /usr/sbin/named /usr/sbin/ndc /usr/sbin/nslookup /usr/sbin/nsupdate For those who regularly rebuild their system from source, once you've installed an independent version of Bind it's best to configure your system to no longer build the version in the base system. This is done by adding the following entry to /etc/make.conf (if this file doesn't exist, just create it and add the following line - like rc.conf it only contains items which override default settings): NO_BIND= true We will move our configuration and other necessary files to /var/chroot/named, which will allow us to create logfiles within the chroot jail without filling up ie the / filesystem. Create the necessary directories and permissions: mkdir /var/chroot mkdir /var/chroot/named chown bind.bind /var/chroot/named chmod 750 /var/chroot/named cd /var/chroot/named mkdir etc mkdir etc/namedb mkdir var mkdir dev Create the special files and set permissions: cp -p /etc/localtime /var/chroot/named/etc cp -p /etc/syslog.conf /var/chroot/named/etc cd /var/chroot/named/dev mknod zero c 2 12 chmod 666 zero mknod random c 2 4 chmod 644 random mknod null c 2 2 chmod 666 null Create a chrooted syslog socket by adding or editing syslog parameters in /etc/rc.conf thusly: syslogd_flags="-s -l /var/chroot/named/dev/log" Build the distribution: - Extract the distribution into a suitable directory (I use /usr/local/src) - run ./configure and customize the destination paths if necessary. ./configure --sysconfdir=/etc/namedb Bear in mind that the "sysconfdir" is from the perspective of the chrooted daemon - thus make sure it is *relative* to the chrooted directory. Actually if you create a directory structure in the chrooted directory which is identical to the normal one as seen from /, you can leave all the path declarations at their defaults. I just chose to emulate the default named.conf location in FreeBSD. In my case the build process did not put any default files in /var/chroot/named/etc/namedb, so I copied the ones from the Bind8 installation in /etc/namedb: make-localhost, PROTO.localhost.rev, named.root. (make-localhost is used to create a localhost reverse zone) Setup rndc: rndc-confgen -a -t /var/chroot/named -u bind The above should create a rndc-key file under /etc and the chrooted configuration directory. Create rndc configuration strings: rndc-confgen >rndc.out Inside the file just created above are 2 clearly marked sections: one to place inside your named.conf file, and the other to form a new configuration file /etc/rndc.conf. If these files don't exist when Bind is started it will complain and exit. BIND9 CONFIGURATION DETAILS Most of Bind9 is similiar syntax-wise to Bind8, with a few notable exceptions. If you are customizing the logging parameters, bear in mind that Bind9 does not parse customized logging parameters immediately on startup. This means that regardless your customizations, startup messages will always go to the Bind default location. (syslog) Also the logging categories have changed, if you've customized the defaults don't forget to look at this. Check in section 6.2 of the Bind9 Administrators Reference Manual for complete details. Quick summary as of v9.2.0: Removed cname, db, eventlib, insists, load, maintenance, ncache, os, packet, panic, parser, response-checks, statistics New client, database, dispatch, dnssec, general, network, resolver, unmatched Remember that when you're running chrooted, logfiles need to be located somewhere under the chroot directory, and paths listed in named.conf are all relative to the chroot directory, not to the "real" root. Make sure the directories that Bind needs to write to (to backup zone files for secondary zones, and update the named.pid file) are writable to the user the daemon is running under. LAUNCHING THE DAEMON I prefer to stick with existing scripts so I can continue to use rc.conf to enable/disable Bind or modify launch parameters. To adapt it to our needs, make sure the following appears in rc.conf: named_enable="YES" named_program="/usr/local/sbin/named" named_flags="-u bind -t /var/chroot/named" (Bind9 has changed the meaning of the "-g" param, so make sure to remove it if it was there for Bind8. "-t" activates Bind9's special chroot feature.) Acknowledgements: Information on the necessary steps for this project was acquired from both ISC Bind documentation and certain posters on the comp.protocols.dns.bind newsgroup. In particular I want to acknowledge Will Yardley, Mark Andrews, Joseph Begumisa, "Exile" and Ralf Hildebrandt for his excellent piece on chrooting Bind on HP-UX 9/10 at http://www.stahl.bau.tu-bs.de/~hildeb/bind/. Bind9_FreeBSD_chroot.txt v0.9 2002-04-27 Phil Koenig <pjklist@ekahuna.com> ================================================= -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium ---------------------------snip------------------------------- Regards, Stephen Hilton nospam@hiltonbsd.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030311084333.1eb80a3e.nospam>