I'm in over my head a bit on these details, so appreciate the help.

> The smoking gun is in the hand of systemctl ...
Hadn't thought of that, but not surprised to hear it. I inherited this, and haven't yet monkeyed with systemd. But I can as needed.

Here's the systemd unit file for named:

cat named.service

[Unit]
Description=Bind9 DNS Server
After=syslog.target network-online.target
Before=named.target
Wants=network-online.target

[Service]
ExecStartPre=/opt/sbin/bind-chroot.sh /var/chroot/named rebuild
ExecStart=/opt/bind9/sbin/named -f -t "/var/chroot/named" -u named -c /etc/named.conf
ExecReload=/opt/sbin/bind-chroot.sh /var/chroot/named reload
ExecReload=/opt/bind9/sbin/rndc reload
ExecStop=/opt/bind9/sbin/rndc stop
ExecStopPost=/opt/sbin/bind-chroot.sh /var/chroot/named destroy
ReadOnlyDirectories=/etc
InaccessibleDirectories=/boot
InaccessibleDirectories=/home

[Install]
WantedBy=multi-user.target

And here's the chroot setup script. From the notes I did find, this was done specifically for this openSUSE system. I haven't set up a chroot on my own yet, but I do see the cp back & forth. Wonder if something's missing ...
cat /opt/sbin/bind-chroot.sh

#!/bin/bash
CHROOT="$1"

# Create the chroot directory tree, copy the configuration in, create the
# device nodes named needs, and set ownership and permissions.
build_chroot() {
    mkdir -p ${CHROOT}/dev
    mkdir -p ${CHROOT}/var/{run/named,log}
    mkdir -p ${CHROOT}/lib64/engines
    mkdir -p ${CHROOT}/etc
    mkdir -p ${CHROOT}/namedb/{master,slave,working}
    mkdir -p ${CHROOT}/keys/{managed-keys,DNSSEC}
    mkdir -p ${CHROOT}/includes
    mkdir -p ${CHROOT}/var/lib/GeoIP
    populate_chroot
    mknod -m 644 ${CHROOT}/dev/null c 1 3
    mknod -m 644 ${CHROOT}/dev/random c 1 8
    mknod -m 644 ${CHROOT}/dev/urandom c 1 9
    chown root:named ${CHROOT}
    chmod 750 ${CHROOT}
    chown -R named:named ${CHROOT}/namedb/{master,slave,working}
    chown named:named ${CHROOT}/var/{run,log}
    chown named:named ${CHROOT}/var/run/named
    chmod 755 ${CHROOT}/var/run/named
    chmod 666 ${CHROOT}/dev/{null,random,urandom}
    chown -R named:named ${CHROOT}/dev
}

# Copy config, keys, zone data, GeoIP data, the GOST engine library and the
# timezone file from the host into the chroot.
populate_chroot() {
    cp -a /opt/etc/named/includes/* ${CHROOT}/includes/
    cp -a /opt/etc/named/keys/* ${CHROOT}/keys/
    cp -a /opt/etc/named/named.{conf,cache} ${CHROOT}/etc/
    cp -a /opt/etc/named/namedb/* ${CHROOT}/namedb/
    cp -a /opt/etc/named/rndc.key ${CHROOT}/
    cp -a /var/lib/GeoIP/* ${CHROOT}/var/lib/GeoIP/
    cp /lib64/engines/libgost.so ${CHROOT}/lib64/engines/
    cp /etc/localtime ${CHROOT}/etc/
}

# Copy back what named may have changed while running (DNSSEC keys, signed
# zones, slave zones), then remove the chroot.
destroy_chroot() {
    cp -af ${CHROOT}/keys/DNSSEC/* /opt/etc/named/keys/DNSSEC/
    cp -af ${CHROOT}/namedb/master/*.signed /opt/etc/named/namedb/master/
    cp -af ${CHROOT}/namedb/slave/* /opt/etc/named/namedb/slave/
    umount --lazy ${CHROOT}/dev
    rm -rf ${CHROOT}
}

case "$2" in
    build)   build_chroot ;;
    destroy) destroy_chroot ;;
    rebuild) destroy_chroot
             build_chroot ;;
    reload)  populate_chroot ;;
    *)       exit 1 ;;
esac
exit 0

At the moment I'm looking suspiciously at that

ReadOnlyDirectories=/etc

Also need to re-read those comments above about in-zone & out-of-zone ....

Fwiw, afaict the server's working fine otherwise. I'm not seeing, well let's say not yet, any errors.
Jason

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
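One check a defender can run against the chroot this script builds, added here and not part of Jason's post or of BIND: it walks the layout bind-chroot.sh creates (etc/, includes/, keys/, rndc.key, dev/) and reports config or key files that are group- or world-writable, stray executables other than the engine .so, and device nodes other than null, random and urandom. The path names come from the script above; what counts as a finding is my assumption.

```shell
#!/bin/sh
# audit_named_chroot DIR
# Prints one line per finding for a BIND chroot laid out like the one
# bind-chroot.sh builds. Prints nothing when the chroot looks clean.
audit_named_chroot() {
    chroot_dir="$1"
    if [ ! -d "$chroot_dir" ]; then
        echo "ERROR: no such directory: $chroot_dir"
        return 1
    fi
    # 1. Config and key material that named itself can modify would let a
    #    compromised named rewrite its own configuration or rndc control key.
    #    -perm /022 matches any file with the group- or world-write bit set.
    find "$chroot_dir/etc" "$chroot_dir/includes" "$chroot_dir/keys" \
         "$chroot_dir/rndc.key" -type f -perm /022 2>/dev/null \
        | sed 's/^/WRITABLE: group- or world-writable: /'
    # 2. named -t needs no executables inside the chroot, only data files and
    #    the OpenSSL engine library it loads. Any other executable is a stray.
    find "$chroot_dir" -type f -perm /111 ! -name '*.so' 2>/dev/null \
        | sed 's/^/EXECUTABLE: unexpected executable: /'
    # 3. The script creates exactly three device nodes; report any others.
    find "$chroot_dir/dev" \( -type c -o -type b \) \
         ! -name null ! -name random ! -name urandom 2>/dev/null \
        | sed 's/^/DEVICE: unexpected node: /'
}

# Usage: audit_named_chroot.sh /var/chroot/named
if [ -n "${1:-}" ]; then
    audit_named_chroot "$1"
fi
```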