super_7b n00b
Joined: 23 Jun 2021 Posts: 13 Location: South Yorkshire
Posted: Thu Jan 04, 2024 8:36 pm Post subject: Difficulty setting up BIND in a chroot jail |
Hi All,
I am preparing to re-install my home server using Gentoo to replace an old CentOS 8 installation. To make this as pain-free as possible, I have built a dummy Gentoo machine under VirtualBox on a Windows 10 host so I can practise in a safe manner and get it right first time on the real installation.
The Gentoo basic installation (6.1.67-gentoo-x86_64) is working nicely using OpenRC rather than systemd, and I began my tests by trying to set up a BIND DNS server under a chroot jail.
I searched for information, but could not find anything very clear to me. The best I could find was in the Gentoo BIND Wiki, which seemed to indicate that I should install BIND in the "unjailed" way, then run an emerge --config.
I did the basic installation and followed the instructions printed out at the end:-
Code:
*
* You can edit /etc/conf.d/named to customize named settings
*
* If you'd like to run bind in a chroot AND this is a new
* install OR your bind doesn't already run in a chroot:
* 1) Uncomment and set the CHROOT variable in /etc/conf.d/named.
* 2) Run `emerge --config '=net-dns/bind-9.16.42'`
*
I then investigated if the system was setup correctly by issuing the following commands:-
Code:
[root@localhost:/]$ rc-service named checkconfig
* Checking named configuration ...
* No /chroot/dns/etc/bind/named.conf file exists!
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$ rc-service named checkzones
* Checking named configuration and zones ...
open: /etc/bind/named.conf: file not found [ !! ]
[root@localhost:/]$
I suspected some file(s) to be missing from the jail file tree because of the checkconfig error, but I knew that /etc/bind/named.conf existed, so I suspected that checkzones was implicitly searching within the jail.
I then investigated the basic installation directories under /etc/bind and compared them to those under /chroot/dns/etc/bind and found that the latter was empty.
The other directories (/chroot/dns/dev and /chroot/dns/var) were populated with what looked to be reasonable files and sub-directories when compared to my CentOS chrooted BIND.
Code:
[root@localhost:/]$ ls -l /etc/bind
total 12
-rw-r----- 1 root named 1991 Jan 4 19:32 bind.keys
lrwxrwxrwx 1 root root 18 Jan 4 19:32 dyn -> ../../var/bind/dyn
-rw-r----- 1 root named 4020 Jan 4 19:32 named.conf
lrwxrwxrwx 1 root root 18 Jan 4 19:32 pri -> ../../var/bind/pri
-rw-r----- 1 root named 100 Jan 4 16:10 rndc.key
lrwxrwxrwx 1 root root 18 Jan 4 19:32 sec -> ../../var/bind/sec
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$
[root@localhost:/]$ ls -lR /chroot/dns
/chroot/dns:
total 16
drwxr-xr-x 2 root root 4096 Jan 4 19:39 dev
drwxr-xr-x 3 root root 4096 Jan 4 19:39 etc
drwxr-xr-x 3 root root 4096 Jan 4 19:39 run
drwxr-xr-x 4 root root 4096 Jan 4 19:39 var
/chroot/dns/dev:
total 0
crw-rw-rw- 1 root root 1, 3 Jan 4 19:39 null
crw-rw-rw- 1 root root 1, 9 Jan 4 19:39 urandom
crw-rw-rw- 1 root root 1, 5 Jan 4 19:39 zero
/chroot/dns/etc:
total 4
drwxr-x--- 2 root named 4096 Jan 4 19:39 bind
/chroot/dns/etc/bind:
total 0
/chroot/dns/run:
total 4
drwxrwx--- 2 root named 4096 Jan 4 19:39 named
/chroot/dns/run/named:
total 0
/chroot/dns/var:
total 8
drwxrwx--- 2 root named 4096 Jan 4 19:39 bind
drwxr-xr-x 3 root root 4096 Jan 4 19:39 log
/chroot/dns/var/bind:
total 0
/chroot/dns/var/log:
total 4
drwxrwx--- 2 root named 4096 Jan 4 19:39 named
/chroot/dns/var/log/named:
total 0
I could copy/create the missing files, but I'm a bit confused why the emerge --config seems to only set up part of what I'd expect.
I'm also not sure why there are files left outside of the jail. I thought they would all be in the jail, with just /etc/bind/named.conf remaining in the normal tree, perhaps as a symlink to the "real" one in the jail.
I'm not any kind of BIND expert, so I would appreciate any help in configuring my BIND correctly.
BR
Mick
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3918
Posted: Thu Jan 04, 2024 9:37 pm Post subject: |
I only tried running named in chroot once and I had the exact same problem.
Namely I had to copy
/etc/bind and /var/bind
to <chroot>/etc/bind and <chroot>/var/bind.
It is like that. Maybe a glitch.
Why don't you open a bug report?
super_7b n00b
Joined: 23 Jun 2021 Posts: 13 Location: South Yorkshire
Posted: Thu Jan 04, 2024 10:13 pm Post subject: |
I could copy the files, as I originally mentioned, but I wondered if this was the "official" way. Perhaps I was missing some step(s) that would set it up correctly automatically.
I will copy the files and see if that allows BIND to fire up.
I'd still like confirmation if anyone has a firm answer.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 882
Posted: Fri Jan 05, 2024 10:34 am Post subject: |
I'm not sure about the official way, but I've been running BIND on Gentoo in a chroot for as long as I can remember.
My setup:
/etc/conf.d/named (relevant parts only)
Code:
CHROOT="/opt/chroot/named"
CHROOT_NOMOUNT="1"
PIDFILE="${CHROOT}/var/run/named/named.pid"
Files in /opt/chroot/named (some files have been removed from the listing because they are specific to my setup)
Code:
/opt/chroot/named # ls -lR
.:
total 16
drwxr-xr-x 2 root root 4096 Aug 12 2019 dev
drwxr-xr-x 3 root root 4096 Oct 16 2017 etc
drwxr-xr-x 3 root root 4096 Oct 15 2017 run
drwxr-xr-x 6 root root 4096 Oct 21 2017 var
./dev:
total 0
crw-rw-rw- 1 root root 1, 3 Oct 15 2017 null
crw-rw-rw- 1 root root 1, 8 Oct 15 2017 random
crw-r--r-- 1 root root 1, 9 Oct 12 2017 urandom
crw-rw-rw- 1 root root 1, 5 Oct 15 2017 zero
./etc:
total 8
drwxr-x--- 2 root named 4096 Sep 4 15:45 bind
-rw-r--r-- 1 root root 2933 Dec 16 13:12 localtime
./etc/bind:
total 96
-rw-r--r-- 1 root root 5392 Feb 5 2022 named.conf
< removed from listing: Key files >
./run:
total 4
drwxrwx--- 2 root named 4096 Oct 19 2017 named
./run/named:
total 0
./var:
total 16
drwxr-xr-x 2 root root 4096 Oct 16 2017 bind
drwxr-xr-x 3 root root 4096 Oct 15 2017 log
drwxrwx--- 5 root named 4096 Jan 5 10:42 named
drwxrwx--- 3 root named 4096 Oct 21 2017 run
./var/bind:
total 0
./var/log:
total 4
drwxrwx--- 2 root named 4096 Oct 15 2017 named
./var/log/named:
total 0
./var/named:
total 112
< Removed from listing: my zone files + dnssec keys >
./var/run:
total 4
drwxrwx--- 2 root named 4096 Dec 23 10:33 named
./var/run/named:
total 8
-rw-r--r-- 1 named named 4 Dec 23 10:33 named.pid
-rw------- 1 named named 102 Dec 23 10:33 session.key
For a basic configuration copying the shipped files into the chroot should give you a good starting point.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
super_7b n00b
Joined: 23 Jun 2021 Posts: 13 Location: South Yorkshire
Posted: Fri Jan 05, 2024 3:24 pm Post subject: |
Thanks to alamahant and pa4wdh for the pointers.
I have done as pa4wdh suggested and also added a couple of zone files. As a result, "rc-service named checkconfig" and "rc-service named checkzones" return good results.
My further questions to pa4wdh are:-
1) Do you still have the directories and associated files "/var/bind" and "/etc/bind"? If they are not needed, I would rather remove them so there can be no confusion if later editing is needed.
2) I wonder if there needs to be an external link to the working "/etc/bind/named.conf" in the chroot jail? Perhaps a symlink in a top-level "/etc/bind" directory to the file in the chroot jail, in case other applications need to be able to access the working file?
Thanks
Mick
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 882
Posted: Wed Jan 10, 2024 9:27 am Post subject: |
Sorry for my late response
Quote:
1) Do you still have the directories and associated files "/var/bind" and "/etc/bind"? If they are not needed, I would rather remove them so there can be no confusion if later editing is needed.
You don't need these directories if you do not intend to run bind outside a chroot jail. Keep in mind that they might be created by the ebuild, so you'll probably have to INSTALL_MASK them to make sure they don't come back after a bind update.
Quote:
2) I wonder if there needs to be an external link to the working "/etc/bind/named.conf" in the chroot jail? Perhaps a symlink in a top-level "/etc/bind" directory to the file in the chroot jail, in case other applications need to be able to access the working file?
This is not needed for named.conf, but it is often done for the rndc key when you wish to use rndc to control the bind instance inside the chroot.
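An added example (not code from this thread, from Gentoo's bind ebuild, or from its OpenRC script) that puts pa4wdh's two replies into one POSIX shell script: it copies the shipped /etc/bind and /var/bind into the jail (the step the OP found emerge --config had not done), checks the jail for what "rc-service named checkconfig" complained about, and links the rndc key from the host back into the jail as the second reply suggests. The source root and the jail path are parameters so the whole thing can be rehearsed in a scratch directory before it is run against /; ownership, device nodes and named-checkconf only run as root. The function names, the "named" user and group, and the sample files the usage builds are this example's own assumptions; the device numbers are the ones in the listings above.

```shell
#!/bin/sh
# Added example, not from the thread or from Gentoo's bind packaging.
# populate_bind_chroot, verify_bind_chroot and link_rndc_key are names
# chosen here; the "named" user/group is assumed to exist on the real box.
set -eu

# Directory skeleton seen in both "ls -lR" listings in this thread.
JAIL_DIRS="dev etc/bind run/named var/bind var/log/named"

# populate_bind_chroot SRC_ROOT JAIL
#   SRC_ROOT  root of the unjailed tree ("/" on a real system)
#   JAIL      jail directory, e.g. /chroot/dns
populate_bind_chroot() {
    src=$1; jail=$2
    for d in $JAIL_DIRS; do mkdir -p "$jail/$d"; done
    # -R recurse, -P copy symlinks as symlinks, -p keep mode and timestamps.
    # Gentoo's /etc/bind/{pri,sec,dyn} are relative links (../../var/bind/pri
    # ...), so copied unchanged they resolve inside the jail, not on the host.
    cp -RPp "$src/etc/bind/." "$jail/etc/bind/"
    cp -RPp "$src/var/bind/." "$jail/var/bind/"
    if [ "$(id -u)" -eq 0 ]; then
        # Ownership as in the OP's listing: config root:named, writable
        # run/log/zone directories for the named user. Root only.
        if getent group named >/dev/null 2>&1; then
            chown -R root:named "$jail/etc/bind" "$jail/var/bind"
            chown -R named:named "$jail/run/named" "$jail/var/log/named"
            chmod 750 "$jail/etc/bind"
            chmod 770 "$jail/var/bind" "$jail/run/named" "$jail/var/log/named"
        fi
        # Character devices named needs; major/minor taken from the listings.
        [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
        [ -c "$jail/dev/zero" ]    || mknod -m 666 "$jail/dev/zero"    c 1 5
        [ -c "$jail/dev/random" ]  || mknod -m 666 "$jail/dev/random"  c 1 8
        [ -c "$jail/dev/urandom" ] || mknod -m 666 "$jail/dev/urandom" c 1 9
    fi
}

# verify_bind_chroot JAIL
#   Returns 0 when the jail holds what the init script's checkconfig looks
#   for, otherwise prints each missing piece and returns 1. An empty
#   <jail>/etc/bind, as the OP found it, fails; a populated one passes.
verify_bind_chroot() {
    jail=$1; rc=0
    [ -f "$jail/etc/bind/named.conf" ] || { echo "missing $jail/etc/bind/named.conf"; rc=1; }
    for d in $JAIL_DIRS; do
        [ -d "$jail/$d" ] || { echo "missing directory $jail/$d"; rc=1; }
    done
    # Links under etc/bind must neither dangle nor point at an absolute
    # host path: an absolute target is not visible to the chrooted named.
    for l in "$jail"/etc/bind/*; do
        [ -L "$l" ] || continue
        [ -e "$l" ] || { echo "dangling link $l -> $(readlink "$l")"; rc=1; }
        case $(readlink "$l") in
            /*) echo "absolute link $l -> $(readlink "$l") is unusable inside the jail"; rc=1 ;;
        esac
    done
    # Same parse the init script does; -t chroots first, so the path is jail-relative.
    if [ "$rc" -eq 0 ] && [ "$(id -u)" -eq 0 ] && command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$jail" /etc/bind/named.conf || rc=1
    fi
    return $rc
}

# link_rndc_key JAIL HOST_ROOT
#   rndc on the host reads /etc/bind/rndc.key; make that a symlink to the
#   copy the jailed named uses, so both sides share one secret. This link
#   lives on the host and points into the jail, never the other way round.
link_rndc_key() {
    jail=$1; host=$2
    mkdir -p "$host/etc/bind"
    rm -f "$host/etc/bind/rndc.key"
    ln -s "$jail/etc/bind/rndc.key" "$host/etc/bind/rndc.key"
}

# On the real box, as root:
#   populate_bind_chroot / /chroot/dns && link_rndc_key /chroot/dns / && verify_bind_chroot /chroot/dns
# Then, as pa4wdh notes, stop the ebuild from re-creating the host copies
# on the next update with INSTALL_MASK="/etc/bind /var/bind" in /etc/portage/make.conf.
```

The verify step is the part worth keeping around: it reproduces the OP's failure (empty etc/bind in the jail) without starting named, and it catches a mistake the listings cannot show, a symlink whose absolute target is fine on the host but points nowhere once named has chrooted.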
super_7b n00b
Joined: 23 Jun 2021 Posts: 13 Location: South Yorkshire
Posted: Wed Jan 10, 2024 7:38 pm Post subject: |
Hi pa4wdh
Thanks for the reply. That's very clear.
I will tidy up as you suggest and make the link for the rndc key.
BR
Mick