bind update keeps messing up write-rights

Gijs info at boer-software-en-webservices.nl
Sun Jul 20 19:44:28 UTC 2008


Ed Warner wrote:
>> Message: 9
>> Date: Sat, 19 Jul 2008 19:50:26 +0200
>> From: Gijs <info at boer-software-en-webservices.nl>
>> Subject: Re: bind update keeps messing up write-rights
>> To: For users of Fedora <fedora-list at redhat.com>
>> Message-ID: <48822962.5080202 at boer-software-en-webservices.nl>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Ed Warner wrote:
>>> Message: 7
>>> Date: Sat, 19 Jul 2008 06:26:53 -0400
>>> From: "Christopher K. Johnson" <ckjohnson at gwi.net>
>>> Subject: Re: bind update keeps messing up write-rights
>>> To: For users of Fedora <fedora-list at redhat.com>
>>> Message-ID: <4881C16D.7010606 at gwi.net>
>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>
>>> Gijs wrote:
>>>> Sam Varshavchik wrote:
>>>>> Gijs writes:
>>>>>> Hey List,
>>>>>>
>>>>>> Not sure why this is happening so perhaps someone can explain this to me.
>>>>>> Whenever I update bind it messes up/resets access rights on my zone files. Now normally this wouldn't be a bad thing, but because I have dynamic updates on, for which named creates journalizing files, I end up having non-writeable journalizing files. So after every update I end up having to manually change the access rights on my jnl files.
>>>>>>
>>>>>> Is anyone else having the same problem and/or is it supposed to be like this?
>>>>>
>>>>> You must have bind configured to run in chroot.
>>>>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you have chroot configured, it runs this lovely bit of code:
>>>>>    chown -h root:named /var/named/* >/dev/null 2>&1;
>>>>>    chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;
>>>>>    chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
>>>>>    chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;
>>>>>    chown -h named:named /var/log/named.log >/dev/null 2>&1;
>>>>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;
>>>>>    chmod 750 ${pfx}/var/named >/dev/null 2>&1;
>>>>>    chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
>>>>>    chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
>>>>>    chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
>>>>>    chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>>>>    chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>>>>>    chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
>>>>>    chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
>>>>>    chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
>>>>> Lovely.
>>>>>
>>>> Heh, that's indeed lovely. And yea, I've got named configured to run in chroot as it is the default nowadays (at least on Fedora).
>>>>
>>> You should note that the 'dynamic' subfolder contents are set to mode 660.
>>> Move your updateable zone files there and update the referenced paths in named.conf accordingly.
>>>
>>> Chris
>>>
>>> Could you clarify your statement for me please?
>>>
>>> 1. Other than my zone files, what else goes into /var/named/chroot/var/named/dynamic ?
>>> 2. My named.conf resides in /var/named/chroot/etc, so I need to make changes to point to the path --> /var/named/chroot/var/named/dynamic ?
>>> Thanks
>>
>> I cannot really clarify point 1, but I can somewhat clarify point 2.
>> In my named.conf I now have the following:
>> zone "0.168.192.in-addr.arpa" IN {
>>         type master;
>>         file "dynamic/named.0.168.192";
>>         allow-update { key rndc; };
>> };
>>
>> zone "home" IN {
>>         type master;
>>         file "dynamic/home.zone";
>>         allow-update { key rndc; };
>> };
>>
>> This allows named to find the zone files inside the dynamic folder.
>> Also, /var/named/chroot/etc/named.conf has a hardlink to /etc/named.conf so that might be somewhat easier to type next time you want to edit that file :). And because named is running inside a chroot, you cannot set the path to "/var/named/chroot/var/named/dynamic" inside the named.conf.
>> For named, the chroot basically means that everything is running from the /var/named/chroot directory. In other words, if you refer to /var/named/dynamic inside your named.conf, it actually refers to /var/named/chroot/var/named/dynamic.
>>
>> Hope this makes sense :)
>>
>
> It made sense, thanks. I changed my named.conf file and relocated my zone files and it seems to work except for a message I get when I restart named.
>
> It says my working directory is not writable. My directory in named.conf is "/var/named". Is this the directory the warning is coming from? What should the permissions be?
> Thanks
If you have zone files that need to be changed dynamically (which I 
assume you have, since named wants to write something), you need to put 
them into /var/named/chroot/var/named/dynamic. And as in my former 
reply, change the "file" option of your zone file to 
"dynamic/name_of_your_zonefile.zone". After you restart named, it 
shouldn't be warning you about a directory not being writeable, since 
the dynamic directory is writeable specifically for the purpose of 
dynamic zone files.

The permissions I have on my directories should be the same as on your 
system, but here they are:
[root at poseidon var]# ls -ld named/
drwxrwx--- 5 root named 4096 2008-07-19 13:20 named/
[root at poseidon var]# ls -l named/ | grep "^d"
drwxrwx--- 2 named named 4096 2004-08-25 22:51 data
drwxrwx--- 2 named named 4096 2008-07-19 13:20 dynamic
drwxrwx--- 2 named named 4096 2004-07-27 16:57 slaves
