AccessD

Caching DNS


I'm setting this up for educational purposes.

The server sits in a sandbox and is supposed to run as named.

Here's the problem: at system startup it starts, tries to open its logs, finds that it has no permissions on them, and quietly disappears. No warnings at all. Here's what's in /var/log/messages:

Quote:

Feb 8 18:16:34 deck named[3738]: starting BIND 9.3.2 -t /var/lib/named -u named
Feb 8 18:16:34 deck named[3738]: found 1 CPU, using 1 worker thread
Feb 8 18:16:34 deck named[3738]: loading configuration from '/etc/named.conf'
Feb 8 18:16:34 deck named[3738]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 8 18:16:34 deck named[3738]: listening on IPv4 interface eth0, 192.168.38.242#53
Feb 8 18:16:34 deck named[3738]: command channel listening on 127.0.0.1#953
Feb 8 18:16:34 deck named[3738]: command channel listening on ::1#953
Feb 8 18:16:34 deck named[3738]: logging channel 'log_file' file '/var/lib/named/log/named.log': permission denied
Feb 8 18:16:34 deck named[3738]: isc_log_open '/var/lib/named/log/named.log' failed: permission denied

That's it, no more named. Meanwhile nscd is running.

OK, I start it myself:

deck:/var/lib/named/log # named -u named

I look at the log:

Quote:

Feb 8 18:27:06 deck named[6206]: starting BIND 9.3.2 -u named
Feb 8 18:27:06 deck named[6206]: found 1 CPU, using 1 worker thread
Feb 8 18:27:06 deck named[6206]: loading configuration from '/etc/named.conf'
Feb 8 18:27:06 deck named[6206]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 8 18:27:06 deck named[6206]: listening on IPv4 interface eth0, 192.168.38.242#53
Feb 8 18:27:06 deck named[6206]: listening on IPv4 interface vmnet1, 172.16.134.1#53
Feb 8 18:27:06 deck named[6206]: listening on IPv4 interface vmnet8, 192.168.70.1#53
Feb 8 18:27:06 deck named[6206]: listening on IPv4 interface dsl0, 89.bla.bla.bla#53
Feb 8 18:27:06 deck named[6206]: command channel listening on 127.0.0.1#953
Feb 8 18:27:06 deck named[6206]: command channel listening on ::1#953

In named's own log:

Quote:

zone 0.0.127.in-addr.arpa/IN: loaded serial 42
zone localhost/IN: loaded serial 42
running

It opened its logs and works.

The main thing is that the owner of /var/lib/named and everything under it is named. Yet at boot it thinks it has no permissions..

What could be going on here?

The named.conf config:

Quote:

acl "endnets" { 127.0.0.1; 192.168.0.0/16; };

options {
    directory "/var/lib/named";
    pid-file "named.pid";
    allow-query { "endnets"; };
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    notify no;
    include "/etc/named.d/forwarders.conf";
};

zone "." in {
    type hint;
    file "named.root";
};

zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
    notify no;
};

logging {
    category queries { log_file; };
    category xfer-in { log_file; };
    category xfer-out { log_file; };
    category default { log_file; };
    channel log_file { file "/var/lib/named/log/named.log" size 0M; };
};


accessd@deck:/var/lib> sudo -u named /usr/sbin/named
accessd@deck:/var/lib> ps -e | grep named
 8168 ?        00:00:00 named

Here's an excerpt from /var/log/messages:

Quote:

Feb 8 23:09:09 deck sudo: accessd : TTY=pts/2 ; PWD=/var/lib ; USER=named ; COMMAND=/usr/sbin/named
Feb 8 23:09:09 deck named[8168]: starting BIND 9.3.2
Feb 8 23:09:09 deck named[8168]: found 1 CPU, using 1 worker thread
Feb 8 23:09:10 deck named[8168]: loading configuration from '/etc/named.conf'
Feb 8 23:09:10 deck named[8168]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 8 23:09:10 deck named[8168]: could not listen on UDP socket: permission denied
Feb 8 23:09:10 deck named[8168]: creating IPv4 interface lo failed; interface ignored
Feb 8 23:09:10 deck named[8168]: listening on IPv4 interface eth0, 192.168.38.242#53
Feb 8 23:09:10 deck named[8168]: could not listen on UDP socket: permission denied
Feb 8 23:09:10 deck named[8168]: creating IPv4 interface eth0 failed; interface ignored
Feb 8 23:09:10 deck named[8168]: listening on IPv4 interface vmnet1, 172.16.134.1#53
Feb 8 23:09:10 deck named[8168]: could not listen on UDP socket: permission denied
Feb 8 23:09:10 deck named[8168]: creating IPv4 interface vmnet1 failed; interface ignored
Feb 8 23:09:10 deck named[8168]: listening on IPv4 interface vmnet8, 192.168.70.1#53
Feb 8 23:09:10 deck named[8168]: could not listen on UDP socket: permission denied
Feb 8 23:09:10 deck named[8168]: creating IPv4 interface vmnet8 failed; interface ignored
Feb 8 23:09:10 deck named[8168]: listening on IPv4 interface dsl0, 89.169.133.56#53
Feb 8 23:09:10 deck named[8168]: could not listen on UDP socket: permission denied
Feb 8 23:09:10 deck named[8168]: creating IPv4 interface dsl0 failed; interface ignored
Feb 8 23:09:10 deck named[8168]: not listening on any interfaces
Feb 8 23:09:10 deck named[8168]: couldn't add command channel 127.0.0.1#953: permission denied
Feb 8 23:09:10 deck named[8168]: couldn't add command channel ::1#953: permission denied

It's running, but it doesn't work.

There's another problem as well:

if I start named as

# named -u named

at first it resolves and everything is fine, but after a while it starts to get sluggish, i.e. it resolves addresses that aren't in the cache only on the third or fourth try, and then stops altogether. Not a word in the logs. Nothing to go on..


It looks like when started as named -u named it first binds the sockets and opens the logs, and only then drops root privileges. So the system startup script should start it in the same form. By the way, in the Gentoo scripts the user is also given in the arguments to named itself, not via a start-stop-daemon option.

Quote:

at first it resolves and everything is fine, but after a while it starts to get sluggish, i.e. it resolves addresses that aren't in the cache only on the third or fourth try, and then stops altogether. Not a word in the logs. Nothing to go on..

And what's in the logs? If you raise the log/debug level in the config.


Here's the mess we end up with:

Quote:

accessd@deck:/var/lib/named> sudo -u named /usr/sbin/named -d 3
named's password:
accessd@deck:/var/lib/named> ps -e | grep named
 7658 ?        00:00:00 named
accessd@deck:/var/lib/named> cat named.run
09-Feb-2007 22:48:12.134 set maximum stack size to 4294967295: success
09-Feb-2007 22:48:12.135 set maximum data size to 4294967295: success
09-Feb-2007 22:48:12.135 set maximum core size to 4294967295: success
09-Feb-2007 22:48:12.135 set maximum open files to 8192: success
09-Feb-2007 22:48:12.136 listening on IPv4 interface lo, 127.0.0.1#53
09-Feb-2007 22:48:12.136 clientmgr @0x80075020: create
09-Feb-2007 22:48:12.136 could not listen on UDP socket: permission denied
09-Feb-2007 22:48:12.136 clientmgr @0x80075020: destroy
09-Feb-2007 22:48:12.136 clientmgr @0x80075020: clientmgr_destroy
09-Feb-2007 22:48:12.136 creating IPv4 interface lo failed; interface ignored
09-Feb-2007 22:48:12.136 listening on IPv4 interface eth0, 192.168.38.242#53
09-Feb-2007 22:48:12.136 clientmgr @0x80075020: create
09-Feb-2007 22:48:12.136 could not listen on UDP socket: permission denied
09-Feb-2007 22:48:12.137 clientmgr @0x80075020: destroy
09-Feb-2007 22:48:12.137 clientmgr @0x80075020: clientmgr_destroy
09-Feb-2007 22:48:12.137 creating IPv4 interface eth0 failed; interface ignored
09-Feb-2007 22:48:12.137 listening on IPv4 interface vmnet1, 172.16.134.1#53
09-Feb-2007 22:48:12.137 clientmgr @0x80075020: create
09-Feb-2007 22:48:12.137 could not listen on UDP socket: permission denied
09-Feb-2007 22:48:12.137 clientmgr @0x80075020: destroy
09-Feb-2007 22:48:12.137 clientmgr @0x80075020: clientmgr_destroy
09-Feb-2007 22:48:12.137 creating IPv4 interface vmnet1 failed; interface ignored
09-Feb-2007 22:48:12.159 listening on IPv4 interface vmnet8, 192.168.70.1#53
09-Feb-2007 22:48:12.160 clientmgr @0x80075020: create
09-Feb-2007 22:48:12.160 could not listen on UDP socket: permission denied
09-Feb-2007 22:48:12.160 clientmgr @0x80075020: destroy
09-Feb-2007 22:48:12.160 clientmgr @0x80075020: clientmgr_destroy
09-Feb-2007 22:48:12.160 creating IPv4 interface vmnet8 failed; interface ignored
09-Feb-2007 22:48:12.160 listening on IPv4 interface dsl0, 89.169.133.56#53
09-Feb-2007 22:48:12.160 clientmgr @0x80075020: create
09-Feb-2007 22:48:12.160 could not listen on UDP socket: permission denied
09-Feb-2007 22:48:12.160 clientmgr @0x80075020: destroy
09-Feb-2007 22:48:12.160 clientmgr @0x80075020: clientmgr_destroy
09-Feb-2007 22:48:12.160 creating IPv4 interface dsl0 failed; interface ignored
09-Feb-2007 22:48:12.160 not listening on any interfaces
09-Feb-2007 22:48:12.163 res 0x8008bc90: create
09-Feb-2007 22:48:12.164 dns_requestmgr_create
09-Feb-2007 22:48:12.164 dns_requestmgr_create: 0x800a31e8
09-Feb-2007 22:48:12.164 dns_requestmgr_whenshutdown
09-Feb-2007 22:48:12.165 res 0x800a8380: create
09-Feb-2007 22:48:12.165 dns_requestmgr_create
09-Feb-2007 22:48:12.165 dns_requestmgr_create: 0x800abca8
09-Feb-2007 22:48:12.165 dns_requestmgr_whenshutdown
09-Feb-2007 22:48:12.166 couldn't add command channel 127.0.0.1#953: permission denied
09-Feb-2007 22:48:12.166 couldn't add command channel ::1#953: permission denied
09-Feb-2007 22:50:15.821 starting BIND 9.3.2 -d 3
09-Feb-2007 22:50:15.822 found 1 CPU, using 1 worker thread
09-Feb-2007 22:50:15.829 loading configuration from '/etc/named.conf'
09-Feb-2007 22:50:15.830 set maximum stack size to 4294967295: success
09-Feb-2007 22:50:15.831 set maximum data size to 4294967295: success
09-Feb-2007 22:50:15.831 set maximum core size to 4294967295: success
09-Feb-2007 22:50:15.831 set maximum open files to 8192: success
09-Feb-2007 22:50:15.831 listening on IPv4 interface lo, 127.0.0.1#53
09-Feb-2007 22:50:15.832 clientmgr @0x80075218: create
09-Feb-2007 22:50:15.833 could not listen on UDP socket: permission denied
09-Feb-2007 22:50:15.833 clientmgr @0x80075218: destroy
09-Feb-2007 22:50:15.833 clientmgr @0x80075218: clientmgr_destroy
09-Feb-2007 22:50:15.833 creating IPv4 interface lo failed; interface ignored
09-Feb-2007 22:50:15.833 listening on IPv4 interface eth0, 192.168.38.242#53
09-Feb-2007 22:50:15.833 clientmgr @0x80075218: create
09-Feb-2007 22:50:15.834 could not listen on UDP socket: permission denied
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: destroy
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: clientmgr_destroy
09-Feb-2007 22:50:15.834 creating IPv4 interface eth0 failed; interface ignored
09-Feb-2007 22:50:15.834 listening on IPv4 interface vmnet1, 172.16.134.1#53
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: create
09-Feb-2007 22:50:15.834 could not listen on UDP socket: permission denied
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: destroy
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: clientmgr_destroy
09-Feb-2007 22:50:15.834 creating IPv4 interface vmnet1 failed; interface ignored
09-Feb-2007 22:50:15.834 listening on IPv4 interface vmnet8, 192.168.70.1#53
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: create
09-Feb-2007 22:50:15.834 could not listen on UDP socket: permission denied
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: destroy
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: clientmgr_destroy
09-Feb-2007 22:50:15.834 creating IPv4 interface vmnet8 failed; interface ignored
09-Feb-2007 22:50:15.834 listening on IPv4 interface dsl0, 89.169.133.56#53
09-Feb-2007 22:50:15.834 clientmgr @0x80075218: create
09-Feb-2007 22:50:15.835 could not listen on UDP socket: permission denied
09-Feb-2007 22:50:15.930 clientmgr @0x80075218: destroy
09-Feb-2007 22:50:15.930 clientmgr @0x80075218: clientmgr_destroy
09-Feb-2007 22:50:15.930 creating IPv4 interface dsl0 failed; interface ignored
09-Feb-2007 22:50:15.930 not listening on any interfaces
09-Feb-2007 22:50:15.933 res 0x8008bc90: create
09-Feb-2007 22:50:15.934 dns_requestmgr_create
09-Feb-2007 22:50:15.934 dns_requestmgr_create: 0x800a31e8
09-Feb-2007 22:50:15.934 dns_requestmgr_whenshutdown
09-Feb-2007 22:50:15.934 res 0x800a83e0: create
09-Feb-2007 22:50:15.935 dns_requestmgr_create
09-Feb-2007 22:50:15.935 dns_requestmgr_create: 0x800abcb8
09-Feb-2007 22:50:15.935 dns_requestmgr_whenshutdown
09-Feb-2007 22:50:15.935 couldn't add command channel 127.0.0.1#953: permission denied
09-Feb-2007 22:50:15.936 couldn't add command channel ::1#953: permission denied

So the daemon is running, but "not listening on any interfaces".

In short, the same as in my previous message. What's interesting is something else:

(moving on)

Quote:

accessd@deck:/var/lib/named> su
Пароль:
deck:/var/lib/named # kill 7658
deck:/var/lib/named # rm named.run
deck:/var/lib/named # named -d 3 -u named
deck:/var/lib/named # ps -e | grep named
 7708 ?        00:00:00 named
deck:/var/lib/named # ls
127.0.0.zone  dyn  localhost.zone  master  named.root  slave
dev  etc  log  named.pid  root.hint  var

There's no debug log! It doesn't create it..


Hmm... rather than guessing, it would have been worth reading the named man page :)

-u user

setuid() to user after completing privileged operations, such as creating sockets that listen on privileged ports.

As for the debug output, AFAIK it goes to syslog, so it shouldn't create anything.

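The man page sentence above is the whole story behind the two failure modes in this thread, and the ordering is worth seeing in code. The following is an added example, not from the thread or from BIND: it performs the privileged step (binding a UDP socket) first, then drops to an unprivileged uid/gid the way named -u does, and then checks that root cannot be regained. The sudo -u named variant from earlier in the thread corresponds to drop_then_bind: the identity is switched before the daemon ever runs, so every bind to port 53 fails. The port, host and identity used here are chosen so the demo also runs without root (binding an ephemeral port needs no privilege, and a process may always setuid to its own uid); unprivileged_identity and the "nobody" fallback are assumptions of this example.

```python
"""Bind first, then drop privileges: the order that `named -u` relies on."""
import errno
import os
import pwd
import socket


def bind_udp(host, port):
    """Create the listening socket. For port < 1024 this is the privileged
    operation (root or CAP_NET_BIND_SERVICE), so it must precede the drop."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    return s


def drop_privileges(uid, gid):
    """Switch irreversibly to uid/gid; return True if root cannot be regained."""
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    if os.geteuid() == 0:
        os.setgroups([])   # supplementary groups would otherwise survive setuid()
    os.setgid(gid)         # gid first: after setuid() we could no longer change it
    os.setuid(uid)         # sets real, effective and saved uid for an unprivileged caller
    try:
        os.setuid(0)       # must fail now; if it succeeds the drop was incomplete
    except PermissionError:
        return True
    return False


def start_then_drop(port, uid, gid):
    """Correct order (what `named -u named` does): bind, then drop.
    Returns (drop_verified, bound_port); the fd stays valid after the drop."""
    sock = bind_udp("127.0.0.1", port)
    dropped = drop_privileges(uid, gid)
    bound = sock.getsockname()[1]
    sock.close()
    return dropped, bound


def drop_then_bind(port, uid, gid):
    """Wrong order (what `sudo -u named named` amounts to): drop, then bind.
    Returns the errno name of the failed bind, or None if it succeeded.
    As root with port=53 this yields 'EACCES'; unprivileged with port=0 it is None."""
    drop_privileges(uid, gid)
    try:
        bind_udp("127.0.0.1", port).close()
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    return None


def unprivileged_identity():
    """(uid, gid) to drop to: the caller's own identity, or 'nobody' when root.
    Assumption of this example: an account named 'nobody' exists when run as root."""
    uid, gid = os.getuid(), os.getgid()
    if uid == 0:
        pw = pwd.getpwnam("nobody")
        uid, gid = pw.pw_uid, pw.pw_gid
    return uid, gid


if __name__ == "__main__":
    uid, gid = unprivileged_identity()
    print("bind then drop:", start_then_drop(0, uid, gid))
    print("drop then bind:", drop_then_bind(0, uid, gid))
```

Run it as root with port 53 in place of 0 to reproduce the thread's "could not listen on UDP socket: permission denied" from drop_then_bind while start_then_drop still succeeds; the verification inside drop_privileges is the check a startup script should always include, because a setuid() that leaves the saved uid at 0 can be undone by the process.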

Well, Semyon Semyonych! :) Eh, I missed the elephant in the room..

Quote:

So the system startup script should start it in the same form.

That's exactly how it's done there:

Quote:

case "$1" in
    start)
        echo -n "Starting name server BIND "
        checkproc -p ${NAMED_PID} ${NAMED_BIN}
        case $? in
            0) echo -n "- Warning: named already running! " ;;
            1) echo -n "- Warning: ${NAMED_PID} exists! " ;;
        esac
        checkAndCopyConfigFiles
        namedCheckConf
        initializeNamed
        startproc -p ${NAMED_PID} ${NAMED_BIN} ${NAMED_ARGS} -u named
        rc_status -v
        ;;


Quote:

starting BIND 9.3.2 -t /var/lib/named -u named

named starts in a chroot environment. For it, / is /var/lib/named, and the logs end up in /var/lib/named/var/log if they are configured as /var/log.

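This chroot mapping is the part of the thread that is easiest to get wrong when editing named.conf by hand, so here is a small checker for it. It is an added example, not from the thread or from BIND, and it assumes the semantics the reply above describes: with -t every absolute path in named.conf is opened inside the chroot, and relative paths resolve against the directory option, which is itself a chroot-internal path. The script pulls the file-bearing statements out of a named.conf fragment with simple pattern matching (not a full parser), maps each one to the host path named will really open, and reports whether a given uid/gid could write there. The sandbox layout, the three channel definitions and the use of the current uid are all constructed for the demo; the thread's own channel path is the first of the three.

```python
"""Where do named's file paths really land under `named -t <chroot>`?"""
import os
import re
import tempfile

# Statements that name files. Comments and nested blocks are not handled.
DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"')
CHANNEL_RE = re.compile(r'\bchannel\s+"?([\w.-]+)"?\s*\{[^}]*?\bfile\s+"([^"]+)"', re.S)
FILE_OPT_RE = re.compile(r'\b(pid-file|dump-file|statistics-file)\s+"([^"]+)"')


def resolve_in_chroot(path, chroot, directory="/"):
    """Host-side path that a named chrooted at `chroot` will actually open."""
    inside = path if os.path.isabs(path) else os.path.join(directory, path)
    # lstrip('/') so os.path.join does not discard the chroot prefix
    return os.path.normpath(os.path.join(chroot, inside.lstrip("/")))


def collect_paths(conf_text, chroot):
    """Map each file-bearing statement to the host path it resolves to."""
    m = DIRECTORY_RE.search(conf_text)
    directory = m.group(1) if m else "/"
    paths = {}
    for name, path in CHANNEL_RE.findall(conf_text):
        paths["channel " + name] = resolve_in_chroot(path, chroot, directory)
    for opt, path in FILE_OPT_RE.findall(conf_text):
        paths[opt] = resolve_in_chroot(path, chroot, directory)
    return paths


def check_writable(host_path, uid, gid):
    """'missing-dir', 'not-writable' or 'ok' for the given identity.

    A file that does not exist yet is fine if its directory is writable.
    Only the owner/group/other bits are consulted (no ACLs, no supplementary
    groups, uid 0 not special-cased): enough to spot the thread's
    'permission denied' before the daemon is started.
    """
    parent = os.path.dirname(host_path)
    if not os.path.isdir(parent):
        return "missing-dir"
    st = os.stat(host_path if os.path.exists(host_path) else parent)
    if st.st_uid == uid:
        bit = 0o200
    elif st.st_gid == gid:
        bit = 0o020
    else:
        bit = 0o002
    return "ok" if st.st_mode & bit else "not-writable"


def audit(conf_text, chroot, uid, gid):
    """{statement: (host path, verdict)} for every file named in conf_text."""
    return {k: (v, check_writable(v, uid, gid))
            for k, v in collect_paths(conf_text, chroot).items()}


# Constructed conf: the thread's channel plus two variants for comparison.
SAMPLE_CONF = '''
options { directory "/var/lib/named"; pid-file "named.pid";
          dump-file "/var/log/named_dump.db"; };
logging {
    channel log_file { file "/var/lib/named/log/named.log" size 0M; };
    channel ro_file  { file "/var/log/named.log"; };
    channel ok_file  { file "/log/named.log"; };
};
'''


def demo():
    """Build a throwaway chroot (constructed layout) and audit SAMPLE_CONF.

    Layout: <chroot>/log and <chroot>/var/lib/named are writable,
    <chroot>/var/log is read-only, and <chroot>/var/lib/named/log is absent.
    """
    chroot = tempfile.mkdtemp(prefix="named-chroot-")
    os.makedirs(os.path.join(chroot, "log"))
    os.makedirs(os.path.join(chroot, "var", "lib", "named"))
    ro = os.path.join(chroot, "var", "log")
    os.makedirs(ro)
    os.chmod(ro, 0o555)
    return audit(SAMPLE_CONF, chroot, os.getuid(), os.getgid())


if __name__ == "__main__":
    for stmt, (host_path, verdict) in demo().items():
        print(f"{verdict:12} {stmt}: {host_path}")
```

In the sandbox the thread's "/var/lib/named/log/named.log" resolves to <chroot>/var/lib/named/log/named.log and is reported as missing-dir, "/var/log/named.log" lands in the read-only <chroot>/var/log and is not-writable, while "/log/named.log" reaches the writable <chroot>/log. Pointing the script at the real chroot with the named user's uid/gid (from pwd.getpwnam) gives the same verdicts for a live configuration.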

In short, I solved the problem by configuring the server with YaST. I've noticed SUSE doesn't like it when something is done behind its back :)
