
Yesterday I installed CentOS 5.4 on one of my servers, and it appears that the official BIND/named package has trouble starting for reasons I cannot deduce.

Here is what happens:

    [root@hal init.d]# service named start
    Starting named: 
    Error in named configuration:
    /etc/named.conf:57: open: named.root.hints: permission denied
                                                       [FAILED]

The line in question, with the directory option for context:

    // further up in the file:
        directory "/var/named";
    // line 57:
        include "named.root.hints";

Like you, my first reaction was to check permissions on /var/named/named.root.hints, /var/named, and /var to make sure the named user would be able to read it. Here are the permissions at each level:

    drwxr-xr-x 19 root root  4096 Nov  3 02:05 var
    drwxr-x---  5 root named 4096 Nov  3 02:36 named
    -rw-r--r-- 1 named named  524 Mar 29  2006 named.root.hints

Everything appears to be fine permission-wise. The same error occurs if the /var/named directory is writable by the named user. I've even temporarily allowed the named user to log in via bash, su'ed from root to named, and checked that I was, in fact, able to cat /var/named/named.root.hints successfully. (Yes, don't worry: I changed the shell back to nologin).

My last endeavor showed that BIND is able to run under the named user account and start up just fine, if done so manually:

    [root@hal ~]# named -u named -g
    03-Nov-2009 16:31:02.021 starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 -u named -g
    03-Nov-2009 16:31:02.021 adjusted limit on open files from 1024 to 1048576
    03-Nov-2009 16:31:02.021 found 2 CPUs, using 2 worker threads
    03-Nov-2009 16:31:02.021 using up to 4096 sockets
    03-Nov-2009 16:31:02.028 loading configuration from '/etc/named.conf'
    03-Nov-2009 16:31:02.030 using default UDP/IPv4 port range: [1024, 65535]
    03-Nov-2009 16:31:02.031 using default UDP/IPv6 port range: [1024, 65535]
    03-Nov-2009 16:31:02.034 listening on IPv4 interface lo, 127.0.0.1#53
    03-Nov-2009 16:31:02.034 listening on IPv4 interface eth0, 10.0.0.5#53
    03-Nov-2009 16:31:02.034 listening on IPv4 interface eth1, ww.xx.yy.zz#53
    03-Nov-2009 16:31:02.040 command channel listening on 127.0.0.1#953
    03-Nov-2009 16:31:02.040 command channel listening on ::1#953
    03-Nov-2009 16:31:02.040 ignoring config file logging statement due to -g option
    03-Nov-2009 16:31:02.041 zone 0.in-addr.arpa/IN/localhost_resolver: loaded serial 42
    03-Nov-2009 16:31:02.042 zone 0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 1997022700
    03-Nov-2009 16:31:02.042 zone 255.in-addr.arpa/IN/localhost_resolver: loaded serial 42
    03-Nov-2009 16:31:02.042 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: loaded serial 1997022700
    03-Nov-2009 16:31:02.043 zone localdomain/IN/localhost_resolver: loaded serial 42
    03-Nov-2009 16:31:02.043 zone localhost/IN/localhost_resolver: loaded serial 42
    03-Nov-2009 16:31:02.043 zone x.y.z.in-addr.arpa/IN/internal: loaded serial 1
    03-Nov-2009 16:31:02.044 zone x.y.z/IN/internal: loaded serial 2
    03-Nov-2009 16:31:02.045 running

What type and size of firearm should I use to resolve this? I'd prefer something with automatic ammunition, and, at worst, it should be able to fit on my shoulder. Of course I am open to suggestions.

Brian Cline
  • Check your /var/log/messages file for SELinux ("avc:...") errors. – Max Alginin Nov 03 '09 at 22:52
  • There are no errors of that type. – Brian Cline Nov 03 '09 at 22:54
  • On my Centos 5.4 I don't have /etc/named.conf as it chroots into /var/named. Have you changed from the default setup at all? – Wayne Nov 03 '09 at 23:14
  • I've put in several zones, but I should also note that installing the bind package via yum did not put a named.conf file anywhere on the system except /usr/share/doc/bind-9.3.6/sample/etc. Since I have always housed named.conf in /etc, that's where I initially moved it. In addition, I had to copy all the root/hint files from the same place as the package did not properly install those either. – Brian Cline Nov 03 '09 at 23:21
  • One other note to make -- I noticed the CentOS deployment guide documentation regarding BIND usage mentions that it will run chrooted only if the bind-chroot package is installed. I have not installed it (and don't wish to), so it appears something else is awry. – Brian Cline Nov 03 '09 at 23:36

2 Answers

In Red Hat-based systems (quite possibly others), /etc/sysconfig/named can define ROOTDIR=/var/named/chroot, which does what you think it does. The bind-chroot package only sets up the directory structure under /var/named/chroot. If ROOTDIR is defined there AND bind-chroot isn't installed, I'd expect to see that error.

-Dave

toppledwagon
  • The option appears in my /etc/sysconfig/named but is commented out along with all others. Does it use a default value if none is explicitly defined? – Brian Cline Nov 04 '09 at 01:03

Wanted to post this in case anyone else has the same issue:

Always reboot immediately after disabling SELinux rather than waiting a day.


BIND now starts without a problem. I am sobbing to sleep now.

Brian Cline
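The two things this thread turns on, written up as checks you can run, as an added example that is not code from the question or from either answer. The first answer's point is that the init script prepends ROOTDIR from /etc/sysconfig/named to every path named opens, so an include that is fine by hand can resolve somewhere else under `service named start`; the second answer's point is that SELinux cannot be switched off without a reboot, so /etc/selinux/config and `getenforce` can disagree for a whole day. The sample files are constructed here so the script runs anywhere; on a real host the function arguments are the real paths (/etc/sysconfig/named, /etc/selinux/config). The `diagnose` function is the set of live commands for the affected host and is not run here; it assumes a CentOS 5 host with auditd, where AVC denials land in /var/log/audit/audit.log rather than /var/log/messages, which is one reason a grep of messages can come back empty even when SELinux is the cause.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Two checks:
#  1. where named will actually open an include once the init script's
#     ROOTDIR from /etc/sysconfig/named is taken into account;
#  2. whether /etc/selinux/config and the running kernel disagree in a way
#     that only a reboot resolves.
# Sample input below is constructed so this runs on any host.

# sysconfig_value FILE NAME: value of NAME=... from a sysconfig-style file,
# ignoring commented-out lines and stripping quotes. Prints nothing when the
# variable is not set, which for ROOTDIR means "no chroot".
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# named_effective_path SYSCONFIG DIRECTORY FILE: the absolute path named opens
# for a bare include such as `include "named.root.hints";` when its 'directory'
# option is DIRECTORY and the init script prepends ROOTDIR (if set).
named_effective_path() {
    rootdir=$(sysconfig_value "$1" ROOTDIR)
    printf '%s/%s/%s\n' "${rootdir%/}" "${2#/}" "$3"
}

# selinux_needs_reboot CONFIG RUNTIME: CONFIG is /etc/selinux/config, RUNTIME is
# what `getenforce` prints now. True (0) when the configured state cannot be
# reached without a reboot: only enforcing<->permissive can be toggled live
# with setenforce; enabling or disabling SELinux needs a reboot.
selinux_needs_reboot() {
    configured=$(sysconfig_value "$1" SELINUX | tr 'A-Z' 'a-z')
    running=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$configured:$running" in
        disabled:disabled|enforcing:enforcing|permissive:permissive) return 1 ;;
        enforcing:permissive|permissive:enforcing) return 1 ;;  # setenforce is enough
        *) return 0 ;;
    esac
}

# diagnose SYSCONFIG DIRECTORY FILE: the live checks for the affected host.
# Not run in this script; assumes a CentOS 5 host with auditd running.
diagnose() {
    path=$(named_effective_path "$1" "$2" "$3")
    echo "named will open: $path"
    ls -ldZ "$path"                      # -Z shows the SELinux file context
    getenforce
    # With auditd running, AVC denials land here, not in /var/log/messages.
    grep 'avc: .*denied.*named' /var/log/audit/audit.log 2>/dev/null | tail -n 5 || true
}

# --- constructed sample input ---------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Stand-in for /etc/sysconfig/named as shipped: every option commented out.
cat > "$tmp/named.default" <<'EOF'
# ROOTDIR="/var/named/chroot"
EOF
# The same file with ROOTDIR enabled, as bind-chroot configures it.
cat > "$tmp/named.chroot" <<'EOF'
ROOTDIR="/var/named/chroot"
EOF
# Stand-in for /etc/selinux/config after SELinux has been set to disabled.
cat > "$tmp/selinux.config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

named_effective_path "$tmp/named.default" /var/named named.root.hints
#   /var/named/named.root.hints
named_effective_path "$tmp/named.chroot" /var/named named.root.hints
#   /var/named/chroot/var/named/named.root.hints

if selinux_needs_reboot "$tmp/selinux.config" Enforcing; then
    echo "config says disabled, kernel still Enforcing: reboot before retesting"
fi
```

A caveat on the manual tests in the question: `su` to the named user and `cat`, or `named -u named -g` from a root shell, exercise Unix permissions but may not exercise the SELinux policy at all, since neither necessarily runs in the named_t domain the init script puts the daemon in. The comparison that matters is `ls -Z` on the effective path against the context of the files already in /var/named (`restorecon -v` on the copied files resets it), with `getenforce` confirming what the kernel is actually doing right now rather than what the config file says.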