I recently upgraded my OS from CRUX 2.7 to CRUX 3.0 and am running into a 
problem with getting bind9 to run in a chroot jail.  I had this setup 
working correctly on my old OS, but I cannot recall what versions of 
bind and openssl were running on it.  I can get bind to run without a 
chroot, but I would really prefer not to do so.  I used `ldd` to copy 
the necessary libraries to the chroot dir ('/svc/name'), and copied the 
'hosts', 'group', 'passwd', and 'shadow' files as well.  I've copied 
some extra libraries and etc files so that I could `chroot` from the 
console and test, but that hasn't aided in my troubleshooting.  I'm 
really at a loss on this one.  Any help is much appreciated.  See below 
for further information about my setup.

NOTE: You may notice that the chroot jail name ('/svc/name') is different 
from bind's username (named).  This is not a typo; it is actually set up this 

# uname -a
Linux fortress 3.6.11 #2 Sun May 18 18:46:50 MDT 2014 x86_64 Intel(R) Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux

# openssl version
OpenSSL 1.0.1g 7 Apr 2014

# tail -n18 /var/log/messages

May 20 16:32:15 fortress named[6034]: starting BIND 9.9.4-P2 -c /etc/named.conf -t /svc/name -u named
May 20 16:32:15 fortress named[6034]: built with '--prefix=/usr' '--enable-ipv6' '--enable-threads' '--with-openssl=yes' '--sysconfdir=/etc' '--mandir=/usr/man' 'CFLAGS=-O2 -march=x86-64 -pipe'
May 20 16:32:15 fortress named[6034]: 
May 20 16:32:15 fortress named[6034]: BIND 9 is maintained by Internet Systems 
May 20 16:32:15 fortress named[6034]: Inc. (ISC), a non-profit 501(c)(3) 
May 20 16:32:15 fortress named[6034]: corporation.  Support and training for BIND 9 are
May 20 16:32:15 fortress named[6034]: available at https://www.isc.org/support
May 20 16:32:15 fortress named[6034]: 
May 20 16:32:15 fortress named[6034]: adjusted limit on open files from 4096 to 1048576
May 20 16:32:15 fortress named[6034]: found 1 CPU, using 1 worker thread
May 20 16:32:15 fortress named[6034]: using 1 UDP listener per interface
May 20 16:32:15 fortress named[6034]: using up to 4096 sockets
May 20 16:32:15 fortress named[6034]: ENGINE_by_id failed (crypto failure)
May 20 16:32:15 fortress named[6034]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
May 20 16:32:15 fortress named[6034]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
May 20 16:32:15 fortress named[6034]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
May 20 16:32:15 fortress named[6034]: initializing DST: crypto failure
May 20 16:32:15 fortress named[6034]: exiting (due to fatal error)

# ls /svc/name
bin/  dev/  etc/  lib/  lib64@  usr/  var/

# ls /svc/name/lib/
ld-linux-x86-64.so.2*  libdl.so.2*       libnss_dns.so.2*    libz.so.1*
libattr.so.1           libhistory.so.6*  libnss_files.so.2*
libc.so.6*             libm.so.6*        libpthread.so.0*
libcap.so.2            libncurses.so.5*  libreadline.so.6*

# ls /svc/name/usr/lib/
engines/  libcrypto.so.1.0.0*  liblzma.so.5*  libssl.so.1.0.0*  libxml2.so.2*

# ls /svc/name/usr/lib/engines/
lib4758cca.so*  libcapi.so*    libgmp.so*    libpadlock.so*
libaep.so*      libchil.so*    libgost.so*   libsureware.so*
libatalla.so*   libcswift.so*  libnuron.so*  libubsec.so*
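
An added example, not part of the original post: `ldd` on the `named` binary lists only link-time dependencies, while the log above shows the `gost` engine being loaded at run time through OpenSSL's DSO loader, so a jail audit has to run the same check on every object in the tree, engines included. The function names `missing_in_chroot` and `audit_chroot` are hypothetical, and the script assumes the jail mirrors the host's library paths.

```shell
#!/bin/sh
# Added example: list shared libraries that objects inside a chroot tree
# need but that are absent from the tree.

# missing_in_chroot ROOT
# Reads `ldd` output on stdin. Prints each dependency that is unresolved
# ("not found") or whose absolute path does not exist under ROOT.
# Note: [ -e ] resolves symlinks from the host's point of view, so an
# absolute symlink inside the jail is checked against the host's root.
missing_in_chroot() {
    root=${1%/}
    while read -r name arrow path rest; do
        case "$name" in
            linux-vdso.so.*|linux-gate.so.*) continue ;;  # kernel-provided
        esac
        if [ "$arrow" = "=>" ]; then
            if [ "$path" = "not" ]; then      # "libfoo.so.1 => not found"
                echo "$name (unresolved)"
                continue
            fi
            lib=$path                         # "name => /abs/path (0x...)"
        else
            lib=$name                         # "/lib64/ld-linux... (0x...)"
        fi
        case "$lib" in
            /*) [ -e "$root$lib" ] || echo "$lib" ;;
        esac
    done
}

# audit_chroot ROOT
# Runs ldd on every executable and shared object below ROOT, which covers
# dlopen()ed modules such as usr/lib/engines/*.so, and prints
# "<object inside jail>: <missing dependency>" for each gap found.
audit_chroot() {
    jail=${1%/}
    find "$jail" -type f \( -name '*.so' -o -name '*.so.*' -o -perm -u+x \) |
    while IFS= read -r f; do
        rel=${f#"$jail"}
        ldd "$f" 2>/dev/null | missing_in_chroot "$jail" |
        while IFS= read -r m; do
            printf '%s: %s\n' "$rel" "$m"
        done
    done | sort -u
}
```

Run as `audit_chroot /svc/name`; empty output means every dependency that `ldd` reports on the host also exists at the same path inside the jail.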