Re: bind-chroot is not re-positioning my forward and reverse tables

2021-07-01 Thread ToddAndMargo via bind-users

On 7/1/21 9:10 AM, Petr Menšík wrote:
> Hi,
>
> On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote:
>> On 6/27/21 4:01 PM, Reindl Harald wrote:
>>> seriously i am beginning to wonder if you should simply give up bind-chroot
>>
>> Never quit!  :-)
>
> It is not a bad idea. If you are running SELinux in enforcing mode,

I do, but there are extenuating circumstances.  I will explain in a bit.

> it already limits the named service in a more restrictive way than
> bind-chroot. I think there is no real advantage running bind-chroot,
> just more configuration quirks required. Please try to use SELinux if
> possible. When it is enforcing, I think named.service is just fine. No
> chroot is needed for additional security.

Hi Petr,

The reason I am running bind-chroot is because I want
my machine to emulate what I have at my customers.

And I have a customer with a $$ piece of software
that despises SELinux and the vendor won't fix it.
It is one of those pieces of software where they stitch
together other pieces of software like legos and then
charge out the nose for it.  There is not a lot of
original content.  So I run named-chroot on his server
(and mine too).

>>> it's not the job of the chroot bind-mount setup to mount each and
>>> every file and 'file "abc.hosts.rev"' without any path makes no sense
>>>
>>> just write your files where they are expected from the viewpoint of
>>> the chroot and ignore "/var/named/chroot" in your configs because it
>>> simply doesn't exist from the viewpoint of the process running inside
>>> the chroot
>>>
>>> anyways, that's not a bind topic at all
>>
>> Odd, I would have thought that bind-chroot was part of the bind project.
>>
>> Anyway, I figured it out.  I will post it in another reply.
>
> No, bind-chroot is a Red Hat provided helper for the chroot ability of
> BIND, to set up the chroot an easy way. Only a smaller part of the
> configuration is specific to the BIND project itself. The larger part of
> the bind-chroot scripts belongs to Fedora or RHEL, because the chroot
> setup is an implementation provided by the Fedora project package, not
> by any of the ISC releases.

Is there a specific support site for bind-chroot?

> I think your attempts fail because the setup script
> /usr/libexec/setup-named-chroot.sh tests whether the destination
> directory is empty.
>
> That means /var/named would be mounted to /var/named/chroot/var/named
> only when the /var/named/chroot/var/named directory is empty. It is
> mounted by named-chroot-setup.service, started before
> named-chroot.service. That means you have to move your backups out of
> that directory, not only to different filenames anywhere under that
> directory. If there are files, those copies are used instead. That
> should be the reason why it cannot find your zone data.
>
> Move it out of the chroot as a backup, when bind-chroot.service is stopped.
>
> # mkdir -p /var/named/backup-chroot/var/named
> # mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named
> # systemctl restart bind-chroot
> # ls -l /var/named/{,chroot/var/named} # check files are the same
>
> Cheers,
>
> Petr



Did you see my other thread in this post?  I wrote down
the exact method I used to fix things.  You were close,
by the way.  I got my ass handed to me in step 2,
which is where all my issues were.  Fortunately
they were all easy to fix (all four of them).

If you can't find it, I will send it to you directly.
It is a nice blue print to follow when (re)installing
bind-chroot.

The moral of the story is that it has to work with
regular bind before switching to bind-chroot.  No
skirting the problem in regular bind by directly
writing into the chroot, which is where I got into
deep doodoo.

Thank you for all the help on this and my other posting
(in other places) with bind-chroot!  Dang you are
good at this stuff!  (No getting the big head.)

-T


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Address match lists syntax, was Managing localhost

2021-07-01 Thread Petr Menšík
No, there is no need to redefine the localhost acl. It is built-in and
already specifies the localhost IPv4 and IPv6 addresses, similar to the
localnets (networks directly connected to the server), any or none
names. Read the great ARM documentation about BIND [1]; it has a section
about ACLs describing the built-in names.

Just use localhost for whatever should not be served to the outside
network. The best way to protect your service, however, is to listen
only on the localhost address.

Cheers,

Petr

1. https://bind9.readthedocs.io/

On 6/25/21 1:04 PM, Alessandro Vesely wrote:
> Ooops, sorry.  Please forget that.
>
> On Fri 25/Jun/2021 12:50:55 +0200 Alessandro Vesely wrote:
>> However, named-checkconf doesn't complain.  I could fix that by
>> defining an acl named localhost.  But do I need to?
>
> Now I tried to redefine and got:
>
> /etc/bind/named.conf.options:37: attempt to redefine builtin acl
> 'localhost'
>
>> Best
>> Ale

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
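A named.conf fragment showing the practice Petr recommends above: the built-in localhost ACL used as-is (never redefined) and named bound only to the loopback addresses. This is an added example, not text from Petr's message or from the BIND ARM; the acl name "trusted" and the 192.0.2.0/24 prefix (RFC 5737 documentation range) are constructed for illustration.

```conf
// Built-in ACL names (any, none, localhost, localnets) need no definition.
// Defining one yourself fails at load time with the error quoted in the thread:
//   attempt to redefine builtin acl 'localhost'
// Build your own ACLs from the built-ins under a different name instead:
acl "trusted" {
    localhost;          // built-in: the server's own IPv4 and IPv6 addresses
    localnets;          // built-in: networks directly attached to the server
    192.0.2.0/24;       // constructed example prefix (documentation range)
};

options {
    // Strongest protection for a resolver that only serves this host:
    // listen on loopback only, so the outside network cannot reach it at all.
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };

    // Everything that must not be served outside simply uses localhost.
    allow-query { localhost; };
    allow-recursion { localhost; };
    allow-transfer { none; };
};
```

Run named-checkconf against the file after editing; as the quoted error shows, it is the config load (not the syntax check alone) that rejects a redefinition of a built-in name.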



Re: bind-chroot is not re-positioning my forward and reverse tables

2021-07-01 Thread Petr Menšík
Hi,

On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote:
> On 6/27/21 4:01 PM, Reindl Harald wrote:
>> seriously i am beginning to wonder if you should simply give up bind-chroot
>
> Never quit!  :-)

It is not a bad idea. If you are running SELinux in enforcing mode, it
already limits the named service in a more restrictive way than
bind-chroot. I think there is no real advantage running bind-chroot,
just more configuration quirks required. Please try to use SELinux if
possible. When it is enforcing, I think named.service is just fine. No
chroot is needed for additional security.

>> it's not the job of the chroot bind-mount setup to mount each and
>> every file and 'file "abc.hosts.rev"' without any path makes no sense
>>
>> just write your files where they are expected from the viewpoint of
>> the chroot and ignore "/var/named/chroot" in your configs because it
>> simply doesn't exist from the viewpoint of the process running inside
>> the chroot
>>
>> anyways, that's not a bind topic at all
>
> Odd, I would have thought that bind-chroot was part of the bind project.
>
> Anyway, I figured it out.  I will post it in another reply.

No, bind-chroot is a Red Hat provided helper for the chroot ability of
BIND, to set up the chroot an easy way. Only a smaller part of the
configuration is specific to the BIND project itself. The larger part of
the bind-chroot scripts belongs to Fedora or RHEL, because the chroot
setup is an implementation provided by the Fedora project package, not
by any of the ISC releases.

I think your attempts fail because the setup script
/usr/libexec/setup-named-chroot.sh tests whether the destination
directory is empty.

That means /var/named would be mounted to /var/named/chroot/var/named
only when the /var/named/chroot/var/named directory is empty. It is
mounted by named-chroot-setup.service, started before
named-chroot.service. That means you have to move your backups out of
that directory, not only to different filenames anywhere under that
directory. If there are files, those copies are used instead. That
should be the reason why it cannot find your zone data.

Move it out of the chroot as a backup, when bind-chroot.service is stopped.

# mkdir -p /var/named/backup-chroot/var/named
# mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named
# systemctl restart bind-chroot
# ls -l /var/named/{,chroot/var/named} # check files are the same

Cheers,

Petr

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
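The "destination must be empty" rule Petr describes (in this message and as quoted in ToddAndMargo's reply above) is easy to trip over silently: a stray backup left under /var/named/chroot/var/named makes the bind mount get skipped, and named then reads the leftovers instead of the real zone files. The preflight script below is an added example, not part of bind-chroot or of /usr/libexec/setup-named-chroot.sh; it reproduces that rule on a constructed temp tree so nothing under the real /var/named is touched. The function names, the HOST prefix parameter and the list of paths it checks are this example's own (the real setup script has its own list).

```shell
#!/bin/sh
# Added example (not the bind-chroot package's own code): preflight check that
# mirrors the setup rule from the thread. A host path is bind-mounted into the
# chroot only when the target directory inside the chroot is empty; anything
# left there (old zone copies, .bak files) shadows the real directory.

# chroot_target_state SRC DST: print one word describing what a setup step would do
#   mount    - DST exists and is empty: the bind mount would go ahead
#   shadowed - DST has entries: the mount would be skipped and the leftovers used
#   missing  - DST does not exist inside the chroot tree
#   nosrc    - SRC itself does not exist on the host
chroot_target_state() {
    src=$1
    dst=$2
    [ -e "$src" ] || { echo nosrc; return 0; }
    [ -d "$dst" ] || { echo missing; return 0; }
    # ls -A includes dotfiles, so a stray ".example.zone.swp" counts as well
    if [ -n "$(ls -A "$dst")" ]; then
        echo shadowed
    else
        echo mount
    fi
}

# stray_entries DST: list the top-level entries that would shadow the mount
stray_entries() {
    ls -A "$1" | sort
}

# preflight HOST ROOT PATH...: check each PATH as HOST/PATH -> ROOT/PATH.
# HOST is "" on a real system (ROOT would be /var/named/chroot); it is a prefix
# only so the demo and tests can work on a temp tree. Returns 1 if any target
# is shadowed, 0 otherwise; stray entries are listed under the affected target.
preflight() {
    host=$1
    root=$2
    shift 2
    rc=0
    for p in "$@"; do
        state=$(chroot_target_state "$host$p" "$root$p")
        printf '%-9s %s\n' "$state" "$root$p"
        if [ "$state" = shadowed ]; then
            stray_entries "$root$p" | sed 's/^/          stray: /'
            rc=1
        fi
    done
    return $rc
}

# demo: constructed tree in a temp dir; the real /var/named is never touched.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/host/var/named" "$t/host/etc/named" \
             "$t/chroot/var/named" "$t/chroot/etc/named"
    : > "$t/host/var/named/example.zone"         # the real zone file on the host
    : > "$t/chroot/var/named/example.zone.bak"   # leftover backup inside the chroot
    if preflight "$t/host" "$t/chroot" /var/named /etc/named; then
        echo "all targets clean"
    else
        echo "move the stray files out of the chroot before starting named-chroot"
    fi
    rm -rf "$t"
}

demo
```

On a live system the same check is `preflight "" /var/named/chroot /var/named` with named-chroot stopped; a "shadowed" line is exactly the situation Petr's mkdir/mv commands above fix, and the listed stray entries are what needs to move out to the backup location.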

