Re: bind-chroot is not re-positioning my forward and reverse tables
On 7/1/21 9:10 AM, Petr Menšík wrote: Hi, On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote: On 6/27/21 4:01 PM, Reindl Harald wrote: seriosly i am beginning to wonder if you should simply give up bind-chroot Never quit! :-) Is is not a bad idea. If you are running SELinux in enforcing mode, I do, but there are extenuating circumstances. I will explain in a bit. it already limits named service in more restrictive way than bind-chroot. I think there is no real advantage running bind-chroot, just more configuration quirks required. Please try to use SELinux if possible. When it is enforcing, I think named.service is just fine. No chroot is needed for additional security. Hi Petr, The reason I am running bind-chroot is because I want my machine to emulate what I have at my customers. And I have a customer with a $$ piece of software that despises SELinux and the vendor won't fix it. It is one of those pieces of software where they stitch together other pieces of software like legos and then charge out the nose for it. There is not a lot of original content. So I run named-chroot on his server (and mine too). it's not the job of the chroot bind-mount setup to mount each and every file and 'file "abc.hosts.rev"' without any path makes no sense just write your files where they are expected from the viewpoint of the chroot and ignore "/var/named/chroot" in your configs because it simply don't exist from the viewpoint of the process running inside the chroot anyways, that's not a bind topic at all Odd, I would have thought that bind-chroot was part of the bind project. Anyway, I figured it out. I will post it in another reply No- bind-chroot is a Red Hat provided helper to chroot ability of BIND to setup chroot easy way. Only smaller part of configuration is specific to BIND project itself. Larger part of bind-chroot scripts belongs to Fedora or RHEL, because chroot setup is implementation provided by Fedora project package, not by any of ISC releases. Is there a specific support site for bind-chroot? I think your attempts fail, because setup script /usr/libexec/setup-named-chroot.sh tests, whether destination directory is empty. That means, /var/named would be mounted to /var/named/chroot/var/named only when /var/named/chroot/var/named directory is empty. It is mounted on named-chroot-setup.service, started before named-chroot.service. That means you have to move your backups out of that directory, not only to different filenames anywhere under that directory. If there are files, that copies are used instead. It should be reasony why it cannot find your zone data. Move it out of chroot as a backup, when bind-chroot.service is stopped. # mkdir -p /var/named/backup-chroot/var/named # mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named # systemctl restart bind-chroot # ls -l /var/named/{,chroot/var/named} # check files are the same Cheers, Petr Did you see my other thread in this post? I wrote down the exact method I used to fix things. You were close, by the way. I got my ass handed to me in step 2, which is where all my issues were. Fortunately they were all easy to fix (all four of them). If you can't find it, I will send it to you directly. It is a nice blue print to follow when (re)installing bind-chroot. The moral of the story is that is has to work with regular bind before switching to bind-chroot. No skirting the problem in regular bind by directly writing into the chroot, which is were I got into deep doodoo. Thank you for all the help on this and my other posting (in other places) with bind-chroot! Dang you are good at this stuff! (No getting the big head.) -T ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Address match lists syntax, was Managing localhost
No, there is no need to redefine localhost acl. It is built-in and already specifies localhost IPv4 and IPv6 address. similar to localnets (networks directly connected to the server), any or none names. Read a great ARM documentation about BIND [1], it has section about ACLs describing build-in names. Just use localhost, whatever should not be served to outside network. The best way to protect your service is to listen only to localhost address however. Cheers, Petr 1. https://bind9.readthedocs.io/ On 6/25/21 1:04 PM, Alessandro Vesely wrote: > Ooops, sorry. Please forget that. > > On Fri 25/Jun/2021 12:50:55 +0200 Alessandro Vesely wrote: >> However, named-checkconf doesn't complain. I could fix that by >> defining an acl named localhost. But do I need to? > > > Now I tried to redefine and got: > > /etc/bind/named.conf.options:37: attempt to redefine builtin acl > 'localhost' > > > >> >> Best >> Ale -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-chroot is not re-positioning my forward and reverse tables
Hi, On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote: > On 6/27/21 4:01 PM, Reindl Harald wrote: >> seriosly i am beginning to wonder if you should simply give up bind-chroot >> > > Never quit! :-) Is is not a bad idea. If you are running SELinux in enforcing mode, it already limits named service in more restrictive way than bind-chroot. I think there is no real advantage running bind-chroot, just more configuration quirks required. Please try to use SELinux if possible. When it is enforcing, I think named.service is just fine. No chroot is needed for additional security. > >> >> it's not the job of the chroot bind-mount setup to mount each and >> every file and 'file "abc.hosts.rev"' without any path makes no sense >> >> just write your files where they are expected from the viewpoint of >> the chroot and ignore "/var/named/chroot" in your configs because it >> simply >> don't exist from the viewpoint of the process running inside the chroot >> >> anyways, that's not a bind topic at all > > Odd, I would have thought that bind-chroot was part of the bind project. > > Anyway, I figured it out. I will post it in another reply No- bind-chroot is a Red Hat provided helper to chroot ability of BIND to setup chroot easy way. Only smaller part of configuration is specific to BIND project itself. Larger part of bind-chroot scripts belongs to Fedora or RHEL, because chroot setup is implementation provided by Fedora project package, not by any of ISC releases. I think your attempts fail, because setup script /usr/libexec/setup-named-chroot.sh tests, whether destination directory is empty. That means, /var/named would be mounted to /var/named/chroot/var/named only when /var/named/chroot/var/named directory is empty. It is mounted on named-chroot-setup.service, started before named-chroot.service. That means you have to move your backups out of that directory, not only to different filenames anywhere under that directory. If there are files, that copies are used instead. It should be reasony why it cannot find your zone data. Move it out of chroot as a backup, when bind-chroot.service is stopped. # mkdir -p /var/named/backup-chroot/var/named # mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named # systemctl restart bind-chroot # ls -l /var/named/{,chroot/var/named} # check files are the same Cheers, Petr -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users