# Unable to start bind-9.12.2_p2-r1 in chroot

## hanj

I've been having a variety of problems on various servers. The first issue "OpenSSL pseudorandom number generator issue w/bind" was fixed on one server, but now, I have 2 other production servers that won't start.

Looking at the logs, I see the following...

```
Jan  9 08:49:20 comp named[4415]: configuring command channel from '/etc/bind/rndc.key'
Jan  9 08:49:20 comp named[4415]: socket.c:5681: unexpected error:
Jan  9 08:49:20 comp named[4415]: setsockopt(25, TCP_FASTOPEN) failed with Protocol not available
Jan  9 08:49:20 comp named[4415]: command channel listening on 127.0.0.1#953
Jan  9 08:49:20 comp named[4415]: the working directory is not writable
Jan  9 08:49:20 comp named[4415]: loading configuration: permission denied
Jan  9 08:49:20 comp named[4415]: exiting (due to fatal error)
```

Now, I originally thought it was the TCP_FASTOPEN, but I've been seeing that warning with older versions. The real problem is the vague "the working directory is not writable". That's weird. I've been running chroot named for years, and it works fine when I roll back.

This is what I have in /etc/conf.d/named

```
CHROOT="/chroot/dns"
CHROOT_NOMOUNT="1"
CHROOT_NOCHECK=1
PIDFILE="${CHROOT}/var/run/named/named.pid"
```

If I change CHROOT_NOMOUNT then it starts, but named is hosed, since it grabs files from /etc. When I run my chroot environment, I get the error. So, I feel like perms somewhere are wrong, but I can't find it. I thought I would run strace to see what was up, but that didn't yield any specifics for me...

This is where it breaks:

```
7828  prctl(PR_SET_DUMPABLE, SUID_DUMP_USER) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
7828  capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_CHOWN|1<<CAP_DAC_READ_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_CHROOT|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  getuid()                          = 40
7828  capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)
7828  getpid()                          = 7828
7828  sendto(3, "<27>Jan  9 09:27:14 named[7828]:"..., 71, MSG_NOSIGNAL, NULL, 0) = 71
7828  gettimeofday({tv_sec=1547051234, tv_usec=763630}, NULL) = 0
7828  getpid()                          = 7828
7828  sendto(3, "<26>Jan  9 09:27:14 named[7828]:"..., 74, MSG_NOSIGNAL, NULL, 0) = 74
7828  getpid()                          = 7828
7828  sendto(3, "<26>Jan  9 09:27:14 named[7828]:"..., 62, MSG_NOSIGNAL, NULL, 0) = 62
7828  close(3)                          = 0
7828  unlink("/var/run/named/named.pid") = 0
```

```
7828  access(".", W_OK|X_OK)            = -1 EACCES (Permission denied)
```

I would assume "." is /chroot/dns?

```
ls -al /chroot
drwxrwx---  6 root named 4096 Jul 16  2014 dns
```

So, that's not it.

```
ls -al /chroot/dns
drwxr-xr-x 2 root root  4096 Jan  9 08:09 dev
drwxr-xr-x 3 root root  4096 Mar  2  2012 etc
drwxr-xr-x 3 root root  4096 Jul 16  2014 run
drwxr-xr-x 6 root root  4096 Jan  9 09:18 var
```

Okay, this might be something, but I've changed this to 775 root:named and it still does not start. Comparing to my other box that runs chroot, perms are the same, so I changed ownership/permissions back to the way they were.

I thought it might be the pid directory.

```
ls -al /chroot/dns/var/run/
drwxrwx--- 2 root named 4096 Jan  9 09:34 named
```

Here are my USE flags for this version:

```
[ebuild   R    ] net-dns/bind-9.12.2_p2-r1::gentoo  USE="berkdb caps dlz ssl xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -idn -ipv6 -json -ldap -libidn2 -libressl -lmdb -mysql -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs -threads -urandom" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6 (-python3_7)" 0 KiB
```

Not sure. If I roll back to net-dns/bind-9.11.2_p1 it fires right back up.

Thanks!

hanji

----------

## mike155

*Quote:*

> I would assume "." is /chroot/dns?

1) Why don't you search upwards in the strace file for the last chdir()? Sometimes you can also guess the current directory from prior open() or stat() statements (if they use relative paths).

2) Why do you want to install BIND? Do you really want BIND? Or do you just need a local DNS server (authoritative and/or resolving)? BIND is a huge and complex software package and difficult to handle. If you just need a local DNS server, look at something smaller. I switched from BIND to dnsmasq a while ago and I'm very happy with it. Much smaller and much easier to handle.

----------

## hanj

*mike155 wrote:*

> *Quote:* I would assume "." is /chroot/dns?
>
> 1) Why don't you search upwards in the strace file for the last chdir()? Sometimes you can also guess the current directory from prior open() or stat() statements (if they use relative paths).

I actually looked at older logs, and see mention of this error in the older version. What's unique to this version is:

```
Jan  9 08:49:20 comp named[4415]: loading configuration: permission denied 
```

*mike155 wrote:*

> 2) Why do you want to install BIND? Do you really want BIND? Or do you just need a local DNS server (authoritative and/or resolving)? BIND is a huge and complex software package and difficult to handle. If you just need a local DNS server, look at something smaller. I switched from BIND to dnsmasq a while ago and I'm very happy with it. Much smaller and much easier to handle.

Not an internal DNS server... I've just been using it for years.

Thanks!

hanji

----------

## Duncan Mac Leod

*hanj wrote:*

> Not sure. If I roll back to net-dns/bind-9.11.2_p1 it fires right back up.

Same problem here - also reverted back.

----------

## deagol

Just a tip, I did not look deeper into it:

I'm also running net-dns/bind-9.12.2_p2-r1 chrooted with openrc, but works for me...

So it could be that you are hit by the issue reported in Bug 601510 and I sidestepped that by having applied the patch from the bug years ago.

The "official" init script for openrc is broken when running chrooted; some checks are done against "/" instead of the pid dir.

Which could explain the problem you observe.

----------

## Schnulli

Well...

Last time I was also working a bit with Bind9.

Here I am running my fully chrooted DNS in the LAN with my TLD domains bound... seems to work... even if it is on test on dynamic IPv4 & IPv6.

A hint...

Get a provider that will allow you to use TLDs at dynamic IPs and get it working ;)

Next time I will develop a Raspberry Pi image, free to download, that will work as a DNS server; the only thing that must be done is to add your own TLDs and keys and it will work.

I will add a readme as well to get your own TLDs bound then...

Regards

----------

## hanj

Digging further. I thought I would run start-stop-daemon by hand:

```
 start-stop-daemon -v --start --pidfile /chroot/dns/var/run/named/named.pid --exec /usr/sbin/named -- -u named -t /chroot/dns
 * start-stop-daemon: fopen `/chroot/dns/var/run/named/named.pid': No such file or directory
 * Detaching to start `/usr/sbin/named' ...
 *   start-stop-daemon: failed to start `/usr/sbin/named
```

So, it's unable to write the pid file?

Here is what that directory looks like:

```
/chroot/dns/var/run/named # ls -al  /chroot/dns/var/run/named
total 16
drwxrwx--- 2 root  named 4096 Jan 24 21:33 .
drwxr-xr-x 3 root  root  4096 Mar  2  2012 ..
-rw------- 1 named named  102 Jan 24 21:33 session.key
```

Again, this works fine with the older version of bind in chroot. I just rolled back and verified that the named.pid was in this directory and it is.

----------

## hanj

*deagol wrote:*

> Just a tip, I did not look deeper into it:
>
> I'm also running net-dns/bind-9.12.2_p2-r1 chrooted with openrc, but works for me...
>
> So it could be that you are hit by the issue reported in Bug 601510 and I sidestepped that by having applied the patch from the bug years ago.
> ...

I tried some of this, but it wasn't getting me anywhere. Could you post your /etc/init.d/named file?

I am running openrc, but when I issue debug statements, it seems like it's seeing the chroot properly.

Thanks!

hanji

----------

## deagol

You can get my init script by downloading this patch https://601510.bugs.gentoo.org/attachment.cgi?id=473634 and apply it to the "official" init script.

If you have custom modifications: The official script is also in portage, /usr/portage/net-dns/bind/files/named.init-r13.

With those commands you can get exactly my script:

```
cd /tmp
wget 'https://601510.bugs.gentoo.org/attachment.cgi?id=473634' -O patch.txt
cp /usr/portage/net-dns/bind/files/named.init-r13 /tmp
patch named.init-r13 < patch.txt
```

----------

## Duncan Mac Leod

Don't try to patch /etc/init.d/named

...just try my solution: https://forums.gentoo.org/viewtopic-t-1090564.html

----------

## hanj

*Duncan Mac Leod wrote:*

> Don't try to patch /etc/init.d/named
>
> ...just try my solution: https://forums.gentoo.org/viewtopic-t-1090564.html

I'm still having problems on all of my servers in chroot with this version. I did try the init.d/named patch... no dice. I have urandom. Still not starting in chroot.

```
/chroot/dns/dev # ls -al
total 0
drwxr-xr-x 2 named named  144 Mar 20 21:18 .
drwx------ 7 root  named  168 Jun 27  2014 ..
crw-rw-rw- 1 named named 1, 3 Mar 20 21:18 null
crw-rw-rw- 1 named named 1, 8 Sep 16  2005 random
crw-rw-rw- 1 named named 1, 9 Mar 20 21:18 urandom
crw-rw-rw- 1 named named 1, 5 Mar 20 21:18 zero
```

/etc/conf.d/named:

```
CHROOT="/chroot/dns"
CHROOT_NOMOUNT="1"
PIDFILE="${CHROOT}/var/run/named/named.pid"
```

```
 /etc/init.d/named restart
 * Caching service dependencies ...                        [ ok ]
 * Starting chrooted named ...
 * Checking named configuration ...                        [ ok ]
 * start-stop-daemon: failed to start `/usr/sbin/named'    [ !! ]
```

output in logs...

```
Mar 23 09:12:43 comp named[31391]: starting BIND 9.12.2-P2 <id:b2bf278>
Mar 23 09:12:43 comp named[31391]: running on Linux i686 4.14.63-gentoo #3 Fri Sep 7 09:30:56 MDT 2018
Mar 23 09:12:43 comp named[31391]: built with '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.12.2_p2-r1' '--htmldir=/usr/share/doc/bind-9.12.2_p2-r1/html' '--with-sysroot=/' '--libdir=/usr/lib' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--disable-threads' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--without-gssapi' '--without-idnkit' '--without-libidn2' '--without-libjson' '--without-dlz-ldap' '--with-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--without-libxml2' '--with-zlib' '--with-randomdev=/dev/urandom' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CFLAGS=-O2 -march=pentium4 -pipe -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Mar 23 09:12:43 comp named[31391]: running as: named -u named -t /chroot/dns
Mar 23 09:12:43 comp named[31391]: compiled by GCC 6.4.0
Mar 23 09:12:43 comp named[31391]: compiled with OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Mar 23 09:12:43 comp named[31391]: linked to OpenSSL version: OpenSSL 1.0.2r  26 Feb 2019
Mar 23 09:12:43 comp named[31391]: compiled with zlib version: 1.2.11
Mar 23 09:12:43 comp named[31391]: linked to zlib version: 1.2.11
Mar 23 09:12:43 comp named[31391]: threads support is disabled
Mar 23 09:12:43 comp named[31391]: ----------------------------------------------------
Mar 23 09:12:43 comp named[31391]: BIND 9 is maintained by Internet Systems Consortium,
Mar 23 09:12:43 comp named[31391]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 23 09:12:43 comp named[31391]: corporation.  Support and training for BIND 9 are
Mar 23 09:12:43 comp named[31391]: available at https://www.isc.org/support
Mar 23 09:12:43 comp named[31391]: ----------------------------------------------------
Mar 23 09:12:43 comp named[31391]: using up to 4096 sockets
Mar 23 09:12:43 comp named[31391]: loading configuration from '/etc/bind/named.conf'
Mar 23 09:12:43 comp named[31391]: directory '/var/named' is not writable
Mar 23 09:12:43 comp named[31391]: /etc/bind/named.conf:3: parsing failed: permission denied
Mar 23 09:12:43 comp named[31391]: loading configuration: permission denied
Mar 23 09:12:43 comp named[31391]: exiting (due to fatal error)
Mar 23 09:12:43 comp /etc/init.d/named[31389]: start-stop-daemon: failed to start `/usr/sbin/named'
Mar 23 09:12:43 comp /etc/init.d/named[31145]: ERROR: named failed to start
```

These seem to be the problem...

```
Mar 23 09:12:43 comp named[31391]: directory '/var/named' is not writable
Mar 23 09:12:43 comp named[31391]: /etc/bind/named.conf:3: parsing failed: permission denied
Mar 23 09:12:43 comp named[31391]: loading configuration: permission denied
```

But.. perms look good. Again, in chroot.

```
/chroot/dns # ls -al
total 0
drwx------ 7 root  named 168 Jun 27  2014 .
drwxr-xr-x 3 root  root   72 Jan  4  2007 ..
drwxr-xr-x 2 named named 144 Mar 20 21:18 dev
drwxr-xr-x 3 named named 104 Jan 14  2013 etc
drwxr-xr-x 3 named named  72 Jun 27  2014 run
drwxrwxrwx 7 named named 168 Nov  7  2016 var <= I changed it to 777 for testing
```

```
/chroot/dns/etc/bind # ls -al
total 64
drwxr-xr-x 2 named named   240 Mar 20 21:25 .
drwxr-xr-x 3 named named   104 Jan 14  2013 ..
-rw-r----- 1 named named  2761 Dec 14 09:11 bind.keys
lrwxrwxrwx 1 named named    13 Dec 14 09:11 dyn -> /var/bind/dyn
-rw-r--r-- 1 named named 34967 Dec  8  2010 named.conf
lrwxrwxrwx 1 named named    13 Dec 14 09:11 pri -> /var/bind/pri
-rw------- 1 named named    77 Sep 16  2005 rndc.key
lrwxrwxrwx 1 named named    13 Dec 14 09:11 sec -> /var/bind/sec
```

hanji

----------
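Added example, not code from the thread, from the Gentoo init script or from BIND: a small Python diagnostic for the two questions the posts above keep circling, "which directory is '.'" (mike155's suggestion to read back to the last chdir()) and "do the permissions really let the named uid write there" (the /var/named listings). It replays the chroot() and chdir() calls from an strace log to turn the jail-relative '.' back into a host path, then walks every component of that path the way access(2) does for an unprivileged uid: search (x) on each parent, w+x on the directory itself, with no capability override, which matches the strace posted earlier where named has already dropped to uid 40 with only CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE effective. The strace excerpt, the temporary jail and the stand-in uid inside run_demo() are constructed for the demonstration; on a real host you feed it the actual trace and the named uid.

```python
#!/usr/bin/env python3
"""Added diagnostic for a chrooted named that logs "the working directory is
not writable". Not from the thread, the Gentoo init script or BIND."""
import os
import re
import stat
import tempfile

# named -t calls chroot(2) and chdir(2); the "directory" option is a later
# chdir(2). strace prints paths after chroot() relative to the new root.
CHROOT_RE = re.compile(r'chroot\("([^"]*)"\)\s*=\s*0')
CHDIR_RE = re.compile(r'chdir\("([^"]*)"\)\s*=\s*0')
FAIL_RE = re.compile(r'access\("\.", W_OK\|X_OK\)\s*=\s*-1 EACCES')


def _resolve(root, cwd, path):
    """Map a path as the traced process saw it onto the host filesystem."""
    if path.startswith("/"):
        return os.path.normpath(os.path.join(root, path.lstrip("/")))
    return os.path.normpath(os.path.join(cwd, path))


def locate_failing_cwd(strace_text):
    """Host-side directory that '.' meant when access(".", W_OK|X_OK)
    returned EACCES, or None if the trace holds no such failure."""
    root, cwd = "/", "/"
    for line in strace_text.splitlines():
        m = CHROOT_RE.search(line)
        if m:
            root = _resolve(root, cwd, m.group(1))
            continue
        m = CHDIR_RE.search(line)
        if m:
            cwd = _resolve(root, cwd, m.group(1))
            continue
        if FAIL_RE.search(line):
            return cwd
    return None


def _dac_allows(st, uid, gids, need):
    """Plain DAC decision for one inode. uid 0 is treated as a bypass; the
    strace in the thread shows named already at uid 40 with only
    CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE effective, so no override."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & need == need


def check_dir_for_user(path, uid, gids):
    """Walk from '/' down to path as uid would: every parent needs search (x),
    the final directory needs w+x, which is what named asks of its working
    directory. Returns [(component, reason)]; empty means access() would pass."""
    path = os.path.abspath(path)
    prefixes = ["/"]
    for part in path.split("/"):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    problems = []
    for p in prefixes:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append((p, "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((p, "not a directory"))
            break
        need = (os.W_OK | os.X_OK) if p == path else os.X_OK
        if not _dac_allows(st, uid, gids, need):
            want = "wx" if need & os.W_OK else "x"
            problems.append((p, "uid %d lacks %s: %s %d:%d" % (
                uid, want, stat.filemode(st.st_mode), st.st_uid, st.st_gid)))
    return problems


def run_demo():
    """Build a throwaway jail shaped like the thread's /chroot/dns, replay a
    constructed strace excerpt, then check the result for a non-owner uid
    (standing in for named) and for the owner. Everything here is constructed."""
    base = tempfile.mkdtemp()
    jail = os.path.join(base, "chroot", "dns")
    named_dir = os.path.join(jail, "var", "named")
    os.makedirs(named_dir)
    for d, mode in ((base, 0o755), (os.path.dirname(jail), 0o755), (jail, 0o700),
                    (os.path.dirname(named_dir), 0o755), (named_dir, 0o755)):
        os.chmod(d, mode)  # jail 0700 mirrors the 'drwx------ root named' listing
    trace = "\n".join([  # constructed, modelled on the strace quoted in the thread
        '7828  chroot("%s")                     = 0' % jail,
        '7828  chdir("/")                       = 0',
        '7828  setuid(40)                       = 0',
        '7828  open("/etc/bind/named.conf", O_RDONLY) = 4',
        '7828  chdir("/var/named")              = 0',
        '7828  access(".", W_OK|X_OK)           = -1 EACCES (Permission denied)',
    ])
    cwd = locate_failing_cwd(trace)
    service_uid = 65534 if os.getuid() != 65534 else 65533  # assumption: not the owner
    as_service = check_dir_for_user(cwd, service_uid, frozenset())
    as_owner = check_dir_for_user(cwd, os.getuid(), frozenset(os.getgroups()) | {os.getgid()})
    return {"cwd": cwd, "jail": jail, "named_dir": named_dir,
            "as_service": as_service, "as_owner": as_owner}


if __name__ == "__main__":
    result = run_demo()
    print("'.' resolved to", result["cwd"])
    for component, reason in result["as_service"]:
        print("  ", component, "->", reason)
```

Against a real host, capture the trace with something like `strace -f -o named.trace named -g -u named -t /chroot/dns`, pass the file contents to locate_failing_cwd(), and pass the returned path plus the named uid and gid to check_dir_for_user(). The walk deliberately reports every offending component, not just the first, and it includes the jail root itself: `ls -al /chroot/dns` shows that directory's own mode on the `.` line (drwx------ root named in the post above), while `ls -l /chroot/dns/` only lists its contents, so the two listings are not comparable on that component.

----------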

## Duncan Mac Leod

Maybe you have a permission problem in chroot...

my permissions are:

```
ls -l /chroot/dns/
total 16
drwxr-xr-x 2 root root 4096 23. Mar 15:36 dev
drwxr-xr-x 3 root root 4096 11. Aug 2018  etc
drwxr-xr-x 3 root root 4096  6. Aug 2018  run
drwxr-xr-x 5 root root 4096 11. Aug 2018  var
```

```
ls -l /chroot/dns/dev/
total 0
crw-rw-rw- 1 root root 1, 3  6. Aug 2018  null
crw-rw-rw- 1 root root 1, 8  6. Aug 2018  random
crw-rw-rw- 1 root root 1, 9 23. Mar 15:36 urandom
crw-rw-rw- 1 root root 1, 5  6. Aug 2018  zero
```

```
ls -l /chroot/dns/etc/
total 8
drwxr-xr-x 2 named root 4096 23. Mar 15:27 bind
-rw-r--r-- 1 root  root 2326 24. Jan 18:19 localtime
```

```
ls -l /chroot/dns/run/
total 4
drwxrwx--- 2 root named 4096 23. Mar 15:44 named
```

```
ls -l /chroot/dns/var/
total 12
drwxrwx--- 5 root  named 4096 23. Mar 15:45 bind
drwxr-xr-x 3 root  root  4096  6. Aug 2018  log
drwxr-xr-x 2 named named 4096 11. Aug 2018  run
```

```
ls -l /chroot/dns/etc/bind/
total 24
-rw-r----- 1 root named  2761 23. Mar 15:24 bind.keys
lrwxrwxrwx 1 root root     13 23. Mar 15:24 dyn -> /var/bind/dyn
-rw-r----- 1 root named 13228  7. Oct 16:29 named.conf
lrwxrwxrwx 1 root root     13 23. Mar 15:24 pri -> /var/bind/pri
-rw-r----- 1 root named    77  6. Aug 2018  rndc.key
lrwxrwxrwx 1 root root     13 23. Mar 15:24 sec -> /var/bind/sec
```

----------

## hanj

Okay... I thought I would work on this again with the newer version of bind. Currently having the same issue with net-dns/bind-9.12.3_p4.

So I nuked the entire chroot, and ran --config to build it from scratch. I compared the permissions to those above... and they're the same now. I also updated my config to be super simple, and it's still not starting. This is the case on 3 different servers, all running chroot. If I roll back to 9.11.2_p1 it works.

The server that I'm currently testing on is a development server with a simple set up.

```
Apr 11 08:51:14 server.comp.net named[27373]: automatic empty zone: B.E.F.IP6.ARPA
Apr 11 08:51:14 server.comp.net named[27373]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr 11 08:51:14 server.comp.net named[27373]: automatic empty zone: EMPTY.AS112.ARPA
Apr 11 08:51:14 server.comp.net named[27373]: automatic empty zone: HOME.ARPA
Apr 11 08:51:14 server.comp.net named[27373]: none:103: 'max-cache-size 90%' - setting to 1814MB (out of 2015MB)
Apr 11 08:51:14 server.comp.net named[27373]: configuring command channel from '/etc/bind/rndc.key'
Apr 11 08:51:14 server.comp.net named[27373]: command channel listening on 127.0.0.1#953
Apr 11 08:51:14 server.comp.net named[27373]: the working directory is not writable
Apr 11 08:51:14 server.comp.net named[27373]: loading configuration: permission denied
Apr 11 08:51:14 server.comp.net named[27373]: exiting (due to fatal error)
```

Build USE flags

```
[ebuild   R    ] net-dns/bind-9.12.3_p4::gentoo  USE="berkdb caps dlz mysql ssl static-libs urandom zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -ipv6 -json -ldap -libressl -lmdb -odbc -postgres -python -rpz (-seccomp) (-selinux) -threads -xml" PYTHON_TARGETS="python2_7 python3_5 python3_6 (-python3_7)" 8426 KiB
```

/etc/conf.d/named

```
CHROOT="/chroot/dns"
CHROOT_NOMOUNT="1"
CHROOT_NOCHECK=1
PIDFILE="${CHROOT}/var/run/named/named.pid"
```

/chroot/dns/etc/bind/named.conf

```
acl comp { 127.0.0.1;};

options {
        directory "/var/named";
        notify yes;
        auth-nxdomain no;
        allow-recursion { comp; };
        allow-query { comp; };
        allow-transfer { comp; };
};
```

My permissions on directories match Duncan Mac Leod's post exactly. I did have to mknod for 'random' in /chroot/dns/dev/. I've added a debug level -d 2 in start up, but no additional clues. Googling around, I see that the following messages...

```
Apr 11 08:51:14 server.comp.net named[27373]: the working directory is not writable
Apr 11 08:51:14 server.comp.net named[27373]: loading configuration: permission denied
```

...are usually due to an error prior to this. In other examples, I see specific issues - config issues, unable to write logs, etc. - but I don't see any other problems before this. It looks like normal start-up info. I did try an strace as well, but nothing stood out.

Thanks!

h

----------

## Duncan Mac Leod

Please check /etc/conf.d/named

```
CHROOT="/chroot/dns"
PIDFILE="${CHROOT}/run/named/named.pid"
```

I only have these 2 lines in /etc/conf.d/named - just a guess...

----------

## hanj

*Duncan Mac Leod wrote:*

> Please check /etc/conf.d/named
>
> ```
> CHROOT="/chroot/dns"
> ...
> ```

Okay... I went with those lines. Typically in the past, I stored my configs in the /chroot, so I don't want it to mount /etc/bind/, etc... that's why I had CHROOT_NOMOUNT=1. I tried CHROOT_NOCHECK=1 today to see if that was causing the writable notice.

Regardless.. going with CHROOT and PIDFILE only.. I still get the same failed start.

Thanks!

h

----------

