# [SOLVED] Unable to start net-dns/bind via rc-service

## anrock

So my old homeserver died and I'm slowly setting it up on new hardware.

After installing a fresh Gentoo on the new hardware I'm having an unexpected issue: bind refuses to start via the rc-service command

```

$ rc-service named start

named             | * Caching service dependencies ...                                                                            [ ok ]

named             | * Starting named ...

named             | * Checking named configuration ...                                                                            [ ok ]

named             | * start-stop-daemon: failed to start `/usr/sbin/named'                                                        [ !! ]

named             | * ERROR: named failed to start

```

I've increased verbosity of start-stop-daemon invocation in init script and run it with debug option:

```

$ rc-service -d named start

+ sourcex -e /etc/rc.conf

+ '[' -e = -e ']'

+ shift

+ '[' -e /etc/rc.conf ']'

+ . /etc/rc.conf

++ rc_parallel=YES

++ rc_shell=/sbin/sulogin

++ rc_logger=YES

++ rc_log_path=/var/log/rc.log

++ unicode=YES

++ rc_tty_number=12

+ '[' -d /etc/rc.conf.d ']'

+ _conf_d=/etc/init.d/../conf.d

+ _c=named

+ '[' -n named -a named '!=' named ']'

+ unset _c

+ sourcex -e /etc/init.d/../conf.d/named.default

+ '[' -e = -e ']'

+ shift

+ '[' -e /etc/init.d/../conf.d/named.default ']'

+ return 1

+ sourcex -e /etc/init.d/../conf.d/named

+ '[' -e = -e ']'

+ shift

+ '[' -e /etc/init.d/../conf.d/named ']'

+ . /etc/init.d/../conf.d/named

++ PIDFILE=/run/named/named.pid

+ unset _conf_d

+ sourcex /lib/rc/sh/runit.sh

+ '[' /lib/rc/sh/runit.sh = -e ']'

+ . /lib/rc/sh/runit.sh

+ sourcex /lib/rc/sh/s6.sh

+ '[' /lib/rc/sh/s6.sh = -e ']'

+ . /lib/rc/sh/s6.sh

++ '[' -z '' ']'

++ s6_service_path=/var/svc.d/named

+ sourcex /lib/rc/sh/start-stop-daemon.sh

+ '[' /lib/rc/sh/start-stop-daemon.sh = -e ']'

+ . /lib/rc/sh/start-stop-daemon.sh

+ sourcex /lib/rc/sh/supervise-daemon.sh

+ '[' /lib/rc/sh/supervise-daemon.sh = -e ']'

+ . /lib/rc/sh/supervise-daemon.sh

++ extra_commands='healthcheck unhealthy '

+ sourcex /etc/init.d/named

+ '[' /etc/init.d/named = -e ']'

+ . /etc/init.d/named

++ extra_commands='checkconfig checkzones'

++ extra_started_commands=reload

++ NAMED_CONF=/etc/bind/named.conf

++ OPENSSL_LIBGOST=0

++ MOUNT_CHECK_TIMEOUT=60

+ yesno ''

+ '[' -z '' ']'

+ return 1

+ for _cmd in "$@"

+ '[' start '!=' status -a start '!=' describe ']'

+ '[' -n '' ']'

++ command -v cgroup_add_service

+ '[' cgroup_add_service = cgroup_add_service ']'

+ grep -qs /sys/fs/cgroup /proc/1/mountinfo

+ '[' -d /sys/fs/cgroup -a '!' -w /sys/fs/cgroup ']'

+ cgroup_add_service

+ for d in /sys/fs/cgroup/*

+ '[' -w /sys/fs/cgroup/cpu/tasks ']'

+ printf %d 0

+ for d in /sys/fs/cgroup/*

+ '[' -w /sys/fs/cgroup/cpuacct/tasks ']'

+ printf %d 0

+ for d in /sys/fs/cgroup/*

+ '[' -w /sys/fs/cgroup/cpuset/tasks ']'

+ printf %d 0

+ for d in /sys/fs/cgroup/*

+ '[' -w /sys/fs/cgroup/freezer/tasks ']'

+ printf %d 0

+ for d in /sys/fs/cgroup/*

+ '[' -w /sys/fs/cgroup/openrc/tasks ']'

+ printf %d 0

+ for d in /sys/fs/cgroup/*

+ '[' -w /sys/fs/cgroup/unified/tasks ']'

+ openrc_cgroup=/sys/fs/cgroup/openrc

+ '[' -d /sys/fs/cgroup/openrc ']'

+ cgroup=/sys/fs/cgroup/openrc/named

+ mkdir -p /sys/fs/cgroup/openrc/named

+ '[' -w /sys/fs/cgroup/openrc/named/tasks ']'

+ printf %d 0

++ command -v cgroup_set_limits

+ '[' cgroup_set_limits = cgroup_set_limits ']'

+ cgroup_set_limits

+ local blkio=

+ '[' -n '' ']'

+ local cpu=

+ '[' -n '' ']'

+ local cpuacct=

+ '[' -n '' ']'

+ local cpuset=

+ '[' -n '' ']'

+ local devices=

+ '[' -n '' ']'

+ local hugetlb=

+ '[' -n '' ']'

+ local memory=

+ '[' -n '' ']'

+ local net_cls=

+ '[' -n '' ']'

+ local net_prio=

+ '[' -n '' ']'

+ local pids=

+ '[' -n '' ']'

+ return 0

++ command -v cgroup2_set_limits

+ '[' cgroup2_set_limits = cgroup2_set_limits ']'

+ '[' start = start ']'

+ cgroup2_set_limits

+ local cgroup_path

++ cgroup2_find_path

++ grep -qw cgroup2 /proc/filesystems

++ case "${rc_cgroup_mode:-hybrid}" in

++ printf /sys/fs/cgroup/unified

++ return 0

+ cgroup_path=/sys/fs/cgroup/unified

+ '[' -d /sys/fs/cgroup/unified ']'

+ rc_cgroup_path=/sys/fs/cgroup/unified/named

+ '[' '!' -d /sys/fs/cgroup/unified/named ']'

+ '[' -f /sys/fs/cgroup/unified/named/cgroup.procs ']'

+ printf 0

+ '[' -z '' ']'

+ return 0

+ break

+ eval 'printf '\''%s\n'\'' '

++ printf '%s\n'

+ read _d

+ '[' -n '' ']'

+ read _d

+ '[' 0 -ne 0 ']'

+ unset _d

+ eval 'printf '\''%s\n'\'' '

++ printf '%s\n'

+ read _f

+ '[' -n '' ']'

+ read _f

+ '[' 0 -ne 0 ']'

+ unset _f

+ '[' -n '' ']'

+ '[' -n start ']'

+ '[' start = depend ']'

+ for _cmd in describe start stop status ${extra_commands:-$opts} $extra_started_commands $extra_stopped_commands

+ '[' describe = start ']'

+ for _cmd in describe start stop status ${extra_commands:-$opts} $extra_started_commands $extra_stopped_commands

+ '[' start = start ']'

++ command -v start

+ '[' start = start ']'

+ yesno

+ '[' -z '' ']'

+ return 1

+ for _cmd in $extra_started_commands

+ '[' reload = start ']'

+ for _cmd in $extra_stopped_commands

+ '[' cgroup_cleanup = start ']'

+ unset _cmd

+ case $1 in

+ verify_boot

+ '[' '!' -e /run/openrc/softlevel ']'

+ return 0

++ command -v start_pre

+ '[' '' = start_pre ']'

+ start

+ local piddir

+ ebegin 'Starting named'

+ local _r

+ command ebegin 'Starting named'

+ ebegin 'Starting named'

 * Starting named ...+ _r=0

+ EINFO_LASTCMD=ebegin

+ export EINFO_LASTCMD

+ return 0

+ '[' -n '' ']'

+ checkconfig

+ ebegin 'Checking named configuration'

+ local _r

+ command ebegin 'Checking named configuration'

+ ebegin 'Checking named configuration'

 * Checking named configuration ...+ _r=0

+ EINFO_LASTCMD=ebegin

+ export EINFO_LASTCMD

+ return 0

+ '[' '!' -f /etc/bind/named.conf ']'

+ /usr/sbin/named-checkconf /etc/bind/named.conf

+ eend 0

+ local _r

+ command eend 0

+ eend 0

 [ ok ]

+ _r=0

+ EINFO_LASTCMD=eend

+ export EINFO_LASTCMD

+ return 0

+ return 0

+ _get_pidfile

+ '[' -n /run/named/named.pid ']'

+ '[' -z /run/named/named.pid ']'

+ piddir=/run/named

+ checkpath -q -d -o root:named -m 0770 /run/named

+ '[' -n '' ']'

+ start-stop-daemon -v --start --pidfile /run/named/named.pid --nicelevel 0 --exec /usr/sbin/named -- -u named

 * start-stop-daemon: fopen `/run/named/named.pid': No such file or directory *   start-stop-daemon: failed to start `/usr/sbin/named'

 * Detaching to start `/usr/sbin/named' ...+ eend 1

+ local _r

+ command eend 1

+ eend 1

 [ !! ]

+ _r=1

+ EINFO_LASTCMD=eend

+ export EINFO_LASTCMD

+ return 1

+ exit 1

named             | * ERROR: named failed to start

named             | * Caching service dependencies ... [ ok ]

```

The interesting piece here is

```
 * start-stop-daemon: fopen `/run/named/named.pid': No such file or directory
```

Directory itself seems fine:

```

$ ls -l /run | grep named

drwxrwx---  2 root     named      40 Oct 17 14:24 named

```

So I've tried to create named.pid file just in case

```

$ touch /run/named/named.pid && chown root:named /run/named/named.pid && chmod 770 /run/named/named.pid

```

and run rc-service again and output log is the same except now start-stop-daemon errors with

```

* start-stop-daemon: no pid found in `/run/named/named.pid' 

```

And here I'm stuck. start-stop-daemon appears to be a binary and I have no idea how to debug it further.

*Last edited by anrock on Wed Oct 23, 2019 9:10 pm; edited 1 time in total*

----------

## mike155

You got the first error, because '/run/named/' did not exist. This is understandable.

You got the second error, because '/run/named/named.pid' existed, but it did NOT contain a PID. Named tried to read a PID from the file, but it couldn't, so it aborted with an error. This is also understandable.

What happens if you create the directory '/run/named/', but NOT the pid file inside of it?

----------

## anrock

@mike155 init script takes care of creating /run/named as far as I can tell after reading it and rerunning it after I've deleted /run/named. So I'm still getting the first error regardless if /run/named exists or not.

Upd. I mean the first time script created a /run/named directory even if it didn't exist and I still get first error with /run/named existing and without named.pid in it. Hope it's clearer now.

----------

## mike155

Yes, you're right :)

As far as I can see, '/run/named' should be created by systemd or opentmpfiles when you boot your machine and before bind gets started. 

Please look at the file '/usr/lib/tmpfiles.d/named.conf':

```
d /run/named 0750 named named -
```

So it seems owner and group of '/run/named' should be "named:named". 

What happens if you run:

```
rm -rf /run/named

mkdir /run/named

chown named:named /run/named

/etc/init.d/named start
```

----------

## anrock

 *mike155 wrote:*   

> Please look at the file '/usr/lib/tmpfiles.d/named.conf':
> 
> ```
> d /run/named 0750 named named -
> ```
> ...

 

Yup, same contents on my machine

 *mike155 wrote:*   

> 
> 
> What happens if you run:
> 
> ```
> ...

 

First error and /run/named becomes owned by root:named. I did another rerun with chown named:named added to init script before start-stop-daemon invocation and directory remained owned by named:named, but error was the same.

I'm thinking about filing a bug to bugs.gentoo.org. Pros: fresh install should at least launch okay. Cons: I've googled a couple of days before posting here and haven't seen anyone with this issue and same (run a diff over backed up files) init script was working fine on old machine. What do you think?

----------

## freke

What if you turn on/up logging from named?

Is it crashing with some sort of error?

I have this in /etc/bind/named.conf

```
logging {

        channel default_log {

                syslog daemon;

                severity info;

        };

        category default { default_log; };

        category general { default_log; };

        category resolver { default_log; };

        category network { default_log; };

};
```

 for logging to syslog.

----------

## anrock

@freke it's not even starting via init script, so no logs. Launching it manually works okay, tho

----------

## mike155

 *anrock wrote:*   

> I'm thinking about filing a bug to bugs.gentoo.org. Pros: fresh install should at least launch okay. Cons: I've googled a couple of days before posting here and haven't seen anyone with this issue and same (run a diff over backed up files) init script was working fine on old machine. What do you think?

 

I tried to reproduce the problem on my machine. It's difficult, because I switched to dnsmasq and I also switched to Systemd. Switching back to OpenRC just to test this is not an option, since it would be too difficult and time-consuming.

I'm unsure what to do... If I think about it... Yes, please file a bug. 

Do you really need BIND? It works well and it's the DNS server reference implementation - but it grew bigger and bigger. That's why I switched to dnsmasq (http://www.thekelleys.org.uk/dnsmasq/doc.html) 2 years ago. I can really recommend dnsmasq.

----------

## anrock

@mike155 okay, will file a bug. And yes, I guess I need bind - if I read correctly dnsmasq provides only local dns while I have a domain and I need my server to be reachable from outside.

----------

## freke

/run/named is owned by root:named on my openrc-setup

```
drwxrwx---  2 root  named   80 Oct 23 16:07 named
```

Could you post named.conf so I could try it?

AFAIK I haven't touched /etc/init.d/named nor /etc/conf.d/named.

Dunno if USE-flags could be a factor, too.

Mine is built with

```
ns ~ # eix -v net-dns/bind

* net-dns/bind

     Available versions:  9.14.7^t **9.15.5^t

     IUSE (all versions): -berkdb +caps dlz dnsrps dnstap doc fixed-rrset geoip geoip2 gssapi json ldap libressl lmdb mysql odbc postgres python selinux static-libs urandom xml +zlib PYTHON_TARGETS="python2_7 python3_5 python3_6 python3_7"

     Installed versions:  Version:   9.14.7^t

                          Date:      18:26:26 10/21/19

                          USE:       berkdb caps dlz geoip2 xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gssapi -json -ldap -libressl -lmdb -mysql -odbc -postgres -python -selinux -static-libs -urandom PYTHON_TARGETS="python2_7 python3_6 -python3_5 -python3_7"
```

----------

## alamahant

Double-check your named.conf and your zone definition files. Also, you often have to manually create the desired log file in /var/log and chown it to named.

Would you plz post your named.conf and your zone definitions?

Also plz use named-checkconf to see if there are misconfigured files...

----------

## anrock

@freke @alamahant As I said earlier this is fresh install and I haven't touched any configs of bind. So I don't have any zone files and named.conf is standard one out-of-the-box.

Use flags are +caps +zlib.

There is /var/log/named/named.log owned by named:named and if I start bind manually it writes logs there just fine.

named-checkconf is run by init script before trying to start bind and never reported an error (ran it manually just in case and no errors reported)

Here's my named.conf just in case:

```

/*

 * Refer to the named.conf(5) and named(8) man pages, and the documentation

 * in /usr/share/doc/bind-* for more details.

 * Online versions of the documentation can be found here:

 * https://kb.isc.org/article/AA-01031

 *

 * If you are going to set up an authoritative server, make sure you

 * understand the hairy details of how DNS works. Even with simple mistakes,

 * you can break connectivity for affected parties, or cause huge amounts of

 * useless Internet traffic.

 */

acl "xfer" {

   /* Deny transfers by default except for the listed hosts.

    * If we have other name servers, place them here.

    */

   none;

};

/*

 * You might put in here some ips which are allowed to use the cache or

 * recursive queries

 */

acl "trusted" {

   127.0.0.0/8;

   ::1/128;

};

options {

   directory "/var/bind";

   pid-file "/run/named/named.pid";

   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */

   //bindkeys-file "/etc/bind/bind.keys";

   listen-on-v6 { ::1; };

   listen-on { 127.0.0.1; };

   allow-query {

      /*

       * Accept queries from our "trusted" ACL.  We will

       * allow anyone to query our master zones below.

       * This prevents us from becoming a free DNS server

       * to the masses.

       */

      trusted;

   };

   allow-query-cache {

      /* Use the cache for the "trusted" ACL. */

      trusted;

   };

   allow-recursion {

      /* Only trusted addresses are allowed to use recursion. */

      trusted;

   };

   allow-transfer {

      /* Zone tranfers are denied by default. */

      none;

   };

   allow-update {

      /* Don't allow updates, e.g. via nsupdate. */

      none;

   };

   /*

   * If you've got a DNS server around at your upstream provider, enter its

   * IP address here, and enable the line below. This will make you benefit

   * from its cache, thus reduce overall DNS traffic in the Internet.

   *

   * Uncomment the following lines to turn on DNS forwarding, and change

   *  and/or update the forwarding ip address(es):

   */

/*

   forward first;

   forwarders {

   //   123.123.123.123;   // Your ISP NS

   //   124.124.124.124;   // Your ISP NS

   //   4.2.2.1;      // Level3 Public DNS

   //   4.2.2.2;      // Level3 Public DNS

      8.8.8.8;      // Google Open DNS

      8.8.4.4;      // Google Open DNS

   };

*/

   dnssec-enable yes;

   //dnssec-validation yes;

   /*

    * As of bind 9.8.0:

    * "If the root key provided has expired,

    * named will log the expiration and validation will not work."

    */

   dnssec-validation auto;

   /* if you have problems and are behind a firewall: */

   //query-source address * port 53;

};

/*

logging {

   channel default_log {

      file "/var/log/named/named.log" versions 5 size 50M;

      print-time yes;

      print-severity yes;

      print-category yes;

   };

   category default { default_log; };

   category general { default_log; };

};

*/

include "/etc/bind/rndc.key";

controls {

   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };

};

zone "." in {

   type hint;

   file "/var/bind/named.cache";

};

zone "localhost" IN {

   type master;

   file "pri/localhost.zone";

   notify no;

};

/*

 * Briefly, a zone which has been declared delegation-only will be effectively

 * limited to containing NS RRs for subdomains, but no actual data beyond its

 * own apex (for example, its SOA RR and apex NS RRset). This can be used to

 * filter out "wildcard" or "synthesized" data from NAT boxes or from

 * authoritative name servers whose undelegated (in-zone) data is of no

 * interest.

 * See http://www.isc.org/software/bind/delegation-only for more info

 */

//zone "COM" { type delegation-only; };

//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {

//   type master;

//   file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";

//   allow-query { any; };

//   allow-transfer { xfer; };

//};

//zone "YOUR-SLAVE.TLD" {

//   type slave;

//   file "/var/bind/sec/YOUR-SLAVE.TLD.zone";

//   masters { <MASTER>; };

   /* Anybody is allowed to query but transfer should be controlled by the master. */

//   allow-query { any; };

//   allow-transfer { none; };

   /* The master should be the only one who notifies the slaves, shouldn't it? */

//   allow-notify { <MASTER>; };

//   notify no;

//};

```

----------

## anrock

Filed a bug: https://bugs.gentoo.org/698416

----------

## hdcg

Hi anrock,

the following message is a little bit misleading:

```
start-stop-daemon -v --start --pidfile /run/named/named.pid --nicelevel 0 --exec /usr/sbin/named -- -u named 

 * start-stop-daemon: fopen `/run/named/named.pid': No such file or directory *   start-stop-daemon: failed to start `/usr/sbin/named'
```

The command referred to by --exec actually was started (otherwise a different error would have been issued), and start-stop-daemon failed to detect a proper pid file in time. The pid file should have been created by the command itself.

Which user did you use to run named manually? If it was root, please check whether that manual run created any named-related files that are not accessible to named when it is started by the start-stop-daemon command above (which instructs named to switch to user named).

To pin down your issue further you can try to start named with the following command:

```
start-stop-daemon --start --pidfile /run/named/named.pid --nicelevel 0 --exec /usr/sbin/named -- -u named -g -d 9
```

-g forces named to stay in foreground and log to stdout/err (as a result the command above will not return if named starts)

-d 9 increases the log level

Best Regards,

Holger

----------

## anrock

@hdcg thanks! That was it.

```

$ start-stop-daemon --start --pidfile /run/named/named.pid --nicelevel 0 --exec /usr/sbin/named -- -u named -g -d 9

start-stop-daemon --start --pidfile /run/named/named.pid --nicelevel 0 --exec /usr/sbin/named -- -u named -g -d 9

24-Oct-2019 02:58:30.540 starting BIND 9.14.7 (Stable Release) <id:d410de0>

24-Oct-2019 02:58:30.540 running on Linux x86_64 5.3.0-gentoo #2 SMP Fri Oct 11 00:00:31 MSK 2019

24-Oct-2019 02:58:30.540 built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.14.7' '--htmldir=/usr/share/doc/bind-9.14.7/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--with-openssl=/usr' '--enable-linux-caps' '--disable-dnsrps' '--disable-dnstap' '--disable-fixed-rrset' '--without-dlz-bdb' '--without-dlopen' '--without-dlz-filesystem' '--without-dlz-stub' '--without-gssapi' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--without-libxml2' '--with-zlib' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=native -mtune=native -fomit-frame-pointer' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -L/usr/lib64 -ldl' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'

24-Oct-2019 02:58:30.540 running as: named -u named -g -d 9

24-Oct-2019 02:58:30.540 compiled by GCC 8.3.0

24-Oct-2019 02:58:30.540 compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

24-Oct-2019 02:58:30.540 linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

24-Oct-2019 02:58:30.540 compiled with zlib version: 1.2.11

24-Oct-2019 02:58:30.541 linked to zlib version: 1.2.11

24-Oct-2019 02:58:30.541 ----------------------------------------------------

24-Oct-2019 02:58:30.541 BIND 9 is maintained by Internet Systems Consortium,

24-Oct-2019 02:58:30.541 Inc. (ISC), a non-profit 501(c)(3) public-benefit

24-Oct-2019 02:58:30.541 corporation.  Support and training for BIND 9 are

24-Oct-2019 02:58:30.541 available at https://www.isc.org/support

24-Oct-2019 02:58:30.541 ----------------------------------------------------

24-Oct-2019 02:58:30.541 adjusted limit on open files from 4096 to 1048576

24-Oct-2019 02:58:30.542 found 2 CPUs, using 2 worker threads

24-Oct-2019 02:58:30.542 using 2 UDP listeners per interface

24-Oct-2019 02:58:30.544 using up to 4096 sockets

24-Oct-2019 02:58:30.558 loading configuration from '/etc/bind/named.conf'

24-Oct-2019 02:58:30.559 directory '/var/bind' is not writable

24-Oct-2019 02:58:30.559 /etc/bind/named.conf:30: parsing failed: permission denied

24-Oct-2019 02:58:30.560 load_configuration: permission denied

24-Oct-2019 02:58:30.560 loading configuration: permission denied

24-Oct-2019 02:58:30.560 exiting (due to fatal error)

 * start-stop-daemon: failed to start `/usr/sbin/named'

```

I've changed perms on /var/bind (the directory named reported as not writable in the log above) to 770 and it worked.

----------

