Dear colleagues,<style>
body {
font-family: 'Arial';
font-size: 100% !important;
margin: 0;
line-height: 1.2rem;
color: #1F497D;
}
</style><div><br></div><div>after upgrading from Stretch to Debian Buster (10.2) I get following error message which blocks NSD (4.1.26) from starting:</div><div><br></div><div><div>> Nov 24 16:18:40 ns2 nsd[989]: [2019-11-24 16:18:40.030] nsd[989]: error: could not open zone list /var/lib/nsd/zone.list: Permission denied</div><div>> Nov 24 16:18:40 ns2 nsd[989]: [2019-11-24 16:18:40.032] nsd[989]: error: could not read zonelist file /var/lib/nsd/zone.list</div></div><div><br></div><div>However, the permissions are all fine; they did not change during the update.</div><div><br></div><div>ls -l /var/lib/nsd/zone.list</div><div>> -rw-r--r-- 1 nsd nsd 1195 Nov 4 17:33 /var/lib/nsd/zone.list</div><div><br></div><div>I had a look into /lib/systemd/system/nsd.service:</div><div><br></div><div><div>> [Unit]</div><div>> Description=Name Server Daemon</div><div>> Documentation=man:nsd(8)</div><div>> After=network.target</div><div><br></div><div>> [Service]</div><div>> Type=notify</div><div>> Restart=always</div><div>> ExecStart=/usr/sbin/nsd -d</div><div>> ExecReload=+/bin/kill -HUP $MAINPID</div><div>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT</div><div>> MemoryDenyWriteExecute=true</div><div>> NoNewPrivileges=true</div><div>> PrivateDevices=true</div><div>> PrivateTmp=true</div><div>> ProtectHome=true</div><div>> ProtectControlGroups=true</div><div>> ProtectKernelModules=true</div><div>> ProtectKernelTunables=true</div><div>> ProtectSystem=strict</div><div>> ReadWritePaths=/var/lib/nsd /etc/nsd /run</div><div>> RuntimeDirectory=nsd</div><div>> RestrictRealtime=true</div><div>> SystemCallArchitectures=native</div><div>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources</div><div><br></div><div>> [Install]</div><div>> WantedBy=multi-user.target</div></div><div><br></div><div>Once I remove following line,</div><div><br></div><div>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT</div><div><br></div><div>while it does not help to only remove params from it (I need to remove the full line), the error message changes to:</div><div><br></div><div><div>> Nov 24 16:37:57 ns2 systemd[1]: Starting Name Server Daemon...</div><div>> Nov 24 16:37:57 ns2 nsd[1607]: [2019-11-24 16:37:57.144] nsd[1607]: error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr</div><div>> Nov 24 16:37:57 ns2 nsd[1607]: [2019-11-24 16:37:57.145] nsd[1607]: notice: nsd starting (NSD 4.1.26)</div><div>> Nov 24 16:37:57 ns2 nsd[1607]: [2019-11-24 16:37:57.252] nsd[1608]: notice: nsd started (NSD 4.1.26), pid 1607</div><div>> Nov 24 16:37:57 ns2 systemd[1]: Started Name Server Daemon.</div></div><div><br></div><div>Since nsd-control zonestatus now works, NSD now can read the /var/lib/nsd/zone.list. However, it is still not running fine because now NSD says it cannot open the /var/log/nsd.log.</div><div><br></div><div>Does anyone know how to fix that?</div><div><br></div><div>Kind Regards,</div><div>Kaulkwappe</div>