[nsd-users] Permission error after upgrade to Debian Buster (10.2)

José Luis Artuch zenbakaitz at speedy.com.ar
Fri Dec 13 22:59:40 UTC 2019


Hi Kaulkwappe,

On Fri, 13-12-2019 at 13:18 +0100, Kaulkwappe wrote:
> Unfortunately I still get these errors in NSD 4.1.26 on Debian Buster
> 10.2:
> 
> 1) Log file:
> > error: Cannot open /var/log/nsd.log for appending (Permission denied), logging to std
> 
> When I set the owner of nsd.log to root:root, I don't get an error
> message on start. However, after this start, NSD will change the
> owner to nsd:nsd and on the next start I will get this error message.
> 
> 2) PID file:
> > warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> It seems that NSD needs a PID file, because if I change pidfile:
> "/run/nsd/nsd.pid" to pidfile: "" I get:
> 
> > error: cannot open pidfile : No such file or directory
> > error: cannot overwrite the pidfile : No such file or directory

---> Debian 10.2
---> NSD 4.1.26

About LOG and PID, I don't know if what I'm doing is correct, but
apparently NSD works correctly.

In the NSD configuration file I considered:

sudo nano /etc/nsd/nsd.conf
...
        logfile: "/var/run/log/nsd.log"
...
        pidfile: "/var/lib/nsd/nsd.pid"
...

With those routes I got the LOG written (I didn't get it written in
other places):

sudo mc
...
/var/run/log
	/journal
	nsd.log		<--- !!

But the LOG reported that the PID could not be written in
/var/lib/nsd due to permission issues ...

Because I think *pid.nsd* must be written by *root*, I modified owner
and permissions like this:

sudo chown root:nsd /var/lib/nsd
sudo chmod 755 /var/lib/nsd

With this, the PID is now written:

sudo mc
...
/var/lib/nsd
	nsd.db
	nsd.pid		<--- !!
	xfrd.state

Regards.
José Luis
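
The thread shows two separate layers: a "read-only" error points at the systemd sandbox (ReadWritePaths), while "Permission denied" points at file ownership. The following shell script is an added example, not part of the original posts or of NSD; it checks the first layer for the logfile and pidfile settings. The function names are hypothetical, the sample values are constructed from settings quoted in this thread, and it assumes /var/run is a symlink to /run as on Debian 10.

```sh
#!/bin/sh
# Added example: are nsd.conf's logfile/pidfile inside the unit's ReadWritePaths?
# Sample values are constructed from the settings quoted in this thread.
SAMPLE_RWPATHS="/var/lib/nsd /var/log /etc/nsd /run"
SAMPLE_CONF='server:
        logfile: "/var/run/log/nsd.log"
        pidfile: "/var/lib/nsd/nsd.pid"'

# conf_value KEY: print the quoted value of "KEY:" from nsd.conf text on stdin.
conf_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# normalize PATH: assumption: /var/run is a symlink to /run, as on Debian 10.
normalize() {
    case "$1" in
        /var/run|/var/run/*) printf '%s\n' "/run${1#/var/run}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# covered PATH RWPATHS: succeed if PATH equals or lies below a listed entry.
covered() {
    p=$(normalize "$1")
    for rw in $2; do
        rw=${rw#[-+]}                    # systemd's optional "-" / "+" prefixes
        rw=$(normalize "${rw%/}")
        case "$p" in
            "$rw"|"$rw"/*) return 0 ;;
        esac
    done
    return 1
}

# report CONF_TEXT RWPATHS: one line per setting: key, path, sandbox verdict.
report() {
    for key in logfile pidfile; do
        val=$(printf '%s\n' "$1" | conf_value "$key")
        if [ -z "$val" ]; then echo "$key (unset) -"
        elif covered "$val" "$2"; then echo "$key $val writable"
        else echo "$key $val read-only"
        fi
    done
}

# "live" reads the real config and unit; otherwise nothing runs on load.
if [ "${1:-}" = live ]; then
    report "$(cat /etc/nsd/nsd.conf)" "$(systemctl show nsd -p ReadWritePaths --value)"
fi
```

A path reported as writable has only passed the sandbox check; the user NSD runs as still needs ownership or mode bits that let it write there.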

> From: José Luis Artuch <zenbakaitz at speedy.com.ar>
> Sent: Tuesday, 26. Nov 2019 – 01:03 CET +0100
> To: Kaulkwappe <kaulkwappe at prvy.eu>
> nsd-users at NLnetLabs.nl
> 
> Subject: Re: [nsd-users] Permission error after upgrade to Debian
> Buster (10.2)
> 
> Hi Kaulkwappe,
> 
> On Mon, 25-11-2019 at 01:34 +0100, Kaulkwappe wrote:
> > > [...] I'd double check if it's indeed effective with "systemctl
> > > show nsd | grep ReadWritePaths"
> > 
> > Seems to be effective:
> > > # systemctl show nsd | grep ReadWritePaths
> > > ReadWritePaths=/var/lib/nsd /var/log /etc/nsd /run
> > 
> > The problem with the log file will never stop the NSD service from
> > working (I believe) but the log file is quite important, so, of
> > course, NSD should be able to append to it.
> > 
> > Has anyone already had this problem after an upgrade?
> > 
> > Kind Regards,
> > Kaulkwappe
> > 
> 
> My knowledge on this subject is very limited, but since you ask I give
> you my recent experience. I have also upgraded from Debian 9 to Debian
> 10, two ways, starting from Debian 9 and also from scratch. In both
> cases I have not got NSD to write the log file. I have tested changes
> of permissions and/or routes.
> However, I have not had problems with the start of NSD, but I clarify
> that I use NSD with a very elementary configuration and without
> /var/lib/nsd/zone.list defined.
> A cordial greeting.
> José Luis
> 
> > From: Simon Deziel <simon at sdeziel.info>
> > Sent: Monday, 25. Nov 2019 – 01:26 CET +0100
> > To: nsd-users at NLnetLabs.nl
> > 
> > Subject: Re: [nsd-users] Permission error after upgrade to Debian
> > Buster (10.2)
> > 
> > On 2019-11-24 6:10 p.m., Kaulkwappe wrote:
> > > Hi Simon,
> > > 
> > >  > I would have expected a permission error instead of a "read-only"
> > >  > one. It looks as if /var/log was not properly added to be
> > >  > ReadWritePaths set.
> > > That is what I have used:
> > >  > ReadWritePaths=/var/lib/nsd /var/log /etc/nsd /run
> > 
> > Not sure what would explain the read-only error then. I'd double check
> > if it's indeed effective with "systemctl show nsd | grep
> > ReadWritePaths"
> > 
> > >  > This unlink failure is expected and AFAICT harmless.
> > > It should be harmless, but it doesn't look nice. I would consider
> > > this as a bug.
> > 
> > Agreed. Interestingly, unbound accepts "-p" to skip managing its own
> > PID. If nsd could get this, it would be handy when managing the daemon
> > with systemd.
> > 
> > >  > I believe that xfrd.state should be owned by nsd:nsd as the daemon
> > >  > needs to write to that file.
> > > After changing the owner to nsd:nsd I believe this problem is
> > > fixed. Thanks!
> > 
> > Glad to hear that!
> > 
> > Regards,
> > Simon
> > _______________________________________________
> > nsd-users mailing list
> > nsd-users at NLnetLabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users