[nsd-users] Permission error after upgrade to Debian Buster (10.2)
simon at sdeziel.info
Sun Nov 24 21:07:18 UTC 2019
On 2019-11-24 3:05 p.m., Kaulkwappe wrote:
> Hi Simon,
> thanks for your fast answer.
> It seems that you're right that NSD tries to open the files as root user – which
> seems to be blocked by the restrictive nsd.service configuration. See also:
> So, I changed the owner of all the files to 'root:root' and added '/var/log' to
> 'ReadWritePaths'. Then NSD starts without any problems.
> However, on the next startup I see that NSD always changes back the ownership of
> '/var/log/nsd.log' from 'root:root' back to the nsd user. This leads to
> the following error message:
> > Nov 24 18:48:05 ns2 nsd: [2019-11-24 18:48:05.896] nsd: error:
> Cannot open /var/log/nsd.log for appending (Read-only file system), logging to
I would have expected a permission error instead of a "read-only" one. It
looks as if /var/log was not properly added to the ReadWritePaths set.
> When I stop NSD, I get the following messages:
> > Nov 24 21:01:22 ns2 nsd: [2019-11-24 21:01:22.109] nsd: warning:
> signal received, shutting down...
> > Nov 24 21:01:22 ns2 nsd: [2019-11-24 21:01:22.112] nsd: warning:
> failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
This unlink failure is expected and AFAICT harmless.
> > Nov 24 21:01:22 ns2 nsd: [2019-11-24 21:01:22.117] nsd: error:
> xfrd: Could not open file /var/lib/nsd/xfrd.state for writing: Permission denied
> This is very confusing since /var/lib/nsd/xfrd.state still has root:root, while
> NSD created the /run/nsd/nsd.pid using nsd:nsd.
I believe that xfrd.state should be owned by nsd:nsd as the daemon needs
to write to that file.
For reference, here's what it looks like on my local slave:
root@ns0:~# ll /var/lib/nsd/xfrd.state /run/nsd/nsd.*
srwxr-xr-x 1 nsd nsd 0 Nov 24 19:41 /run/nsd/nsd.ctl=
-rw-r--r-- 1 nsd nsd 4 Nov 24 19:41 /run/nsd/nsd.pid
-rw-r--r-- 1 nsd nsd 2702 Nov 24 19:39 /var/lib/nsd/xfrd.state
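
The distinction drawn in the reply above ("Read-only file system" points at the unit's ReadWritePaths set, "Permission denied" at file ownership) can be checked mechanically. The shell script below is an added example, not part of the original message or of the Debian NSD packaging; the function names and the sample ReadWritePaths value are assumptions, and on a real host that value would come from `systemctl show -p ReadWritePaths nsd.service`.

```sh
# Added example (not from the thread); RW below is a constructed sample value.
# Which layer refused the write, judging by the errno text in the log line?
classify_errno() {
    case "$1" in
        *"Read-only file system"*) echo sandbox ;;    # EROFS: mount namespace
        *"Permission denied"*)     echo ownership ;;  # EACCES: owner/mode
        *)                         echo unknown ;;
    esac
}

# Print the first absolute path mentioned in a log line.
first_path() {
    case " $1" in *" /"*) ;; *) return 1 ;; esac
    p=" $1"; p="/${p#* /}"; p=${p%% *}
    printf '%s\n' "${p%:}"
}

# Succeed if path $1 equals or lies below an entry of a ReadWritePaths= value $2.
path_in_rwpaths() {
    target=$1
    set -f                                  # split the list without globbing
    for p in $2; do
        p=${p#-}; p=${p#+}; p=${p%/}        # drop systemd's '-'/'+' prefixes
        case "$target" in
            "$p"|"$p"/*) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# One-line finding for a log line, given the unit's ReadWritePaths= value.
diagnose() {
    path=$(first_path "$1") || { echo "no path in line"; return 1; }
    case $(classify_errno "$1") in
        sandbox)
            if path_in_rwpaths "$path" "$2"; then
                echo "$path: listed but read-only; compare with the loaded unit"
            else
                echo "$path: not covered by ReadWritePaths="
            fi ;;
        ownership) echo "$path: check owner/mode against the nsd user" ;;
        *)         echo "$path: unclassified" ;;
    esac
}

RW="/var/lib/nsd /etc/nsd /run"   # constructed ReadWritePaths= value
diagnose "nsd: error: Cannot open /var/log/nsd.log for appending (Read-only file system)" "$RW"
diagnose "xfrd: Could not open file /var/lib/nsd/xfrd.state for writing: Permission denied" "$RW"
```
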