[nsd-users] logs

Jeroen Koekkoek jeroen at nlnetlabs.nl
Thu Oct 24 13:13:13 UTC 2019


On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > Thanks Jeroen,
> > 
> > About permissions and owners:
> > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > For /var/log/nsd/nsd.log, I created alternatively a directory
> > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and
> > root owners.
> > As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> > 
> > cat /lib/systemd/system/nsd.service
> > [Unit]
> > Description=Name Server Daemon
> > Documentation=man:nsd(8)
> > After=network.target
> > 
> > [Service]
> > Type=notify
> > Restart=always
> > ExecStart=/usr/sbin/nsd -d
> > ExecReload=+/bin/kill -HUP $MAINPID
> > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE
> > CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > MemoryDenyWriteExecute=true
> > NoNewPrivileges=true
> > PrivateDevices=true
> > PrivateTmp=true
> > ProtectHome=true
> > ProtectControlGroups=true
> > ProtectKernelModules=true
> > ProtectKernelTunables=true
> > ProtectSystem=strict
> > ReadWritePaths=/var/lib/nsd /etc/nsd /run
> 
> ProtectSystem=strict turns most of the hierarchy into read only mounts
> so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
> them to be writable by nsd itself. This is normally not needed as
> logging goes through syslog by default but you are likely using
> "logfile" in nsd.conf.
> 
> To add that ReadWritePaths directive:
> 
>   sudo systemctl edit nsd
> 
> Then type and save the following:
> 
> [Service]
> ReadWritePaths=/var/log/nsd
> 
> 
> This will create an override file supplementing the package provided
> unit with your local config.
> 
> HTH,
> Simon

The systemd unit shows nsd is executed with "-d", that causes it to not
fork. Judging by the ReadWritePaths in the original unit file, the
original intent was maybe for nsd to log to stdout and then have
systemd write it to the journal(?) Maybe that bit changed between
Debian versions?

You could try not logging to a file by removing it from the
configuration and see if the output still ends up in the journal.
Alternatively, Simon's answer seems to make sense, so you can take that
route too.

- Jeroen
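As an added illustration of the mismatch Simon describes (not code from this thread or from the NSD project): a POSIX shell check that reads the `logfile:` setting from an nsd.conf and decides whether a unit using `ProtectSystem=strict` lists a `ReadWritePaths=` entry covering that file's directory, taking drop-in overrides into account. The function names and the sample files are assumptions for this example.

```shell
#!/bin/sh
# Decide whether the nsd "logfile:" path would be writable under a systemd
# unit with ProtectSystem=strict. Only ReadWritePaths= entries are considered;
# ownership and mode of the directory itself are not checked here.

# Print the first "logfile:" value from an nsd.conf, quotes stripped.
nsd_logfile() {
    sed -n 's/^[[:space:]]*logfile:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Print every ReadWritePaths= entry from the unit and its drop-ins, one per line.
unit_rw_paths() {
    cat "$@" | sed -n 's/^[[:space:]]*ReadWritePaths=[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Succeed if any of the given files sets ProtectSystem=strict.
unit_protect_strict() {
    grep -q '^[[:space:]]*ProtectSystem=strict' "$@"
}

# Succeed if path $1 equals directory $2 or lies beneath it.
path_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# logfile_allowed NSD_CONF UNIT_FILE [DROPIN...]
# Prints "syslog" when no logfile is configured, "ok" when the log
# directory is writable, and "blocked" when ProtectSystem=strict would
# make it read-only.
logfile_allowed() {
    conf=$1; shift
    log=$(nsd_logfile "$conf")
    if [ -z "$log" ]; then echo syslog; return 0; fi
    if ! unit_protect_strict "$@"; then echo ok; return 0; fi
    case "$log" in */*) dir=${log%/*} ;; *) dir=. ;; esac
    for rw in $(unit_rw_paths "$@"); do
        if path_under "$dir" "$rw"; then echo ok; return 0; fi
    done
    echo blocked
}

# Usage: logfile_allowed /etc/nsd/nsd.conf /lib/systemd/system/nsd.service \
#            /etc/systemd/system/nsd.service.d/override.conf
```

Run it against the packaged unit alone and again with the override created by `systemctl edit nsd` to see the result change from "blocked" to "ok".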
