[nsd-users] logs

Jeroen Koekkoek jeroen at nlnetlabs.nl
Thu Oct 24 18:34:06 UTC 2019


Hi,

I think this is actually what you'd want. It's not complaining about
the log file anymore. Just the pid file, probably the same type of
problem. And you probably want to disable the ip-transparent option(?)

- Jeroen

On Thu, 2019-10-24 at 11:08 -0300, José Luis Artuch wrote:
> Thanks Jeroen,
> 
> If I do:
> 
> nano /etc/nsd/nsd.conf
> ...
> # logfile: "/var/log/nsd/nsd.log"
> ...
> 
> systemctl restart nsd
> 
> This is the output of journalctl:
> 
> journalctl -u nsd.service --since today
> 
> oct 24 10:53:26 dhcppc1 nsd[6937]: signal received, shutting down...
> oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.281] nsd[6937]: warning: signal received, shutting down...
> oct 24 10:53:26 dhcppc1 nsd[6937]: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.284] nsd[6937]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> oct 24 10:53:26 dhcppc1 systemd[1]: Stopping Name Server Daemon...
> oct 24 10:53:26 dhcppc1 systemd[1]: nsd.service: Succeeded.
> oct 24 10:53:26 dhcppc1 systemd[1]: Stopped Name Server Daemon.
> oct 24 10:53:26 dhcppc1 systemd[1]: Starting Name Server Daemon...
> oct 24 10:53:26 dhcppc1 nsd[6965]: nsd starting (NSD 4.1.26)
> oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permitted
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: notice: nsd starting (NSD 4.1.26)
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permi
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permi
> oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permitted
> oct 24 10:53:26 dhcppc1 nsd[6965]: setup SSL certificates
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.483] nsd[6965]: info: setup SSL certificates
> oct 24 10:53:26 dhcppc1 nsd[6967]: zonefile /etc/nsd/zones/...
> ...
> oct 24 10:53:26 dhcppc1 nsd[6967]: nsd started (NSD 4.1.26), pid 6965
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.584] nsd[6967]: notice: nsd started (NSD 4.1.26), pid 6965
> oct 24 10:53:26 dhcppc1 systemd[1]: Started Name Server Daemon.
> 
> Best regards.
> José Luis
> 
> On Thu, 24-10-2019 at 15:13 +0200, Jeroen Koekkoek wrote:
> > On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> > > On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > > > Thanks Jeroen,
> > > > 
> > > > About permissions and owners:
> > > > For /var/log/nsd.log, the directory /var/log/ has 755 root:root.
> > > > For /var/log/nsd/nsd.log, I alternatively created a directory /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root owners.
> > > > As for the NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> > > > 
> > > > cat /lib/systemd/system/nsd.service
> > > > [Unit]
> > > > Description=Name Server Daemon
> > > > Documentation=man:nsd(8)
> > > > After=network.target
> > > > 
> > > > [Service]
> > > > Type=notify
> > > > Restart=always
> > > > ExecStart=/usr/sbin/nsd -d
> > > > ExecReload=+/bin/kill -HUP $MAINPID
> > > > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > > > MemoryDenyWriteExecute=true
> > > > NoNewPrivileges=true
> > > > PrivateDevices=true
> > > > PrivateTmp=true
> > > > ProtectHome=true
> > > > ProtectControlGroups=true
> > > > ProtectKernelModules=true
> > > > ProtectKernelTunables=true
> > > > ProtectSystem=strict
> > > > ReadWritePaths=/var/lib/nsd /etc/nsd /run
> > > 
> > > ProtectSystem=strict turns most of the hierarchy into read-only mounts, so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for them to be writable by nsd itself. This is normally not needed as logging goes through syslog by default, but you are likely using "logfile" in nsd.conf.
> > > 
> > > To add that ReadWritePaths directive:
> > > 
> > >   sudo systemctl edit nsd
> > > 
> > > Then type and save the following:
> > > 
> > > [Service]
> > > ReadWritePaths=/var/log/nsd
> > > 
> > > 
> > > This will create an override file supplementing the package-provided unit with your local config.
> > > 
> > > HTH,
> > > Simon
> > 
> > The systemd unit shows nsd is executed with "-d", which causes it to not fork. Judging by the ReadWritePaths in the original unit file, the original intent was maybe for nsd to log to stdout and then have systemd write it to the journal(?) Maybe that bit changed between Debian versions?
> > 
> > You could try not logging to a file by removing it from the configuration and see if the output still ends up in the journal. Alternatively, Simon's answer seems to make sense, so you can take that route too.
> > 
> > - Jeroen
> > 
> > _______________________________________________
> > nsd-users mailing list
> > nsd-users at NLnetLabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
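Both failures in this thread, the logfile that cannot be written under ProtectSystem=strict and the IP_TRANSPARENT setsockopt that fails, come from the gap between what nsd.conf asks for and what the packaged unit's sandbox grants. The script below is an added example, not code from the thread or from NLnet Labs: it takes nsd.conf and unit text as strings, reports each mismatch it can detect offline, and runs once against the quoted Debian unit with a config approximating José's (the pidfile path and the ip-transparent: yes line in that config are assumptions, as is the option name check being limited to logfile, pidfile and ip-transparent) and once with Simon's drop-in applied and ip-transparent disabled. It does not flag the pidfile unlink error: /run is already in ReadWritePaths=, so that failure is not a sandbox problem; unlink needs write permission on /run/nsd itself for the user nsd runs as, which is an ownership check this script does not make.

```shell
#!/bin/sh
# Added example, not code from the thread or from NLnet Labs: cross-check what an
# nsd.conf asks for (logfile, pidfile, ip-transparent) against the sandbox
# directives of the nsd systemd unit (ProtectSystem=strict, ReadWritePaths=,
# CapabilityBoundingSet=). All input is passed as text so it runs offline.
set -u
set -f   # paths are split on whitespace below; never glob-expand them

# Read one nsd.conf option by key, e.g. nsd_opt logfile "$conf" -> /var/log/nsd/nsd.log
# Commented-out lines ("# logfile: ...") are ignored; surrounding quotes are stripped.
# Returns 1 (prints nothing) when the option is absent.
nsd_opt() {
  printf '%s\n' "$2" \
    | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" \
    | sed 's/^"//; s/"$//' \
    | head -n 1 \
    | grep .
}

# Return 0 when file $1 lies under one of the unit's ReadWritePaths= entries
# (every ReadWritePaths= line counts; a drop-in override appends to the list).
rw_covered() {
  path=$1
  for p in $(printf '%s\n' "$2" | sed -n 's/^ReadWritePaths=//p'); do
    case $path in "$p"|"$p"/*) return 0 ;; esac
  done
  return 1
}

# Return 0 when capability $1 appears in the unit's CapabilityBoundingSet=.
cap_in_bounding_set() {
  for c in $(printf '%s\n' "$2" | sed -n 's/^CapabilityBoundingSet=//p'); do
    [ "$c" = "$1" ] && return 0
  done
  return 1
}

# Print one FINDING line per mismatch and return their count; print OK and
# return 0 when the unit's sandbox covers everything the config needs.
check_nsd_sandbox() {
  conf=$1; unit=$2; findings=0
  if printf '%s\n' "$unit" | grep -q '^ProtectSystem=strict'; then
    # Under ProtectSystem=strict every path outside ReadWritePaths= is read-only,
    # which is the "logfile" failure discussed in the thread.
    for key in logfile pidfile; do
      v=$(nsd_opt "$key" "$conf") || continue
      if ! rw_covered "$v" "$unit"; then
        echo "FINDING: $key $v is not under any ReadWritePaths= (read-only under ProtectSystem=strict)"
        findings=$((findings + 1))
      fi
    done
  fi
  # setsockopt(IP_TRANSPARENT) needs CAP_NET_ADMIN; the packaged unit's bounding
  # set does not include it, hence "Operation not permitted" in the journal.
  v=$(nsd_opt ip-transparent "$conf") || v=no
  if [ "$v" = yes ] && ! cap_in_bounding_set CAP_NET_ADMIN "$unit"; then
    echo "FINDING: ip-transparent: yes needs CAP_NET_ADMIN, which CapabilityBoundingSet= does not grant"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo OK
  return "$findings"
}

# Relevant lines of the Debian-packaged unit quoted in the thread.
UNIT_DEBIAN='[Service]
ExecStart=/usr/sbin/nsd -d
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run'

# Constructed nsd.conf approximating the poster's; pidfile and ip-transparent are assumed.
NSD_CONF_BEFORE='server:
    username: nsd
    logfile: "/var/log/nsd/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    ip-transparent: yes'

# Simon's drop-in (systemctl edit nsd) and the same config with ip-transparent disabled.
UNIT_OVERRIDE='[Service]
ReadWritePaths=/var/log/nsd'
NSD_CONF_AFTER='server:
    username: nsd
    logfile: "/var/log/nsd/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    # ip-transparent: yes'

check_before() { check_nsd_sandbox "$NSD_CONF_BEFORE" "$UNIT_DEBIAN"; }
check_after()  { check_nsd_sandbox "$NSD_CONF_AFTER" "$UNIT_DEBIAN
$UNIT_OVERRIDE"; }

echo "== packaged unit, original config =="; check_before || true
echo "== with drop-in, ip-transparent off =="; check_after || true
```

To run it against a live host, feed it `systemctl cat nsd` and `/etc/nsd/nsd.conf` instead of the embedded strings; drop-in overrides show up in `systemctl cat` output, so appended ReadWritePaths= lines are picked up the same way the override is here.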
