chrooting bind

Waltner, Steve swaltner at lsil.com
Tue Aug 14 22:33:01 UTC 2001


Solaris has a great command called truss that will tell you almost exactly
what the problem is. Change your command to be:

truss -f /usr/sbin/chroot /opt/named.jail....

And you will get a printout of every system call that is executed. Look for
error values on open() system calls toward the end of truss' output. truss
will spit out lots of text, so run it in an xterm with a huge scrollback
buffer. Running a "truss -f chroot ... ls /" in my anonymous FTP server
directory printed 69 lines of text, and I've seen some programs spit out
tens of thousands of lines of output before I gave up on finding the
trouble. truss is a great debugging tool on Solaris though and can be used
for debugging many problems.

Having said that, like Kevin suggested, you should probably use the built-in
chroot option on BIND and avoid this hassle.

Steve

> ----------
> From: 	Christopher L. Barnard
> Sent: 	Tuesday, August 14, 2001 11:42 AM
> To: 	bind-users at isc.org
> Subject: 	chrooting bind
> 
> 
> I am chrooting bind (9.1.3), and I am using an actual chroot rather than just
> starting it with the -t option.  This is a Solaris 7 box, if it matters.
> 
> I think everything is set up; $jail/etc, $jail/dev, $jail/usr, etc. are all
> set up.  I have the config file logging to a file (not syslog) within the
> jail.
> 
> Upon startup (/usr/sbin/chroot /opt/named.jail /usr/local/sbin/named -u named)
> it appears to work fine according to the logs:
> 
> /var/adm/messages
> Aug 14 11:30:51 srvns2 /usr/local/sbin/named[8333]: starting BIND 9.1.3 -u named
> Aug 14 11:30:51 srvns2 /usr/local/sbin/named[8333]: command channel listening on 164.74.31.202#953
> 
> and /opt/named.jail/var/log/named.log
> Aug 14 11:30:53.083 general: info: running
> 
> However, named dies immediately.  A grep of the process table for named shows
> that it is not running, and nothing is transferred from the primary, even if I
> delete all the zone files.
> 
> Reverting back to a non-chrooted environment, but otherwise the same setup (in
> particular the non-root user) works fine.
> 
> Can anyone suggest what else to try?
> 
> Christopher
> +-----------------------------------------------------------------------+
> | Christopher L. Barnard         O     When I was a boy I was told that |
> | cbarnard at tsg.cbot.com         / \    anybody could become president.  |
> | (312) 347-4901               O---O   Now I'm beginning to believe it. |
> | http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
> +----------PGP public key available via finger or PGP keyserver---------+
> 
> 
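The sifting step Steve describes (scan the tail of a long "truss -f" trace for failing open() calls) is easy to script. The following is an added example, not code from either poster: two shell functions that pull the failed system calls out of a truss trace and list the paths the jailed process could not find. The function names, the sample trace and the errno names in it are constructed for illustration; the line format assumed is Solaris truss' "<pid>:<tab><call>(<args>)<tab>Err#<n> <ERRNAME>".

```shell
#!/bin/sh
# Added example, not code from the original post: sift "truss -f" output for
# system calls that failed, so the file or device missing from a chroot jail
# can be found without reading the whole trace by hand.
#
# Usage (truss writes its trace to stderr):
#   truss -f /usr/sbin/chroot /opt/named.jail /usr/local/sbin/named -u named 2>truss.out
#   truss_failures truss.out
#   missing_in_jail truss.out

# Print each failed system call as: pid syscall errname path
# A failed call looks like "<pid>:  <call>(<args>)  Err#<n> <ERRNAME>" (assumed format).
truss_failures() {
    awk '
        /Err#[0-9]+/ {
            pid = $1; sub(/:$/, "", pid)
            call = $2; sub(/\(.*/, "", call)
            path = ""
            if (match($0, /"[^"]*"/))          # first quoted argument is usually the path
                path = substr($0, RSTART + 1, RLENGTH - 2)
            err = ""
            if (match($0, /Err#[0-9]+ [A-Z]+/)) {
                err = substr($0, RSTART, RLENGTH)
                sub(/^Err#[0-9]+ /, "", err)
            }
            printf "%s %s %s %s\n", pid, call, err, path
        }
    ' "$@"
}

# Deduplicated list of paths the traced process could not find (ENOENT):
# these are the candidates to copy, symlink or mknod into the jail.
missing_in_jail() {
    truss_failures "$@" | awk '$3 == "ENOENT" && $4 != "" { print $4 }' | sort -u
}

# Constructed sample trace (not a real capture) in the assumed truss -f format.
sample_truss() {
    cat <<'EOF'
8333:	execve("/usr/local/sbin/named", 0xFFBEF8C4, 0xFFBEF8D0)  argc = 3
8333:	open("/etc/named.conf", O_RDONLY)		= 3
8333:	open("/dev/random", O_RDONLY)			Err#2 ENOENT
8333:	open("/etc/netconfig", O_RDONLY)		Err#2 ENOENT
8333:	fork1()						= 8334
8334:	open("/dev/random", O_RDONLY)			Err#2 ENOENT
8334:	open("/var/run/named.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644)	Err#13 EACCES
8334:	_exit(1)
EOF
}

# Demo: run both sifters over the sample trace.
sample_truss | truss_failures
echo "--- missing from jail ---"
sample_truss | missing_in_jail
```

Run it against a real trace by passing the file name instead of piping the sample in. The pid column matters because BIND forks: with -f the failure that kills the daemon usually shows up under the child pid, just before its _exit(). An EACCES rather than ENOENT on a path points at ownership or mode on the jail copy, which the -u named user must be able to reach.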