chroot - help

Bill Larson bind9 at comcast.net
Thu Jan 6 15:49:12 UTC 2005


On Jan 5, 2005, at 11:21 PM, saravanan ganapathy wrote:

>   If I want to write querylog in /var/log/querylog, I
> have to give this in named.conf. Assume my chroot path
> is /opt/named. So that it writes on
> /opt/named/var/log/querylog.
>
> But I want to have log files on /var/named (not
> /opt/dns/var/named). How to do it?

You are missing the point of a "chroot" environment.  Once you start 
"named" in a chroot environment then it no longer has access to any of 
the file system outside of the chroot environment.

My suggestion would be to create a symbolic link from 
"/opt/dns/var/named", the location where you will be performing your 
logging while in the chroot environment, to "/var/named" where you want 
to see these log files while in the normal environment.  This can be 
done with:

	ln -s /opt/dns/var /var/named

Be aware that you can't have a "/var/named" directory or file already 
existing when you create this link.

Now, to forestall future problems and questions, you need to ensure 
that your "named.conf" file resides inside the chroot environment.  
This is necessary to allow "named" to re-read the configuration file 
when you do an "rndc reload".  Assuming that your version of "named" 
uses the standard "/etc/named.conf" for the configuration file, you 
need to copy this to "/opt/named/etc/named.conf".  To make this simple 
to manage from outside the chroot environment, create a 
symbolic link from /opt/named/etc/named.conf to /etc/named.conf.  With 
this link you can still manipulate the configuration by editing 
/etc/named.conf as you would normally.

Notice that this link can't function in reverse.  I.e., you can't have 
the actual "named.conf" file in /etc and have a symbolic link from the 
chroot environment pointing to it.  If you were to try and do this, 
named would not be able to access the file because it resides outside 
of the chroot environment.  Remember that the chroot environment 
prevents any access to outside the environment from functioning, 
including symbolic links.

As a suggestion, I would create your chroot directory structure to 
mimic the real directory structure as much as possible.  For example, 
rather than using "/var" as the directory to save your named data 
files, I would suggest using "/var/named" instead.  Then, with a 
symbolic link between "/opt/named/var/named" and "/var/named", you 
would have complete transparency to manipulate your named data files 
from inside and outside the chroot environment.  I.e., the 'directory 
"/var/named";' specification in named.conf would identify what would 
appear to be the same "/var/named" directory in both the chroot and 
real environment.

Bill Larson

P.S.

Personally, I would never suggest using syslog for query logging.  This 
type of logging is bad enough on the system that you shouldn't want to 
add the additional overhead of using syslog too.  Do query logging to a 
file and only run query logging when necessary to troubleshoot a 
specific problem.  Don't run query logging with "named" by default.
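The following is an added example, not code from the post above or from BIND itself. It shows the one check a practitioner wants after setting up a chroot like the one described: a symbolic link inside the jail must resolve to something that also lives inside the jail, because after chroot(2) an absolute target such as /etc/named.conf is opened as ROOT/etc/named.conf. The script re-roots each link target the way named will see it and audits a whole chroot tree for links that dangle only inside the jail. The directories it creates (a throwaway ROOT standing in for /opt/named and a HOST directory standing in for the real /etc) are constructed for the demonstration and need no root privileges; no actual chroot(2) call is made.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND). Audits a named
# chroot directory for symlinks that will not resolve once named has called
# chroot(2). All directory names used by demo() are constructed with mktemp.

# resolve_in_chroot ROOT LINK
# Print the path named will actually open for symlink LINK after chroot(2):
# an absolute target is re-rooted under ROOT, a relative one is unchanged.
resolve_in_chroot() {
    root=$1; link=$2
    target=$(readlink "$link")
    case "$target" in
        /*) printf '%s\n' "$root$target" ;;
        *)  printf '%s\n' "$(dirname "$link")/$target" ;;
    esac
}

# check_chroot_link ROOT PATH
# Echo "ok" for a regular file/dir or a symlink whose re-rooted target exists,
# "dangling" for a symlink whose target is outside the jail or absent,
# "missing" when PATH does not exist at all.
check_chroot_link() {
    root=$1; path=$2
    if [ -L "$path" ]; then
        resolved=$(resolve_in_chroot "$root" "$path")
        [ -e "$resolved" ] && echo ok || echo dangling
    elif [ -e "$path" ]; then
        echo ok
    else
        echo missing
    fi
}

# count_dangling ROOT
# Walk every symlink under ROOT and print how many dangle inside the jail.
count_dangling() {
    root=$1
    find "$root" -type l | while IFS= read -r l; do
        check_chroot_link "$root" "$l"
    done | awk '/^dangling$/ { n++ } END { print n + 0 }'
}

# demo: the two ways of wiring named.conf from the post, in a constructed tree.
# ROOT plays the chroot directory (the post's /opt/named); HOST plays the
# real /etc outside the jail. Prints "dangling 1 ok ok".
demo() {
    ROOT=$(mktemp -d); HOST=$(mktemp -d)
    mkdir -p "$ROOT/etc" "$ROOT/var/named"
    echo 'options { directory "/var/named"; };' > "$HOST/named.conf"

    # Wrong way round: the real file stays outside and the jail holds a link
    # to it. Inside the jail that link points at ROOT$HOST/named.conf, which
    # does not exist, so named cannot read its configuration.
    ln -s "$HOST/named.conf" "$ROOT/etc/named.conf"
    wrong=$(check_chroot_link "$ROOT" "$ROOT/etc/named.conf")
    bad=$(count_dangling "$ROOT")

    # Right way round: copy the real file into the jail and make the outside
    # path a link pointing in, so editing HOST/named.conf edits the jailed copy.
    rm "$ROOT/etc/named.conf"
    cp "$HOST/named.conf" "$ROOT/etc/named.conf"
    ln -sf "$ROOT/etc/named.conf" "$HOST/named.conf"
    right=$(check_chroot_link "$ROOT" "$ROOT/etc/named.conf")
    outside=$([ -e "$HOST/named.conf" ] && echo ok || echo dangling)

    rm -rf "$ROOT" "$HOST"
    echo "$wrong $bad $right $outside"
}
```

Run `count_dangling /opt/named` (or whatever the chroot directory is) after building the jail; any non-zero result is a link that looks fine from the host shell but will be unreadable to named, which is exactly the failure the post warns about for named.conf and zone files.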
