Cannot chroot bind: ENGINE_by_id failed (crypto failure)
Matthew Washington
deity_chooch at yahoo.com
Thu Jun 26 20:53:44 UTC 2014
I recently upgraded my OS from CRUX 2.7 to CRUX 3.0 and am running into a problem with getting bind9 to run in a chroot jail. I had this setup
working correctly on my old OS, but I cannot recall what versions of
bind and openssl were running on it. I can get bind to run without a
chroot, but I would really prefer not to do so. I used `ldd` to copy
the necessary libraries to the chroot dir ('/svc/name'), and copied the
'hosts', 'group', 'passwd', and 'shadow' files as well. I've copied
some extra libraries and etc files so that I could `chroot` from the
console and test, but that hasn't aided in my troubleshooting. I'm
really at a loss on this one. Any help is much appreciated. See below
for further information about my setup.
NOTE: You may notice that the chroot jail name ('/svc/name') is different
from bind's username (named). This is not a typo; it is actually set up this way.
# uname -a
Linux fortress 3.6.11 #2 Sun May 18 18:46:50 MDT 2014 x86_64 Intel(R) Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux
# openssl version
OpenSSL 1.0.1g 7 Apr 2014
# tail -n18 /var/log/messages
May 20 16:32:15 fortress named[6034]: starting BIND 9.9.4-P2 -c /etc/named.conf -t /svc/name -u named
May 20 16:32:15 fortress named[6034]: built with '--prefix=/usr' '--enable-ipv6' '--enable-threads' '--with-openssl=yes' '--sysconfdir=/etc' '--mandir=/usr/man' 'CFLAGS=-O2 -march=x86-64 -pipe'
May 20 16:32:15 fortress named[6034]: ----------------------------------------------------
May 20 16:32:15 fortress named[6034]: BIND 9 is maintained by Internet Systems Consortium,
May 20 16:32:15 fortress named[6034]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 20 16:32:15 fortress named[6034]: corporation. Support and training for BIND 9 are
May 20 16:32:15 fortress named[6034]: available at https://www.isc.org/support
May 20 16:32:15 fortress named[6034]: ----------------------------------------------------
May 20 16:32:15 fortress named[6034]: adjusted limit on open files from 4096 to 1048576
May 20 16:32:15 fortress named[6034]: found 1 CPU, using 1 worker thread
May 20 16:32:15 fortress named[6034]: using 1 UDP listener per interface
May 20 16:32:15 fortress named[6034]: using up to 4096 sockets
May 20 16:32:15 fortress named[6034]: ENGINE_by_id failed (crypto failure)
May 20 16:32:15 fortress named[6034]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
May 20 16:32:15 fortress named[6034]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
May 20 16:32:15 fortress named[6034]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
May 20 16:32:15 fortress named[6034]: initializing DST: crypto failure
May 20 16:32:15 fortress named[6034]: exiting (due to fatal error)
# ls /svc/name
bin/ dev/ etc/ lib/ lib64@ usr/ var/
# ls /svc/name/lib/
ld-linux-x86-64.so.2* libdl.so.2* libnss_dns.so.2* libz.so.1*
libattr.so.1 libhistory.so.6* libnss_files.so.2*
libc.so.6* libm.so.6* libpthread.so.0*
libcap.so.2 libncurses.so.5* libreadline.so.6*
# ls /svc/name/usr/lib/
engines/ libcrypto.so.1.0.0* liblzma.so.5* libssl.so.1.0.0* libxml2.so.2*
# ls /svc/name/usr/lib/engines/
lib4758cca.so* libcapi.so* libgmp.so* libpadlock.so*
libaep.so* libchil.so* libgost.so* libsureware.so*
libatalla.so* libcswift.so* libnuron.so* libubsec.so*
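
The `ldd`-based copy step described in the post can be checked mechanically. The following is an added example, not part of the original post and not ISC's code: it reports every shared object that `ldd` resolves on the host but that is absent under the chroot directory, and it is meant to be run over dlopen()ed modules (OpenSSL engines, NSS libraries) as well, since `ldd` on the daemon binary does not list them. The function names and the host engine path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot jail against ldd output.
# Function names are hypothetical; nothing here comes from BIND or OpenSSL.

# Read `ldd` output on stdin; print each dependency missing under jail $1.
missing_in_jail() {
    jail=$1
    while read -r name arrow path rest; do
        case "$name" in
            linux-vdso*|linux-gate*) continue ;;   # kernel-provided, no file
        esac
        if [ "$arrow" = "=>" ]; then
            if [ "$path" = "not" ]; then           # "libX.so => not found"
                echo "unresolved: $name"
                continue
            fi
            file=$path                             # "libX.so => /usr/lib/libX.so (0x..)"
        else
            file=$name                             # "/lib64/ld-linux-x86-64.so.2 (0x..)"
        fi
        case "$file" in
            # -e follows symlinks, so a relative lib64 -> lib link in the jail works
            /*) [ -e "$jail$file" ] || echo "missing: $file" ;;
        esac
    done
}

# Run ldd on each given file and merge the findings. Pass the daemon binary
# plus every module it may dlopen() at run time.
audit_jail() {
    jail=$1; shift
    for f in "$@"; do
        ldd "$f" 2>/dev/null | missing_in_jail "$jail"
    done | sort -u
}

# Usage with the jail from the post (host engine directory is an assumption):
#   audit_jail /svc/name "$(command -v named)" /usr/lib/engines/*.so
```

An empty result only shows that the files `ldd` names exist in the jail; it does not prove that every run-time path the daemon uses is present.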