bind-chroot, runs, works, dies

Reindl Harald h.reindl at thelounge.net
Wed Aug 9 22:19:02 UTC 2017



On 10.08.2017 at 00:14, toddandmargo wrote:
> I have a weird one. I am trying to set up bind-chroot. When I run it, it
> works for about 30 seconds, then dies. And for the entire 30 seconds, it
> works beautifully. I can go anywhere with Firefox and look up anything
> with "host". Then it breaks my heart.
>
> # systemctl start named-chroot
> Job for named-chroot.service canceled.
>
> PID file /var/named/chroot/run/named/named.pid not readable (yet?) after
> start: No such file or directory
>
> error to be a bit weird as the directory does exist and the entire
> directory tree from /var/named is owned by "named". This is usually
> SELinux's doing. But SELinux does not throw an error

While this is Fedora 25: get rid of the crappy PID file dance for every
systemd unit. I ripped them out many years ago, and since named is even a
single-process service, "Type=simple" is enough, while it even works for
the httpd preforker.

Frankly, I go so far as to specify /dev/null for mariadb, and guess what:
all the random startup errors have been gone for a long time.

[root@srv-rhsoft:~]$ cat /etc/systemd/system/named.service
[Unit]
Description=DNS Server
After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service

[Service]
Type=simple
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
TimeoutSec=25
Restart=always
RestartSec=1

PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib

InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target
