Log rolling stopped working in 9.11.12 ?

Fri Nov 22 09:52:56 UTC 2019

Hi John,

> Thank you for the obvious suggestion, Mark. It hadn't occurred to me that a
> yum update might have clobbered my existing permissions.
> 
> Sure enough, there it was -
>   755 root:root /var/opt/isc/isc-bind/log/
> Everything in that directory was still -
>   644 named:named
> but the user "named" was unable to create anything new
> 
> Looking at my installation notes from earlier this year, I found the
> following:
> > Adjust the log directory permissions. chown named:named
> > /var/opt/isc/isc-bind/log
> > chmod 775 /var/opt/isc/isc-bind/log
> 
> I have re-applied that permission change, and things are happy again. Which
> brings me to two follow-up questions.
> 
> A) Should I expect these file permissions be altered by a minor update? I
> know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 without
> seeing this behavior.

/var/opt/isc/isc-bind/log is part of the isc-bind-runtime package, which
is the runtime package for the isc-bind Software Collection.  The
contents of that package are determined by the %{scl_files} macro used
in the *.spec file for the isc-bind metapackage [1].  That is how the
runtime package is supposed to be created according to Software
Collection docs [2].  We do not add that directory explicitly.

Answering your question, this directory is not touched when you update
the isc-bind-bind package (which is usually the only package that gets
updated whenever a new version of BIND is released), but it *will* be
affected (i.e. its permissions will be reset to those specified by the
package) by isc-bind-runtime updates.

We recently had to update the metapackage to make the Software
Collection work on RHEL/CentOS 8, which also caused a revision bump for
the isc-bind-runtime package.  That is likely the update that caused the
permissions on your box to be reset.  Updates like this are rare, but
can happen from time to time, so I would avoid relying on customized
permissions for packaged directories.

> B) Should I not be logging to /var/opt/isc/isc-bind/log?
> The log path in my named.conf is currently set to a relative path
> "../../log/query.log", but I could easily change it to an absolute path
> "/var/log/named/query.log"

You can really log where you want as long as the permissions are right.
The default named.conf included with our packages causes logs to be
written to /var/opt/isc/isc-bind/named/data/named.run, mimicking what
stock RHEL/CentOS BIND packages do (with the path adjusted to follow the
Software Collection's directory layout).

Note that /var/opt/isc/isc-bind/log is the Software Collection's
equivalent of /var/log; if you configured named to log to the latter, it
would also not work because /var/log is owned by root:root by default,
just like /var/opt/isc/isc-bind/log is.

If you are okay with adhering to the Software Collection's directory
layout, feel free to create a subdirectory in /var/opt/isc/isc-bind/log
with proper permissions - subdirectories should not be affected by the
metapackage updates I mentioned above.  But the Software Collection does
not force you to use that location.

Hope this helps,

[1] https://gitlab.isc.org/isc-packages/rpms/isc-bind/blob/434d4d8a6e436e0943cfc2deac2f1a07fe3136b5/isc-bind.spec#L63

[2] https://www.softwarecollections.org/en/docs/guide/#bh-Example_of_the_Meta_Package

-- 
Best regards,
Michał Kępień