Log rolling stopped working in 9.11.12 ?
Michał Kępień
michal at isc.org
Fri Nov 22 09:52:56 UTC 2019
Hi John,
> Thank you for the obvious suggestion, Mark. It hadn't occurred to me that a
> yum update might have clobbered my existing permissions.
>
> Sure enough, there it was -
> 755 root:root /var/opt/isc/isc-bind/log/
> Everything in that directory was still -
> 644 named:named
> but the user "named" was unable to create anything new
>
> Looking at my installation notes from earlier this year, I found the
> following:
> > Adjust the log directory permissions. chown named:named
> > /var/opt/isc/isc-bind/log
> > chmod 775 /var/opt/isc/isc-bind/log
>
> I have re-applied that permission change, and things are happy again. Which
> brings me to two follow-up questions.
>
> A) Should I expect these file permissions be altered by a minor update? I
> know I started at 9.11.8 and have updated to 9.11.9 and 9.11.10 without
> seeing this behavior.
/var/opt/isc/isc-bind/log is part of the isc-bind-runtime package, which
is the runtime package for the isc-bind Software Collection. The
contents of that package are determined by the %{scl_files} macro used
in the *.spec file for the isc-bind metapackage [1]. That is how the
runtime package is supposed to be created according to Software
Collection docs [2]. We do not add that directory explicitly.
Answering your question, this directory is not touched when you update
the isc-bind-bind package (which is usually the only package that gets
updated whenever a new version of BIND is released), but it *will* be
affected (i.e. its permissions will be reset to those specified by the
package) by isc-bind-runtime updates.
We recently had to update the metapackage to make the Software
Collection work on RHEL/CentOS 8, which also caused a revision bump for
the isc-bind-runtime package. That is likely the update that caused the
permissions on your box to be reset. Updates like this are rare, but
can happen from time to time, so I would avoid relying on customized
permissions for packaged directories.
> B) Should I not be logging to /var/opt/isc/isc-bind/log?
> The log path in my named.conf is currently set to a relative path
> "../../log/query.log", but I could easily change it to an absolute path
> "/var/log/named/query.log"
You can really log where you want as long as the permissions are right.
The default named.conf included with our packages causes logs to be
written to /var/opt/isc/isc-bind/named/data/named.run, mimicking what
stock RHEL/CentOS BIND packages do (with the path adjusted to follow the
Software Collection's directory layout).
Note that /var/opt/isc/isc-bind/log is the Software Collection's
equivalent of /var/log; if you configured named to log to the latter, it
would also not work because /var/log is owned by root:root by default,
just like /var/opt/isc/isc-bind/log is.
If you are okay with adhering to the Software Collection's directory
layout, feel free to create a subdirectory in /var/opt/isc/isc-bind/log
with proper permissions - subdirectories should not be affected by the
metapackage updates I mentioned above. But the Software Collection does
not force you to use that location.
Hope this helps,
[1] https://gitlab.isc.org/isc-packages/rpms/isc-bind/blob/434d4d8a6e436e0943cfc2deac2f1a07fe3136b5/isc-bind.spec#L63
[2] https://www.softwarecollections.org/en/docs/guide/#bh-Example_of_the_Meta_Package
--
Best regards,
Michał Kępień
More information about the bind-users
mailing list