bind-chroot is not re-positioning my forward and reverse tables

Petr Menšík pemensik at redhat.com
Thu Jul 1 16:10:59 UTC 2021


Hi,

On 6/30/21 5:11 AM, ToddAndMargo via bind-users wrote:
> On 6/27/21 4:01 PM, Reindl Harald wrote:
>> seriously i am beginning to wonder if you should simply give up bind-chroot
>>
>
> Never quit!  :-)
It is not a bad idea. If you are running SELinux in enforcing mode, it
already limits the named service in a more restrictive way than bind-chroot. I
think there is no real advantage in running bind-chroot, just more
configuration quirks required. Please try to use SELinux if possible.
When it is enforcing, I think named.service is just fine. No chroot is
needed for additional security.
>
>>
>> it's not the job of the chroot bind-mount setup to mount each and
>> every file and 'file "abc.hosts.rev"' without any path makes no sense
>>
>> just write your files where they are expected from the viewpoint of
>> the chroot and ignore "/var/named/chroot" in your configs because it
>> simply
>> don't exist from the viewpoint of the process running inside the chroot
>>
>> anyways, that's not a bind topic at all
>
> Odd, I would have thought that bind-chroot was part of the bind project.
>
> Anyway, I figured it out.  I will post it in another reply

No, bind-chroot is a Red Hat-provided helper around the chroot ability of BIND,
to set up the chroot the easy way. Only a smaller part of the configuration is
specific to the BIND project itself. The larger part of the bind-chroot scripts
belongs to Fedora or RHEL, because the chroot setup is an implementation
provided by the Fedora project package, not by any of the ISC releases.

I think your attempts fail because the setup script
/usr/libexec/setup-named-chroot.sh tests whether the destination directory
is empty.

That means /var/named would be mounted to /var/named/chroot/var/named
only when the /var/named/chroot/var/named directory is empty. It is mounted
by named-chroot-setup.service, started before named-chroot.service. That
means you have to move your backups out of that directory, not only to
different filenames anywhere under that directory. If there are files,
those copies are used instead. It should be the reason why it cannot find
your zone data.

Move it out of chroot as a backup, when bind-chroot.service is stopped.

# systemctl stop named-chroot            # unmount the chroot first, so the move does not touch the live /var/named
# mkdir -p /var/named/backup-chroot/var/named
# mv /var/named/chroot/var/named/* /var/named/backup-chroot/var/named
# systemctl restart named-chroot         # named-chroot-setup.service now finds the directory empty and bind-mounts /var/named
# ls -l /var/named/{,chroot/var/named}   # check files are the same

Cheers,

Petr

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
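The "mount only if the target is empty" rule described in the reply above, as an added example that is not part of the original thread, of the bind-chroot package or of setup-named-chroot.sh. The two functions (chroot_mount_conflicts and chroot_evacuate) and the backup layout are my own; the chroot root (/var/named/chroot on Fedora/RHEL) and the list of mount points are passed in by the caller, since only /var/named is discussed in the thread. It lets you find every directory under the chroot that named-chroot-setup.service would leave unmounted, and empty it into a backup before restarting the service.

```shell
#!/bin/sh
# Added example for this thread; not from bind-chroot or setup-named-chroot.sh.
# Function names, output format and backup layout are assumptions made here.

# Print every mount point under the chroot root that is non-empty
# (setup-named-chroot.sh leaves such a directory alone, so named sees the
# stale copy instead of the real /var/named). Returns 0 if all targets
# are empty, 1 if at least one is not.
chroot_mount_conflicts() {
    rootdir=$1; shift
    rc=0
    for p in "$@"; do
        target="$rootdir$p"
        if [ -d "$target" ] && [ -n "$(ls -A "$target" 2>/dev/null)" ]; then
            printf 'NOT EMPTY: %s (%s will not be bind-mounted here)\n' "$target" "$p"
            rc=1
        fi
    done
    return $rc
}

# Move the contents of each target (dotfiles included) into $backupdir,
# keeping the same relative layout, so the target ends up empty.
# Run this only while named-chroot is stopped: under a live bind mount
# the target IS /var/named, and you would move the real zone files.
chroot_evacuate() {
    rootdir=$1; backupdir=$2; shift 2
    for p in "$@"; do
        target="$rootdir$p"
        [ -d "$target" ] || continue
        mkdir -p "$backupdir$p"
        # find (GNU/BSD -mindepth/-maxdepth) instead of a glob, so dotfiles are not left behind
        find "$target" -mindepth 1 -maxdepth 1 -exec mv -- {} "$backupdir$p"/ \;
    done
}

# Usage on the system from the thread (as root, with named-chroot stopped):
#   chroot_mount_conflicts /var/named/chroot /var/named
#   chroot_evacuate /var/named/chroot /var/named/backup-chroot /var/named
#   systemctl restart named-chroot
#   ls -l /var/named/ /var/named/chroot/var/named/   # the two listings should now match
```

After the restart, findmnt /var/named/chroot/var/named is a quick way to confirm the bind mount is actually in place; if it prints nothing, something is still occupying the target directory.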
