
Bug#1037966: bind9: Unable to restart bind9 via systemctl when using chroot on Debian 12


Bret Giddings

Jun 14, 2023, 5:20:04 PM
Package: bind9
Version: 1:9.18.12-1
Severity: important

Dear Maintainer,

Whilst attempting to upgrade from Debian 11 to 12, for my chroot named setup, I
found that running

systemctl restart named

would hang and eventually timeout. It should be noted that named is running fine.

Having compared the differences from 11 to 12, I believe that this is caused
by the latter unit file using a service type of notify rather than the default
simple.

Creating an override with

[Service]
Type=simple

restores the former behaviour. So, I believe that the notify option is unable
to communicate with the chroot'ed environment. Whilst I can use the above
as a workaround, I couldn't find anything in the changelog or elsewhere
reporting this issue. I also tested and confirmed this behaviour on a new
install of bind9 with minimal customisation. It only fails when you switch
to using '-t /var/cache/bind' in /etc/default/named (having previously
created the appropriate directories etc.).


-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/48 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.134
ii bind9-libs 1:9.18.12-1
ii bind9-utils 1:9.18.12-1
ii debconf [debconf-2.0] 1.5.82
ii dns-root-data 2023010101
ii init-system-helpers 1.65.2
ii iproute2 6.1.0-3
ii libc6 2.36-9
ii libcap2 1:2.66-4
ii libfstrm0 0.6.1-1
ii libjson-c5 0.16-2
ii liblmdb0 0.9.24-1
ii libmaxminddb0 1.7.1-1
ii libnghttp2-14 1.52.0-1
ii libprotobuf-c1 1.4.1-1+b1
ii libssl3 3.0.9-1
ii libsystemd0 252.6-1
ii libuv1 1.44.2-1
ii libxml2 2.9.14+dfsg-1.2
ii netbase 6.4
ii sysvinit-utils [lsb-base] 3.06-4
ii zlib1g 1:1.2.13.dfsg-1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind-doc <none>
ii bind9-dnsutils [dnsutils] 1:9.18.12-1
pn resolvconf <none>
pn ufw <none>

-- Configuration Files:
/etc/bind/db.0 [Errno 2] No such file or directory: '/etc/bind/db.0'
/etc/bind/db.127 [Errno 2] No such file or directory: '/etc/bind/db.127'
/etc/bind/db.255 [Errno 2] No such file or directory: '/etc/bind/db.255'
/etc/bind/db.empty [Errno 2] No such file or directory: '/etc/bind/db.empty'
/etc/bind/db.local [Errno 2] No such file or directory: '/etc/bind/db.local'
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.default-zones [Errno 2] No such file or directory: '/etc/bind/named.conf.default-zones'
/etc/bind/named.conf.local [Errno 2] No such file or directory: '/etc/bind/named.conf.local'
/etc/bind/named.conf.options [Errno 2] No such file or directory: '/etc/bind/named.conf.options'
/etc/bind/zones.rfc1918 [Errno 2] No such file or directory: '/etc/bind/zones.rfc1918'
/etc/default/named changed [not included]

-- no debconf information

Marc Haber

Jun 15, 2023, 1:20:05 AM
On Thu, Jun 15, 2023 at 06:36:10AM +0200, Ondřej Surý wrote:
> Your chroot is missing the sd_notify socket. The package can’t really expect all non-default configurations. I can probably add a NEWS.Debian entry for this, but it’s certainly not important severity.

Maybe it would also be a good idea to document how to get that socket
into the chroot. Not everybody will know how to do this. #867187 seems
to have a solution for unbound, maybe this one can at least be an
example in the bind9 packages?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

Marc Haber

Jun 15, 2023, 6:00:05 AM
On Thu, Jun 15, 2023 at 09:02:05AM +0000, Giddings, Bret wrote:
> I can confirm that one solution is
>
> umask 0022
> mkdir /var/cache/bind/run/systemd
> touch /var/cache/bind/run/systemd/notify
> mount --bind /run/systemd/notify /var/cache/bind/run/systemd/notify
>
> I had previously tried this, but my default system umask for root is 0077 and I therefore initially created the directory with more restrictive permissions that meant that it still didn't work. Once I had corrected that, it did indeed work.
>
> I'll review the unbound patch and see if I can put it all in systemd using ExecStartPre.
>
> If something could be documented, that would be incredibly helpful as it is by no means obvious that this has changed and how to resolve it.

Maybe this could even be solved implicitly by having a template unit
that takes the path to the chroot as instance name and then
automatically does all the right motions to set up the chroot etc.

In any case, neither the improved docs nor the template unit is likely
to show up in Debian bookworm.
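The steps Bret quotes above (create the directory with a sane umask, create a placeholder file, bind-mount /run/systemd/notify onto it) and the ExecStartPre idea he mentions, put together as one script. This is an added example, not code from the bug report or the bind9 package. It assumes the thread's defaults (chroot at /var/cache/bind, socket at /run/systemd/notify); the script path /usr/local/sbin/named-chroot-notify and the drop-in file name are my own choice. The traversal check exists because mkdir -p leaves an existing 0700 directory alone, which is exactly the umask trap described in the quoted message.

```shell
#!/bin/sh
# Added example, not the bug report's or the bind9 package's code: make the
# systemd notify socket reachable inside a chroot'ed named so Type=notify works,
# and install a named.service drop-in that repeats the setup before every start.
# Assumed defaults (from the thread): chroot /var/cache/bind, socket
# /run/systemd/notify. The script path and drop-in name are hypothetical.
set -eu

CHROOT="${CHROOT:-/var/cache/bind}"
NOTIFY_SOCKET_PATH="${NOTIFY_SOCKET_PATH:-/run/systemd/notify}"
SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/sbin/named-chroot-notify}"   # hypothetical install location

# Create <chroot>/run/systemd and an empty file to bind-mount the socket onto.
# Directories are created under umask 022 in a subshell so they come out 0755
# whatever the caller's umask; a root umask of 0077 gives 0700 directories that
# the unprivileged bind user cannot traverse, so named never reaches the socket.
setup_notify_mountpoint() {
    chroot_dir="$1"; socket_path="$2"
    target="$chroot_dir$socket_path"
    (umask 022 && mkdir -p "$(dirname "$target")")
    if [ ! -e "$target" ]; then
        (umask 022 && : > "$target")
    fi
}

# Every directory between the chroot root and the socket must be searchable by
# others. mkdir -p does not touch pre-existing directories, so a leftover 0700
# directory from an earlier attempt would silently keep the notify path broken.
check_traversable() {
    chroot_dir="$1"; target="$2"
    dir=$(dirname "$target")
    while [ "$dir" != "$chroot_dir" ] && [ "$dir" != "/" ]; do
        mode=$(stat -c %a "$dir")
        case "$mode" in
            *[1357]) ;;   # others' execute bit set
            *) echo "not traversable by others: $dir (mode $mode)" >&2; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Bind-mount the host socket onto the placeholder. Idempotent: if the target is
# already a socket, the mount is still in place from a previous start.
bind_notify_socket() {
    chroot_dir="$1"; socket_path="$2"
    target="$chroot_dir$socket_path"
    [ -S "$target" ] && return 0
    mount --bind "$socket_path" "$target"
}

# Drop-in so the mount happens before each start. The "+" prefix makes systemd
# run the command with full privileges even if the unit sets User=.
write_dropin() {
    dropin_dir="$1"; script="$2"
    (umask 022 && mkdir -p "$dropin_dir")
    cat > "$dropin_dir/chroot-notify.conf" <<EOF
# Type=notify needs the sd_notify socket inside the chroot; otherwise systemd
# never sees READY=1, times out the start and restarts named.
[Service]
ExecStartPre=+$script setup
EOF
}

case "${1:-}" in
    setup)
        setup_notify_mountpoint "$CHROOT" "$NOTIFY_SOCKET_PATH"
        check_traversable "$CHROOT" "$CHROOT$NOTIFY_SOCKET_PATH"
        bind_notify_socket "$CHROOT" "$NOTIFY_SOCKET_PATH"
        ;;
    install-dropin)
        write_dropin /etc/systemd/system/named.service.d "$SCRIPT_PATH"
        echo "now run: systemctl daemon-reload && systemctl restart named"
        ;;
esac
```

Install the script at the assumed path, run it once with `install-dropin`, then `systemctl daemon-reload && systemctl restart named`. If the restart still times out, run `check_traversable` by hand against the chroot: an old 0700 directory is the usual cause. The `Type=simple` override from the first message remains a fallback, at the cost of systemd no longer knowing when named is actually ready.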

Athanasius

Aug 6, 2023, 11:20:05 AM
This bug doesn't only affect `systemctl restart named.service`. After
upgrading a server to bookworm yesterday I just found that named was
being restarted periodically.

2023-08-06T15:48:31.080060+01:00 river systemd[1]: named.service: Failed with result 'timeout'.
2023-08-06T15:48:31.080557+01:00 river systemd[1]: Failed to start named.service - BIND Domain Name Server.
2023-08-06T15:48:31.315062+01:00 river systemd[1]: named.service: Scheduled restart job, restart counter is at 853.
2023-08-06T15:48:31.315934+01:00 river systemd[1]: Stopped named.service - BIND Domain Name Server.
2023-08-06T15:48:31.369499+01:00 river systemd[1]: Starting named.service - BIND Domain Name Server...
2023-08-06T15:48:31.370021+01:00 river systemd[1]: Started named.service - BIND Domain Name Server.
...
2023-08-06T15:48:31.435786+01:00 river named[792739]: all zones loaded

I tracked this down to `Type=notify` with our chroot not having the
socket present.

Whilst it took me a while to notice because it was *mostly* working,
this issue *was* causing some downtime during the restarts. It would
also have been spamming secondaries with notifications upon each
restart.

I'll go see about implementing the socket in the chroot....

--
- Athanasius (he/him) = Athanasius(at)miggy.org / https://miggy.org/
GPG/PGP Key: https://miggy.org/gpg-key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
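The failure mode Athanasius describes is easy to miss precisely because named keeps answering queries: the symptom is a rising restart counter next to "all zones loaded", not a dead service. The following is an added example, not from the thread, that pulls those three signals out of journal output so the loop can be spotted from logs. The log lines inside `sample_log` are constructed to match the format quoted in the message above; the 100-restart threshold in the usage note is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the bug thread: detect a named.service restart loop in
# journald output. With Type=notify and no reachable notify socket, systemd times
# out the start, restarts the unit and bumps the restart counter while named itself
# keeps loading its zones and serving. The sample below is constructed test data.
set -eu

sample_log() {
    cat <<'EOF'
2023-08-06T15:45:01.000000+01:00 river systemd[1]: named.service: Failed with result 'timeout'.
2023-08-06T15:45:01.200000+01:00 river systemd[1]: named.service: Scheduled restart job, restart counter is at 851.
2023-08-06T15:45:01.400000+01:00 river systemd[1]: Started named.service - BIND Domain Name Server.
2023-08-06T15:45:01.500000+01:00 river named[792700]: all zones loaded
2023-08-06T15:46:31.000000+01:00 river systemd[1]: named.service: Failed with result 'timeout'.
2023-08-06T15:46:31.200000+01:00 river systemd[1]: named.service: Scheduled restart job, restart counter is at 852.
2023-08-06T15:46:31.400000+01:00 river systemd[1]: Started named.service - BIND Domain Name Server.
2023-08-06T15:46:31.500000+01:00 river named[792720]: all zones loaded
2023-08-06T15:48:31.080060+01:00 river systemd[1]: named.service: Failed with result 'timeout'.
2023-08-06T15:48:31.315062+01:00 river systemd[1]: named.service: Scheduled restart job, restart counter is at 853.
2023-08-06T15:48:31.370021+01:00 river systemd[1]: Started named.service - BIND Domain Name Server.
2023-08-06T15:48:31.435786+01:00 river named[792739]: all zones loaded
EOF
}

# Read journal lines on stdin; print "<start timeouts> <highest restart counter> <zone loads>".
restart_loop_summary() {
    unit="$1"
    awk -v unit="$unit" '
        index($0, unit ": Failed with result") && /timeout/ { timeouts++ }
        index($0, unit ": Scheduled restart job") {
            s = $0; sub(/.*restart counter is at /, "", s)
            n = s + 0; if (n > max) max = n
        }
        /named\[[0-9]+\]: all zones loaded/ { loaded++ }
        END { printf "%d %d %d\n", timeouts, max, loaded }
    '
}

# Succeed when the unit is looping: start timeouts are present and the restart
# counter has reached the threshold. Timeouts paired with repeated "all zones
# loaded" point at the notify socket, not at a broken named configuration.
is_restart_loop() {
    unit="$1"; threshold="$2"
    set -- $(restart_loop_summary "$unit")
    timeouts=$1; max_counter=$2
    if [ "$timeouts" -gt 0 ] && [ "$max_counter" -ge "$threshold" ]; then
        return 0
    fi
    return 1
}

# On a live system (not run here):
#   journalctl -u named.service --since -1h --no-pager | is_restart_loop named.service 100 && echo "restart loop"
```

The summary is deliberately three numbers rather than a yes/no so it can feed a monitoring check: timeouts with a flat counter mean a one-off, a climbing counter with zone loads on every cycle is the pattern from the message above.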