Bind fails to start with "configuring logging: permission denied" after upgrade to SLES 15 SP4
This document (000020820) is provided subject to the disclaimer at the end of this document.
Environment
Situation
    # systemctl start named.service
    Job for named.service failed because the control process exited with error code.
    See "systemctl status named.service" and "journalctl -xeu named.service" for details.
    # journalctl -xeu named.service
    ...
    Oct 20 12:01:55 host15sp4 named[4111]: isc_stdio_open '/var/log/named_querylog' failed: permission denied
    Oct 20 12:01:55 host15sp4 named[4111]: configuring logging: permission denied
    Oct 20 12:01:55 host15sp4 named[4111]: loading configuration: permission denied
    Oct 20 12:01:55 host15sp4 named[4111]: exiting (due to fatal error)
    Oct 20 12:01:55 host15sp4 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
    ...
Query logging for bind is enabled and writes to a file in /var/log/, using a configuration in /etc/named.conf similar to the following:
    logging {
        # Log queries to a file limited to a size of 100 MB.
        channel query_logging {
            file "/var/log/named_querylog" versions 3 size 100M;
            print-time yes; // timestamp log entries
        };
        category queries { query_logging; };
    };
The following line in /etc/sysconfig/named is currently present, or was present when bind was run in the previous service pack.
NAMED_RUN_CHROOTED="yes"
Resolution
In /etc/named.conf, change

    # Log queries to a file limited to a size of 100 MB.
    channel query_logging {
        file "/var/log/named_querylog"

to

    # Log queries to a file limited to a size of 100 MB.
    channel query_logging {
        file "/var/lib/named/log/named_querylog"
This will cause logs to be written to /var/lib/named/log/named_querylog instead of the previous location, /var/lib/named/var/log/named_querylog.
Cause
The logging path from /etc/named.conf used to be evaluated relative to the chroot location, /var/lib/named, but is now evaluated relative to the system root.
The default configuration on previous service packs set /var/log/named_querylog as the destination for logs. In the previous chroot environment, this caused logs to be written to /var/lib/named/var/log/named_querylog. With the SLES 15 SP4 changes to bind, this same setting causes logs to be written to /var/log/named_querylog.
Logs are written by the user named. By default, this user does not have permission to write to the new location, which causes the errors observed.
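The path change described above can be checked across a whole named.conf before upgrading. The following is an added example, not part of the original SUSE document: it lists each logging channel's file path, where that path resolved under the old chroot, and whether it now falls outside /var/lib/named. The sample configuration is constructed, and the rule that only paths under /var/lib/named are writable by the user named is an assumption drawn from the Resolution section.

```python
import re
from pathlib import PurePosixPath

# Chroot directory used before SLES 15 SP4, taken from the article's paths.
CHROOT = PurePosixPath("/var/lib/named")

# Constructed sample input, modeled on the article's logging block.
SAMPLE_CONF = '''
logging {
    # Log queries to a file limited to a size of 100 MB.
    channel query_logging {
        file "/var/log/named_querylog" versions 3 size 100M;
        print-time yes; // timestamp log entries
    };
    channel fixed_logging { file "/var/lib/named/log/named.log"; };
    // channel disabled { file "/var/log/ignored"; };
    category queries { query_logging; };
};
'''

# Match quoted strings first so comment markers inside a path are not stripped.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_CHANNEL_FILE = re.compile(r'channel\s+(\S+)\s*\{[^}]*?\bfile\s+"([^"]+)"')

def strip_comments(text):
    """Remove #, // and /* */ comments, leaving quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def audit_log_paths(conf_text):
    """Report where each absolute channel file path resolved before and after SP4."""
    findings = []
    for m in _CHANNEL_FILE.finditer(strip_comments(conf_text)):
        path = PurePosixPath(m.group(2))
        if not path.is_absolute():
            continue  # relative paths are outside this example's scope
        inside = CHROOT in path.parents
        findings.append({
            "channel": m.group(1),
            "now": str(path),                                   # system root
            "before_sp4": str(CHROOT / path.relative_to("/")),  # chroot-relative
            # Assumption: only paths under CHROOT are writable by user named.
            "needs_change": not inside,
            "suggested": str(path if inside else CHROOT / "log" / path.name),
        })
    return findings

if __name__ == "__main__":
    for f in audit_log_paths(SAMPLE_CONF):
        print(f)
```

To audit a real system, pass the contents of /etc/named.conf to audit_log_paths() instead of SAMPLE_CONF.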
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020820
- Creation Date: 20-Oct-2022
- Modified Date: 21-Oct-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com