Problem with chrooted bind setup

I installed virtualmin pro on Centos 6

After installing virtualmin I installed bind-chroot

Now when I add a virtual server I get warnings like the following:

Adding new virtual website .. .. Apache website failed! : Failed to replace /var/named/chroot/etc/named.conf with /var/named/chroot/etc/named.conf.webmintmp.3035 : Device or resource busy at /usr/libexec/webmin/web-lib-funcs.pl line 1360.

Evidently bind-chroot in rhel/centos 6 does not work the way it did in centos 5: see, for example,

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Migrat...
http://floriancrouzat.net/2011/09/centos-6-configure-bind-logging-bind-c...
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=32877
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=32270

It appears that under rhel6/centos6 changes should be made in /etc/named.conf, /etc/named and /var/named and not directly in the chroot environment.

What do I have to do in virtualmin/webmin to correct this problem?

Status: 
Closed (fixed)

Comments

Howdy -- hmm, there's a Virtualmin bug report regarding that which I can't seem to find at the moment.

However, due to the problems you're describing -- we don't recommend using BIND in a chroot environment right now.

Jamie is developing a workaround to the problem you saw, which should be going out soon. But in the meantime, you may want to edit "/etc/sysconfig/named", and comment out the "ROOTDIR" line, which will allow things to work correctly.

I searched for any similar issue before posting, and found none.

Won't commenting out ROOTDIR prevent the daemon from starting up in the chroot environment?

How soon is soon?

Ah, here it is, it's a forum thread on the matter:

https://virtualmin.com/node/19608

That is correct, my suggestion would indeed stop BIND from starting up in a chroot environment. Due to the changes in CentOS 6, it won't work properly with that enabled.

I don't have a specific date for when a fix will be available, but Jamie is working on it :-)

Ok, I commented out ROOTDIR. I restarted named. I restarted webmin. The entries in the Webmin Configuration for module BIND DNS Server still look like the entries for a chrooted setup:

Chroot directory to run BIND under: /var/named/chroot
Is named.conf under chroot directory? Yes
Command to find chroot directory: sh -c '. /etc/sysconfig/named && echo "$ROOTDIR"'

What changes do I have to make to the BIND module configuration now that I have commented out ROOTDIR?

Well, in theory, now that you've commented that out, you should now be able to create Virtual Servers without any further changes.

Are you able to create a Virtual Server now?

From a fresh virtualmin gpl install on a local box, it appears that the named configuration entries I have listed would appear like that even if bind-chroot was not installed and there was no /var/named/chroot directory, is that right?

Yes, it appears that I can create a virtual server now. The process modifies /etc/named.conf and adds a *.hosts file in /var/named.

Okay, that setting should work for the time being -- the next Webmin release should work around the problem that you're seeing though, so if you're interested in using the chroot setup, you should be able to when the next Webmin version comes out.

Submitted by ronald on Sun, 02/26/2012 - 11:44 Pro Licensee

this doesn't seem to be solved in Webmin version 1.580
centos 6.2

or should it be? Named is running (chrooted) but webmin doesn't seem to think so

ronald - with CentOS 6, the chroot is setup in such a way that Webmin shouldn't know about it at all.

Are you running into problems creating domains?

Submitted by ronald on Mon, 02/27/2012 - 05:59 Pro Licensee

I have a domain created as I only need one. (It's for a gameserver.) Bind didn't want to cooperate at all in the beginning but that was before I knew that the 6 series changed a lot of previous behaviour.
I created the bind hosts file manually and it's all working/resolving.
Just the webmin BIND module doesn't see it.

Also in centos 6 they changed the networking and I disabled NetworkManager and activated Network..(old style). They have changed a number of things in series 6. It really gave me a hard time setting things up

Submitted by ronald on Mon, 02/27/2012 - 09:06 Pro Licensee

I just installed a new centos 6.2 with virtualmin. Fresh install, nothing custom.
Failed to replace /var/named/chroot/etc/named.conf with /var/named/chroot/etc/named.conf.webmintmp.13515 : Device or resource busy at /usr/libexec/webmin/web-lib-funcs.pl line 1360

However after disabling chroot in the webmin module, BIND is also working and created the zone properly.
So I guess by default webmin should disable chroot in the webmin module in a fresh install to not have to run into this issue.

When you install Centos 6.2 server with DNS server then it will install bind-chroot by default.
Also Centos 6.2 will call eth0 "System eth0" which is problematic and it won't start. You'll have to edit /etc/sysconfig/network ; /etc/sysconfig/networking/devices and profiles; and /etc/sysconfig/network-scripts/ifcfg-eth0 to make sure settings are proper.
This is also what redhat wants you to do. To do it manually. Which is kinda stupid.

then I had to /etc/init.d/network restart to make the eth0 come online

DEVICE=eth0
NM_CONTROLLED=yes
ONBOOT=yes                       # Default is No
HWADDR=00:0c:29:8b:74:bb
TYPE=Ethernet
BOOTPROTO=static             # default is NONE
IPADDR=81.30.xx.xx
PREFIX=24
GATEWAY=81.30.xx.xx
DNS1=217.67.224.xxx
DNS2=217.67.225.xxx
DNS3=127.0.0.1
DOMAIN=izixxxxxxx.com
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME=eth0                    # Default is System eth0
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
NETMASK=255.255.255.0
USERCTL=no

This sounds like a Webmin bug if it is using chroot when it shouldn't be.

What did you do to disable chroot exactly?

Submitted by ronald on Mon, 02/27/2012 - 14:00 Pro Licensee

Webmin version 1.580
I went to the BIND module
Chroot directory to run BIND under I had to set this to None
Is named.conf under chroot directory? I had to set this to No

At the moment the website can't be found due to "query timed out" on the nameservers. I still have to find if I can change this under webmin or do it manually.

series centos 6 was initially running fine as a desktop until I added a virtual eth0:1.
Then it took eth0:1 as the default eth which didn't do anything as the parent eth0 didn't go up. I had to manually make that active when I logged in to the desktop.

NetworkManager is used in the desktop like in Ubuntu. But as running as a server ain't that great just like ubuntu is crap as a server.

Submitted by ronald on Mon, 02/27/2012 - 14:51 Pro Licensee

okay also
to resolve the nameserver query time out issue ...
this can be done with webmin bind module under: Addresses and Topology
Ports and addresses to listen on port 53
Addresses Fill in all addresses of the dns ip's e.g. 127.0.0.1 81.30.xx.xx 81.30.xx.xx

also in the /etc/named.conf you need to add recursion yes; normally this wasn't necessary but in centos 6 it is.

so the options part will look like this

options {
        listen-on port 53 {
                127.0.0.1;
                81.30.xx.xx;
                81.30.xx.xx;
        };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

Ok, I see the underlying issue now .. on CentOS 6, Webmin and Virtualmin are by default using a chroot directory when they shouldn't be. This also causes the code in the Virtualmin installer that fixes the listen directives in named.conf to fail.

I will fix this in the next Webmin release. Till then, the work-around is to disable chroot at Webmin -> Servers -> BIND DNS Server -> Module Config.

I have followed what is written here - but when I try to start named it still does not want to work. I still get these errors: named[10891]: none:0: open: /etc/named.conf: permission denied

So I have gotten it working by changing the owner on /etc/named.conf to root:named. Please let me know if this is fine or not?

Automatically closed -- issue fixed for 2 weeks with no activity.

Hello again.

Do I have to do something to my server to take advantage of the promised fix, which I gather has been applied to webmin/virtualmin since my last message above???

When I first reported this problem I had two servers with Centos 6.0 on which virtualmin had been installed: a production server with virtualmin pro and a test system with virtualmin gpl.

On the test system I edited "/etc/sysconfig/named" and commented out the "ROOTDIR" line, and reported success in message #7 above.

I left the production server alone because I understood from message #8 above that its chroot setup would work "as is" once the promised fix was incorporated into webmin/virtualmin.

So now my production server is at centos 6.3 and its Virtualmin Pro is version 3.93. "/etc/sysconfig/named" still contains "ROOTDIR=/var/named/chroot". I have made no changes to the configuration of the BIND DNS Server module, which displays the subheading "BIND version 9.8.2, under chroot /var/named/chroot".

I just tried creating a subserver under an existing virtual server, and several of the steps reported:

failed! : Failed to replace /var/named/chroot/etc/named.conf with /var/named/chroot/etc/named.conf.webmintmp.2240 : Device or resource busy at /usr/libexec/webmin/web-lib-funcs.pl line 1360.

So, do I have to do something to my server/virtualmin setup to take advantage of the promised fix, which I gather has been applied to webmin/virtualmin since my last message above???

Unfortunately the chroot setup in CentOS 6 is pretty complex, as it involves more than just the /etc/sysconfig/named config file.

Could you attach your system's /etc/webmin/bind8/config file to this bug report?

Also, I'd like to see the /etc/sysconfig/named file, and the output from the mount command.

The requested info is attached.

I have anonymized the contents of the bind config file, since there seems no way to make this response private.

For starters, try removing the line

auto_chroot=sh -c '. /etc/sysconfig/named && echo "$ROOTDIR"'

from /etc/webmin/bind8/config

That seems to have fixed it, thanks.

Great! I am looking into where that line came from, as it isn't supposed to be in the default configuration ..

Perhaps it was in whatever the install script installed on December 10, 2011 (which installed caching-nameserver, among numerous others).

FYI, I just installed Virtualmin on a fully updated from 32-bit VM running CentOS 6.3, but wasn't able to reproduce this problem.

That is good news for anyone installing vm now on an up-to-date centos 6.3 server.

Evidently whatever put that line in the webmin bind module config when I installed the then current vm on centos 6.0 in December 2011 is not doing that anymore.

As my case illustrates, whatever you did between then and now to fix this for future installs did not fix it for existing installs.

For folk with older installs, perhaps you might leave a note here about whether that line should ever be in a centos 6.x webmin install, or how they could tell whether it should be there or not.

Unfortunately the first fix for this issue didn't resolve it properly for existing systems, only for new installs.

The next Webmin release (1.600) will also fix the problem for CentOS 6 systems that have inherited the older incorrect Webmin settings.
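
A check for the condition this thread ends on, as an added example that is not part of the thread and not Webmin or Virtualmin code. It reads saved copies of /etc/webmin/bind8/config, /etc/sysconfig/named and the `mount` output, and assumes that on an affected system `mount` lists /etc/named.conf bind-mounted into the chroot (the thread does not show that output); the function names and sample files are constructed for illustration.

```shell
# Added example, not Webmin code. Inputs are saved copies of the three items
# requested in the thread: /etc/webmin/bind8/config, /etc/sysconfig/named and
# the output of `mount`.

# Succeeds if the Webmin BIND module config carries an auto_chroot line.
has_auto_chroot() {
    grep -q '^auto_chroot=' "$1"
}

# Prints the active ROOTDIR value; commented-out lines do not match.
rootdir_of() {
    sed -n 's/^[[:space:]]*ROOTDIR=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeeds if path $2 is a mount point in the saved `mount` output $1.
is_mount_point() {
    awk -v p="$2" '$2 == "on" && $3 == p { hit = 1 } END { exit !hit }' "$1"
}

# Prints one verdict for config $1, sysconfig file $2 and mount output $3.
diagnose() {
    root=$(rootdir_of "$2")
    if ! has_auto_chroot "$1"; then
        echo ok          # the line removed in this thread is absent
    elif [ -n "$root" ] && is_mount_point "$3" "$root/etc/named.conf"; then
        echo conflict    # Webmin would try to replace a bind-mounted file
    else
        echo review      # line present, but no bind mount of named.conf found
    fi
}

# Constructed sample input, modelled on the settings quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' 'placeholder_key=1' \
    "auto_chroot=sh -c '. /etc/sysconfig/named && echo \"\$ROOTDIR\"'" > "$demo/config"
printf '%s\n' 'placeholder_key=1' > "$demo/config.fixed"
printf '%s\n' '#ROOTDIR=/tmp/old' 'ROOTDIR=/var/named/chroot' > "$demo/named"
printf '%s\n' '/dev/sda1 on / type ext4 (rw)' \
    '/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)' > "$demo/mount"
printf '%s\n' '/dev/sda1 on / type ext4 (rw)' > "$demo/mount.plain"

diagnose "$demo/config" "$demo/named" "$demo/mount"
diagnose "$demo/config.fixed" "$demo/named" "$demo/mount"
```

On a real system, pass the three real files (with `mount > /tmp/mount.txt` for the third) instead of the constructed ones.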