In CentOS 6.3 Linux 2.6.32-279.1.1.el6.x86_64 BIND version 9.8.2, under chroot /var/named/chroot, the DNS server is consistently marked as down even though it is in fact running. This happens both on the System Information page, where I get the play button, but when I click it nothing happens, and on the BIND DNS Server page, where in the upper-right corner I keep getting Start BIND, also with nothing happening if you click the link.
I replicated this twice, on a fresh install from the CentOS DVDs and with your script installer.
Status:
Active
Comments
Submitted by JamieCameron on Thu, 07/19/2012 - 12:50 Comment #1
This is probably due to Webmin looking in the wrong place for the BIND PID file.
Where is the named.pid file on your system? It should be somewhere under the /var directory.
> locate named.pid
/var/named/chroot/var/run/named/named.pid
/var/run/named.pid
Which one is the good one? BTW this gives all kinds of problems due to Virtualmin thinking Bind is not running, mainly when creating a new domain, and "Virtualmin is never ready for your system" :)
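The PID-file lookup Jamie describes in Comment #1, as an added example (this is not Webmin's or Virtualmin's code, and not something the reporter posted): a small POSIX shell script that reads the chroot=, pid_file= and no_pid_chroot= keys from a Webmin bind8 config file, derives the path the module would look at, and reports whether that file exists, whether the PID in it belongs to a live process, and which user that process runs as. The meaning given to no_pid_chroot (1 = take pid_file literally, otherwise prefix it with the chroot directory) is an assumption, as is the script name; the sample config lines in the comments are constructed. Run against /etc/webmin/bind8/config on the affected host, it shows directly whether the configured path matches either of the two locations the locate output lists.

```shell
#!/bin/sh
# Added example, not Webmin's or Virtualmin's own code: resolve where a
# chrooted BIND install keeps its PID file from the same keys that appear in
# /etc/webmin/bind8/config (chroot=, pid_file=, no_pid_chroot=), then check
# whether the PID recorded there is a live process and who owns it.
# Assumption (not stated in the thread): no_pid_chroot=1 means the PID file
# path is taken literally, otherwise it is looked up under the chroot.

# read_key CONFIG KEY: print the value of KEY from a key=value file
read_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# resolve_pid_file CONFIG: print the PID file path the config points at,
# e.g. chroot=/var/named/chroot + pid_file=/var/run/named.pid
#      -> /var/named/chroot/var/run/named.pid   (constructed example)
resolve_pid_file() {
    chroot_dir=$(read_key "$1" chroot)
    pid_file=$(read_key "$1" pid_file)
    no_pid_chroot=$(read_key "$1" no_pid_chroot)
    if [ -n "$chroot_dir" ] && [ "$no_pid_chroot" != "1" ]; then
        printf '%s\n' "${chroot_dir}${pid_file}"
    else
        printf '%s\n' "$pid_file"
    fi
}

# named_status PIDPATH: print "missing" (no PID file), "stale" (PID file
# names no live process) or "running"
named_status() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    pid=$(tr -d '[:space:]' < "$1")
    # the /proc test also works for processes owned by other users;
    # kill -0 is the fallback where /proc is not available
    if [ -n "$pid" ] && { [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; }; then
        echo running
    else
        echo stale
    fi
}

# named_owner PIDPATH: print the user the recorded process runs as (empty
# if there is no live process); a DNS daemon should not show "root" here
named_owner() {
    pid=$(tr -d '[:space:]' 2>/dev/null < "$1")
    [ -n "$pid" ] && ps -o user= -p "$pid" 2>/dev/null | tr -d ' '
}

# Usage: sh bind-pid-check.sh /etc/webmin/bind8/config   (hypothetical name)
if [ -n "${1:-}" ]; then
    path=$(resolve_pid_file "$1")
    echo "$path: $(named_status "$path") $(named_owner "$path")"
fi
```

If the script prints "missing" for the path it derived while locate finds a named.pid elsewhere under the chroot, the pid_file value and the on-disk layout disagree; if it prints "stale", the file is left over from a previous run and named either is not up or writes its PID somewhere else.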
Submitted by JamieCameron on Fri, 07/20/2012 - 13:15 Comment #3
Those should actually be effectively the same file..
Could you attach the contents of the /etc/webmin/bind8/config file from your system?
/etc/webmin/bind8/config is not in the directory.
In /etc/webmin/bind8/ there are all the domains...
Submitted by JamieCameron on Fri, 07/20/2012 - 16:34 Comment #5
You mean the /etc/webmin/bind8/config file doesn't exist on your system?! That is really odd, as that is the primary configuration file for the BIND module.
Sorry, missed it the first time; there is a config file indeed, and also the domains with an acl extension. But this problem is surely a bug; I tried it the other day on a different (virtual) machine, a default server installation - the same!
updserial_man=1
keygen=dnssec-keygen
checkconf=named-checkconf
updserial_def=0
pid_file=/var/run/named.pid
named_conf=/etc/named.conf
restart_cmd=restart
relative_paths=0
rev_must=0
soa_start=0
records_order=0
reversezonefilename_format=ZONE.rev
no_pid_chroot=0
short_names=0
master_dir=/var/named
master_ttl=1
allow_comments=0
no_chroot=0
updserial_on=1
named_path=/usr/sbin/named
whois_cmd=whois
ndc_cmd=ndc
allow_long=0
checkzone=named-checkzone
allow_wild=1
show_list=1
rev_def=0
stop_cmd=/etc/rc.d/init.d/named stop
confirm_zone=1
forwardzonefilename_format=ZONE.hosts
by_view=0
rndcconf_cmd=rndc-confgen
start_cmd=/etc/rc.d/init.d/named start
rndc_conf=/etc/rndc.conf
signzone=dnssec-signzone
support_aaaa=1
ipv6_mode=1
slave_dir=/var/named/slaves
confirm_rec=0
soa_style=1
max_zones=100
largezones=0
allow_underscore=1
rndc_cmd=rndc
other_slaves=1
auto_chroot=sh -c '. /etc/sysconfig/named && echo "$ROOTDIR"'
chroot=/var/named/chroot
named_group=
named_user=
zones_file=
keys_dir=
extra_reverse=
default_view=
extra_forward=
default_prins=
file_perms=
default_master=
file_owner=
free_nets=
PS: can you also take a look here please https://www.virtualmin.com/node/22770 , hope these two are not related...
Submitted by JamieCameron on Sun, 07/22/2012 - 13:08 Comment #9
Can you try removing the line :
auto_chroot=sh -c '. /etc/sysconfig/named && echo "$ROOTDIR"'
Tried it - nothing happened; BIND seems down as before, and the little play button & links in Webmin/Virtualmin to start it don't do squat, even after a reboot and some updates to everything, so I put the line back in the config file as it seems it is not that.
I also removed the annoying Network Manager... because I don't like it overwriting my files at all, especially the hosts file :)
Should I do a bug report also for this issue https://www.virtualmin.com/node/22770#comment-103194 ? I'm getting a weird error on my primary Virtualmin server, a CentOS 5.8x64, when trying to add this one as a slave:
Failed to add server : flush_file_lines called on non-loaded file /etc/named.conf
Are the problems related maybe?
Submitted by JamieCameron on Mon, 07/23/2012 - 19:57 Comment #12
That could be related..
Is there any chance we could log in to your system to see what is going wrong? If so, contact me directly at jcameron@virtualmin.com
Submitted by JamieCameron on Wed, 07/25/2012 - 19:00 Comment #13
I had a look, and it seems that the named configuration on your system is inconsistent - the chroot is not completely set up properly. If you like, I can correct it by turning off chroot mode?
Well... everything I read says that it is not a good idea to have BIND out of the jail, as it presents major security risks, so I would rather have it set up this way. Can you maybe give me/us some hints? It seems to be working now, though the contents of a zone file are gone.
So this is a bug after all; never had this kind of issue with previous CentOS releases...
Submitted by andreychek on Thu, 07/26/2012 - 08:21 Comment #15
Way back when, BIND did have some significant security flaws that were taken advantage of.
There have been very few issues in recent years though, and we frequently suggest not using the chroot. It unfortunately seems to cause more problems than it solves. As you're seeing -- there have been a lot of issues with it on CentOS 6.
The thing is that BIND runs as the user "bind" -- who doesn't have permission to do much other than DNS queries.
It's actually far more dangerous to install a web application on a website, than it is to run BIND outside a chroot.
Websites and SSH have become the simpler targets these days -- the bots that used to roam the Internet looking for insecure BIND versions are now typically either searching websites for out-of-date web applications, or banging on SSH looking for easy username/password combinations.
So if you keep having problems with the chroot setup, we'll continue looking into how to prevent those, but we really don't have problems suggesting someone run BIND without a chroot jail, and we'd have no problem running that configuration on our own servers.
In the meantime though -- it sounds like you were looking for some hints/ideas regarding your current setup -- did you have any specific questions that we can assist with?
I understand all of this and I completely agree with you up to a point, but as I am still kind of a Linux noob after all these years and books and servers and all kinds of stuff, I developed a side effect: extreme caution :) also called by others "the not talented, but hard-working admin's paranoia" :)) I am the kind of person that gets panic attacks at night lol
So please, can you try to make this work (no problem on my other server, 5.8)? Almost everyone writes that it is not a good idea to run the DNS server as root (anyway, it scares the hell out of me just seeing the user), so even if I have full confidence in your team (gave a password for the first time in my life to someone!) I tend to listen to others as well.
Let me explain clearly how it works for us not so knowledgeable in Linux: every time I have a problem, I'll suspect it's something wrong with BIND, being hacked and stuff, because I'll know there is a chance. So why take it? Your software tends to ease my pains as an admin, so I don't want to get any useless and pointless ones.
Enough whining in the Issues section :) ! Please tell me what to do:
- wait for it, till you find a solution, and that you are willing to try and solve this;
- or run it as default, because this is how Webmin works and there is nothing more to do, and continue with the setup of the secondary server;
PS kind of a sick remark: now anyone registered here knows that all the users running Webmin and CentOS 6 are not chrooted, and their number will grow.
Submitted by JamieCameron on Thu, 07/26/2012 - 22:10 Comment #17
I would recommend turning off chroot - in my opinion the security benefit is tiny, while the operational overhead is substantial.
Submitted by warren0728 on Wed, 08/22/2012 - 15:22 Comment #18
hey jamie this is happening to me again (it has been running great ever since you helped out)....
My server was shut down due to a power outage and then of course restarted.... now it is showing BIND as not running when it actually is.
thoughts?
Submitted by andreychek on Wed, 08/22/2012 - 15:30 Comment #19
Hi warren0728 -- it looks like you have an existing support request regarding that issue... can you follow on that request? That'll make it easier for us to provide assistance. That request is here:
https://www.virtualmin.com/node/22752
Thanks!
Submitted by warren0728 on Wed, 08/22/2012 - 15:41 Comment #20
no prob wasn't sure which thread would be better!
thanks