Hi, I have a bug I can't figure out.
I have 3 Virtualmin servers. 2 of them were on Ubuntu 10.04 LTS, which I upgraded to 12.04 mostly successfully, and 1 of them is a fresh install of 12.04.
All 3 of them are set up with cluster DNS of the other 2.
Now whenever I create a master zone on one, slave zones are created on the 2 others. The "test zone transfer" function works, but the zone content only gets transferred between the 2 servers that were migrated from 10.04 to 12.04.
On the fresh 12.04 install I see the following in syslog:
Sep 1 11:15:48 tt1 kernel: [165998.653837] type=1400 audit(1346512548.355:239): apparmor="DENIED" operation="link" parent=15751 profile="/usr/sbin/named" name="/var/lib/bind/db-ldjjTVPa" pid=15753 comm="named" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/var/lib/bind/disney.com.hosts"
I tried to see differences in both /etc/apparmor.d/usr.sbin.named and other config files and I can't see any.
The only difference I see is on file ownership and permissions of hosts file in /var/lib/bind
the 2 migrated servers:
ls -als /var/lib/bind
4 drwxrwxr-x 2 root bind 4096 Sep 1 11:02 .
4 drwxr-xr-x 54 root root 4096 Aug 30 01:42 ..
4 -rw-r--r-- 1 root root 782 Nov 2 2011 disney.com.hosts
the 1 fresh install server:
ls -als /var/lib/bind
4 drwxrwxr-x 2 root bind 4096 Sep 1 11:15 .
4 drwxr-xr-x 48 root root 4096 Aug 31 06:48 ..
0 -rw-rw-r-- 1 root bind 0 Sep 1 11:15 disney.com.hosts
Any help would be appreciated =)
Comments
Submitted by JamieCameron on Sat, 09/01/2012 - 15:34 Comment #1
Have you tried turning off apparmor? Many users have reported that it causes problems with Virtualmin and servers that Virtualmin uses, like Apache and BIND..
Submitted by bksunday on Sat, 09/01/2012 - 15:42 Comment #2
/etc/init.d/apparmor stop
# did not work
/etc/init.d/apparmor teardown
# works and the slave zone gets their record.
I have no idea how apparmor works but would you know how to adjust its settings so I can leave it on?
Thanks.
Submitted by JamieCameron on Sat, 09/01/2012 - 20:06 Comment #3
I'm not sure how to configure apparmor .. but unless it is providing some significant benefit to you, I would advise turning it off.
Submitted by bksunday on Sat, 09/01/2012 - 20:59 Comment #4
I don't have a significant usage of it. To be honest I have no idea either how to configure it or what benefits I gain from it, so I will disable it for now. But wouldn't the Virtualmin auto-installer script do that automatically if it were useless and troublesome by default on Ubuntu 12.04? (or 12.04.1)
Submitted by bksunday on Sat, 09/01/2012 - 22:40 Comment #5
I will settle with disabling apparmor for /usr/sbin/named instead of the whole apparmor.
Here are the steps to do so.
step 1: install apparmor-utils
sudo apt-get install apparmor-utils
step 2: disable the /usr/sbin/named profile
sudo aa-disable /etc/apparmor.d/usr.sbin.named
Done and problem fixed.
* Should you instead want to have the apparmor profile for /usr/sbin/named adjusted, there are instructions for that available at: https://wiki.ubuntu.com/DebuggingApparmor
Submitted by JamieCameron on Sun, 09/02/2012 - 00:03 Comment #6
That seems like the best option. I will look into having the Virtualmin install disable apparmor automatically..
Submitted by Issues on Sun, 09/16/2012 - 00:08 Comment #7
Automatically closed -- issue fixed for 2 weeks with no activity.
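
Added example (not part of the original thread, and not Virtualmin or Ubuntu code): comment #5 mentions adjusting the /usr/sbin/named profile instead of disabling it. This Python script parses the DENIED record from the original post and derives a candidate file rule to review; the second and third sample lines, the directory-wide `/**` glob and the choice to group rules per profile are assumptions.

```python
import shlex
from collections import defaultdict
from posixpath import dirname

# Audit mask letters -> profile permission letters. The kernel reports
# "c" (create) and "d" (delete) separately; in a profile both fall under "w".
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "l": "l", "k": "k", "m": "m",
                "c": "w", "d": "w"}
PERM_ORDER = "rwalkm"

# Line 1 is the record quoted in the original post; lines 2 and 3 are constructed.
SAMPLE = [
    'Sep 1 11:15:48 tt1 kernel: [165998.653837] type=1400 audit(1346512548.355:239): apparmor="DENIED" operation="link" parent=15751 profile="/usr/sbin/named" name="/var/lib/bind/db-ldjjTVPa" pid=15753 comm="named" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/var/lib/bind/disney.com.hosts"',
    'Sep 1 11:20:00 tt1 kernel: [166250.000000] type=1400 audit(1346512800.000:240): apparmor="DENIED" operation="open" parent=15751 profile="/usr/sbin/named" name="/srv/zones/example.org.hosts" pid=15753 comm="named" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    'Sep 1 11:20:01 tt1 named[15753]: zone example.org/IN: transfer started',
]

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    body = line[line.index("apparmor="):]
    return dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)

def candidate_rules(lines):
    """Merge denials per profile and directory into candidate rule lines."""
    wanted = defaultdict(set)
    for line in lines:
        fields = parse_denial(line)
        if not fields or "name" not in fields:
            continue
        perms = {MASK_TO_PERM[c] for c in fields.get("denied_mask", "") if c in MASK_TO_PERM}
        if perms:
            # Temp names such as db-ldjjTVPa are random, so glob the directory.
            wanted[(fields["profile"], dirname(fields["name"]) + "/**")] |= perms
    rules = defaultdict(list)
    for profile, glob in sorted(wanted):
        perms = wanted[(profile, glob)]
        rules[profile].append("%s %s," % (glob, "".join(p for p in PERM_ORDER if p in perms)))
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE).items():
        print("profile %s:\n  %s" % (profile, "\n  ".join(lines)))
```

The emitted rule is a starting point for review: narrow the glob to the files named actually needs to link before adding it to the profile.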