Submitted by Locutus on Fri, 09/21/2012 - 14:58
I installed an Ubuntu 12.04 64-bit on a virtual machine, Virtualmin GPL on it, and configured it to be a DNS cluster slave for another VM.
When a new zone gets created on the master, the .hosts file on the slave gets created with owner "root:bind" instead of "bind:bind", permissions 644.
Result: During the subsequent zone transfer, bind is not allowed to overwrite the file.
I haven't had this happen on Ubuntu 10.04 yet; I'm unsure what exactly is the cause of this. Eric, can you reproduce this behavior?
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Fri, 09/21/2012 - 15:42 Comment #1
This is a bug in Webmin versions before 1.600 - however, the 1.600 release is coming out in a few days, and will fix it.
Also, you can work around the issue now by going to the BIND DNS Server module, clicking on the Module Config link, going to the "Zone file options" section and setting the "Owner for zone files (user:group)" field.
Submitted by Locutus on Fri, 09/21/2012 - 15:53 Comment #2
Thanks Jamie! The suggested change fixed the ownership problem.
Another issue popped up though, which obviously has to do with AppArmor on Ubuntu:
Sep 21 22:44:20 aurora kernel: [32192.974621] type=1400 audit(1348260260.223:38): apparmor="DENIED" operation="link" parent=1 profile="/usr/sbin/named" name="/var/lib/bind/db-wFUYyWmQ" pid=26585 comm="named" requested_mask="l" denied_mask="l" fsuid=107 ouid=107 target="/var/lib/bind/testabc.de.hosts"
This happens just before the zone transfer starts.
Does Virtualmin in general suggest to turn off AppArmor? I have the feeling it causes more problems than it helps prevent. :)
Submitted by JamieCameron on Fri, 09/21/2012 - 15:56 Comment #3
Yes, disable AppArmor - it causes all sorts of problems for Virtualmin, and is impossible for us to debug :-(
Submitted by Locutus on Fri, 09/21/2012 - 16:13 Comment #4
Alrighty, AppArmor is killed, and zone transfer for the fresh zone works now.
Just one thing is still odd: An empty temporary file is left behind in the zone file directory. According to syslog, the empty zone file was renamed before the zone transfer started.
I've created a lot of zones under Ubuntu 10.04 using the cluster slave thingy, and this never happened. :) Should Webmin be creating an empty zone file at all when a new zone is made through cluster slave?
I'm attaching the syslog excerpt of the "enable-feature --dns" command:
Submitted by JamieCameron on Fri, 09/21/2012 - 16:15 Comment #5
What is the name of this temporary file? It may be created by BIND, not Webmin ..
Submitted by Locutus on Fri, 09/21/2012 - 16:51 Comment #6
The name is exactly the one mentioned in the syslog, "db-XvNjXaWD".
It's possible that BIND creates it... The log sounds like it renames the previously empty zone file to that temporary file. It never did that before -- maybe on Ubuntu 12 it stumbles over the empty zone file that Webmin allegedly creates?
No need to hurry about this though, since it's not critical but merely cosmetic.
Submitted by JamieCameron on Fri, 09/21/2012 - 18:12 Comment #7
Certainly Virtualmin never creates that file. Perhaps BIND creates it, but cannot delete it for some reason?
Does only one file get created per domain, or do they keep accumulating?
Submitted by Locutus on Fri, 09/21/2012 - 19:11 Comment #8
The files accumulate. A new one is created each time I turn the DNS feature off and on.
I agree that VM did not create that file with the odd name. As I said, according to syslog, BIND renamed an empty zone file that appeared right after the zone was created. Don't ask me why it did that.
I am also assuming that the empty zone file WAS created by VMin, because the option which owner to use in the BIND module configuration was effective for that file.
Submitted by Locutus on Sat, 09/22/2012 - 05:07 Comment #9
To sum up what I witnessed during my tests:
The Ubuntu 12.04 is DNS cluster slave, another (Ubuntu 10.04) Virtualmin is the master. I create a new domain on the master.
During domain creation, a 0-byte zone file is created on the slave. At first, the owner of that file was "root:bind" with mode 644, so subsequent BIND accesses failed.
I made the configuration change suggested by Jamie, which fixed the ownership issue. During domain creation, the empty zone file gets created as "bind:bind", and BIND tries to rename it to a random name. AppArmor denied that.
I uninstalled AppArmor. Renaming now works. So, during domain creation, apparently Webmin creates an empty zone file (I suppose it was Webmin, otherwise I wouldn't know why the "ownership" setting would take effect). During the subsequent zone transfer, the empty zone file is renamed (presumably by BIND) to a random file name, and the zone is transferred under the original name.
Assuming Webmin's behavior has not changed in this regard, and it always created an empty zone file as a result of DNS cluster slave zone creation, some change must have been made to BIND which causes it to rename empty zone files before transfer, instead of, like before, simply overwriting them.
Could this syslog entry provide a clue as to why?
Sep 21 23:00:06 aurora named[995]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Another notice:
In the course of some nameserver reorganization, I'm creating zones in a Webmin manually. Doing so, the mentioned empty zone file does get created, as soon as I click "Create" in the "Create slave zone" dialog. When I then click "Apply zone", the transfer is done, and the existing empty zone is renamed to a random filename.
Submitted by JamieCameron on Sat, 09/22/2012 - 13:26 Comment #10
Yes, Webmin will create an empty zone file at domain creation time - that is done so that BIND has permissions to write to it, just in case it doesn't have permissions on the directory. I'm surprised that the renamed file doesn't get deleted by BIND though ..
What are the permissions on the directory containing these zone files? Perhaps the bind user doesn't have permissions to delete them?
Submitted by Locutus on Sat, 09/22/2012 - 17:12 Comment #11
I agree that it should get deleted. There's no real error message about it in the syslog either. The file just stays behind for no apparent reason.
The zone files reside in /var/lib/bind, which is owned by root:bind and has permissions 775, so bind should be able to delete them. The files themselves are owned by bind:bind and perms 644. Also note that, as mentioned before, AppArmor was preventing BIND from renaming the file and stuff, which is something that never happened on Ubuntu 10.
At least we know now that the issue is not directly related to DNS Cluster Slave, but happens in general when Webmin creates a zone. Maybe you can try to reproduce the behavior, to see if there's just something wonky on my system. I don't think there is, but you never know :)
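A small check for the symptoms discussed in comments #2 and #11 (zone files the bind user cannot overwrite, leftover db-* temp files, and the AppArmor "link" denial), added here as an example; it is not code from this thread or from Webmin/Virtualmin, and it assumes Linux with GNU stat, BIND running as user/group "bind", and zone files in /var/lib/bind as in this setup.

```shell
#!/bin/sh
# Added example, not from the thread or from Webmin/Virtualmin.
# Assumes GNU stat (Linux), BIND user/group "bind", zone dir /var/lib/bind.

# check_zone_dir DIR USER: print one finding per line, return 1 if any found.
# A zone file is "writable" if USER owns it, or USER is the group and the
# group-write bit is set, or the file is world-writable.
check_zone_dir() {
  dir="$1"; user="$2"; found=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "${f##*/}" in
      db-*) echo "LEFTOVER temp file: $f"; found=1; continue ;;
    esac
    set -- $(stat -c '%U %G %a' "$f")   # $1=owner $2=group $3=mode
    perm=$(( 0$3 ))                      # octal mode string -> integer
    gw=$(( (perm >> 3) & 2 ))            # group write bit
    ow=$(( perm & 2 ))                   # other write bit
    if [ "$1" = "$user" ] || { [ "$2" = "$user" ] && [ "$gw" -ne 0 ]; } \
       || [ "$ow" -ne 0 ]; then
      continue
    fi
    echo "NOT WRITABLE by $user: $f ($1:$2 $3)"; found=1
  done
  return $found
}

# apparmor_field LINE KEY: value of KEY="..." in an audit line.
apparmor_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# decode_apparmor_denial LINE: one readable line for an apparmor="DENIED"
# record; mask letters are spelled out (l = link, the rename step in #2).
decode_apparmor_denial() {
  line="$1"
  case "$line" in *'apparmor="DENIED"'*) ;; *) return 1 ;; esac
  op=$(apparmor_field "$line" operation); mask=$(apparmor_field "$line" denied_mask)
  name=$(apparmor_field "$line" name);    target=$(apparmor_field "$line" target)
  profile=$(apparmor_field "$line" profile); words=""
  case "$mask" in *r*) words="$words read";; esac
  case "$mask" in *w*) words="$words write";; esac
  case "$mask" in *l*) words="$words link";; esac
  case "$mask" in *k*) words="$words lock";; esac
  printf '%s: %s denied (mask %s =%s) on %s' "$profile" "$op" "$mask" "$words" "$name"
  [ -z "$target" ] || printf ' target %s' "$target"
  printf '\n'
}

# The denial line from comment #2, used as sample input.
SAMPLE_DENIAL='Sep 21 22:44:20 aurora kernel: [32192.974621] type=1400 audit(1348260260.223:38): apparmor="DENIED" operation="link" parent=1 profile="/usr/sbin/named" name="/var/lib/bind/db-wFUYyWmQ" pid=26585 comm="named" requested_mask="l" denied_mask="l" fsuid=107 ouid=107 target="/var/lib/bind/testabc.de.hosts"'
```

Run as `sh check.sh` after appending `check_zone_dir /var/lib/bind bind; decode_apparmor_denial "$SAMPLE_DENIAL"`; the decoder can also be fed live lines with `grep 'apparmor="DENIED"' /var/log/syslog`.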
Submitted by JamieCameron on Sun, 09/23/2012 - 12:32 Comment #12
Some users have reported this before ... but I've never seen it on my systems :-(
Submitted by Issues on Sun, 10/07/2012 - 12:46 Comment #13
Automatically closed -- issue fixed for 2 weeks with no activity.