Logging error on /etc/nsd/nsd.log

Dear All,

I have recently shifted my Authoritative DNS server from very old TinyDNS to NSD. Presently it is in a very primitive stage, but working absolutely fine.

I have installed NSD on Debian Testing because I could find a relatively newer version of NSD on Debian Testing. I am running the NSD version 4.5.0. I am enabling the NSD logging to /var/log/nsd.log. When I check the status of the NSD daemon by “systemctl status nsd”, I get the following error message.

Jun 18 20:39:02 ns1 systemd[1]: Starting Name Server Daemon…
Jun 18 20:39:02 ns1 nsd[1884]: [2022-06-18 20:39:02.460] nsd[1884]: error: Cannot open /var/log/nsd.log for appending (Permission denied), logging to stderr
Jun 18 20:39:02 ns1 nsd[1884]: [2022-06-18 20:39:02.460] nsd[1884]: warning: chown /var/log/nsd.log failed: Read-only file system
Jun 18 20:39:02 ns1 nsd[1884]: [2022-06-18 20:39:02.460] nsd[1884]: notice: nsd starting (NSD 4.5.0)
Jun 18 20:39:02 ns1 nsd[1885]: [2022-06-18 20:39:02.607] nsd[1885]: notice: nsd started (NSD 4.5.0), pid 1884
Jun 18 20:39:02 ns1 systemd[1]: Started Name Server Daemon.

Although the NSD service starts properly, logging is not working. I want to enable logging for the NSD replication, which is not installed as yet.

I want to know what the solution to this problem can be. Is this related to Debian Testing, and will it work fine on Debian stable? Should I use another distribution (Rocky) for NSD, which won’t have this problem?

If somebody has faced a similar problem, or has any suggestions related to the above problem, it will be of great help to me.

Thank you all.

Mukul

Hello,

I assume a fault in the systemd unit file.
See https://sources.debian.org/src/nsd/4.5.0-1/debian/nsd.service/#L22
Maybe /var/log is missing there.

You may try to let NSD log to /run (which may not be /run on your system).

Or you can try to start NSD without systemd: /usr/sbin/nsd -d -c /path/to/nsd.conf
and make sure no logfile is set, so NSD logs to STDOUT.

Andreas

Dear Andreas

Thanks for the reply

I want to log to a separate log file, very handy for setting up of NSD replication, STDOUT is not a viable option.
Logging to /run (which exists in Debian Testing), is a viable option. For that matter, any other folder like /etc/nsd itself.
I would better change the distribution, if no proper solution could be found out.

Thanks.

Mukul

Hi Mukul,

The systemd unit shipped by Debian assumes default logging to syslog. As such, the systemd unit needs to be edited if you want file logging:

   sudo systemctl edit nsd # will open $EDITOR

Then put the following and save:

   # Allow file logging to dedicated dir
   ReadWritePaths=/var/log/nsd

And create the directory and restart NSD:

   sudo mkdir /var/log/nsd
   sudo chown nsd: /var/log/nsd
   sudo systemctl restart nsd

The above has NSD log to a subdirectory as it is safer than granting write access to all /var/log.

HTH,
Simon

It did not work.
Same error

Please share the NSD config you are using, I'll try to reproduce locally.

After doing the above steps, I have modified the nsd.conf to have a line:
logfile: "/var/log/nsd/nsd.log"

It gives the same error.

My wild guess is that the /var and /var/log has no write permission for nsd user.
So, even if I point the log file to /var/log/nsd/nsd.conf, it’s the same thing as default pointing to /var/log/nsd.conf.

I think, just to make Debian able to write logs to a file is a big issue. Better to shift to another distribution.
Can anybody confirm if this is not an issue on CentOS or OpenBSD?

Oops, my bad, I forgot to include "[Service]" in the `systemctl edit` snippet. You need to put the following in the $EDITOR:

   [Service]
   # Allow file logging to dedicated dir
   ReadWritePaths=/var/log/nsd

Then restart NSD. Then to have NSD create the file, I called: `sudo nsd-control stats`.

No, that’s not the problem. Shifting to another distribution will not help you if you don’t know what you are doing.

The user nsd is running under has no write permissions to the location listed, and it could be more things - non-matching permissions on the log-file, non-matching permissions on the directory, AppArmor profile, SELinux profile, chroot/jail.

You are not sharing the whole story, just tiny bits, so it’s really hard to help you.

Ondrej

Shifting to another distribution will solve the problem indeed.
This seems to be a long pending problem in Debian, it seems.

It has been discussed thoroughly before in this forum, but I could not see any helpful solution.

https://forums.raspberrypi.com/viewtopic.php?t=247931
https://www.mail-archive.com/nsd-users@nlnetlabs.nl/msg00082.html

What to share the whole story, I don't know. Very simple “cannot write logs to /var/log/nsd.log” with the error message I have posted in the first instance. What's the whole story in this case?

Thanks.

Mukul

Problem persists, just for the information to the others.

Thanks.

Mukul

On Debian Sid with NSD 4.5.0 deb + the `systemctl edit` it works for me so there must be something else going on.

Simon

Dear Simon

Please list down the exact steps.

Thank you.

Mukul

I run a different OS so I first create a Debian VM:

$ lxc launch images:debian/sid sid-nsd --vm
$ lxc shell sid-nsd

Now inside the VM:

# get systemd-resolved out of the way
echo DNSStubListener=no >> /etc/systemd/resolved.conf
systemctl restart systemd-resolved

# install NSD
apt-get update
apt-get install -y nsd

# simulate `systemctl edit nsd`
mkdir -p /etc/systemd/system/nsd.service.d
cat << EOF > /etc/systemd/system/nsd.service.d/override.conf
[Service]
# Allow file logging to dedicated dir
ReadWritePaths=/var/log/nsd
EOF
systemctl daemon-reload

# setup logging to file
mkdir -p /var/log/nsd
chown nsd: /var/log/nsd
sed -i 's|log-only-syslog: yes$|logfile: "/var/log/nsd/nsd.log"|' \
     /etc/nsd/nsd.conf
systemctl restart nsd

# have NSD create the log file
nsd-control stats

And it works:
root@sid-nsd:~# ls -l /var/log/nsd/
total 0
-rw-r--r-- 1 nsd nsd 0 Jun 20 17:48 nsd.log

HTH,
Simon
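
A check for the sandbox condition this thread turns on, added here as an example and not part of any poster's message or of the Debian package. It assumes the unit runs with ProtectSystem=strict (the thread only shows the ReadWritePaths= override, so that is an assumption); the function names and the two sample property sets are constructed for illustration.

```shell
#!/bin/sh
# Decide from `systemctl show` output whether a log path is writable inside a
# ProtectSystem=strict sandbox. Live use:
#   sandbox_verdict "$(systemctl show nsd -p ProtectSystem -p ReadWritePaths)" \
#       /var/log/nsd/nsd.log

# covered_by PATH ENTRY: succeeds if PATH is ENTRY itself or lies below it.
# Matching is per path component, so /var/log/nsd does NOT cover /var/log/nsd.log.
covered_by() {
    base=${2%/}
    case "$1" in
        "$base"|"$base"/*) return 0 ;;
    esac
    return 1
}

# sandbox_verdict PROPS PATH: prints one of
#   not-strict        ProtectSystem is not "strict"; this check does not apply
#   rw-listed:ENTRY   PATH is exempted by the ReadWritePaths entry ENTRY
#   read-only         PATH is on the read-only side of the sandbox
sandbox_verdict() {
    props=$1
    path=$2
    protect=$(printf '%s\n' "$props" | sed -n 's/^ProtectSystem=//p')
    rw=$(printf '%s\n' "$props" | sed -n 's/^ReadWritePaths=//p')
    if [ "$protect" != "strict" ]; then
        echo "not-strict"
        return 0
    fi
    for entry in $rw; do
        entry=${entry#[-+]}          # drop systemd's optional "-" / "+" prefix
        if covered_by "$path" "$entry"; then
            echo "rw-listed:$entry"
            return 0
        fi
    done
    echo "read-only"
}

# Constructed samples (not captured from a real host): a unit before and
# after a drop-in that adds ReadWritePaths=/var/log/nsd.
SAMPLE_BEFORE='ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run'
SAMPLE_AFTER='ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd'

echo "before, /var/log/nsd.log:     $(sandbox_verdict "$SAMPLE_BEFORE" /var/log/nsd.log)"
echo "after,  /var/log/nsd/nsd.log: $(sandbox_verdict "$SAMPLE_AFTER" /var/log/nsd/nsd.log)"
echo "after,  /var/log/nsd.log:     $(sandbox_verdict "$SAMPLE_AFTER" /var/log/nsd.log)"
```

A "read-only" verdict after the override means the logfile: setting in nsd.conf still points outside the exempted directory; a "rw-listed" verdict with logging still failing points to directory ownership or the other causes listed in the thread.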