Hello,
Firstly, thank you very much to those who make this powerful and
optimized software possible !!
I've had it running on Debian 9 and now I have it running on Debian 10.
But now there is a small inconvenience, I cannot get the logs written.
I have tried both /var/log/nsd.log and /var/log/nsd/nsd.log.
I have also tried changing permissions.
This is what /var/log/daemon.log shows immediately after restarting
NSD:
...
Oct 23 15:46:13 dhcppc1 nsd[2378]: [2019-10-23 15:46:13.314] nsd[2380]:
warning: signal received, shutting down...
Oct 23 15:46:13 dhcppc1 nsd[2378]: [2019-10-23 15:46:13.316] nsd[2380]:
warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
Oct 23 15:46:13 dhcppc1 systemd[1]: Stopping Name Server Daemon...
Oct 23 15:46:13 dhcppc1 systemd[1]: nsd.service: Succeeded.
Oct 23 15:46:13 dhcppc1 systemd[1]: Stopped Name Server Daemon.
Oct 23 15:46:13 dhcppc1 systemd[1]: Starting Name Server Daemon...
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file
system)$
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
warning: chown /var/log/nsd/nsd.log failed: No such file or directory
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
notice: nsd starting (NSD 4.1.26)
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation
not perm$
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation
not perm$
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.518] nsd[2401]:
info: setup SSL certificates
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.566] nsd[2402]:
info: zonefile /etc/nsd/zones/...
...
I would appreciate help on this topic.
Best regards.
José Luis
2 things coming to my mind:
- chroot enabled? -> nsd-checkconf -o chroot /path/to/nsd.conf
- systemd is doing unexpected stuff
Andreas
Thanks Andreas,
The output of
/usr/sbin/nsd-checkconf -o chroot /etc/nsd/nsd.conf
is empty.
I don't know what tests to do with systemd.
José Luis
Hi José,
What are the permissions of the /var/log/nsd.log directory and what
user are you executing nsd as? Might be wise to check if the systemd
unit has the same user configured.
Default unit file for nsd is located at /lib/systemd/system/nsd.service
on Debian.
Another question: did you upgrade the Debian 9 machine to Debian 10 or
did you do a fresh install and copy the configuration file? Maybe the
uid of the user on the Debian 9 machine doesn't match the nsd user on
the Debian 10 machine?
Best regards,
Jeroen
Could you provide the output of this:
systemctl cat nsd
A read only file system sounds like "ProtectSystem=strict" or some other
protection.
Simon
Thanks Jeroen,
About permissions and owners:
For /var/log/nsd.log, the directory /var/log/ has 755 root:root
For /var/log/nsd/nsd.log, I created alternatively a directory
/var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
owners.
As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
cat /lib/systemd/system/nsd.service
[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target
[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d
ExecReload=+/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
[Install]
WantedBy=multi-user.target
I have done a fresh installation of Debian 10 and also rewrote each
configuration file.
A detail that I do not know if it can be important, previously NSD
worked on a 32-bit architecture computer and now is working on another
computer but with 64-bit architecture.
Best regards.
José Luis
ProtectSystem=strict turns most of the hierarchy into read only mounts
so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
them to be writable by nsd itself. This is normally not needed as
logging goes through syslog by default but you are likely using
"logfile" in nsd.conf.
To add that ReadWritePaths directive:
sudo systemctl edit nsd
Then type and save the following:
[Service]
ReadWritePaths=/var/log/nsd
This will create an override file supplementing the package provided
unit with your local config.
HTH,
Simon
The systemd unit shows nsd is executed with "-d", that causes it to not
fork. Judging by the ReadWritePaths in the original unit file, the
original intent was maybe for nsd to log to stdout and then have
systemd write it to the journal(?) Maybe that bit changed between
Debian versions?
You could try not logging to a file by removing it from the
configuration and see if the output still ends up in the journal.
Alternatively, Simon's answer seems to make sense, so you can take that
route too.
- Jeroen
Thanks Simon,
Exactly, there was the problem !!
I just discovered it at the same time you wrote with the data provided
by Andreas and Jeroen
Thank you very much to all three for guiding me !!!
Here is what I did:
mkdir -p /var/log/nsd
chown nsd:nsd /var/log/nsd
nano /etc/nsd/nsd.conf
...
logfile: "/var/log/nsd/nsd.log"
...
cp /lib/systemd/system/nsd.service{,_original}
nano /lib/systemd/system/nsd.service
...
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
...
systemctl daemon-reload <--- !!!!
systemctl restart nsd
Thank you very much again, best regards !!
José Luis
Hello,
** José Luis Artuch <zenbakaitz@speedy.com.ar> [2019-10-24 10:38:43 -0300]:
> Thanks Simon,
> Exactly, there was the problem !!
> I just discovered it at the same time you wrote with the data provided
> by Andreas and Jeroen
> Thank you very much to all three for guiding me !!!
> Here what I did:
> mkdir -p /var/log/nsd
> chown nsd:nsd /var/log/nsd
> nano /etc/nsd/nsd.conf
> ...
> logfile: "/var/log/nsd/nsd.log"
> ...
> cp /lib/systemd/system/nsd.service{,_original}
> nano /lib/systemd/system/nsd.service
> ...
> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
> ...
And you didn't follow good advice:
$ sudo systemctl edit nsd
Next NSD upgrade will overwrite your changes and you will again come to
ML and will again ask the same question. Don't invent the wheel and
NEVER touch system configuration file IF there is alternative.
If/when nsd's package is updated, your custom edits will be lost. That's
why I suggested the "systemctl edit" way to just add a local
override/drop-in file that would survive package updates.
Regards,
Simon
Thanks Jeroen,
If I do:
nano /etc/nsd/nsd.conf
...
# logfile: "/var/log/nsd/nsd.log"
...
systemctl restart nsd
This is the output of journalctl:
journalctl -u nsd.service --since today
oct 24 10:53:26 dhcppc1 nsd[6937]: signal received, shutting down...
oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.281] nsd[6937]:
warning: signal received, shutting down...
oct 24 10:53:26 dhcppc1 nsd[6937]: failed to unlink pidfile
/run/nsd/nsd.pid: Permission denied
oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.284] nsd[6937]:
warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
oct 24 10:53:26 dhcppc1 systemd[1]: Stopping Name Server Daemon...
oct 24 10:53:26 dhcppc1 systemd[1]: nsd.service: Succeeded.
oct 24 10:53:26 dhcppc1 systemd[1]: Stopped Name Server Daemon.
oct 24 10:53:26 dhcppc1 systemd[1]: Starting Name Server Daemon...
oct 24 10:53:26 dhcppc1 nsd[6965]: nsd starting (NSD 4.1.26)
oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...)
failed for udp: Operation not permitted
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]:
notice: nsd starting (NSD 4.1.26)
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]:
error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation
not permi
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]:
error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation
not permi
oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...)
failed for tcp: Operation not permitted
oct 24 10:53:26 dhcppc1 nsd[6965]: setup SSL certificates
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.483] nsd[6965]:
info: setup SSL certificates
oct 24 10:53:26 dhcppc1 nsd[6967]: zonefile /etc/nsd/zones/...
...
oct 24 10:53:26 dhcppc1 nsd[6967]: nsd started (NSD 4.1.26), pid 6965
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.584] nsd[6967]:
notice: nsd started (NSD 4.1.26), pid 6965
oct 24 10:53:26 dhcppc1 systemd[1]: Started Name Server Daemon.
Best regards.
José Luis
Thanks Vladimir,
I was about to ask if I had solved the problem correctly. I did it my
way while in parallel Simon answered me and now with your notice I read
in Simon's answer the correct way to do it
I must study Systemd, practically I don't know how it works.
Best regards.
José Luis
Thanks Simon,
I did everything again, but now running
sudo systemctl edit nsd
and saving
[Service]
ReadWritePaths=/var/log/nsd
Then I have run
sudo systemctl daemon-reload
sudo systemctl restart nsd
Since the change was not reflected in /lib/systemd/system/nsd.service,
I restarted the system, but the change is still not reflected in
/lib/systemd/system/nsd.service and the log is not written.
What other change should I make?
Best regards.
José Luis
Hi José,
> Thanks Simon,
> I did everything again, but now running
> sudo systemctl edit nsd
> and saving
> [Service]
> ReadWritePaths=/var/log/nsd
> Then I have run
> sudo systemctl daemon-reload
> sudo systemctl restart nsd
> Since the change was not reflected in /lib/systemd/system/nsd.service,
> I restarted the system, but the change is still not reflected in
> /lib/systemd/system/nsd.service and the log is not written.
> What other change should I make?
The changes will not be reflected in /lib/systemd/system/nsd.service,
instead a new file will be written in /etc/systemd/system/nsd.service
which should reflect your changes(?).
This is done so that changes are kept through upgrades, which is the
point that both Simon and Vladimir are making.
Hope that helps.
> Best regards.
> José Luis
> > cp /lib/systemd/system/nsd.service{,_original}
> > nano /lib/systemd/system/nsd.service
>
> If/when nsd's package is updated, your custom edits will be lost.
> That's
> why I suggested the "systemctl edit" way to just add a local
> override/drop-in file that would survive package updates.
>
> Regards,
> Simon
- Jeroen
Hi Jeroen,
Ah, ok, ok ... But how do I get the log written now ? ...
Best regards.
José Luis
Hi,
I think this is actually what you'd want. It's not complaining about
the log file anymore. Just the pid file, probably the same type of
problem. And you probably want to disable the ip-transparent option(?)
- Jeroen
> Thanks Simon,
> I did everything again, but now running
> sudo systemctl edit nsd
> and saving
> [Service]
> ReadWritePaths=/var/log/nsd
> Then I have run
> sudo systemctl daemon-reload
Reloading is not needed as "edit" takes care of this once you save.
> sudo systemctl restart nsd
> Since the change was not reflected in /lib/systemd/system/nsd.service,
That is correct. The drop-in files are stored in
/etc/systemd/system/nsd.service.d/*.conf (override.conf by default).
"systemctl cat nsd" will list the various files it aggregates to form
the resulting unit definition.
> I restarted the system, but the change is still not reflected in
> /lib/systemd/system/nsd.service and the log is not written.
> What other change should I make?
In theory nothing else is needed. Do you still get the error about
read-only FS? If yes, make sure your nsd.conf points to a file under the
directory /var/log/nsd.
Simon
This would have been with "systemctl edit --full nsd" (note the --full).
This is essentially forking the package provided version and shadowing
it for good. This, I believe, is also not desirable because you'd then
miss out on the future improvement by your package maintainer.
Using "systemctl edit nsd" instead will create
/etc/systemd/system/nsd.service.d/override.conf with *just* the local delta.
Simon
Hi Simon,
Very well, I applied changes only with
sudo systemctl edit nsd
and effectively:
cat /etc/systemd/system/nsd.service.d/override.conf
[Service]
ReadWritePaths=/var/log/nsd
Best regards.
José Luis
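Added example (not part of the original thread, and not NSD, Debian or systemd code): a Python check of the rule Simon describes, that under ProtectSystem=strict a path is writable only when it lies under a ReadWritePaths= entry, and that the drop-in from "systemctl edit nsd" appends to the packaged unit's list. The unit snippets are constructed from the lines quoted in the thread, the function names are hypothetical, and file ownership and permissions are not modelled.

```python
import posixpath

# Constructed sample: the two sandbox lines of the packaged nsd.service quoted
# in the thread, and the drop-in written by "systemctl edit nsd".
PACKAGED_UNIT = """\
[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
"""
DROP_IN = """\
[Service]
ReadWritePaths=/var/log/nsd
"""

def effective_settings(*unit_texts):
    """Merge [Service] settings in load order: packaged unit first, drop-ins after."""
    protect, rw_paths = "no", []
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("["):
                section = line
                continue
            if section != "[Service]" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "ProtectSystem":
                protect = value
            elif key == "ReadWritePaths":
                # List setting: each assignment appends, an empty one resets.
                rw_paths = rw_paths + value.split() if value else []
    return protect, rw_paths

def on_writable_mount(path, protect, rw_paths):
    """True if the sandbox leaves `path` writable (file permissions aside)."""
    if protect != "strict":
        raise ValueError("only ProtectSystem=strict is modelled here")
    path = posixpath.normpath(path)
    # A leading "-" (ignore if missing) or "+" (relative to the unit's root) is dropped.
    allowed = [posixpath.normpath(p.lstrip("-+")) for p in rw_paths]
    allowed += ["/dev", "/proc", "/sys"]  # not made read-only by strict
    return any(path == a or path.startswith(a.rstrip("/") + "/") for a in allowed)

if __name__ == "__main__":
    for units in ((PACKAGED_UNIT,), (PACKAGED_UNIT, DROP_IN)):
        protect, rw = effective_settings(*units)
        print(rw, on_writable_mount("/var/log/nsd/nsd.log", protect, rw))
```

On a live host, "systemctl cat nsd" prints the packaged unit and its drop-ins in the order they are merged, which is the input this check expects.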