nkv | 3 | permissions dns bind 14.04
I'm having problems with bind9 on 14.04 LTS.
sudo service bind9 start produces the following log
May 20 21:47:46 c1 named[1110]: starting BIND 9.9.5-3-Ubuntu -u bind
May 20 21:47:46 c1 named[1110]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
May 20 21:47:46 c1 named[1110]: ----------------------------------------------------
May 20 21:47:46 c1 named[1110]: BIND 9 is maintained by Internet Systems Consortium,
May 20 21:47:46 c1 named[1110]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 20 21:47:46 c1 named[1110]: corporation. Support and training for BIND 9 are
May 20 21:47:46 c1 named[1110]: available at https://www.isc.org/support
May 20 21:47:46 c1 named[1110]: ----------------------------------------------------
May 20 21:47:46 c1 named[1110]: adjusted limit on open files from 4096 to 1048576
May 20 21:47:46 c1 named[1110]: found 2 CPUs, using 2 worker threads
May 20 21:47:46 c1 named[1110]: using 2 UDP listeners per interface
May 20 21:47:46 c1 named[1110]: using up to 4096 sockets
May 20 21:47:46 c1 named[1110]: loading configuration from '/etc/bind/named.conf'
May 20 21:47:46 c1 named[1110]: reading built-in trusted keys from file '/etc/bind/bind.keys'
May 20 21:47:46 c1 named[1110]: using default UDP/IPv4 port range: [1024, 65535]
May 20 21:47:46 c1 named[1110]: using default UDP/IPv6 port range: [1024, 65535]
May 20 21:47:46 c1 named[1110]: listening on IPv4 interface lo, 127.0.0.1#53
May 20 21:47:46 c1 named[1110]: generating session key for dynamic DNS
May 20 21:47:46 c1 named[1110]: sizing zone task pool based on 25 zones
May 20 21:47:46 c1 named[1110]: using built-in DLV key for view _default
May 20 21:47:46 c1 named[1110]: using built-in root key for view _default
May 20 21:47:46 c1 named[1110]: set up managed keys zone for view _default, file 'managed-keys.bind'
May 20 21:47:46 c1 named[1110]: command channel listening on 127.0.0.1#953
May 20 21:47:46 c1 named[1110]: isc_file_isplainfile '/var/log/named/query.log' failed: permission denied
May 20 21:47:46 c1 named[1110]: configuring logging: permission denied
May 20 21:47:46 c1 named[1110]: loading configuration: permission denied
May 20 21:47:46 c1 named[1110]: exiting (due to fatal error)
named.conf.log preview
root@c1:/etc/bind# cat named.conf.log
logging {
channel query_log {
file "/var/log/named/query.log" versions 3 size 5m;
// Set the severity to dynamic to see all the debug messages.
print-category yes;
print-severity yes;
print-time yes;
severity dynamic;
};
channel update_debug {
file "/var/log/named/update_debug.log" versions 3 size 5m;
severity debug ;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/named/security_info.log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel bind_log {
file "/var/log/named/bind.log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category queries {
query_log;
};
category security {
security_info;
};
category update-security {
update_debug;
};
category update {
update_debug;
};
category lame-servers {
null;
};
category default {
bind_log;
};
};
The named-checkconf command returns no errors.
Fixing the problem with file permissions and apparmor
apparmor fix
Full file copy-pasted, excluding the first line
root@c1:/etc/bind# cat /etc/apparmor.d/usr.sbin.named
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
/usr/sbin/named flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/openssl.cnf r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
/proc/net/if_inet6 r,
/proc/*/net/if_inet6 r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
#added line here
/var/log/named/* rw,
/var/log/named/ rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}
bind9 fix
Next I kept changing permissions until it worked.
/var/log/named changes
chown -R bind:root /var/log/named
chmod -R 775 /var/log/named
Result of the above commands
root@c1:/etc/bind# ls -lha /var/log/named/
total 196K
drwxrwxr-x 2 bind root 4,0K ??? 20 20:38 .
drwxrwxr-x 18 root syslog 4,0K ??? 21 00:46 ..
-rwxrwxr-x 1 bind root 6,8K ??? 21 01:20 bind.log
-rwxrwxr-x 1 bind root 0 ??? 20 19:30 bind.log~
-rwxrwxr-x 1 bind root 167K ??? 21 01:21 query.log
-rwxrwxr-x 1 bind root 1 ??? 20 23:14 security_info.log
-rwxrwxr-x 1 bind root 0 ??? 20 19:30 security_info.log~
-rwxrwxr-x 1 bind root 1 ??? 20 23:13 update_debug.log
-rwxrwxr-x 1 bind root 0 ??? 20 19:23 update_debug.log~
/etc/bind changes
chown -R bind:root /etc/bind
chmod -R 774 /etc/bind
Result of the above commands
root@c1:/etc/bind# ls -lha /etc/bind
total 120K
drwxrwsr-- 3 bind root 4,0K ??? 21 00:33 .
drwxr-xr-x 150 root root 12K ??? 21 00:34 ..
-rwxrwxr-- 1 bind root 2,4K ??? 24 18:06 bind.keys
-rwxrwxr-- 1 bind root 237 ??? 24 18:06 db.0
-rwxrwxr-- 1 bind root 271 ??? 24 18:06 db.127
-rwxrwxr-- 1 bind root 237 ??? 24 18:06 db.255
-rwxrwxr-- 1 bind root 353 ??? 24 18:06 db.empty
-rwxrwxr-- 1 bind root 270 ??? 24 18:06 db.local
-rwxrwxr-- 1 bind root 3,0K ??? 24 18:06 db.root
-rwxrwxr-- 1 bind root 860 ??? 20 18:54 named.conf
-rwxrwxr-- 1 bind root 1,1K ??? 20 18:49 named.conf~
-rwxrwxr-- 1 bind root 490 ??? 24 18:06 named.conf.default-zones
-rwxrwxr-- 1 bind root 475 ??? 20 22:24 named.conf.local
-rwxrwxr-- 1 bind root 477 ??? 20 22:22 named.conf.local~
-rwxrwxr-- 1 bind root 1002 ??? 20 23:12 named.conf.log
-rwxrwxr-- 1 bind root 1002 ??? 20 23:11 named.conf.log~
-rwxrwxr-- 1 bind root 1,1K ??? 21 00:33 named.conf.log.save
-rwxrwxr-- 1 bind root 1,4K ??? 20 18:50 named.conf.options
-rwxrwxr-- 1 bind root 1,4K ??? 18 23:23 named.conf.options~
-rwxrwxr-- 1 bind root 77 ??? 20 04:25 rndc.key
drwxrwxr-- 2 bind root 4,0K ??? 18 23:23 zones
-rwxrwxr-- 1 bind root 1,3K ??? 24 18:06 zones.rfc1918
Note:
This bind9 install is not chrooted.
Now Bind9 is working
root@c1:/etc/bind# service bind9 start
* Starting domain name service... bind9 [ OK ]
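The post above gets named running by making the bind user the owner of both /var/log/named and /etc/bind and then applying chmod -R 775 and 774. That is more than the failure needs: the "isc_file_isplainfile ... permission denied" line is a stat() by the bind user failing on /var/log/named/query.log, so the only thing named lacked was search/write access to the log directory. After the recursive chown/chmod, the service user owns and can rewrite its own named.conf, rndc.key and zone files, and the query logs (which record every client IP and queried name) are world-readable and marked executable. The AppArmor profile shown is in complain mode, so it was not what blocked the start. The script below is an added example, not code from the original post: it audits the two trees for bits that should not be set, applies the minimum modes, and proves the result by probing as the service user. It assumes named runs as user "bind" (the "-u bind" in the start-up log), that the package group is also "bind", and the paths from the profile above; the audit is stricter than the Debian package defaults (configs group-readable only) and the apply step needs root.

```shell
#!/bin/sh
# Added example, not from the original post: least-privilege ownership for a
# non-chrooted Debian/Ubuntu bind9 instead of the recursive chmod 775 / 774.
# Assumptions: named runs as user "bind" (the "-u bind" in the log), the
# package group is "bind", paths match the AppArmor profile. "apply" needs root.
set -u

NAMED_USER=${NAMED_USER:-bind}
LOG_DIR=${LOG_DIR:-/var/log/named}
CONF_DIR=${CONF_DIR:-/etc/bind}

# too_open PATH OCTAL_MASK: print every entry under PATH that has any of the
# permission bits in OCTAL_MASK set (find -perm /MASK). Returns 0 when nothing
# matches, 1 when something is too open, 2 when PATH does not exist.
too_open() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 2; }
    found=$(find "$1" -perm /"$2" -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# audit_all: the modes a reviewer would expect on this box.
#   /var/log/named   no group-write, nothing visible to others (027):
#                    query.log records every client IP and name looked up
#   /etc/bind        nothing writable except by root (022), so a compromised
#                    named cannot rewrite its own named.conf or zone files
#   rndc.key, session.key  control-channel secrets, not readable by others (007)
audit_all() {
    rc=0
    too_open "$LOG_DIR" 027 || rc=1
    too_open "$CONF_DIR" 022 || rc=1
    for key in "$CONF_DIR/rndc.key" /run/named/session.key; do
        [ -e "$key" ] && { too_open "$key" 007 || rc=1; }
    done
    return $rc
}

# apply_named_perms: set the minimum named needs, then prove it as the service
# user instead of guessing. The log directory itself must be writable because
# named creates query.log and its rotated "versions" there; the config tree is
# root-owned and group-readable only, matching "/etc/bind/** r," in the profile.
apply_named_perms() {
    chown "$NAMED_USER:$NAMED_USER" "$LOG_DIR"
    chmod 0750 "$LOG_DIR"
    find "$LOG_DIR" -type f -exec chown "$NAMED_USER:$NAMED_USER" {} + -exec chmod 0640 {} +
    chown -R root:"$NAMED_USER" "$CONF_DIR"
    find "$CONF_DIR" -type d -exec chmod 2750 {} +   # setgid keeps new files in group bind
    find "$CONF_DIR" -type f -exec chmod 0640 {} +
    # probe as the service user: log dir searchable and writable, config readable, not writable
    su -s /bin/sh "$NAMED_USER" -c \
        "test -x '$LOG_DIR' && test -w '$LOG_DIR' && test -r '$CONF_DIR/named.conf' && ! test -w '$CONF_DIR/named.conf'"
}

# diagnose: what to check before changing anything. The profile above is in
# complain mode, so the "permission denied" in the log is filesystem DAC, not
# AppArmor; AppArmor events appear in the kernel log as apparmor="DENIED"
# (or apparmor="ALLOWED" while the profile is in complain mode).
diagnose() {
    named-checkconf "$CONF_DIR/named.conf" && echo "named.conf: syntax ok"
    if su -s /bin/sh "$NAMED_USER" -c "test -x '$LOG_DIR' && test -w '$LOG_DIR'"; then
        echo "$NAMED_USER can write $LOG_DIR"
    else
        echo "$NAMED_USER cannot write $LOG_DIR  <- this is what fails in the log above"
    fi
    dmesg | grep 'apparmor=".*profile="/usr/sbin/named"' || echo "no AppArmor events for named"
}

if [ $# -gt 0 ]; then
    case $1 in
        diagnose) diagnose ;;
        audit)    audit_all ;;
        apply)    apply_named_perms && audit_all ;;
        *) echo "usage: $0 diagnose|audit|apply" >&2; exit 2 ;;
    esac
fi
```

Run `sh named-perms.sh diagnose` first; on the box in the post it reports that bind cannot write /var/log/named, which is the whole failure. `sh named-perms.sh apply` then sets the modes and exits non-zero if the probe as the bind user fails, and `audit` alone can be run on any host without root. Against the listings in the post, audit flags every entry under /var/log/named (775/775) and every entry under /etc/bind (774), including rndc.key.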
Views: 20849