Bug 1470996

Summary: named-chroot cannot start due to dynamic DNS: permission denied
Product: Red Hat Enterprise Linux 6
Reporter: Petr Sklenar <psklenar>
Component: preupgrade-assistant-el6toel7
Assignee: Petr Stodulka <pstodulk>
Status: CLOSED WONTFIX
QA Contact: Alois Mahdal <amahdal>
Severity: high
Priority: high
Version: 6.10
Keywords: Extras
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-07-01 16:43:51 UTC
Type: Bug
Bug Blocks: 1429926

Description Petr Sklenar 2017-07-14 08:51:04 UTC
Description of problem:
After migrating to el7, named-chroot cannot start.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. have a default config with named-chroot:

cat /var/named/chroot/etc/named.conf 
options {
	listen-on port 53 { 127.0.0.1; } ;
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
# ^ this is the reason why it doesn't start on el7 ^^^
};

zone "mydomain.com" IN {
      type master;
      file "mydomain.com.zone";
      allow-update { none; };
};

2.
cat /var/named/chroot/var/named/mydomain.com.zone 
$TTL 86400
@   IN  SOA     ns1.mydomain.com. root.mydomain.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
		IN	NS		ns1.mydomain.com.
		IN	NS		ns2.mydomain.com.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1		IN	A		1.1.1.1
ns2		IN	A		2.2.2.2

; Define hostname -> IP pairs which you wish to resolve
@		IN	A		3.3.3.3
www		IN	A		3.3.3.3

[root@localhost ~]# ls -la /var/named/chroot/etc/named.conf 
-rw-r-----. 1 root named 848 Jul 13 07:48 /var/named/chroot/etc/named.conf


3.
rhel6: service named start (/etc/sysconfig/named is configured as chrooted)

4. preupg

5. redhat-upgrade-tool --network 7.4  --instrepo http://download.eng.brq.redhat.com/pub/rhel/nightly/RHEL-7.4-20170707.n.0/compose/Server/x86_64/os/  --nogpgcheck --addrepo optional=http://download.eng.brq.redhat.com/rel-eng/RHEL-7.4-20170707.n.0/compose/Server-optional/x86_64/os/

6. reboot, and named-chroot cannot start
but similar config for named works!

Actual results:
 systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-07-14 04:31:26 EDT; 1s ago
  Process: 31349 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=1/FAILURE)
  Process: 31344 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 14 04:31:26 localhost.localdomain named[31350]: could not create /var/run/named/session.key
Jul 14 04:31:26 localhost.localdomain named[31350]: failed to generate session key for dynamic DNS: permission denied
Jul 14 04:31:26 localhost.localdomain named[31350]: sizing zone task pool based on 1 zones
Jul 14 04:31:26 localhost.localdomain named[31350]: invalid managed-keys-directory /var/named/chroot/var/named/dynamic: file not found
Jul 14 04:31:26 localhost.localdomain named[31350]: loading configuration: file not found
Jul 14 04:31:26 localhost.localdomain named[31350]: exiting (due to fatal error)
Jul 14 04:31:26 localhost.localdomain systemd[1]: named-chroot.service: control process exited, code=exited status=1
Jul 14 04:31:26 localhost.localdomain systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jul 14 04:31:26 localhost.localdomain systemd[1]: Unit named-chroot.service entered failed state.
Jul 14 04:31:26 localhost.localdomain systemd[1]: named-chroot.service failed.


Expected results:
default config with named-chroot starts well on el7

Additional info:

Comment 2 Petr Stodulka 2019-07-01 16:43:51 UTC
Closing this bugzilla as the component is under a maintenance mode in which the maintainers are going to fix only critical bugs. If you consider the bugzilla critical, feel free to reopen the bug with an explanation.
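
A pre-start check for the two path errors in the log from the description (the missing managed-keys-directory and the session.key directory), as an added example that is not part of the bug report or of the preupgrade-assistant code. The function names are hypothetical, the option list is limited to the path options shown in the reported named.conf, and the demo chroot is constructed.

```shell
#!/bin/bash
# Added example (not from the bug report): find directories that a chrooted
# named needs but that do not exist under the chroot root.

# Print the chroot-relative directories named.conf depends on, one per line.
named_required_dirs() {
    awk -F'"' '
        # options whose value is itself a directory
        $1 ~ /^[ \t]*(directory|managed-keys-directory)[ \t]+$/ { print $2 }
        # options whose value is a file: the parent directory must exist
        $1 ~ /^[ \t]*(dump-file|statistics-file|memstatistics-file)[ \t]+$/ {
            p = $2; sub(/\/[^\/]*$/, "", p); print p
        }
        # session.key directory, taken from the logged error message
        END { print "/var/run/named" }
    ' "$1" | LC_ALL=C sort -u
}

# Print every required directory that is missing under chroot root $1.
missing_in_chroot() {
    named_required_dirs "$2" | while IFS= read -r d; do
        [ -d "$1$d" ] || printf '%s\n' "$1$d"
    done
}

# Demo on a constructed chroot that mirrors the reported state.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/named/data"
    cat > "$root/etc/named.conf" <<'EOF'
options {
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	managed-keys-directory "/var/named/dynamic";
};
EOF
    missing_in_chroot "$root" "$root/etc/named.conf" | sed "s|^$root|<chroot>|"
    rm -rf "$root"
}

# With arguments: check a real chroot. Without: run the constructed demo.
if [ "$#" -eq 2 ]; then missing_in_chroot "$1" "$2"; else demo; fi
```

Run against a real system as `sh check.sh /var/named/chroot /var/named/chroot/etc/named.conf`; empty output means every directory exists, but ownership and SELinux labels are not checked.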