Bug 2144069

Summary: proc directory in named chroot path - /var/named/chroot
Product: Red Hat Enterprise Linux 8 Reporter: Amey <abetkike>
Component: bindAssignee: Petr Menšík <pemensik>
Status: CLOSED NOTABUG QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 8.6CC: sbalasub
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-02 12:58:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1950714    
Bug Blocks:    

Description Amey 2022-11-18 20:48:02 UTC 
Description of problem:

In RHEL 8 we see proc directory inside chroot path - this was not the case in RHEL 7, is this an expected change, as I do not see this in changelog?

[root@node-0 quicklab]# ll /var/named/chroot
total 0
drwxr-x---. 2 root named  6 Oct 20 09:20 dev
drwxr-x---. 5 root named 53 Nov 18 14:51 etc
drwxr-xr-x. 3 root root  17 Nov 18 14:51 proc   <<-------
drwxr-x---. 3 root named 19 Nov 18 14:51 run
drwxr-xr-x. 4 root root  32 Nov 18 14:51 usr
drwxr-x---. 5 root named 52 Nov 18 14:51 var

the last reference to proc was in 2008 wherein it was omitted from mounting in chroot 

* Mon Nov 10 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.1.b1
- 9.6.0b1 release
- don't build ODBC and Berkeley DB DLZ drivers
- end of bind-chroot-admin script, copy config files to chroot manually
- /proc doesn't have to be mounted to chroot
- temporary use libbind from 9.5 series, noone has been released for 9.6 yet


Version-Release number of selected component (if applicable):

bind-chroot-9.11.36-5.el8_7.2.x86_64


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Petr Menšík 2023-01-02 12:58:11 UTC 
/proc actually have to be mounted, or at least part of it. To limit possible privacy or attack vector, I have chosen to bind-mount only one required (pseudo) "file", which is ephemeral port ranges. It is used by bind unless port ranges are specified in config file. Our default configuration does not specify it. It ensures bind will use only ports allowed by SELinux policy. It is not needed if SELinux is disabled, but that is not checked by named-chroot script.

Yes, it is expected change. BIND 9.11 started reading /proc/sys/net/ipv4/ip_local_port_range for used port ranges. It will start also without this, but may emit SELinux warnings from time to time.

It was requested by bug #1950714, fixed in bind-9.11.26-8 build. I admit it does not mention proc in changelog. It contains instead:

- Propagate ephemeral port ranges to chroot (#1950714)

Closing with not-a-bug, because I think it is more a question than an issue requiring any change. It is not an error, it is intentional and required. If there is something to fix, please reopen it and explain with more details.

Removing /proc/sys/net/ipv4/ip_local_port_range from /etc/named-chroot.files will cause used port ranges reported during startup into the journal to change.
With /proc used in chroot:
named[4651]: using default UDP/IPv4 port range: [32768, 60999]
named[4651]: using default UDP/IPv6 port range: [32768, 60999]

If /proc is not used in chroot:
named[5198]: using default UDP/IPv4 port range: [1024, 65535]
named[5198]: using default UDP/IPv6 port range: [1024, 65535]

named-chroot.service has to be stopped before the modification of /etc/named-chroot.files