Bug 1470996 - named-chroot cannot start due to dynamic DNS: permission denied
Status: ASSIGNED
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: preupgrade-assistant-el6toel7
Version: 6.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: pstodulk
QA Contact: Alois Mahdal
: Extras
Depends On:
Blocks: 1429926
Reported: 2017-07-14 04:51 EDT by Petr Sklenar
Modified: 2017-09-14 08:11 EDT
CC List: 1 user

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Petr Sklenar 2017-07-14 04:51:04 EDT
Description of problem:
After migrating to el7, named-chroot cannot start.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Have a default config with named-chroot:

cat /var/named/chroot/etc/named.conf 
options {
	listen-on port 53 { 127.0.0.1; } ;
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
# ^ this is the reason why it doesn't start on el7 ^^^
};

zone "mydomain.com" IN {
      type master;
      file "mydomain.com.zone";
      allow-update { none; };
};

2.
cat /var/named/chroot/var/named/mydomain.com.zone 
$TTL 86400
@   IN  SOA     ns1.mydomain.com. root.mydomain.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
		IN	NS		ns1.mydomain.com.
		IN	NS		ns2.mydomain.com.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1		IN	A		1.1.1.1
ns2		IN	A		2.2.2.2

; Define hostname -> IP pairs which you wish to resolve
@		IN	A		3.3.3.3
www		IN	A		3.3.3.3
[root@localhost ~]# ls -la /var/named/chroot/etc/named.conf 
-rw-r-----. 1 root named 848 Jul 13 07:48 /var/named/chroot/etc/named.conf


3.
rhel6: service named start (/etc/sysconfig/named is configured as chrooted)

4. preupg

5. redhat-upgrade-tool --network 7.4  --instrepo http://download.eng.brq.redhat.com/pub/rhel/nightly/RHEL-7.4-20170707.n.0/compose/Server/x86_64/os/  --nogpgcheck --addrepo optional=http://download.eng.brq.redhat.com/rel-eng/RHEL-7.4-20170707.n.0/compose/Server-optional/x86_64/os/

6. Reboot; named-chroot cannot start,
but a similar config for named works!

Actual results:
 systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-07-14 04:31:26 EDT; 1s ago
  Process: 31349 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=1/FAILURE)
  Process: 31344 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 14 04:31:26 localhost.localdomain named[31350]: could not create /var/run/named/session.key
Jul 14 04:31:26 localhost.localdomain named[31350]: failed to generate session key for dynamic DNS: permission denied
Jul 14 04:31:26 localhost.localdomain named[31350]: sizing zone task pool based on 1 zones
Jul 14 04:31:26 localhost.localdomain named[31350]: invalid managed-keys-directory /var/named/chroot/var/named/dynamic: file not found
Jul 14 04:31:26 localhost.localdomain named[31350]: loading configuration: file not found
Jul 14 04:31:26 localhost.localdomain named[31350]: exiting (due to fatal error)
Jul 14 04:31:26 localhost.localdomain systemd[1]: named-chroot.service: control process exited, code=exited status=1
Jul 14 04:31:26 localhost.localdomain systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jul 14 04:31:26 localhost.localdomain systemd[1]: Unit named-chroot.service entered failed state.
Jul 14 04:31:26 localhost.localdomain systemd[1]: named-chroot.service failed.


Expected results:
The default config with named-chroot starts fine on el7.

Additional info:
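The ExecStart line in the status output runs named with `-t /var/named/chroot`, so every path in named.conf is resolved inside the chroot, not on the host. The two fatal lines in the journal are exactly that: `managed-keys-directory` points at `/var/named/dynamic`, which does not exist under the chroot, and named cannot create `/var/run/named/session.key` there either. The pre-flight check below is an added example; it is not part of the bug report and not code from BIND, preupgrade-assistant or Red Hat. It assumes a Linux host (`find -user`), that named runs as the user `named` as in the ExecStart line (override with `NAMED_USER`), that `/var/run/named` is the runtime directory named writes `session.key` into, as the first log line shows, and it reads only the option names that appear in the reporter's named.conf. The chroot it builds in `demo` mode is a constructed throwaway tree, not a copy of the reporter's system.

```shell
#!/bin/sh
# Added example (not from the bug report, BIND, preupgrade-assistant or Red Hat):
# pre-flight check for a named chroot. named-chroot.service runs named with
# "-t CHROOT", so each path in named.conf must exist and be writable by the
# named user *under* CHROOT. Assumptions: Linux userland, BIND user "named"
# (override via NAMED_USER), /var/run/named as the session.key directory.

NAMED_USER="${NAMED_USER:-named}"

# conf_value KEY FILE: print the quoted value of the first 'KEY "..."' line.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# check_named_chroot CHROOT CONF
# CONF is the named.conf path relative to CHROOT (e.g. etc/named.conf).
# Prints "missing DIR" or "notowned DIR" per problem; returns the problem count.
check_named_chroot() {
    root="$1"; conf="$root/$2"; problems=0
    if [ ! -r "$conf" ]; then echo "missing $2"; return 1; fi
    # Directories named needs at run time: working dir, managed-keys dir,
    # the parent of each file it writes, and the runtime dir for session.key.
    dirs="$(conf_value directory "$conf") $(conf_value managed-keys-directory "$conf") /var/run/named"
    for key in dump-file statistics-file memstatistics-file; do
        v="$(conf_value "$key" "$conf")"
        if [ -n "$v" ]; then dirs="$dirs $(dirname "$v")"; fi
    done
    for d in $(printf '%s\n' $dirs | sort -u); do
        p="$root$d"
        if [ ! -d "$p" ]; then
            echo "missing $d"; problems=$((problems + 1))
        elif [ -z "$(find "$p" -prune -user "$NAMED_USER" 2>/dev/null)" ]; then
            echo "notowned $d"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_demo_chroot: constructed throwaway tree mirroring the report. The
# named.conf names /var/named/dynamic, but only /var/named/data exists and
# /var/run/named is absent. Prints the chroot path.
make_demo_chroot() {
    root="$(mktemp -d)"
    mkdir -p "$root/etc" "$root/var/named/data"
    cat > "$root/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    managed-keys-directory "/var/named/dynamic";
};
EOF
    echo "$root"
}

# Usage: sh check-named-chroot.sh demo                       (constructed tree)
#        sh check-named-chroot.sh /var/named/chroot etc/named.conf   (real host)
case "${1:-}" in
    demo) root="$(make_demo_chroot)"
          ( NAMED_USER="$(id -un)"; check_named_chroot "$root" etc/named.conf; echo "exit=$?" )
          rm -rf "$root" ;;
    "")   ;;   # run without arguments: only define the functions
    *)    check_named_chroot "$1" "${2:-etc/named.conf}" ;;
esac
```

Run against the reporter's layout the check reports `missing /var/named/dynamic` and `missing /var/run/named`, the same two directories the journal complains about, before systemd ever reaches `ExecStart`; `named-checkconf -z` in `ExecStartPre` passes because it only parses the configuration and zone files and never tries to open the writable directories. A `notowned` line means the directory exists but belongs to another user, which produces the same "permission denied" when named runs as `-u named`.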
