Red Hat Bugzilla – Bug 680748
[RFE] Named resource agent should run named as the named user, not root.
Last modified: 2016-04-26 12:41:06 EDT
The resource agent for named could do with enhancement. (My testing here is based on adding in the missing /usr/share/cluster/utils/named-parse-config.pl, which has a bug entry that is being actioned already.) This agent is great but could benefit from a few changes.

1/ It runs the daemon as root. This isn't desirable. There isn't much required to change this. Passing the named daemon launch line a "-u named" and chowning the directory that holds the pid file seems to be enough (I did this with a chown named:named `dirname $NAMED_pid_file` after the creation routine; there is probably a cleaner way, it may even be better to chgrp and chmod g+w, haven't checked).

2/ Even though this agent changes the listen address to match the IP address passed to the service, zone transfers etc. always come from the main IP of the node running the service. This isn't perfect as these are often secured by source IP (on the up-level boxes) (and this is a hassle if there are a large number of nodes in the cluster), and it is confusing that it isn't the cluster service IP. The resource script should probably (even if by an option) change not just listen-on but also set "transfer-source", "query-source" and "notify-source". There may be others.

I have looked at Fedora 14's named resource agent and it doesn't seem to have these features, so this query may be an upstream one. But I'm not sure what the upstream is for this?
(In reply to comment #0)
> I have looked at Fedora 14's named resource agent and it doesn't seem to have
> these features so this query may be an upstream one. But I'm not sure what the
> upstream is for this?

@Colin: resource agents are used in a variety of upstream distros, but if you're interested in getting this fixed upstream the best place to file a bug would be Fedora against the resource-agents package. When Fedora has this fixed, we can look at pulling the fixes into RHEL.
That's cool, I have added Bug #680775 for Fedora to hopefully action. And I have opened SR#428006 with support pointing at this bug report. Thanks.
Updating bz to refer to issue #1. Making sure the named daemon runs as the user "named" instead of root. Issue #2 has been moved to bz#711586.
After digging deeper into getting the agent to run as named, there can potentially be issues if named has already been run as the root user. It's possible that some of the bind configuration files will not have the correct permissions which would break an upgrade. However, there is a simple workaround. Add the option 'named_options="-u named"' to the named service in your cluster.conf file and the service will be run as the user 'named'. Closing this as WONTFIX for now as an upgrade will likely break current installs, and there is a simple workaround.
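The two practical points in this report are the "-u named" launch option (comment #0) and the concern that files left owned by root by an earlier run will break the switch (the closing comment). The snippet below is an added example, not code from the bug or from the rgmanager named agent: a pre-flight check that lists the pid-file directory and the config file when they are not owned by the user named will drop to, plus the launch line with the option added. The paths and the user name "named" are assumed inputs.

```shell
#!/bin/sh
# Added example (not from the bug report or the resource agent).
# named_preflight PID_FILE CONF_FILE [USER]
#   Prints every path among the pid-file directory and the config file
#   whose owner is not USER (default "named"), and returns 1 if any was
#   found. Run it before switching the agent to "-u named": a path it
#   reports is one the daemon can no longer write to (pid file) or read
#   (config) once it drops root, which is the upgrade breakage the closing
#   comment describes. Paths that do not exist yet are skipped.
named_preflight() {
    pid_file=$1
    conf_file=$2
    want_user=${3:-named}
    rc=0
    for p in "$(dirname "$pid_file")" "$conf_file"; do
        [ -e "$p" ] || continue
        # GNU stat first, BSD stat as a fallback.
        owner=$(stat -c %U "$p" 2>/dev/null || stat -f %Su "$p")
        if [ "$owner" != "$want_user" ]; then
            echo "needs chown $want_user: $p"
            rc=1
        fi
    done
    return $rc
}

# named_cmdline CONF_FILE [USER] [EXTRA_OPTIONS]
#   Builds the daemon launch line with "-u USER" inserted, which is the
#   change comment #0 asks for; EXTRA_OPTIONS stands in for the agent's
#   named_options value (an assumption about how the agent passes it).
named_cmdline() {
    conf_file=$1
    user=${2:-named}
    extra=$3
    printf 'named -u %s -c %s%s\n' "$user" "$conf_file" "${extra:+ $extra}"
}
```

If named_preflight reports paths, fix their ownership (as the reporter did with chown named:named on the pid directory) before changing the launch line; the check is read-only and changes nothing itself.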