From greg.bock at stackpath.com Thu Oct 10 18:48:54 2019
From: greg.bock at stackpath.com (Greg Bock)
Date: Thu, 10 Oct 2019 18:48:54 +0000
Subject: [nsd-users] Add option and logic to disable additional out-of-zone data.
Message-ID: <55DDF638-BE55-461B-9579-49A5BA24B760@stackpath.com>

Looking for a review of https://github.com/NLnetLabs/nsd/pull/39 .

It is a small patch that adds logic to not return additional out-of-zone data for other zones configured locally in NSD (E.G. CNAME resolution).

From zenbakaitz at speedy.com.ar Wed Oct 23 19:25:44 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Wed, 23 Oct 2019 16:25:44 -0300
Subject: [nsd-users] logs
Message-ID: <51d05022951fb5a838de8f425947ef403c8ff1f8.camel@speedy.com.ar>

Hello,

Firstly, thank you very much to those who make this powerful and optimized software possible !!

I've had it running on Debian 9 and now I have it running on Debian 10.
But now there is a small inconvenience, I cannot get the logs written.
I have tried both /var/log/nsd.log and /var/log/nsd/nsd.log.
I have also tried changing permissions.

This is what /var/log/daemon.log shows immediately after restarting NSD:
...
Oct 23 15:46:13 dhcppc1 nsd[2378]: [2019-10-23 15:46:13.314] nsd[2380]: warning: signal received, shutting down...
Oct 23 15:46:13 dhcppc1 nsd[2378]: [2019-10-23 15:46:13.316] nsd[2380]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
Oct 23 15:46:13 dhcppc1 systemd[1]: Stopping Name Server Daemon...
Oct 23 15:46:13 dhcppc1 systemd[1]: nsd.service: Succeeded.
Oct 23 15:46:13 dhcppc1 systemd[1]: Stopped Name Server Daemon.
Oct 23 15:46:13 dhcppc1 systemd[1]: Starting Name Server Daemon...
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]: error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file system)$
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]: warning: chown /var/log/nsd/nsd.log failed: No such file or directory
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]: notice: nsd starting (NSD 4.1.26)
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not perm$
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not perm$
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.518] nsd[2401]: info: setup SSL certificates
Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.566] nsd[2402]: info: zonefile /etc/nsd/zones/...
...

I would appreciate help on this topic.

Best regards.
José Luis

From sca at andreasschulze.de Wed Oct 23 20:45:41 2019
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 23 Oct 2019 22:45:41 +0200
Subject: [nsd-users] logs
In-Reply-To: <51d05022951fb5a838de8f425947ef403c8ff1f8.camel@speedy.com.ar>
References: <51d05022951fb5a838de8f425947ef403c8ff1f8.camel@speedy.com.ar>
Message-ID: <02f62acf-671a-f81a-b57a-f025d3b4d985@andreasschulze.de>

On 23.10.19 at 21:25, José Luis Artuch wrote:
> Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
> error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file
> system)$
> I would appreciate help on this topic.

2 things coming to my mind:
- chroot enabled?
  -> nsd-checkconf -o chroot /path/to/nsd.conf
- systemd is doing unexpected stuff

Andreas

From zenbakaitz at speedy.com.ar Thu Oct 24 01:26:22 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Wed, 23 Oct 2019 22:26:22 -0300
Subject: [nsd-users] logs
In-Reply-To: <02f62acf-671a-f81a-b57a-f025d3b4d985@andreasschulze.de>
Message-ID:

On Wed, 23-10-2019 at 21:59 -0300, José Luis Artuch wrote:
> On 23.10.19 at 21:25, José Luis Artuch wrote:
> > Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
> > error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file
> > system)$
> > I would appreciate help on this topic.
>
> 2 things coming to my mind:
> - chroot enabled? -> nsd-checkconf -o chroot /path/to/nsd.conf
> - systemd is doing unexpected stuff
>
> Andreas
>

Thanks Andreas,

The output of
/usr/sbin/nsd-checkconf -o chroot /etc/nsd/nsd.conf
is empty.

I don't know what tests to do with systemd.

José Luis

From jeroen at nlnetlabs.nl Thu Oct 24 08:54:35 2019
From: jeroen at nlnetlabs.nl (Jeroen Koekkoek)
Date: Thu, 24 Oct 2019 10:54:35 +0200
Subject: [nsd-users] logs
In-Reply-To:
References:
Message-ID: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl>

Hi José,

What are the permissions of the /var/log/nsd.log directory and what user are you executing nsd as? Might be wise to check if the systemd unit has the same user configured.

Default unit file for nsd is located at /lib/systemd/system/nsd.service on Debian.

Another question: did you upgrade the Debian 9 machine to Debian 10 or did you do a fresh install and copy the configuration file? Maybe the uid of the user on the Debian 9 machine doesn't match the nsd user on the Debian 10 machine?

Best regards,
Jeroen

On Wed, 2019-10-23 at 22:26 -0300, José Luis Artuch wrote:
> On Wed, 23-10-2019 at 21:59 -0300, José Luis Artuch wrote:
> > On 23.10.19 at 21:25, José
> > Luis Artuch wrote:
> > > Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
> > > error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file
> > > system)$
> > > I would appreciate help on this topic.
> >
> > 2 things coming to my mind:
> > - chroot enabled? -> nsd-checkconf -o chroot /path/to/nsd.conf
> > - systemd is doing unexpected stuff
> >
> > Andreas
> >
>
> Thanks Andreas,
> The output of
> /usr/sbin/nsd-checkconf -o chroot /etc/nsd/nsd.conf
> is empty.
> I don't know what tests to do with systemd.
> José Luis
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

From simon at sdeziel.info Thu Oct 24 12:37:37 2019
From: simon at sdeziel.info (Simon Deziel)
Date: Thu, 24 Oct 2019 08:37:37 -0400
Subject: [nsd-users] logs
In-Reply-To:
References:
Message-ID: <2b4b22e1-f8d8-c211-d155-dd4aa2883410@sdeziel.info>

On 2019-10-23 9:26 p.m., José Luis Artuch wrote:
> On Wed, 23-10-2019 at 21:59 -0300, José Luis Artuch wrote:
>> On 23.10.19 at 21:25, José Luis Artuch wrote:
>>> Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
>>> error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file
>>> system)$
>>> I would appreciate help on this topic.
>>
>> 2 things coming to my mind:
>> - chroot enabled? -> nsd-checkconf -o chroot /path/to/nsd.conf
>> - systemd is doing unexpected stuff
>>
>> Andreas
>>
>
> Thanks Andreas,
> The output of
> /usr/sbin/nsd-checkconf -o chroot /etc/nsd/nsd.conf
> is empty.
> I don't know what tests to do with systemd.

Could you provide the output of this:

  systemctl cat nsd

A read only file system sounds like "ProtectSystem=strict" or some other protection.
Simon

From zenbakaitz at speedy.com.ar Thu Oct 24 12:46:16 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Thu, 24 Oct 2019 09:46:16 -0300
Subject: [nsd-users] logs
In-Reply-To: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl>
Message-ID: <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar>

Thanks Jeroen,

About permissions and owners:
For /var/log/nsd.log, the directory /var/log/ has 755 root:root
For /var/log/nsd/nsd.log, I created alternatively a directory /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root owners.
As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.

cat /lib/systemd/system/nsd.service
[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target

[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d
ExecReload=+/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

[Install]
WantedBy=multi-user.target

I have done a fresh installation of Debian 10 and also rewrote each configuration file.

A detail that I do not know if it can be important, previously NSD worked on a 32-bit architecture computer and now is working on another computer but with 64-bit architecture.

Best regards.
José Luis

On Thu, 24-10-2019 at 10:54 +0200, Jeroen Koekkoek wrote:
> Hi José,
>
> What are the permissions of the /var/log/nsd.log directory and what
> user are you executing nsd as?
> Might be wise to check if the systemd
> unit has the same user configured.
>
> Default unit file for nsd is located at
> /lib/systemd/system/nsd.service
> on Debian.
>
> Another question: did you upgrade the Debian 9 machine to Debian 10 or
> did you do a fresh install and copy the configuration file? Maybe the
> uid of the user on the Debian 9 machine doesn't match the nsd user on
> the Debian 10 machine?
>
> Best regards,
> Jeroen
>
>
> On Wed, 2019-10-23 at 22:26 -0300, José Luis Artuch wrote:
> > On Wed, 23-10-2019 at 21:59 -0300, José Luis Artuch wrote:
> > > On 23.10.19 at 21:25, José Luis Artuch wrote:
> > > > Oct 23 15:46:13 dhcppc1 nsd[2401]: [2019-10-23 15:46:13.514] nsd[2401]:
> > > > error: Cannot open /var/log/nsd/nsd.log for appending (Read-only file
> > > > system)$
> > > > I would appreciate help on this topic.
> > >
> > > 2 things coming to my mind:
> > > - chroot enabled? -> nsd-checkconf -o chroot /path/to/nsd.conf
> > > - systemd is doing unexpected stuff
> > >
> > > Andreas
> > >
> >
> > Thanks Andreas,
> > The output of
> > /usr/sbin/nsd-checkconf -o chroot /etc/nsd/nsd.conf
> > is empty.
> > I don't know what tests to do with systemd.
> > José Luis

From simon at sdeziel.info Thu Oct 24 12:58:00 2019
From: simon at sdeziel.info (Simon Deziel)
Date: Thu, 24 Oct 2019 08:58:00 -0400
Subject: [nsd-users] logs
In-Reply-To: <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar>
Message-ID: <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info>

On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> Thanks Jeroen,
>
> About permissions and owners:
> For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> For /var/log/nsd/nsd.log, I created alternatively a directory
> /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
> owners.
> As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
>
> cat /lib/systemd/system/nsd.service
> [Unit]
> Description=Name Server Daemon
> Documentation=man:nsd(8)
> After=network.target
>
> [Service]
> Type=notify
> Restart=always
> ExecStart=/usr/sbin/nsd -d
> ExecReload=+/bin/kill -HUP $MAINPID
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=strict
> ReadWritePaths=/var/lib/nsd /etc/nsd /run

ProtectSystem=strict turns most of the hierarchy into read only mounts so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for them to be writable by nsd itself. This is normally not needed as logging goes through syslog by default but you are likely using "logfile" in nsd.conf.

To add that ReadWritePaths directive:

  sudo systemctl edit nsd

Then type and save the following:

  [Service]
  ReadWritePaths=/var/log/nsd

This will create an override file supplementing the package provided unit with your local config.
HTH,
Simon

From jeroen at nlnetlabs.nl Thu Oct 24 13:13:13 2019
From: jeroen at nlnetlabs.nl (Jeroen Koekkoek)
Date: Thu, 24 Oct 2019 15:13:13 +0200
Subject: [nsd-users] logs
In-Reply-To: <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info>
Message-ID: <712752c797cb57cc297d59c4ee00cae6d81b5df0.camel@nlnetlabs.nl>

On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > Thanks Jeroen,
> >
> > About permissions and owners:
> > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > For /var/log/nsd/nsd.log, I created alternatively a directory
> > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
> > owners.
> > As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> >
> > cat /lib/systemd/system/nsd.service
> > [Unit]
> > Description=Name Server Daemon
> > Documentation=man:nsd(8)
> > After=network.target
> >
> > [Service]
> > Type=notify
> > Restart=always
> > ExecStart=/usr/sbin/nsd -d
> > ExecReload=+/bin/kill -HUP $MAINPID
> > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > MemoryDenyWriteExecute=true
> > NoNewPrivileges=true
> > PrivateDevices=true
> > PrivateTmp=true
> > ProtectHome=true
> > ProtectControlGroups=true
> > ProtectKernelModules=true
> > ProtectKernelTunables=true
> > ProtectSystem=strict
> > ReadWritePaths=/var/lib/nsd /etc/nsd /run
>
> ProtectSystem=strict turns most of the hierarchy into read only mounts
> so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
> them to be writable by nsd itself. This is normally not needed as
> logging goes through syslog by default but you are likely using
> "logfile" in nsd.conf.
>
> To add that ReadWritePaths directive:
>
> sudo systemctl edit nsd
>
> Then type and save the following:
>
> [Service]
> ReadWritePaths=/var/log/nsd
>
>
> This will create an override file supplementing the package provided
> unit with your local config.
>
> HTH,
> Simon

The systemd unit shows nsd is executed with "-d", that causes it to not fork. Judging by the ReadWritePaths in the original unit file, the original intent was maybe for nsd to log to stdout and then have systemd write it to the journal(?) Maybe that bit changed between Debian versions?

You could try not logging to a file by removing it from the configuration and see if the output still ends up in the journal. Alternatively, Simon's answer seems to make sense, so you can take that route too.

- Jeroen

From zenbakaitz at speedy.com.ar Thu Oct 24 13:38:43 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Thu, 24 Oct 2019 10:38:43 -0300
Subject: [nsd-users] logs
In-Reply-To: <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info>
Message-ID:

Thanks Simon,

Exactly, there was the problem !!
I just discovered it at the same time you wrote with the data provided by Andreas and Jeroen :)

Thank you very much to all three for guiding me !!!

Here is what I did:

mkdir -p /var/log/nsd
chown nsd:nsd /var/log/nsd

nano /etc/nsd/nsd.conf
...
logfile: "/var/log/nsd/nsd.log"
...

cp /lib/systemd/system/nsd.service{,_original}
nano /lib/systemd/system/nsd.service
...
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
...

systemctl daemon-reload <--- !!!!
systemctl restart nsd

Thank you very much again, best regards !!
José Luis

On Thu, 24-10-2019 at 08:58 -0400, Simon Deziel wrote:
> On 2019-10-24 8:46 a.m., José
> Luis Artuch wrote:
> > Thanks Jeroen,
> >
> > About permissions and owners:
> > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > For /var/log/nsd/nsd.log, I created alternatively a directory
> > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
> > owners.
> > As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> >
> > cat /lib/systemd/system/nsd.service
> > [Unit]
> > Description=Name Server Daemon
> > Documentation=man:nsd(8)
> > After=network.target
> >
> > [Service]
> > Type=notify
> > Restart=always
> > ExecStart=/usr/sbin/nsd -d
> > ExecReload=+/bin/kill -HUP $MAINPID
> > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > MemoryDenyWriteExecute=true
> > NoNewPrivileges=true
> > PrivateDevices=true
> > PrivateTmp=true
> > ProtectHome=true
> > ProtectControlGroups=true
> > ProtectKernelModules=true
> > ProtectKernelTunables=true
> > ProtectSystem=strict
> > ReadWritePaths=/var/lib/nsd /etc/nsd /run
>
> ProtectSystem=strict turns most of the hierarchy into read only mounts
> so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
> them to be writable by nsd itself. This is normally not needed as
> logging goes through syslog by default but you are likely using
> "logfile" in nsd.conf.
>
> To add that ReadWritePaths directive:
>
> sudo systemctl edit nsd
>
> Then type and save the following:
>
> [Service]
> ReadWritePaths=/var/log/nsd
>
>
> This will create an override file supplementing the package provided
> unit with your local config.
>
> HTH,
> Simon

From simon at sdeziel.info Thu Oct 24 13:52:05 2019
From: simon at sdeziel.info (Simon Deziel)
Date: Thu, 24 Oct 2019 09:52:05 -0400
Subject: [nsd-users] logs
In-Reply-To: <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar>
Message-ID:

On 2019-10-24 9:29 a.m., José Luis Artuch wrote:
> cp /lib/systemd/system/nsd.service{,_original}
> nano /lib/systemd/system/nsd.service

If/when nsd's package is updated, your custom edits will be lost. That's why I suggested the "systemctl edit" way to just add a local override/drop-in file that would survive package updates.

Regards,
Simon

From lomov.vl at yandex.ru Thu Oct 24 13:51:44 2019
From: lomov.vl at yandex.ru (Vladimir Lomov)
Date: Thu, 24 Oct 2019 21:51:44 +0800
Subject: [nsd-users] logs
In-Reply-To:
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info>
Message-ID: <20191024135144.GC485990@smoon.bkoty.ru>

Hello,

** José Luis Artuch [2019-10-24 10:38:43 -0300]:

> Thanks Simon,
>
> Exactly, there was the problem !!
> I just discovered it at the same time you wrote with the data provided
> by Andreas and Jeroen :)
>
> Thank you very much to all three for guiding me !!!
>
> Here is what I did:
>
> mkdir -p /var/log/nsd
> chown nsd:nsd /var/log/nsd
>
> nano /etc/nsd/nsd.conf
> ...
> logfile: "/var/log/nsd/nsd.log"
> ...
>
> cp /lib/systemd/system/nsd.service{,_original}
> nano /lib/systemd/system/nsd.service
> ...
> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
> ...

And you didn't follow good advice:

  $ sudo systemctl edit nsd

Next NSD upgrade will overwrite your changes and you will again come to ML and will again ask the same question. Don't invent the wheel and NEVER touch system configuration file IF there is alternative.

> systemctl daemon-reload <--- !!!!
> systemctl restart nsd
>
> Thank you very much again, best regards !!
> José Luis
>
> On Thu, 24-10-2019 at 08:58 -0400, Simon Deziel wrote:
>> On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
>>> Thanks Jeroen,
>>>
>>> About permissions and owners:
>>> For /var/log/nsd.log, the directory /var/log/ has 755 root:root
>>> For /var/log/nsd/nsd.log, I created alternatively a directory
>>> /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
>>> owners.
>>> As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
>>>
>>> cat /lib/systemd/system/nsd.service
>>> [Unit]
>>> Description=Name Server Daemon
>>> Documentation=man:nsd(8)
>>> After=network.target
>>>
>>> [Service]
>>> Type=notify
>>> Restart=always
>>> ExecStart=/usr/sbin/nsd -d
>>> ExecReload=+/bin/kill -HUP $MAINPID
>>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>> MemoryDenyWriteExecute=true
>>> NoNewPrivileges=true
>>> PrivateDevices=true
>>> PrivateTmp=true
>>> ProtectHome=true
>>> ProtectControlGroups=true
>>> ProtectKernelModules=true
>>> ProtectKernelTunables=true
>>> ProtectSystem=strict
>>> ReadWritePaths=/var/lib/nsd /etc/nsd /run
>>
>> ProtectSystem=strict turns most of the hierarchy into read only mounts
>> so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
>> them to be writable by nsd itself. This is normally not needed as
>> logging goes through syslog by default but you are likely using
>> "logfile" in nsd.conf.
>>
>> To add that ReadWritePaths directive:
>>
>> sudo systemctl edit nsd
>>
>> Then type and save the following:
>>
>> [Service]
>> ReadWritePaths=/var/log/nsd
>>
>>
>> This will create an override file supplementing the package provided
>> unit with your local config.
>>
>> HTH,
>> Simon

---
WBR, Vladimir Lomov

--
Remember that there is an outside world to see and enjoy.
  -- Hans Liepmann

From zenbakaitz at speedy.com.ar Thu Oct 24 14:08:43 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Thu, 24 Oct 2019 11:08:43 -0300
Subject: [nsd-users] logs
In-Reply-To: <712752c797cb57cc297d59c4ee00cae6d81b5df0.camel@nlnetlabs.nl>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <712752c797cb57cc297d59c4ee00cae6d81b5df0.camel@nlnetlabs.nl>
Message-ID: <662e7eb98621ab15a8f26102e4eb393a7a7e66c7.camel@speedy.com.ar>

Thanks Jeroen,

If I do:

nano /etc/nsd/nsd.conf
...
# logfile: "/var/log/nsd/nsd.log"
...

systemctl restart nsd

This is the output of journalctl:

journalctl -u nsd.service --since today
oct 24 10:53:26 dhcppc1 nsd[6937]: signal received, shutting down...
oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.281] nsd[6937]: warning: signal received, shutting down...
oct 24 10:53:26 dhcppc1 nsd[6937]: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.284] nsd[6937]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
oct 24 10:53:26 dhcppc1 systemd[1]: Stopping Name Server Daemon...
oct 24 10:53:26 dhcppc1 systemd[1]: nsd.service: Succeeded.
oct 24 10:53:26 dhcppc1 systemd[1]: Stopped Name Server Daemon.
oct 24 10:53:26 dhcppc1 systemd[1]: Starting Name Server Daemon...
oct 24 10:53:26 dhcppc1 nsd[6965]: nsd starting (NSD 4.1.26)
oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permitted
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: notice: nsd starting (NSD 4.1.26)
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permi
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permi
oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permitted
oct 24 10:53:26 dhcppc1 nsd[6965]: setup SSL certificates
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.483] nsd[6965]: info: setup SSL certificates
oct 24 10:53:26 dhcppc1 nsd[6967]: zonefile /etc/nsd/zones/...
...
oct 24 10:53:26 dhcppc1 nsd[6967]: nsd started (NSD 4.1.26), pid 6965
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.584] nsd[6967]: notice: nsd started (NSD 4.1.26), pid 6965
oct 24 10:53:26 dhcppc1 systemd[1]: Started Name Server Daemon.

Best regards.
José Luis

On Thu, 24-10-2019 at 15:13 +0200, Jeroen Koekkoek wrote:
> On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> > On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > > Thanks Jeroen,
> > >
> > > About permissions and owners:
> > > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > > For /var/log/nsd/nsd.log, I created alternatively a directory
> > > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
> > > owners.
> > > As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> > >
> > > cat /lib/systemd/system/nsd.service
> > > [Unit]
> > > Description=Name Server Daemon
> > > Documentation=man:nsd(8)
> > > After=network.target
> > >
> > > [Service]
> > > Type=notify
> > > Restart=always
> > > ExecStart=/usr/sbin/nsd -d
> > > ExecReload=+/bin/kill -HUP $MAINPID
> > > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > > MemoryDenyWriteExecute=true
> > > NoNewPrivileges=true
> > > PrivateDevices=true
> > > PrivateTmp=true
> > > ProtectHome=true
> > > ProtectControlGroups=true
> > > ProtectKernelModules=true
> > > ProtectKernelTunables=true
> > > ProtectSystem=strict
> > > ReadWritePaths=/var/lib/nsd /etc/nsd /run
> >
> > ProtectSystem=strict turns most of the hierarchy into read only mounts
> > so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
> > them to be writable by nsd itself. This is normally not needed as
> > logging goes through syslog by default but you are likely using
> > "logfile" in nsd.conf.
> >
> > To add that ReadWritePaths directive:
> >
> > sudo systemctl edit nsd
> >
> > Then type and save the following:
> >
> > [Service]
> > ReadWritePaths=/var/log/nsd
> >
> >
> > This will create an override file supplementing the package provided
> > unit with your local config.
> >
> > HTH,
> > Simon
>
> The systemd unit shows nsd is executed with "-d", that causes it to not
> fork. Judging by the ReadWritePaths in the original unit file, the
> original intent was maybe for nsd to log to stdout and then have
> systemd write it to the journal(?) Maybe that bit changed between
> Debian versions?
>
> You could try not logging to a file by removing it from the
> configuration and see if the output still ends up in the journal.
> Alternatively, Simon's answer seems to make sense, so you can take that
> route too.
>
> - Jeroen

From zenbakaitz at speedy.com.ar Thu Oct 24 18:13:40 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Thu, 24 Oct 2019 15:13:40 -0300
Subject: [nsd-users] logs
In-Reply-To: <20191024135144.GC485990@smoon.bkoty.ru>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <20191024135144.GC485990@smoon.bkoty.ru>
Message-ID: <7468db8548efb16bdafa94fe5c9fd884f2527fc8.camel@speedy.com.ar>

Thanks Vladimir,

I was about to ask if I had solved the problem correctly.
I did it my way while in parallel Simon answered me and now with your notice I read in Simon's answer the correct way to do it :)
I must study Systemd, practically I don't know how it works.

Best regards.
José Luis

On Thu, 24-10-2019 at 21:51 +0800, Vladimir Lomov wrote:
> Hello,
> ** José Luis Artuch [2019-10-24 10:38:43 -0300]:
>
> > Thanks Simon,
> >
> > Exactly, there was the problem !!
> > I just discovered it at the same time you wrote with the data provided
> > by Andreas and Jeroen :)
> >
> > Thank you very much to all three for guiding me !!!
> >
> > Here is what I did:
> >
> > mkdir -p /var/log/nsd
> > chown nsd:nsd /var/log/nsd
> >
> > nano /etc/nsd/nsd.conf
> > ...
> > logfile: "/var/log/nsd/nsd.log"
> > ...
> >
> > cp /lib/systemd/system/nsd.service{,_original}
> > nano /lib/systemd/system/nsd.service
> > ...
> > ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
> > ...
>
> And you didn't follow good advice:
>
> $ sudo systemctl edit nsd
>
> Next NSD upgrade will overwrite your changes and you will again come to
> ML and will again ask the same question. Don't invent the wheel and
> NEVER touch system configuration file IF there is alternative.
>
> > systemctl daemon-reload <--- !!!!
> > systemctl restart nsd
> >
> > Thank you very much again, best regards !!
> > José Luis
> >
> > On Thu, 24-10-2019 at 08:58 -0400, Simon Deziel wrote:
> > > On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > > > Thanks Jeroen,
> > > >
> > > > About permissions and owners:
> > > > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > > > For /var/log/nsd/nsd.log, I created alternatively a directory
> > > > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
> > > > owners.
> > > > As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> > > >
> > > > cat /lib/systemd/system/nsd.service
> > > > [Unit]
> > > > Description=Name Server Daemon
> > > > Documentation=man:nsd(8)
> > > > After=network.target
> > > >
> > > > [Service]
> > > > Type=notify
> > > > Restart=always
> > > > ExecStart=/usr/sbin/nsd -d
> > > > ExecReload=+/bin/kill -HUP $MAINPID
> > > > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > > > MemoryDenyWriteExecute=true
> > > > NoNewPrivileges=true
> > > > PrivateDevices=true
> > > > PrivateTmp=true
> > > > ProtectHome=true
> > > > ProtectControlGroups=true
> > > > ProtectKernelModules=true
> > > > ProtectKernelTunables=true
> > > > ProtectSystem=strict
> > > > ReadWritePaths=/var/lib/nsd /etc/nsd /run
> > >
> > > ProtectSystem=strict turns most of the hierarchy into read only mounts
> > > so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
> > > them to be writable by nsd itself. This is normally not needed as
> > > logging goes through syslog by default but you are likely using
> > > "logfile" in nsd.conf.
> > >
> > > To add that ReadWritePaths directive:
> > >
> > > sudo systemctl edit nsd
> > >
> > > Then type and save the following:
> > >
> > > [Service]
> > > ReadWritePaths=/var/log/nsd
> > >
> > >
> > > This will create an override file supplementing the package provided
> > > unit with your local config.
> > >
> > > HTH,
> > > Simon
>
> ---
> WBR, Vladimir Lomov
>

From zenbakaitz at speedy.com.ar Thu Oct 24 18:18:59 2019
From: zenbakaitz at speedy.com.ar (José Luis Artuch)
Date: Thu, 24 Oct 2019 15:18:59 -0300
Subject: [nsd-users] logs
In-Reply-To:
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar>
Message-ID: <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar>

Thanks Simon,

I did everything again, but now running
sudo systemctl edit nsd
and saving
[Service]
ReadWritePaths=/var/log/nsd

Then I have run
sudo systemctl daemon-reload
sudo systemctl restart nsd

Since the change was not reflected in /lib/systemd/system/nsd.service, I restarted the system, but the change is still not reflected in /lib/systemd/system/nsd.service and the log is not written.
What other change should I make ?.

Best regards.
José Luis

On Thu, 24-10-2019 at 09:52 -0400, Simon Deziel wrote:
> On 2019-10-24 9:29 a.m., José Luis Artuch wrote:
> > cp /lib/systemd/system/nsd.service{,_original}
> > nano /lib/systemd/system/nsd.service
>
> If/when nsd's package is updated, your custom edits will be lost. That's
> why I suggested the "systemctl edit" way to just add a local
> override/drop-in file that would survive package updates.
>
> Regards,
> Simon
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

From jeroen at nlnetlabs.nl Thu Oct 24 18:26:56 2019
From: jeroen at nlnetlabs.nl (Jeroen Koekkoek)
Date: Thu, 24 Oct 2019 20:26:56 +0200
Subject: [nsd-users] logs
In-Reply-To: <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar> <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar>
Message-ID: <35cd2de93dcb08eea1eeddabb320f2f8cda13781.camel@nlnetlabs.nl>

Hi José,

On Thu, 2019-10-24 at 15:18 -0300, José Luis Artuch wrote:
> Thanks Simon,
>
> I did everything again, but now running
> sudo systemctl edit nsd
> and saving
> [Service]
> ReadWritePaths=/var/log/nsd
>
> Then I have run
> sudo systemctl daemon-reload
> sudo systemctl restart nsd
>
> Since the change was not reflected in /lib/systemd/system/nsd.service,
> I restarted the system, but the change is still not reflected in
> /lib/systemd/system/nsd.service and the log is not written.
> What other change should I make ?

The changes will not be reflected in /lib/systemd/system/nsd.service,
instead a new file will be written in /etc/systemd/system/nsd.service
which should reflect your changes(?).

This is done so that changes are kept through upgrades, which is the
point that both Simon and Vladimir are making.

Hope that helps.

> Best regards.
> José Luis
>
> On Thu, 24-10-2019 at 09:52 -0400, Simon Deziel wrote:
> > On 2019-10-24 9:29 a.m., José Luis Artuch wrote:
> > > cp /lib/systemd/system/nsd.service{,_original}
> > > nano /lib/systemd/system/nsd.service
> >
> > If/when nsd's package is updated, your custom edits will be lost.
> > That's why I suggested the "systemctl edit" way to just add a local
> > override/drop-in file that would survive package updates.
> >
> > Regards,
> > Simon
> > _______________________________________________
> > nsd-users mailing list
> > nsd-users at NLnetLabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

- Jeroen

From zenbakaitz at speedy.com.ar Thu Oct 24 18:33:54 2019
From: zenbakaitz at speedy.com.ar (=?ISO-8859-1?Q?Jos=E9?= Luis Artuch)
Date: Thu, 24 Oct 2019 15:33:54 -0300
Subject: [nsd-users] logs
In-Reply-To: <35cd2de93dcb08eea1eeddabb320f2f8cda13781.camel@nlnetlabs.nl>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar> <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar> <35cd2de93dcb08eea1eeddabb320f2f8cda13781.camel@nlnetlabs.nl>
Message-ID: <2411f5d63cedbad34f536902482ea512c7dcb10a.camel@speedy.com.ar>

Hi Jeroen,

Ah, ok, ok ...
But how do I get the log written now ? ...

Best regards.
José Luis

On Thu, 24-10-2019 at 20:26 +0200, Jeroen Koekkoek wrote:
> Hi José,
>
> On Thu, 2019-10-24 at 15:18 -0300, José Luis Artuch wrote:
> > Thanks Simon,
> >
> > I did everything again, but now running
> > sudo systemctl edit nsd
> > and saving
> > [Service]
> > ReadWritePaths=/var/log/nsd
> >
> > Then I have run
> > sudo systemctl daemon-reload
> > sudo systemctl restart nsd
> >
> > Since the change was not reflected in /lib/systemd/system/nsd.service,
> > I restarted the system, but the change is still not reflected in
> > /lib/systemd/system/nsd.service and the log is not written.
> > What other change should I make ?
>
> The changes will not be reflected in /lib/systemd/system/nsd.service,
> instead a new file will be written in /etc/systemd/system/nsd.service
> which should reflect your changes(?).
>
> This is done so that changes are kept through upgrades, which is the
> point that both Simon and Vladimir are making.
>
> Hope that helps.
>
> > Best regards.
> > José Luis
> >
> > On Thu, 24-10-2019 at 09:52 -0400, Simon Deziel wrote:
> > > On 2019-10-24 9:29 a.m., José Luis Artuch wrote:
> > > > cp /lib/systemd/system/nsd.service{,_original}
> > > > nano /lib/systemd/system/nsd.service
> > >
> > > If/when nsd's package is updated, your custom edits will be lost.
> > > That's why I suggested the "systemctl edit" way to just add a local
> > > override/drop-in file that would survive package updates.
> > >
> > > Regards,
> > > Simon
> > > _______________________________________________
> > > nsd-users mailing list
> > > nsd-users at NLnetLabs.nl
> > > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> >
> > _______________________________________________
> > nsd-users mailing list
> > nsd-users at NLnetLabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
>
> - Jeroen
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

From jeroen at nlnetlabs.nl Thu Oct 24 18:34:06 2019
From: jeroen at nlnetlabs.nl (Jeroen Koekkoek)
Date: Thu, 24 Oct 2019 20:34:06 +0200
Subject: [nsd-users] logs
In-Reply-To: <662e7eb98621ab15a8f26102e4eb393a7a7e66c7.camel@speedy.com.ar>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <712752c797cb57cc297d59c4ee00cae6d81b5df0.camel@nlnetlabs.nl> <662e7eb98621ab15a8f26102e4eb393a7a7e66c7.camel@speedy.com.ar>
Message-ID: <3ccc976583cac9d40b721d46b5b3f629a51ce047.camel@nlnetlabs.nl>

Hi,

I think
this is actually what you'd want. It's not complaining about the log
file anymore. Just the pid file, probably the same type of problem. And
you probably want to disable the ip-transparent option(?)

- Jeroen

On Thu, 2019-10-24 at 11:08 -0300, José Luis Artuch wrote:
> Thanks Jeroen,
>
> If I do:
>
> nano /etc/nsd/nsd.conf
> ...
> # logfile: "/var/log/nsd/nsd.log"
> ...
>
> systemctl restart nsd
>
> This is the output of journalctl:
>
> journalctl -u nsd.service --since today
>
> oct 24 10:53:26 dhcppc1 nsd[6937]: signal received, shutting down...
> oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.281] nsd[6937]: warning: signal received, shutting down...
> oct 24 10:53:26 dhcppc1 nsd[6937]: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.284] nsd[6937]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> oct 24 10:53:26 dhcppc1 systemd[1]: Stopping Name Server Daemon...
> oct 24 10:53:26 dhcppc1 systemd[1]: nsd.service: Succeeded.
> oct 24 10:53:26 dhcppc1 systemd[1]: Stopped Name Server Daemon.
> oct 24 10:53:26 dhcppc1 systemd[1]: Starting Name Server Daemon...
> oct 24 10:53:26 dhcppc1 nsd[6965]: nsd starting (NSD 4.1.26)
> oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permitted
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: notice: nsd starting (NSD 4.1.26)
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permi
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]: error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permi
> oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...)
> failed for tcp: Operation not permitted
> oct 24 10:53:26 dhcppc1 nsd[6965]: setup SSL certificates
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.483] nsd[6965]: info: setup SSL certificates
> oct 24 10:53:26 dhcppc1 nsd[6967]: zonefile /etc/nsd/zones/...
> ...
> oct 24 10:53:26 dhcppc1 nsd[6967]: nsd started (NSD 4.1.26), pid 6965
> oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.584] nsd[6967]: notice: nsd started (NSD 4.1.26), pid 6965
> oct 24 10:53:26 dhcppc1 systemd[1]: Started Name Server Daemon.
>
> Best regards.
> José Luis
>
> On Thu, 24-10-2019 at 15:13 +0200, Jeroen Koekkoek wrote:
> > On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> > > On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > > > Thanks Jeroen,
> > > >
> > > > About permissions and owners:
> > > > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > > > For /var/log/nsd/nsd.log, I created alternatively a directory
> > > > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root owners.
> > > > As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
> > > >
> > > > cat /lib/systemd/system/nsd.service
> > > > [Unit]
> > > > Description=Name Server Daemon
> > > > Documentation=man:nsd(8)
> > > > After=network.target
> > > >
> > > > [Service]
> > > > Type=notify
> > > > Restart=always
> > > > ExecStart=/usr/sbin/nsd -d
> > > > ExecReload=+/bin/kill -HUP $MAINPID
> > > > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > > > MemoryDenyWriteExecute=true
> > > > NoNewPrivileges=true
> > > > PrivateDevices=true
> > > > PrivateTmp=true
> > > > ProtectHome=true
> > > > ProtectControlGroups=true
> > > > ProtectKernelModules=true
> > > > ProtectKernelTunables=true
> > > > ProtectSystem=strict
> > > > ReadWritePaths=/var/lib/nsd /etc/nsd /run
> > >
> > > ProtectSystem=strict turns most of the hierarchy into read only mounts
> > > so you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for
> > > them to be writable by nsd itself. This is normally not needed as
> > > logging goes through syslog by default but you are likely using
> > > "logfile" in nsd.conf.
> > >
> > > To add that ReadWritePaths directive:
> > >
> > > sudo systemctl edit nsd
> > >
> > > Then type and save the following:
> > >
> > > [Service]
> > > ReadWritePaths=/var/log/nsd
> > >
> > >
> > > This will create an override file supplementing the package provided
> > > unit with your local config.
> > >
> > > HTH,
> > > Simon
> >
> > The systemd unit shows nsd is executed with "-d", that causes it to not
> > fork. Judging by the ReadWritePaths in the original unit file, the
> > original intent was maybe for nsd to log to stdout and then have
> > systemd write it to the journal(?) Maybe that bit changed between
> > Debian versions?
> >
> > You could try not logging to a file by removing it from the
> > configuration and see if the output still ends up in the journal.
> > Alternatively, Simon's answer seems to make sense, so you can take that
> > route too.
> >
> > - Jeroen
> >
> > _______________________________________________
> > nsd-users mailing list
> > nsd-users at NLnetLabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

From simon at sdeziel.info Thu Oct 24 18:37:13 2019
From: simon at sdeziel.info (Simon Deziel)
Date: Thu, 24 Oct 2019 14:37:13 -0400
Subject: [nsd-users] logs
In-Reply-To: <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar> <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar>
Message-ID: <92d8a2b2-1652-0e42-dd7b-1e5cf0a03c63@sdeziel.info>

On 2019-10-24 2:18 p.m., José Luis Artuch wrote:
> Thanks Simon,
>
> I did everything again, but now running
> sudo systemctl edit nsd
> and saving
> [Service]
> ReadWritePaths=/var/log/nsd
>
> Then I have run
> sudo systemctl daemon-reload

Reloading is not needed as "edit" takes care of this once you save.

> sudo systemctl restart nsd
>
> Since the change was not reflected in /lib/systemd/system/nsd.service,

That is correct. The drop-in files are stored in
/etc/systemd/system/nsd.service.d/*.conf (override.conf by default).
"systemctl cat nsd" will list the various files it aggregates to form
the resulting unit definition.

> I restarted the system, but the change is still not reflected in
> /lib/systemd/system/nsd.service and the log is not written.
> What other change should I make ?.

In theory nothing else is needed. Do you still get the error about
read-only FS? If yes, make sure your nsd.conf points to a file under
the directory /var/log/nsd.
Simon

From simon at sdeziel.info Thu Oct 24 18:42:00 2019
From: simon at sdeziel.info (Simon Deziel)
Date: Thu, 24 Oct 2019 14:42:00 -0400
Subject: [nsd-users] logs
In-Reply-To: <35cd2de93dcb08eea1eeddabb320f2f8cda13781.camel@nlnetlabs.nl>
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar> <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar> <35cd2de93dcb08eea1eeddabb320f2f8cda13781.camel@nlnetlabs.nl>
Message-ID:

On 2019-10-24 2:26 p.m., Jeroen Koekkoek wrote:
> Hi José,
>
> On Thu, 2019-10-24 at 15:18 -0300, José Luis Artuch wrote:
>> Thanks Simon,
>>
>> I did everything again, but now running
>> sudo systemctl edit nsd
>> and saving
>> [Service]
>> ReadWritePaths=/var/log/nsd
>>
>> Then I have run
>> sudo systemctl daemon-reload
>> sudo systemctl restart nsd
>>
>> Since the change was not reflected in /lib/systemd/system/nsd.service,
>> I restarted the system, but the change is still not reflected in
>> /lib/systemd/system/nsd.service and the log is not written.
>> What other change should I make ?
>
> The changes will not be reflected in /lib/systemd/system/nsd.service,
> instead a new file will be written in /etc/systemd/system/nsd.service
> which should reflect your changes(?).

This would have been with "systemctl edit --full nsd" (note the --full).
This is essentially forking the package provided version and shadowing
it for good. This, I believe, is also not desirable because you'd then
miss out on the future improvement by your package maintainer.

Using "systemctl edit nsd" instead will create
/etc/systemd/system/nsd.service.d/override.conf with *just* the local
delta.
Simon

From zenbakaitz at speedy.com.ar Thu Oct 24 20:04:44 2019
From: zenbakaitz at speedy.com.ar (=?ISO-8859-1?Q?Jos=E9?= Luis Artuch)
Date: Thu, 24 Oct 2019 17:04:44 -0300
Subject: [nsd-users] logs
In-Reply-To:
References: <051fffcbf3b366970d9d37af8d204e3050d936be.camel@nlnetlabs.nl> <14adaf86bc50b9ab7e06f92e33972d3375bcd794.camel@speedy.com.ar> <45ed3ff8-e6b1-3686-8602-8465ab12ee2f@sdeziel.info> <2778d4ccd54bcb3efab6eddf06d26663b501f1f7.camel@speedy.com.ar> <79d3b54b7afa8175c6ad23bd892439871dee5365.camel@speedy.com.ar> <35cd2de93dcb08eea1eeddabb320f2f8cda13781.camel@nlnetlabs.nl>
Message-ID: <5e267e557a305ad4a1213a42cfe90f96610604f4.camel@speedy.com.ar>

Hi Simon,

Very well, I applied changes only with
sudo systemctl edit nsd
and effectively:

cat /etc/systemd/system/nsd.service.d/override.conf
[Service]
ReadWritePaths=/var/log/nsd

Best regards.
José Luis

On Thu, 24-10-2019 at 14:42 -0400, Simon Deziel wrote:
> On 2019-10-24 2:26 p.m., Jeroen Koekkoek wrote:
> > Hi José,
> >
> > On Thu, 2019-10-24 at 15:18 -0300, José Luis Artuch wrote:
> > > Thanks Simon,
> > >
> > > I did everything again, but now running
> > > sudo systemctl edit nsd
> > > and saving
> > > [Service]
> > > ReadWritePaths=/var/log/nsd
> > >
> > > Then I have run
> > > sudo systemctl daemon-reload
> > > sudo systemctl restart nsd
> > >
> > > Since the change was not reflected in /lib/systemd/system/nsd.service,
> > > I restarted the system, but the change is still not reflected in
> > > /lib/systemd/system/nsd.service and the log is not written.
> > > What other change should I make ?
> >
> > The changes will not be reflected in /lib/systemd/system/nsd.service,
> > instead a new file will be written in /etc/systemd/system/nsd.service
> > which should reflect your changes(?).
>
> This would have been with "systemctl edit --full nsd" (note the --full).
> This is essentially forking the package provided version and shadowing
> it for good.
> This, I believe, is also not desirable because you'd then
> miss out on the future improvement by your package maintainer.
>
> Using "systemctl edit nsd" instead will create
> /etc/systemd/system/nsd.service.d/override.conf with *just* the local
> delta.
>
> Simon
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
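
The fix discussed in this thread, checked mechanically (an added example, not code from the thread, NSD or systemd): the script merges `ReadWritePaths=` from the packaged unit and its drop-ins in order and reports whether a log path stays read-only under `ProtectSystem=strict`. The unit contents are a constructed excerpt of the unit quoted above, the function names are hypothetical, and paths are compared lexically, so symlinks are not resolved.

```shell
# Added example: which paths stay writable for nsd under ProtectSystem=strict?
# Arguments are unit fragments in the order systemd applies them (unit, then drop-ins).

# Print the effective ReadWritePaths= list, one path per line.
effective_rw_paths() {
    awk '
        /^[ \t]*ReadWritePaths[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # keep only the value
            if (NF == 0) { n = 0; next }       # empty assignment resets the list
            for (i = 1; i <= NF; i++) {
                p = $i
                sub(/^[-+]+/, "", p)           # strip optional "-" / "+" prefixes
                if (p != "") list[++n] = p
            }
        }
        END { for (i = 1; i <= n; i++) print list[i] }
    ' "$@"
}

# Print the last ProtectSystem= value (a later fragment overrides an earlier one).
protect_system_mode() {
    awk -F= '/^[ \t]*ProtectSystem[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) }
             END { print (v == "" ? "unset" : v) }' "$@"
}

# Exit status 0 if path $1 is writable according to the fragments that follow it.
log_path_writable() {
    target=$1; shift
    # Only "strict" makes /var read-only; other modes are out of scope here.
    [ "$(protect_system_mode "$@")" = "strict" ] || return 0
    effective_rw_paths "$@" | (
        while IFS= read -r p; do
            p=${p%/}
            case "$target" in "$p"|"$p"/*) exit 0 ;; esac   # lexical match only
        done
        exit 1
    )
}

# Constructed sample: excerpt of the unit quoted in the thread, plus the drop-in.
write_sample_units() {
    cat > "$1/nsd.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/nsd -d
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
EOF
    cat > "$1/override.conf" <<'EOF'
[Service]
ReadWritePaths=/var/log/nsd
EOF
}

d=$(mktemp -d); write_sample_units "$d"
for f in /var/log/nsd/nsd.log /var/log/nsd.log; do
    log_path_writable "$f" "$d/nsd.service" "$d/override.conf" && s=writable || s=read-only
    echo "$f with override.conf: $s"
done
rm -rf "$d"
```

On a live host the fragment list to pass in is the set of files that `systemctl cat nsd` prints, in the order it prints them.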