Bind9 DNS server logging options (Ubuntu 18.04)

I want to create a separate file for my DNS server (bind9) to write its logs to. I was reading the Ubuntu community page

So I added the following lines to /etc/bind/named.conf.local

logging {
    channel query.log {
        file "/var/log/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity dynamic;
        print-time yes;
    };
    // A channel receives nothing until at least one category is bound to it.
    category queries { query.log; };
};

I went on to create the log file, gave it full permissions and restarted the bind9 service; when I checked the status I saw an error:

cd /var/log
touch query.log
chmod 777 query.log
systemctl restart bind9
systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-04-02 17:37:24 UTC; 1s ago
     Docs: man:named(8)
  Process: 5723 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
  Process: 4480 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
  Process: 5851 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 5851 (code=exited, status=1/FAILURE)

Apr 02 17:37:24 ballgame named[5851]: command channel listening on 127.0.0.1#953
Apr 02 17:37:24 ballgame named[5851]: configuring command channel from '/etc/bind/rndc.key'
Apr 02 17:37:24 ballgame named[5851]: isc_stdio_open '/var/log/query.log' failed: permission denied
Apr 02 17:37:24 ballgame named[5851]: command channel listening on ::1#953
Apr 02 17:37:24 ballgame named[5851]: isc_stdio_open '/var/log/query.log' failed: permission denied
Apr 02 17:37:24 ballgame named[5851]: configuring logging: permission denied
Apr 02 17:37:24 ballgame named[5851]: loading configuration: permission denied
Apr 02 17:37:24 ballgame named[5851]: exiting (due to fatal error)
Apr 02 17:37:24 ballgame systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Apr 02 17:37:24 ballgame systemd[1]: bind9.service: Failed with result 'exit-code'.

Can someone explain what is missing here?

Answer 1

~# grep log /etc/apparmor.d/usr.sbin.named
  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

Logs should be written to /var/log/named/, otherwise AppArmor will silently deny access. If you really want to override the package maintainer's choice, do it in /etc/apparmor.d/local/usr.sbin.named
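The `permission denied` that named prints does not say who denied it; the kernel records the AppArmor decision as an audit event (visible with `dmesg`, `journalctl -k`, or in /var/log/audit/audit.log when auditd is running). The following is an added example, not code from the question or this answer, that pulls the denials for one profile out of such lines so the cause can be confirmed before touching any profile. The sample log lines are constructed to mirror the scenario above (a named process with fsuid 108 failing to open /var/log/query.log); they were not captured from a real host, and the field layout is the standard AppArmor `type=1400` format.

```python
"""Added example: find AppArmor denials for a profile in kernel audit lines."""
import re
from collections import Counter

# Constructed sample (not a real capture): one STATUS event, two identical
# denials for the named profile, and an unrelated denial for another profile.
SAMPLE_KERNEL_LOG = """\
audit: type=1400 audit(1585849044.101:55): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=5840 comm="apparmor_parser"
audit: type=1400 audit(1585849044.301:56): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/query.log" pid=5851 comm="named" requested_mask="ac" denied_mask="ac" fsuid=108 ouid=0
audit: type=1400 audit(1585849044.302:57): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/query.log" pid=5851 comm="named" requested_mask="ac" denied_mask="ac" fsuid=108 ouid=0
audit: type=1400 audit(1585849050.000:58): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/home/user/cap.pcap" pid=612 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=1000
"""

# AppArmor emits key="value" pairs; unquoted fields such as pid= are ignored here.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_events(text):
    """Return one dict of quoted fields per line that carries an apparmor= field.

    Any prefix (e.g. 'Apr 02 17:37:24 host kernel: ') is tolerated, so the
    output of dmesg, journalctl -k and auditd all work as input.
    """
    events = []
    for line in text.splitlines():
        fields = dict(_KV.findall(line))
        if "apparmor" in fields:
            events.append(fields)
    return events


def denials_for(text, profile):
    """Unique (operation, path, denied_mask, count) tuples for one profile.

    Most frequent denial first. denied_mask letters: r read, w write,
    a append, c create, d delete, k lock, l link, m mmap, x execute.
    """
    hits = Counter(
        (e.get("operation"), e.get("name"), e.get("denied_mask"))
        for e in parse_apparmor_events(text)
        if e.get("apparmor") == "DENIED" and e.get("profile") == profile
    )
    return [(op, path, mask, n) for (op, path, mask), n in hits.most_common()]


if __name__ == "__main__":
    for op, path, mask, n in denials_for(SAMPLE_KERNEL_LOG, "/usr/sbin/named"):
        print(f"{n}x {op} {path} denied={mask}")
```

On a live host feed it `journalctl -k --no-pager` or `dmesg` instead of the constructed sample; a denial on the path named in your `file` directive, with a mask containing `a`, `w` or `c`, is the confirmation that the profile, not the file mode, is what blocked named. `aa-status` shows whether `/usr/sbin/named` is in enforce or complain mode.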

Answer 2

I ran into the same problem when uncommenting the logging section in named.conf.

As @Waddles suggested, it is AppArmor. It is probably missing the permission for /var/log/*

  • Log to a folder such as /var/log/bind/

  • Make the bind user the owner of the folder

  • Check and change (if needed)...

    $ sudo vi /etc/apparmor.d/usr.sbin.named

Look for the following section

  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

and, immediately after the last line of that block (/var/cache/bind/ rw,), add:

  /var/log/bind/** rw,
  /var/log/bind/ rw,

Save the file and exit, then reload AppArmor:

$ sudo systemctl restart apparmor

Then start bind again and the error is gone.
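Both answers come down to the same check: every path named in a `file` directive of the `logging` block must be matched by a profile rule that grants write (or append) access. The following is an added example, not code from either answer or from the bind9 or AppArmor packages, that performs that check offline and prints the narrowest rules that would cover any uncovered file. The profile excerpt is constructed from the rules quoted in the two answers, the named.conf fragment from the question's channel plus a second channel placed under /var/log/named/; the glob handling implements AppArmor's `*` (no `/`) and `**` (crosses `/`) semantics, which is all the quoted profile uses.

```python
"""Added example: check BIND log file paths against AppArmor file rules."""
import re

# Constructed: the file rules the two answers quote from usr.sbin.named.
PROFILE_EXCERPT = """\
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,
"""

# Constructed: the asker's channel (denied) and one under /var/log/named/ (allowed).
NAMED_CONF = """\
logging {
    channel query.log {
        file "/var/log/query.log";
        severity dynamic;
    };
    channel ok.log {
        file "/var/log/named/query.log" versions 3 size 5m;
    };
    category queries { query.log; ok.log; };
};
"""

# A file rule is "<path glob> <permission letters>," on its own line.
_RULE = re.compile(r'^\s*(/\S+)\s+([A-Za-z]+),\s*$')
# The quoted path of a channel's file directive; trailing versions/size are ignored.
_FILE = re.compile(r'\bfile\s+"([^"]+)"')


def parse_profile_rules(text):
    """Return [(path_glob, perms)] for file rules; comments and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m and not line.lstrip().startswith("#"):
            rules.append((m.group(1), m.group(2)))
    return rules


def glob_to_regex(glob):
    """AppArmor glob -> anchored regex: '**' spans directories, '*' stays within one."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def allowed_to_write(path, rules):
    """True if some rule matching path grants write ('w') or append ('a')."""
    return any(
        ("w" in perms or "a" in perms) and glob_to_regex(glob).match(path)
        for glob, perms in rules
    )


def uncovered_log_files(conf_text, profile_text):
    """Log file paths from the logging block that no profile rule lets named write."""
    rules = parse_profile_rules(profile_text)
    return [p for p in _FILE.findall(conf_text) if not allowed_to_write(p, rules)]


def local_override(paths):
    """Rules for /etc/apparmor.d/local/usr.sbin.named, one per uncovered file.

    The trailing '*' covers the rotated copies named produces with 'versions'
    (query.log.0, query.log.1, ...) without opening up the whole directory.
    """
    return [f"{p}* rw," for p in paths]


if __name__ == "__main__":
    missing = uncovered_log_files(NAMED_CONF, PROFILE_EXCERPT)
    print("not writable under the profile:", missing)
    print("\n".join(local_override(missing)))
```

Run against the real files with the contents of /etc/apparmor.d/usr.sbin.named and your named.conf.local substituted for the constructed strings. Whichever file you put the resulting rules in, the profile has to be reloaded (`apparmor_parser -r /etc/apparmor.d/usr.sbin.named`, or the `systemctl restart apparmor` shown above) before restarting bind9, and the file or directory still needs to be writable by the `bind` user, since AppArmor is applied on top of the normal permission check, not instead of it.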
