我想为我的 DNS 服务器 ( bind9
) 创建一个单独的文件来写入日志。我在Ubuntu 社区页面。
因此我添加了以下几行/etc/bind/named.conf.local
:
logging {
channel query.log {
file "/var/log/query.log";
// Set the severity to dynamic to see all the debug messages.
severity dynamic;
};
};
我继续创建一个日志文件,授予它所有权限并重新启动bind9
服务,当检查状态时,我看到一个错误:
cd /var/log
touch query.log
chmod 777 query.log
systemctl restart bind9
systemctl status bind9
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-04-02 17:37:24 UTC; 1s ago
Docs: man:named(8)
Process: 5723 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
Process: 4480 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
Process: 5851 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 5851 (code=exited, status=1/FAILURE)
Apr 02 17:37:24 ballgame named[5851]: command channel listening on 127.0.0.1#953
Apr 02 17:37:24 ballgame named[5851]: configuring command channel from '/etc/bind/rndc.key'
Apr 02 17:37:24 ballgame named[5851]: isc_stdio_open '/var/log/query.log' failed: permission denied
Apr 02 17:37:24 ballgame named[5851]: command channel listening on ::1#953
Apr 02 17:37:24 ballgame named[5851]: isc_stdio_open '/var/log/query.log' failed: permission denied
Apr 02 17:37:24 ballgame named[5851]: configuring logging: permission denied
Apr 02 17:37:24 ballgame named[5851]: loading configuration: permission denied
Apr 02 17:37:24 ballgame named[5851]: exiting (due to fatal error)
Apr 02 17:37:24 ballgame systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Apr 02 17:37:24 ballgame systemd[1]: bind9.service: Failed with result 'exit-code'.
有人能解释一下这里缺少什么吗?
答案1
~# grep log /etc/apparmor.d/usr.sbin.named
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
日志应该记录下来/var/log/named/
,否则 Apparmor 会默默拒绝访问。如果你真的想要覆盖软件包维护者的选择,请在/etc/apparmor.d/local/usr.sbin.named
答案2
当取消注释named.conf中的日志记录部分时遇到了同样的问题。
正如 @Waddles 所建议的,它是 AppArmor。可能缺少 /var/log/* 的权限
将日志记录到 /var/log/bind/ 等文件夹中
使绑定用户成为文件夹的所有者
检查并更改(如果需要)...
$ sudo vi /etc/apparmor.d/usr.sbin.named
查找以下部分
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
并且,在该块(/var/cache/bind/rw,)的最后一行之后立即添加:
/var/log/bind/** rw,
/var/log/bind/ rw,
保存文件并退出,然后重新加载 AppArmor:
$ sudo systemctl restart apparmor
然后再次开始绑定,错误就消失了。