Running in an OpenVZ guest, I cannot use the AppArmor that was discussed, so I tried to configure BIND9 to run in a chroot.
Following the documentation, I struggled until I found that /etc/default/bind9 is not honoured on Ubuntu 15.04 and 16.04.
Then I made the change via $ sudo systemctl edit bind9 and got the following in the log:
starting BIND 9.10.3-P4-Ubuntu <id:ebd72b3> -f -t /var/named/run-root -u bind
So far so good. Until the following appeared in the log:
named[3398]: ENGINE_by_id failed (crypto failure)
named[3398]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
named[3398]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
named[3398]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
named[3398]: initializing DST: crypto failure
named[3398]: exiting (due to fatal error)
systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Any ideas on how to solve this?
Edit:
This appears to be a bug found in Debian: Debian bug 820974. There is also an older Debian bug 696661 that should have been fixed.
Answer 1
I think, essentially, this boils down to the more general question of how to run chrooted programs.
The chroot directory you prepare must contain all the files needed at runtime; if that is not well documented, you can simply observe which files the chrooted process tries to use.
In this specific case, the error messages indicate that some library is being loaded dynamically, but that library does not exist (probably because the library is loaded after chroot() has been called, and the library file is not present in the new root directory).
The error messages are not clear on the details, but it sounds like some crypto-related extension or similar (probably openssl) that gets loaded dynamically at runtime.
Since the distribution does not seem to have properly documented which files need to be copied, I suggest simply using strace to see which files it tries to open before that error occurs.
First, to reproduce the problem, I launched an Ubuntu 16.04 instance, disabled apparmor, followed the steps in the Ubuntu guide you linked, and made sure I got the correct error:
# named -g -f -u bind -t /chroot/named
01-Oct-2016 17:36:25.539 starting BIND 9.10.3-P4-Ubuntu <id:ebd72b3> -g -f -u bind -t /chroot/named
01-Oct-2016 17:36:25.539 built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
01-Oct-2016 17:36:25.539 ----------------------------------------------------
01-Oct-2016 17:36:25.539 BIND 9 is maintained by Internet Systems Consortium,
01-Oct-2016 17:36:25.539 Inc. (ISC), a non-profit 501(c)(3) public-benefit
01-Oct-2016 17:36:25.539 corporation. Support and training for BIND 9 are
01-Oct-2016 17:36:25.539 available at https://www.isc.org/support
01-Oct-2016 17:36:25.539 ----------------------------------------------------
01-Oct-2016 17:36:25.539 adjusted limit on open files from 65536 to 1048576
01-Oct-2016 17:36:25.539 found 1 CPU, using 1 worker thread
01-Oct-2016 17:36:25.539 using 1 UDP listener per interface
01-Oct-2016 17:36:25.539 using up to 4096 sockets
01-Oct-2016 17:36:25.541 ENGINE_by_id failed (crypto failure)
01-Oct-2016 17:36:25.541 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
01-Oct-2016 17:36:25.541 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
01-Oct-2016 17:36:25.541 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
01-Oct-2016 17:36:25.541 initializing DST: crypto failure
01-Oct-2016 17:36:25.541 exiting (due to fatal error)
#
So, the next step was to simply throw strace at it. There is a lot of output, but the last bit is:
# strace named -g -f -u bind -t /chroot/named
...
open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0x7f61561bb0a8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
gettimeofday({1475343388, 821162}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 ENGINE_"..., 6201-Oct-2016 17:36:28.821 ENGINE_by_id failed (crypto failure)
) = 62
gettimeofday({1475343388, 821239}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 error:2"..., 11901-Oct-2016 17:36:28.821 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
) = 119
gettimeofday({1475343388, 821314}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 error:2"..., 9801-Oct-2016 17:36:28.821 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
) = 98
gettimeofday({1475343388, 821376}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 error:2"..., 10701-Oct-2016 17:36:28.821 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
) = 107
gettimeofday({1475343388, 821604}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 initial"..., 5801-Oct-2016 17:36:28.821 initializing DST: crypto failure
) = 58
gettimeofday({1475343388, 821668}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 exiting"..., 5401-Oct-2016 17:36:28.821 exiting (due to fatal error)
) = 54
exit_group(1) = ?
+++ exited with 1 +++
So this bit seems to match the problem exactly; right after it, it starts printing the error messages.
open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
So what if we simply copy the /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ directory into the chroot directory set up for bind?
# mkdir -p /chroot/named/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines
# cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/* /chroot/named/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/
(You may want to consider some different approach, maybe bind mounts? But these files seem to need to exist in the chroot either way.)
At this point I got completely self-explanatory errors, which were easily solved by simply copying all (not just one) of the files, and the directories /etc/bind/ and /var/cache/bind/, into the named chroot.
After this:
# named -g -f -u bind -t /chroot/named
01-Oct-2016 17:51:01.159 starting BIND 9.10.3-P4-Ubuntu <id:ebd72b3> -g -f -u bind -t /chroot/named
01-Oct-2016 17:51:01.159 built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
01-Oct-2016 17:51:01.159 ----------------------------------------------------
01-Oct-2016 17:51:01.159 BIND 9 is maintained by Internet Systems Consortium,
01-Oct-2016 17:51:01.159 Inc. (ISC), a non-profit 501(c)(3) public-benefit
01-Oct-2016 17:51:01.159 corporation. Support and training for BIND 9 are
01-Oct-2016 17:51:01.159 available at https://www.isc.org/support
01-Oct-2016 17:51:01.159 ----------------------------------------------------
01-Oct-2016 17:51:01.159 adjusted limit on open files from 65536 to 1048576
01-Oct-2016 17:51:01.159 found 1 CPU, using 1 worker thread
01-Oct-2016 17:51:01.159 using 1 UDP listener per interface
01-Oct-2016 17:51:01.159 using up to 4096 sockets
01-Oct-2016 17:51:01.163 loading configuration from '/etc/bind/named.conf'
01-Oct-2016 17:51:01.164 reading built-in trusted keys from file '/etc/bind/bind.keys'
01-Oct-2016 17:51:01.164 GeoIP Country (IPv4) (type 1) DB not available
01-Oct-2016 17:51:01.164 GeoIP Country (IPv6) (type 12) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv4) (type 2) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv4) (type 6) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv6) (type 30) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv6) (type 31) DB not available
01-Oct-2016 17:51:01.164 GeoIP Region (type 3) DB not available
01-Oct-2016 17:51:01.164 GeoIP Region (type 7) DB not available
01-Oct-2016 17:51:01.164 GeoIP ISP (type 4) DB not available
01-Oct-2016 17:51:01.164 GeoIP Org (type 5) DB not available
01-Oct-2016 17:51:01.164 GeoIP AS (type 9) DB not available
01-Oct-2016 17:51:01.164 GeoIP Domain (type 11) DB not available
01-Oct-2016 17:51:01.164 GeoIP NetSpeed (type 10) DB not available
01-Oct-2016 17:51:01.164 using default UDP/IPv4 port range: [1024, 65535]
01-Oct-2016 17:51:01.165 using default UDP/IPv6 port range: [1024, 65535]
01-Oct-2016 17:51:01.165 listening on IPv6 interfaces, port 53
01-Oct-2016 17:51:01.166 listening on IPv4 interface lo, 127.0.0.1#53
01-Oct-2016 17:51:01.166 listening on IPv4 interface eth0, 172.31.2.127#53
01-Oct-2016 17:51:01.167 generating session key for dynamic DNS
01-Oct-2016 17:51:01.167 sizing zone task pool based on 5 zones
01-Oct-2016 17:51:01.169 using built-in root key for view _default
01-Oct-2016 17:51:01.169 set up managed keys zone for view _default, file 'managed-keys.bind'
01-Oct-2016 17:51:01.170 automatic empty zone: 10.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 16.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 17.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 18.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 19.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 20.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 21.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 22.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 23.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 24.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 25.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 26.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 27.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 28.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 29.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 30.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 31.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 168.192.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 64.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 65.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 66.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 67.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 68.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 69.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 70.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 71.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 72.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 73.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 74.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 75.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 76.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 77.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 78.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 79.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 80.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 81.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 82.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 83.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 84.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 85.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 86.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 87.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 88.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 89.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 90.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 91.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 92.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 93.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 94.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 95.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 96.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 97.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 98.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 99.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 100.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 101.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 102.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 103.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 104.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 105.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 106.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 107.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 108.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 109.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 110.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 111.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 112.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 113.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 114.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 115.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 116.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 117.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 118.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 119.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 120.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 121.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 122.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 123.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 124.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 125.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 126.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 127.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 254.169.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 2.0.192.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 100.51.198.IN-ADDR.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 113.0.203.IN-ADDR.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: D.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 8.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 9.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: A.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: B.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: EMPTY.AS112.ARPA
01-Oct-2016 17:51:01.176 configuring command channel from '/etc/bind/rndc.key'
01-Oct-2016 17:51:01.176 command channel listening on 127.0.0.1#953
01-Oct-2016 17:51:01.176 configuring command channel from '/etc/bind/rndc.key'
01-Oct-2016 17:51:01.176 command channel listening on ::1#953
01-Oct-2016 17:51:01.176 the working directory is not writable
01-Oct-2016 17:51:01.176 not using config file logging statement for logging due to -g option
01-Oct-2016 17:51:01.176 managed-keys.bind.jnl: create: permission denied
01-Oct-2016 17:51:01.176 managed-keys-zone: sync_keyzone:dns_journal_open -> unexpected error
01-Oct-2016 17:51:01.176 managed-keys-zone: unable to synchronize managed keys: unexpected error
01-Oct-2016 17:51:01.177 zone 0.in-addr.arpa/IN: loaded serial 1
01-Oct-2016 17:51:01.178 zone 127.in-addr.arpa/IN: loaded serial 1
01-Oct-2016 17:51:01.179 zone localhost/IN: loaded serial 2
01-Oct-2016 17:51:01.180 zone 255.in-addr.arpa/IN: loaded serial 1
01-Oct-2016 17:51:01.181 all zones loaded
01-Oct-2016 17:51:01.181 running
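The answer's procedure (run the chrooted daemon under strace, spot the open() calls that fail with ENOENT, copy those files into the chroot at the same path) can be scripted. The following is an added example, not code from the original answer or from the BIND project: the strace lines are constructed to match the format shown above, and the chroot location and the strace invocation in the usage comment are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not from the original answer: turn strace output into the
# list of files a chrooted daemon could not open, then copy those files from
# the host into the chroot, preserving their paths.

# Constructed sample, shaped like the strace output shown in the answer.
SAMPLE_STRACE='open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

# missing_paths: read strace output on stdin and print each distinct path that
# open()/openat() failed on with ENOENT, in first-seen order.
# The first two expressions strip the "[pid N]" / "N " prefixes that strace -f
# adds; the third keeps only ENOENT failures and extracts the quoted path.
missing_paths() {
    sed -n \
        -e 's/^\[pid  *[0-9]*]  *//' \
        -e 's/^[0-9][0-9]*  *//' \
        -e 's/^open[a-z]*(\(AT_FDCWD, \)\{0,1\}"\([^"]*\)".* = -1 ENOENT.*/\2/p' |
        awk '!seen[$0]++'
}

# populate_chroot CHROOT: read host paths on stdin; for each one that exists on
# the host, copy it (with mode and ownership, cp -a) to the same path under
# CHROOT. Paths that are absent on the host as well are reported and skipped:
# those are not chroot gaps but files the host never had either (e.g.
# /etc/localtime on a minimal image). Prints the number of files copied.
populate_chroot() {
    chroot_dir=$1
    copied=0
    while IFS= read -r p; do
        if [ -e "$p" ]; then
            mkdir -p "$chroot_dir$(dirname "$p")"
            cp -a "$p" "$chroot_dir$p"
            copied=$((copied + 1))
        else
            echo "skip (absent on host too): $p" >&2
        fi
    done
    echo "$copied"
}

# Assumed usage on a real system (paths are an assumption; the chroot location
# /chroot/named is the one used in the answer):
#   strace -f -e trace=open,openat -o /tmp/named.strace \
#       named -g -f -u bind -t /chroot/named
#   missing_paths < /tmp/named.strace | populate_chroot /chroot/named
#
# Dry run on the constructed sample: lists the three distinct missing files.
printf '%s\n' "$SAMPLE_STRACE" | missing_paths
```

Re-run strace after each pass; the daemon stops at the first fatal gap (here libgost.so), so later gaps only show up once earlier ones are filled. Review what lands in the chroot rather than copying blindly: the point of the chroot is to give named the minimum it needs, so keys and configuration under /etc/bind/ should be copied, but nothing writable or privileged beyond what the "permission denied" messages in the final log call for.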