我正在运行 Ubuntu 18.04.2 和 BIND 9.11.3
我尝试通过将以下内容添加到 /etc/bind/named.conf.local 来启用日志记录
logging {
channel bind.log {
file "/var/log/bind/bind.log" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
// Set the severity to dynamic to see all the debug messages.
severity info;
};
category default { bind.log; };
};
“named-checkconf /etc/bind/named.conf.local” 没有报告任何错误。但是当我这样做时:
root@mail:/home/mike# service bind9 restart
root@mail:/home/mike# service bind9 status
我得到:
bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2019-07-06 18:48:43 NZST; 2s ago
Docs: man:named(8)
Process: 9812 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
Process: 12930 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 12930 (code=exited, status=1/FAILURE)
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: A.E.F.IP6.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: B.E.F.IP6.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: EMPTY.AS112.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: none:103: 'max-cache-size 90%' - setting to 7086MB (out of 7874MB)
Jul 06 18:48:43 mail.mydomain.nz named[12930]: command channel listening on 127.0.0.1#953
Jul 06 18:48:43 mail.mydomain.nz named[12930]: isc_stdio_open '/var/log/bind/bind.log' failed: permission denied
Jul 06 18:48:43 mail.mydomain.nz named[12930]: configuring logging: permission denied
Jul 06 18:48:43 mail.mydomain.nz named[12930]: loading configuration: permission denied
Jul 06 18:48:43 mail.mydomain.nz named[12930]: exiting (due to fatal error)
/var/log/bind 的权限为:
root@mail:/home/mike# ls -ld /var/log/bind
drwxrwxr-x 2 root root 4096 Jul 6 17:51 /var/log/bind
这篇文章说
isc_stdio_open'/var/log/bind9/query.log'失败:权限被拒绝
“bind:bind” 有效,但我看不懂。这是否是指目录由名为“bind”的用户拥有并属于“bind”组?我本来想对这个问题发表评论,要求提供更多信息,但至少需要 50 点声誉。
我在系统日志中注意到了这一点:
Jul 6 22:30:52 mail kernel: [1835655.620976] audit: type=1400 audit(1562409052.847:297): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=10582 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=120 ouid=0
答案1
在 /etc/apparmor.d/usr.sbin.named 中
我变了
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
到
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/bind/** rw,
/var/log/bind/ rw,
因为这是我指定要写入日志的目录的名称。
然后
root@mail:/home/mike# service apparmor restart
root@mail:/home/mike# service bind9 restart
root@mail:/home/mike# service bind9 status
都好。