绑定日志不起作用

I am running Ubuntu 18.04.2 and BIND 9.11.3.

I tried to enable logging by adding the following to /etc/bind/named.conf.local:

logging {
    channel bind.log {
        file "/var/log/bind/bind.log" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        // Set the severity to dynamic to see all the debug messages.
        severity info;
    };

    category default { bind.log; };
};

"named-checkconf /etc/bind/named.conf.local" reports no errors. But when I do:

root@mail:/home/mike# service bind9 restart
root@mail:/home/mike# service bind9 status

I get:

bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2019-07-06 18:48:43 NZST; 2s ago
     Docs: man:named(8)
  Process: 9812 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
  Process: 12930 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 12930 (code=exited, status=1/FAILURE)

Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: A.E.F.IP6.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: B.E.F.IP6.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: automatic empty zone: EMPTY.AS112.ARPA
Jul 06 18:48:43 mail.mydomain.nz named[12930]: none:103: 'max-cache-size 90%' - setting to 7086MB (out of 7874MB)
Jul 06 18:48:43 mail.mydomain.nz named[12930]: command channel listening on 127.0.0.1#953
Jul 06 18:48:43 mail.mydomain.nz named[12930]: isc_stdio_open '/var/log/bind/bind.log' failed: permission denied
Jul 06 18:48:43 mail.mydomain.nz named[12930]: configuring logging: permission denied
Jul 06 18:48:43 mail.mydomain.nz named[12930]: loading configuration: permission denied
Jul 06 18:48:43 mail.mydomain.nz named[12930]: exiting (due to fatal error)

The permissions on /var/log/bind are:

root@mail:/home/mike# ls -ld /var/log/bind
drwxrwxr-x 2 root root 4096 Jul  6 17:51 /var/log/bind

This post says

isc_stdio_open '/var/log/bind9/query.log' failed: permission denied

that "bind:bind" works, but I don't understand it. Does that mean the directory is owned by a user named "bind" and belongs to the "bind" group? I wanted to comment on that question to ask for more information, but that needs at least 50 reputation.

I noticed this in the system log:

Jul  6 22:30:52 mail kernel: [1835655.620976] audit: type=1400 audit(1562409052.847:297): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=10582 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=120 ouid=0

Answer 1

In /etc/apparmor.d/usr.sbin.named

I changed

# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,

to

# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/bind/** rw,
/var/log/bind/ rw,

because that is the name of the directory I told it to write the log to.

Then

root@mail:/home/mike# service apparmor restart
root@mail:/home/mike# service bind9 restart
root@mail:/home/mike# service bind9 status

All good.
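As an added example, not code from the question or the answer above: a small POSIX shell script that pulls the AppArmor DENIED audit line out of a syslog sample, checks whether a named profile file already grants write access to the denied path, and prints the two rules the answer added. The sample log line and the cut-down profile are constructed for the demo, and AppArmor globs are approximated by shell patterns.

```shell
#!/bin/sh
# Added example (not from the question or answer): parse AppArmor DENIED audit
# lines like the one in the question, check whether a profile file grants write
# access to the denied path, and print the rules that would. Sample data is constructed.

# Print "profile,path,denied_mask" for every AppArmor DENIED line in file $1.
apparmor_denials() {
    grep 'apparmor="DENIED"' "$1" | sed -n \
        's#.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*#\1,\2,\3#p'
}

# Return 0 if profile file $1 has a rule with "w" permission matching path $2.
# AppArmor globs are approximated by shell patterns ("**" and "*" both -> "*").
profile_allows_write() {
    grep -v '^[[:space:]]*#' "$1" |
    sed -n 's#^[[:space:]]*\(/[^[:space:]]*\)[[:space:]][[:space:]]*\([a-z]*\),.*#\1 \2#p' |
    while read -r glob perms; do
        case "$perms" in *w*) ;; *) continue ;; esac
        pat=$(printf '%s' "$glob" | sed 's#\*\*#*#g')
        case "$2" in $pat) echo match ;; esac
    done | grep -q match
}

# Print the two rules, in the form the answer used, that cover log file $1.
rules_for_log() {
    printf '%s/** rw,\n%s/ rw,\n' "$(dirname "$1")" "$(dirname "$1")"
}

# Constructed syslog line and a cut-down profile with the stock /var/log/named rules.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/syslog" <<'EOF'
Jul  6 22:30:52 mail kernel: [1835655.620976] audit: type=1400 audit(1562409052.847:297): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=10582 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=120 ouid=0
EOF
cat >"$tmp/named.before" <<'EOF'
/usr/sbin/named {
  /etc/bind/** r,
  /var/log/named/** rw,
  /var/log/named/ rw,
}
EOF
sed 's#/var/log/named#/var/log/bind#' "$tmp/named.before" >"$tmp/named.after"  # the answer's edit

apparmor_denials "$tmp/syslog" | while IFS=, read -r prof path mask; do
    echo "$prof denied '$mask' on $path"
    for p in before after; do
        if profile_allows_write "$tmp/named.$p" "$path"; then echo "  $p: allowed"
        else echo "  $p: not allowed; add:"; rules_for_log "$path" | sed 's/^/    /'; fi
    done
done
```

On a live host the same functions can be pointed at /var/log/syslog and /etc/apparmor.d/usr.sbin.named instead of the constructed files.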