Dynamic zone update problems, continued


Dynamic zone update problems, continued

Bruce  Johnson
Fixing the permissions and restarting named got dynamic updating working again, but new systems (i.e. names that are NOT already in the zone file) are throwing errors about the journal file: error: journal open failed: unexpected error

Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM' AAAA
Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM' A
Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': adding an RR at 'dhbfswrkgrps1.DYN.Zone.COM' A 10.128.206.151
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM' AAAA
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM' A
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': adding an RR at 'NIC-COPIT.DYN.Zone.COM' A 128.196.45.228
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': error: journal open failed: unexpected error


Is there a specific command to create the .jnl file? I thought named created it automatically as needed. (At least the named-journalprint man page indicates this…)


--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dynamic zone update problems, continued

Bruce  Johnson
I'm running it as named-chroot, and named has rw permissions on /var/named.

This is the directory listing:

[root@mydns named]# ls -l
total 16
drwxr-x---. 7 named named   61 Oct  9 13:30 chroot
drwxrwx---. 2 named named  127 Feb 28 03:27 data
drwxrwx---. 2 named named   60 Mar  4 13:57 dynamic
drwxr-xr-x. 2 named named   31 Mar  2 13:46 log
-rw-r-----. 1 named named 2253 Sep  9 09:48 named.ca
-rw-r-----. 1 named named  152 Sep  9 09:48 named.empty
-rw-r-----. 1 named named  152 Sep  9 09:48 named.localhost
-rw-r-----. 1 named named  168 Sep  9 09:48 named.loopback
drwxrwx---. 2 named named    6 Sep  9 09:47 slaves

On Mar 5, 2021, at 12:19 PM, Gregory Sloop <[hidden email]> wrote:

Re: Dynamic zone update problems, continued
You may need to set permissions on not just the files, but the directory too. If it didn't have permissions to existing files, I suspect the parent directory doesn't allow that same user/group to create files either - so the jnl files don't get created.

-Greg




-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Re: Dynamic zone update problems, continued

Grant Taylor via bind-users
In reply to this post by Bruce Johnson
On 3/5/21 12:07 PM, Bruce Johnson wrote:
> Fixing the permissions and restarting named got dynamic updating
> working again, but new systems (i.e. names that are NOT already in
> the zone file) are throwing errors about the journal file: error:
> journal open failed: unexpected error

It seems like you still have a permissions error.

Can the user that named is running as create new files in the directory
where the zone is stored?

> Is there a specific command to create the .jnl file? I thought named
> created it automatically as needed. (at least the named-journalprint
> man page indicates this…)

I don't remember ever needing to manually create a journal (.jnl) file.
I think that named always did it.

Named will create, modify, and remove the journal file as needed.  rndc
freeze will sync the in memory zone contents to the journal file.  rndc
sync will sync the journal file to the main zone file.  The -clean
option to rndc sync will remove the journal file.  --  Don't forget to
rndc thaw a frozen zone to start allowing dynamic updates again.

Beyond that, I've not needed to worry about the journal file or its
contents.



--
Grant. . . .
unix || die


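Grant's question (can the account named runs as create files in the zone directory?) and his freeze/sync/thaw note, as an added shell example for this thread; it is not ISC code and not something posted in the list. The zone file path in the comments (/var/named/dynamic/DYN.Zone.COM.db) is an assumption; the "zone file + .jnl" naming is BIND's default when no journal clause is given. With -t /var/named/chroot the paths in named.conf are resolved inside the chroot, so test the directory named actually sees (on RHEL-style named-chroot setups that directory is usually bind-mounted from /var/named; check with mount).

```shell
#!/bin/sh
# Check whether named's account can create a journal next to a zone file,
# and wrap the freeze/edit/thaw sequence so a zone is never left frozen.
# Added example for this thread, not ISC code. Paths in comments are assumptions.

# journal_path ZONEFILE -> where named keeps the journal: zone file name plus ".jnl"
# (the BIND default; a "journal" clause in the zone statement overrides it)
journal_path() {
    printf '%s.jnl\n' "$1"
}

# dir_writable DIR -> 0 if the calling user can create and remove a file in DIR
dir_writable() {
    probe="$1/.jnl-probe.$$"
    [ -d "$1" ] || return 1
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# check_journal_dir ZONEFILE -> 0 if the journal can be created or written, 1 otherwise.
# Prints one line saying why. Run it as the account named uses, e.g.
#   sudo -u named sh -c '. ./jnlcheck.sh; check_journal_dir /var/named/dynamic/DYN.Zone.COM.db'
check_journal_dir() {
    jnl=$(journal_path "$1")
    dir=$(dirname "$jnl")
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 1
    fi
    if [ -e "$jnl" ] && [ ! -w "$jnl" ]; then
        echo "journal $jnl exists but is not writable: $(ls -l "$jnl")"
        return 1
    fi
    if ! dir_writable "$dir"; then
        echo "cannot create files in $dir: $(ls -ld "$dir")"
        return 1
    fi
    echo "ok: $(id -un) can create $jnl"
}

# freeze_edit_thaw ZONE CMD... -> rndc freeze ZONE (dynamic updates stop and the
# journal is written into the zone file), run CMD, then rndc thaw ZONE even if
# CMD failed, so updates resume. Needs a running named and rndc; not exercised here.
freeze_edit_thaw() {
    zone=$1; shift
    rndc freeze "$zone" || return 1
    "$@"; rc=$?
    rndc thaw "$zone"
    return $rc
}

# Command-line use: jnlcheck.sh /path/to/zonefile
if [ $# -gt 0 ]; then
    check_journal_dir "$1"
fi
```

One caveat that matters for this thread: a shell obtained with su or sudo runs in the caller's SELinux domain, not in named_t, so check_journal_dir can succeed while an enforcing policy still blocks the real daemon. If the POSIX check passes and the "journal open failed" error persists, look at the audit log (ausearch -m AVC -c named) before touching permissions again.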
Re: Dynamic zone update problems, continued

Bruce  Johnson
The named process is running as 'named':

named      45631  1.0 11.8 411576 220744 ?       Ssl  11:28   0:57 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

If I run su --shell=/bin/sh named, I can create files in the directory where the journal file should be.



On Mar 5, 2021, at 12:39 PM, Grant Taylor via bind-users <[hidden email]> wrote:

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Re: Dynamic zone update problems, continued

Bruce  Johnson
In reply to this post by Grant Taylor via bind-users
Turned out to be a dumdum mistake on my part. SELinux was set to enforcing; I set it to permissive and voila! The .jnl file was created.

I coulda sworn I’d fixed that before...

> On Mar 5, 2021, at 12:39 PM, Grant Taylor via bind-users <[hidden email]> wrote:

--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs


Re: Dynamic zone update problems, continued

Grant Taylor via bind-users
On 3/5/21 1:41 PM, Bruce Johnson wrote:
> Turned out to be a dumdum mistake on my part. SELinux was set to
> enforcing; I set it to permissive and voila! The .jnl file was created.

Ah.

That sounds like an SELinux policy problem.  SELinux /should/ allow
named to create journal files.

A non-default location may be a contributing factor.

> I coulda sworn I’d fixed that before...

I would not be surprised if a system update accidentally overwrote a
tweak to a SELinux policy.

If you can't tell, I prefer to leave things enabled at the security
posture they are at and provide exceptions for things that need to be
allowed.



--
Grant. . . .
unix || die


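Grant's preference (keep SELinux enforcing and grant the one exception named needs) as an added shell example for this thread; it is not list or ISC code. The two audit records are constructed: only the pid and zone from the thread are real, and the inode, device and timestamps are made up. The type names named_t, named_zone_t, named_cache_t and the boolean named_write_master_zones are taken from the RHEL/Fedora bind policy as I know it; confirm on your system with ls -Z /var/named, getsebool named_write_master_zones and sesearch before applying a fix.

```shell
#!/bin/sh
# Triage an SELinux AVC denial for named instead of switching to permissive.
# Added example for this thread, not ISC or distribution code.
# The audit lines are constructed; only pid and zone name come from the thread.

# What SELinux logs when named tries to write into a directory labelled
# named_zone_t (read-only for named in the RHEL/Fedora policy unless the
# named_write_master_zones boolean is on).
AVC_ZONE_DIR='type=AVC msg=audit(1614973527.401:8812): avc:  denied  { write } for  pid=45631 comm="named" name="named" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0'

# The same denial against a directory that lost its label (e.g. recreated by hand
# or copied from a home directory), so it carries a type named never writes to.
AVC_MISLABELED='type=AVC msg=audit(1614973540.118:8813): avc:  denied  { write } for  pid=45631 comm="named" name="dynamic" dev="dm-0" ino=1235 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY -> value of KEY= in an audit record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT -> the type part of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> one of:
#   not-named    the denied process is not named_t; this record is not our problem
#   zone-dir-ro  target is named_zone_t: named may read there but not write
#   mislabeled   target carries a type named_t never writes to: fix the label
#   other        target already has a writable type; needs audit2why
classify_avc() {
    line=$1
    [ "$(ctx_type "$(avc_field "$line" scontext)")" = named_t ] || { echo not-named; return; }
    case $(ctx_type "$(avc_field "$line" tcontext)") in
        named_zone_t) echo zone-dir-ro ;;
        named_cache_t|named_var_run_t|named_log_t) echo other ;;
        *) echo mislabeled ;;
    esac
}

# explain_fix CLASS PATH -> the targeted remedy, as text, for the class above
explain_fix() {
    case $1 in
        zone-dir-ro)
            echo "setsebool -P named_write_master_zones 1   # or keep dynamic zones under a named_cache_t directory such as /var/named/dynamic and point the zone statement there" ;;
        mislabeled)
            echo "restorecon -Rv $2   # if the default label is still wrong: semanage fcontext -a -t named_cache_t '$2(/.*)?' && restorecon -Rv $2" ;;
        not-named)
            echo "not a named_t denial; check comm= and scontext= in the record" ;;
        *)
            echo "audit2why < /var/log/audit/audit.log   # then a targeted module via audit2allow, not permissive mode" ;;
    esac
}

# Real-system use (needs the audit tools; not run here):
#   ausearch -m AVC -c named -ts recent | grep '^type=AVC' | while read -r l; do
#       c=$(classify_avc "$l"); echo "$c: $(explain_fix "$c" /var/named)"; done
if [ $# -gt 0 ]; then
    c=$(classify_avc "$1")
    echo "$c: $(explain_fix "$c" "${2:-/var/named}")"
fi
```

Setting the boolean or relabelling is a one-line change that survives a policy update, which is also why a fix "I coulda sworn I'd fixed before" is better recorded as a semanage fcontext rule than as a manual chcon: restorecon during an update reverts chcon but honours the fcontext entry.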