On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> Thanks Jeroen,
>
> About permissions and owners:
> For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> For /var/log/nsd/nsd.log, I created alternatively a directory
> /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and root
> owners.
> As for NSD user, in /etc/nsd/nsd.conf I have configured username: nsd.
>
> cat /lib/systemd/system/nsd.service
> [Unit]
> Description=Name Server Daemon
> Documentation=man:nsd(8)
> After=network.target
>
> [Service]
> Type=notify
> Restart=always
> ExecStart=/usr/sbin/nsd -d
> ExecReload=+/bin/kill -HUP $MAINPID
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=strict
> ReadWritePaths=/var/lib/nsd /etc/nsd /run

ProtectSystem=strict turns most of the hierarchy into read only mounts so
you need to add /var/log and/or /var/log/nsd as ReadWritePaths= for them
to be writable by nsd itself. This is normally not needed as logging goes
through syslog by default but you are likely using "logfile" in nsd.conf.

To add that ReadWritePaths directive:

sudo systemctl edit nsd

Then type and save the following:

[Service]
ReadWritePaths=/var/log/nsd

This will create an override file supplementing the package provided unit
with your local config.

HTH,
Simon
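As an added illustration of the merge that `systemctl edit` relies on (this is example code written for this page, not code from the nsd-users thread, from NSD or from systemd), the script below models how a unit file and its drop-in directory combine their ReadWritePaths= lines, and then checks whether a logfile path would still be writable under ProtectSystem=. The unit and override contents are constructed samples modelled on the thread; the `effective_rw_paths`, `protect_system` and `path_writable` functions are my own names. It goes slightly beyond the thread by also handling the weaker `full` and `true` modes, and it is a simplified model: specifiers, quoting, the "+" prefix, ReadOnlyPaths= and InaccessiblePaths= are not handled, and it says nothing about file-mode (DAC) permissions, which still apply on top.

```shell
#!/bin/sh
# Added example; not code from the nsd-users thread, NSD or systemd.
# Models how systemd merges ReadWritePaths= from a unit file and its
# drop-ins, and whether a path stays writable under ProtectSystem=.
# Simplified: no specifiers, quoting, "+" prefix, ReadOnlyPaths= or
# InaccessiblePaths=; DAC permissions are out of scope.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
unit="$workdir/nsd.service"
dropin="$workdir/nsd.service.d"   # where `systemctl edit` puts override.conf
emptydir="$workdir/empty.d"       # stands in for "no override installed"
mkdir -p "$dropin" "$emptydir"

# Constructed sample, modelled on the unit quoted in the thread.
cat > "$unit" <<'EOF'
[Service]
ExecStart=/usr/sbin/nsd -d
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
EOF

# Constructed sample of the override the thread suggests.
cat > "$dropin/override.conf" <<'EOF'
[Service]
ReadWritePaths=/var/log/nsd
EOF

# effective_rw_paths UNIT DROPIN_DIR
# Prints the merged ReadWritePaths= entries, one per line. The unit file is
# read first, then drop-ins in lexical order; an empty assignment
# (ReadWritePaths=) clears everything collected so far, as systemd does.
effective_rw_paths() {
    unit="$1"; dir="$2"
    set -- "$unit"
    for f in "$dir"/*.conf; do [ -f "$f" ] && set -- "$@" "$f"; done
    awk '
        /^[[:space:]]*ReadWritePaths=/ {
            sub(/^[[:space:]]*ReadWritePaths=/, "")
            if ($0 == "") { acc = ""; next }
            acc = acc " " $0
        }
        END {
            n = split(acc, entry, " ")
            for (i = 1; i <= n; i++) print entry[i]
        }
    ' "$@"
}

# protect_system UNIT DROPIN_DIR
# Prints the last ProtectSystem= value across unit and drop-ins ("no" if unset).
protect_system() {
    unit="$1"; dir="$2"
    set -- "$unit"
    for f in "$dir"/*.conf; do [ -f "$f" ] && set -- "$@" "$f"; done
    awk -F= '/^[[:space:]]*ProtectSystem=/ { v = $2 }
             END { print (v == "" ? "no" : v) }' "$@"
}

# path_writable PATH UNIT DROPIN_DIR
# Prints "writable" or "read-only" and returns 0 or 1 accordingly.
path_writable() {
    target="$1"; unit="$2"; dir="$3"
    ro=0
    case "$(protect_system "$unit" "$dir")" in
        strict)   # whole tree read-only except the API filesystems
            case "$target" in /dev|/dev/*|/proc|/proc/*|/sys|/sys/*) ;; *) ro=1 ;; esac ;;
        full)     # /usr, the boot loader directories and /etc
            case "$target" in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*|/etc|/etc/*) ro=1 ;; esac ;;
        true|yes) # /usr and the boot loader directories
            case "$target" in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*) ro=1 ;; esac ;;
    esac
    if [ "$ro" -eq 1 ]; then
        # ReadWritePaths= punches writable holes; a leading "-" marks an optional entry.
        for entry in $(effective_rw_paths "$unit" "$dir"); do
            entry="${entry#-}"
            case "$target" in "$entry"|"$entry"/*) ro=0; break ;; esac
        done
    fi
    if [ "$ro" -eq 0 ]; then echo writable; return 0; fi
    echo read-only; return 1
}

echo "logfile with override:    $(path_writable /var/log/nsd/nsd.log "$unit" "$dropin")"
echo "logfile without override: $(path_writable /var/log/nsd/nsd.log "$unit" "$emptydir")"
echo "/var/log/nsd.log:         $(path_writable /var/log/nsd.log "$unit" "$dropin")"
```

The second line of output is the situation in the thread: with the packaged unit alone, /var/log/nsd sits outside every ReadWritePaths= entry and ProtectSystem=strict leaves it read-only, whatever mode bits the directory carries. The third line shows why a logfile directly in /var/log would need /var/log itself (not only /var/log/nsd) added. On a real host the same question is answered by `systemctl show -p ReadWritePaths -p ProtectSystem nsd`, which prints the merged values after `daemon-reload`.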
On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > Thanks Jeroen,
> >
> > About permissions and owners:
> > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > For /var/log/nsd/nsd.log, I created alternatively a directory
> > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and
> > root owners.
> > As for NSD user, in /etc/nsd/nsd.conf I have configured username:
> > nsd.
> >
> > cat /lib/systemd/system/nsd.service
> > [Unit]
> > Description=Name Server Daemon
> > Documentation=man:nsd(8)
> > After=network.target
> >
> > [Service]
> > Type=notify
> > Restart=always
> > ExecStart=/usr/sbin/nsd -d
> > ExecReload=+/bin/kill -HUP $MAINPID
> > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > MemoryDenyWriteExecute=true
> > NoNewPrivileges=true
> > PrivateDevices=true
> > PrivateTmp=true
> > ProtectHome=true
> > ProtectControlGroups=true
> > ProtectKernelModules=true
> > ProtectKernelTunables=true
> > ProtectSystem=strict
> > ReadWritePaths=/var/lib/nsd /etc/nsd /run
>
> ProtectSystem=strict turns most of the hierarchy into read only
> mounts so you need to add /var/log and/or /var/log/nsd as
> ReadWritePaths= for them to be writable by nsd itself. This is
> normally not needed as logging goes through syslog by default but you
> are likely using "logfile" in nsd.conf.
>
> To add that ReadWritePaths directive:
>
> sudo systemctl edit nsd
>
> Then type and save the following:
>
> [Service]
> ReadWritePaths=/var/log/nsd
>
> This will create an override file supplementing the package provided
> unit with your local config.
>
> HTH,
> Simon

The systemd unit shows nsd is executed with "-d", that causes it to not
fork. Judging by the ReadWritePaths in the original unit file, the
original intent was maybe for nsd to log to stdout and then have systemd
write it to the journal(?) Maybe that bit changed between Debian versions?

You could try not logging to a file by removing it from the configuration
and see if the output still ends up in the journal. Alternatively, Simon's
answer seems to make sense, so you can take that route too.

- Jeroen
Thanks Simon,

Exactly, there was the problem!!
I just discovered it at the same time you wrote, with the data provided by
Andreas and Jeroen :)
Thank you very much to all three for guiding me!!!

Here is what I did:

mkdir -p /var/log/nsd
chown nsd:nsd /var/log/nsd
nano /etc/nsd/nsd.conf
...
logfile: "/var/log/nsd/nsd.log"
...
cp /lib/systemd/system/nsd.service{,_original}
nano /lib/systemd/system/nsd.service
...
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
...
systemctl daemon-reload <--- !!!!
systemctl restart nsd

Thank you very much again, best regards!!
José Luis

On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > Thanks Jeroen,
> >
> > About permissions and owners:
> > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > For /var/log/nsd/nsd.log, I created alternatively a directory
> > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and
> > root owners.
> > As for NSD user, in /etc/nsd/nsd.conf I have configured username:
> > nsd.
> >
> > cat /lib/systemd/system/nsd.service
> > [Unit]
> > Description=Name Server Daemon
> > Documentation=man:nsd(8)
> > After=network.target
> >
> > [Service]
> > Type=notify
> > Restart=always
> > ExecStart=/usr/sbin/nsd -d
> > ExecReload=+/bin/kill -HUP $MAINPID
> > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > MemoryDenyWriteExecute=true
> > NoNewPrivileges=true
> > PrivateDevices=true
> > PrivateTmp=true
> > ProtectHome=true
> > ProtectControlGroups=true
> > ProtectKernelModules=true
> > ProtectKernelTunables=true
> > ProtectSystem=strict
> > ReadWritePaths=/var/lib/nsd /etc/nsd /run
>
> ProtectSystem=strict turns most of the hierarchy into read only
> mounts so you need to add /var/log and/or /var/log/nsd as
> ReadWritePaths= for them to be writable by nsd itself.
> This is normally not needed as logging goes through syslog by default
> but you are likely using "logfile" in nsd.conf.
>
> To add that ReadWritePaths directive:
>
> sudo systemctl edit nsd
>
> Then type and save the following:
>
> [Service]
> ReadWritePaths=/var/log/nsd
>
> This will create an override file supplementing the package provided
> unit with your local config.
>
> HTH,
> Simon
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users