Hello,
** José Luis Artuch <zenbakaitz at speedy.com.ar> [2019-10-24 10:38:43 -0300]:
> Thanks Simon,
>
> Exactly, there was the problem !!
> I just discovered it at the same time you wrote with the data provided
> by Andreas and Jeroen :)
>
> Thank you very much to all three for guiding me !!!
>
> Here is what I did:
>
> mkdir -p /var/log/nsd
> chown nsd:nsd /var/log/nsd
>
> nano /etc/nsd/nsd.conf
> ...
> logfile: "/var/log/nsd/nsd.log"
> ...
>
> cp /lib/systemd/system/nsd.service{,_original}
> nano /lib/systemd/system/nsd.service
> ...
> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log/nsd
> ...
And you didn't follow good advice:
$ sudo systemctl edit nsd
The next NSD upgrade will overwrite your changes and you will again come to
the ML and will again ask the same question. Don't invent the wheel and
NEVER touch a system configuration file IF there is an alternative.
> systemctl daemon-reload <--- !!!!
> systemctl restart nsd
>
> Thank you very much again, best regards !!
> José Luis
>
> On Thu, 24-10-2019 at 08:58 -0400, Simon Deziel wrote:
>> On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
>>> Thanks Jeroen,
>>>
>>> About permissions and owners:
>>> For /var/log/nsd.log, the directory /var/log/ has 755 root:root
>>> For /var/log/nsd/nsd.log, I created alternatively a directory
>>> /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and
>>> root owners.
>>> As for NSD user, in /etc/nsd/nsd.conf I have configured username:
>>> nsd.
>>>
>>> cat /lib/systemd/system/nsd.service
>>> [Unit]
>>> Description=Name Server Daemon
>>> Documentation=man:nsd(8)
>>> After=network.target
>>>
>>> [Service]
>>> Type=notify
>>> Restart=always
>>> ExecStart=/usr/sbin/nsd -d
>>> ExecReload=+/bin/kill -HUP $MAINPID
>>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>> MemoryDenyWriteExecute=true
>>> NoNewPrivileges=true
>>> PrivateDevices=true
>>> PrivateTmp=true
>>> ProtectHome=true
>>> ProtectControlGroups=true
>>> ProtectKernelModules=true
>>> ProtectKernelTunables=true
>>> ProtectSystem=strict
>>> ReadWritePaths=/var/lib/nsd /etc/nsd /run
>>
>> ProtectSystem=strict turns most of the hierarchy into read only
>> mounts so you need to add /var/log and/or /var/log/nsd as
>> ReadWritePaths for them to be writable by nsd itself. This is
>> normally not needed as logging goes through syslog by default but
>> you are likely using "logfile" in nsd.conf.
>>
>> To add that ReadWritePaths directive:
>>
>> sudo systemctl edit nsd
>>
>> Then type and save the following:
>>
>> [Service]
>> ReadWritePaths=/var/log/nsd
>>
>>
>> This will create an override file supplementing the package provided
>> unit with your local config.
>>
>> HTH,
>> Simon
---
WBR, Vladimir Lomov
--
Remember that there is an outside world to see and enjoy.
-- Hans Liepmann