Thanks Jeroen,
If I do:
nano /etc/nsd/nsd.conf
...
# logfile: "/var/log/nsd/nsd.log"
...
systemctl restart nsd
This is the output of journalctl:
journalctl -u nsd.service --since today
oct 24 10:53:26 dhcppc1 nsd[6937]: signal received, shutting down...
oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.281] nsd[6937]:
warning: signal received, shutting down...
oct 24 10:53:26 dhcppc1 nsd[6937]: failed to unlink pidfile
/run/nsd/nsd.pid: Permission denied
oct 24 10:53:26 dhcppc1 nsd[6935]: [2019-10-24 10:53:26.284] nsd[6937]:
warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
oct 24 10:53:26 dhcppc1 systemd[1]: Stopping Name Server Daemon...
oct 24 10:53:26 dhcppc1 systemd[1]: nsd.service: Succeeded.
oct 24 10:53:26 dhcppc1 systemd[1]: Stopped Name Server Daemon.
oct 24 10:53:26 dhcppc1 systemd[1]: Starting Name Server Daemon...
oct 24 10:53:26 dhcppc1 nsd[6965]: nsd starting (NSD 4.1.26)
oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...)
failed for udp: Operation not permitted
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]:
notice: nsd starting (NSD 4.1.26)
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]:
error: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation
not permi
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.479] nsd[6965]:
error: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation
not permi
oct 24 10:53:26 dhcppc1 nsd[6965]: setsockopt(...,IP_TRANSPARENT, ...)
failed for tcp: Operation not permitted
oct 24 10:53:26 dhcppc1 nsd[6965]: setup SSL certificates
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.483] nsd[6965]:
info: setup SSL certificates
oct 24 10:53:26 dhcppc1 nsd[6967]: zonefile /etc/nsd/zones/...
...
oct 24 10:53:26 dhcppc1 nsd[6967]: nsd started (NSD 4.1.26), pid 6965
oct 24 10:53:26 dhcppc1 nsd[6965]: [2019-10-24 10:53:26.584] nsd[6967]:
notice: nsd started (NSD 4.1.26), pid 6965
oct 24 10:53:26 dhcppc1 systemd[1]: Started Name Server Daemon.
Best regards.
José Luis
On Thu, 2019-10-24 at 15:13 +0200, Jeroen Koekkoek wrote:
> On Thu, 2019-10-24 at 08:58 -0400, Simon Deziel wrote:
> > On 2019-10-24 8:46 a.m., José Luis Artuch wrote:
> > > Thanks Jeroen,
> > >
> > > About permissions and owners:
> > > For /var/log/nsd.log, the directory /var/log/ has 755 root:root
> > > For /var/log/nsd/nsd.log, I created alternatively a directory
> > > /var/log/nsd/ with permissions 664, 666 and 777, for both nsd and
> > > root
> > > owners.
> > > As for NSD user, in /etc/nsd/nsd.conf I have configured username:
> > > nsd.
> > >
> > > cat /lib/systemd/system/nsd.service
> > > [Unit]
> > > Description=Name Server Daemon
> > > Documentation=man:nsd(8)
> > > After=network.target
> > >
> > > [Service]
> > > Type=notify
> > > Restart=always
> > > ExecStart=/usr/sbin/nsd -d
> > > ExecReload=+/bin/kill -HUP $MAINPID
> > > CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE
> > > CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > > MemoryDenyWriteExecute=true
> > > NoNewPrivileges=true
> > > PrivateDevices=true
> > > PrivateTmp=true
> > > ProtectHome=true
> > > ProtectControlGroups=true
> > > ProtectKernelModules=true
> > > ProtectKernelTunables=true
> > > ProtectSystem=strict
> > > ReadWritePaths=/var/lib/nsd /etc/nsd /run
> >
> > ProtectSystem=strict turns most of the hierarchy into read only
> > mounts
> > so you need to add /var/log and/or /var/log/nsd as ReadWritePaths for
> > them to be writable by nsd itself. This is normally not needed as
> > them to be writable by nsd itself. This is normally not needed as
> > logging goes through syslog by default but you are likely using
> > "logfile" in nsd.conf.
> >
> > To add that ReadWritePaths directive:
> >
> > sudo systemctl edit nsd
> >
> > Then type and save the following:
> >
> > [Service]
> > ReadWritePaths=/var/log/nsd
> >
> >
> > This will create an override file supplementing the package
> > provided
> > unit with your local config.
> >
> > HTH,
> > Simon
>
> The systemd unit shows nsd is executed with "-d", which causes it to not
> fork. Judging by the ReadWritePaths in the original unit file, the
> fork. Judging by the ReadWritePaths in the original unit file, the
> original intent was maybe for nsd to log to stdout and then have
> systemd write it to the journal(?) Maybe that bit changed between
> Debian versions?
>
> You could try not logging to a file by removing it from the
> configuration and see if the output still ends up in the journal.
> Alternatively, Simon's answer seems to make sense, so you can take that
> route too.
>
> - Jeroen
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
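The check behind Simon's suggestion, as an added example that is not part of the thread and not NLnet Labs code: a small POSIX sh script that reads a unit's ProtectSystem= and ReadWritePaths= directives and decides whether a file nsd writes to (its logfile, its pidfile) is writable from inside the sandbox, then prints the drop-in that `systemctl edit nsd` would store when it is not. The unit text is constructed inline to mirror the one quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the nsd-users thread): decide whether a path nsd
# writes to is writable under a unit that sets ProtectSystem=strict, by
# checking it against that unit's ReadWritePaths= directives.
# UNIT_TEXT is constructed to mirror the unit quoted in the thread.

UNIT_TEXT='[Unit]
Description=Name Server Daemon

[Service]
ExecStart=/usr/sbin/nsd -d
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run'

# Collect every ReadWritePaths= value in the unit text; the directive may
# repeat, and each occurrence may list several space-separated paths.
rw_paths() {
    printf '%s\n' "$1" | sed -n 's/^ReadWritePaths=//p' | tr ' ' '\n' | sed '/^$/d'
}

# Return 0 if file path $2 lies under one of the ReadWritePaths of unit
# text $1, or if the unit does not use ProtectSystem=strict at all.
path_writable() {
    unit="$1"; target="$2"
    if ! printf '%s\n' "$unit" | grep -q '^ProtectSystem=strict'; then
        return 0
    fi
    for p in $(rw_paths "$unit"); do
        case "$target" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# Print the [Service] drop-in that makes $2 writable; prints nothing when
# the unit already allows writes there.
override_for() {
    unit="$1"; target="$2"
    if path_writable "$unit" "$target"; then
        return 0
    fi
    printf '[Service]\nReadWritePaths=%s\n' "$(dirname "$target")"
}

# Demonstration against the paths that appear in the thread.
for f in /var/log/nsd.log /var/log/nsd/nsd.log /run/nsd/nsd.pid; do
    if path_writable "$UNIT_TEXT" "$f"; then
        echo "$f: writable under ProtectSystem=strict"
    else
        echo "$f: read-only; needed drop-in:"
        override_for "$UNIT_TEXT" "$f"
    fi
done
```

Both logfile locations tried in the thread fall outside the listed ReadWritePaths, so the script emits the same `ReadWritePaths=/var/log/nsd` (or `/var/log`) override Simon proposes. The pidfile is a different case: /run/nsd/nsd.pid is under /run, which the unit already lists, so the "failed to unlink pidfile ... Permission denied" in the journal is ordinary file ownership or mode on /run/nsd rather than the ProtectSystem mount restriction.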