BIND: invalid chroot detection wrong w/split DNS about webmin HOT 10 CLOSED

Using views shouldn't cause a problem here, as long as the zone files defined in all views exist.

Is your BIND install actually using /var/named/chroot as a root directory, or is Webmin getting this wrong?

from webmin.

Yep, /var/named/chroot is my root -- Webmin's getting it right operationally, just the check is wrong.

from webmin.

Can you check if all the zone files referred to by /var/named/chroot/etc/named.conf exist under /var/named/chroot ?

from webmin.

Yes, there are none missing. Here I use named-checkconf to expand the includes into the canonical form, grep for references to the zone files themselves, strip out stuff other than the file names and then use xargs to run ls -l on the files in the appropriate directory (chroot + "directory" from named.conf):

sudo named-checkconf -t /var/named/chroot -p /etc/named.conf  \
  |grep 'file "zones/'|sed -r 's/file "//;s/";//'\
  |sudo sh -c 'cd /var/named/chroot/var/named; xargs ls -l'

If I redirect stdout to /dev/null (so I should only see errors on stderr), I get no output. If not, I see all of the zone files I expect to see.

I have also substituted for the xargs ls -l and xargs with readlink -f, so that it prints the fully-qualified path to the zone files and those come out as expected. I then pipe that again into xargs ls -l so that it's doing the ls -l on the full file name and that works too. Those are output like this:

-rw-rw-r-- 1 root root   215 Nov 10  2012 /var/named/chroot/var/named/zones/y.x.063

Is Webmin basing the name of the zone files that it's looking for on the output of something like named-checkconf -p (or otherwise parsing named.conf directly), or building them based on BIND module's configuration parameters, such as "Directory for {master,slave/stub} zone files", "Format for the name of the {forward,reverse} zone files"?

If the latter, then that could be the problem, as our zone file names don't conform, because we only use Webmin to manage the contents of the zone files, not to add or remove zones & zone files.

from webmin.

Webmin gets the individual zone file names by reading named.conf directly, and looking at file directives inside zone blocks.

One possible cause of this issue is Webmin's cache of zone files being out of date. Try removing the file /etc/webmin/bind8/zone-names , and see if the problem persists.

from webmin.

I should've mentioned that I looked at the zone-names cache before; just to be sure, I moved it out of the way and the message persists. The re-generated zone-names is different (presumably the order/indexing is non-deterministic), but the size and line count are the same. If I pipe the output of sort into md5sum, I get the same hash.

But I would have expected that to affect listing and working with the zones -- my problem is purely with the invalid chroot detection -- listing, changing and reloading zones works just fine.

from webmin.

There are actually two problems:

1. In bind-lib.pl, the sub make_chroot just concatenates the arguments on line 1469. If the chroot lacks a trailing "/", you get /dir/dir/dirfile instead of /dir/dir/dir/file. File::Spec->catfile, which has been a core module since at least 5.8.8, handles this just fine.
2. In index.cgi, the call to &make_chroot($z->{'file'}) on line 91 neglects the fact that the zone files might be in a subdirectory of the chroot, rather than the root. Changing that to &make_chroot(&absolute_path($z->{'file'})) fixes it for me. This probably obviates the error in point 1, but that still seems like a bad assumption.

There is also a third non-functional problem:

1. There are no messages indicating what files were not found, so troubleshooting requires hacking on the code directly (I worked on a copy, but still). A little more information would have saved us a lot of time.

I am sending pull requests for these.

from webmin.

Thanks for the fix! I didn't think about relative zone file paths when I wrote that code (as Webmin always uses absolutely paths).

from webmin.

When will the fix be posted to the yum repo?

from webmin.

There is a fixed RPM available at http://www.webmin.com/devel.html

from webmin.