Bind fails to start with "configuring logging: permission denied" after upgrade to SLES 15 SP4

This document (000020820) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4

Situation

After upgrading to SLES 15 SP4 from a previous service pack, named.service fails to start and produces the following errors:
# systemctl start named.service
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xeu named.service" for details.
# journalctl -xeu named.service
...
Oct 20 12:01:55 host15sp4 named[4111]: isc_stdio_open '/var/log/named_querylog' failed: permission denied
Oct 20 12:01:55 host15sp4 named[4111]: configuring logging: permission denied
Oct 20 12:01:55 host15sp4 named[4111]: loading configuration: permission denied
Oct 20 12:01:55 host15sp4 named[4111]: exiting (due to fatal error)
Oct 20 12:01:55 host15sp4 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
...

Query logging for bind is enabled and configured to log to a file in /var/log/ by having a configuration similar to the following in the file /etc/named.conf.
logging {
        # Log queries to a file limited to a size of 100 MB.
        channel query_logging {
                file "/var/log/named_querylog"
                        versions 3 size 100M;
                print-time yes;                 // timestamp log entries
        };
        category queries {
                query_logging;
        };
};

The following line in /etc/sysconfig/named is currently present, or was present when bind was run in the previous service pack.
NAMED_RUN_CHROOTED="yes"

Resolution

Edit the file /etc/named.conf by changing
# Log queries to a file limited to a size of 100 MB.
        channel query_logging {
                file "/var/log/named_querylog"
to
# Log queries to a file limited to a size of 100 MB.
        channel query_logging {
                file "/var/lib/named/log/named_querylog"

This will cause logs to be written to /var/lib/named/log/named_querylog instead of the previous location, /var/lib/named/var/log/named_querylog.

Cause

In previous service packs, the default configuration ran bind in a chroot jail in /var/lib/named. Changes were made to this chroot setup for SLES 15 SP4.

The logging path from /etc/named.conf used to be evaluated relative to this chroot location, but is now evaluated relative to the system root.

The default configuration on previous service packs set /var/log/named_querylog as the destination for logs. In the previous chroot environment, this caused logs to be written to /var/lib/named/var/log/named_querylog. With the SLES 15 SP4 changes to bind, this same setting causes logs to be written to /var/log/named_querylog.

Logs are written by the user named. By default, this user does not have permission to write to the new location, which causes the errors observed.
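
The path change described above can be checked for every logging channel before named is restarted. The following script is an added example, not part of the original SUSE document: the function names, the sample configuration and the use of runuser to test write access as the user named are assumptions, and it expects absolute log paths.

```sh
CHROOT=/var/lib/named   # chroot jail of earlier service packs, per the article

# Print each file "..." destination inside the logging { } block of a named.conf
# (file argument or stdin). Assumes "logging {" is on one line, no '#' or '//' in paths.
logging_paths() {
    awk '
        { sub(/(#|\/\/).*/, "") }                       # strip comments
        !inlog && /^[ \t]*logging[ \t]*[{]/ { inlog = 1; depth = 0 }
        inlog {
            if (match($0, /file[ \t]+"[^"]+"/)) {
                p = substr($0, RSTART, RLENGTH)
                sub(/^file[ \t]+"/, "", p); sub(/"$/, "", p)
                print p
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) inlog = 0                   # logging block closed
        }
    ' "$@"
}

# Where the same setting ended up while named ran chrooted.
pre_sp4_path() { printf '%s\n' "$CHROOT$1"; }

# Succeeds if the user can create files in the directory (runuser needs root).
can_write() { runuser -u "$1" -- test -w "$2" </dev/null; }

# Constructed sample matching the article's configuration, plus a zone
# statement whose file "..." is zone data and must not be reported.
sample_conf() {
    cat <<'EOF'
logging {
        channel query_logging {
                file "/var/log/named_querylog" versions 3 size 100M;
                print-time yes;                 // timestamp log entries
        };
        category queries { query_logging; };
};
zone "example.com" in { type master; file "master/example.com"; };
EOF
}

# Report the old and new effective location of each log file and write access.
report() {
    logging_paths "$@" | while IFS= read -r p; do
        if can_write named "$(dirname "$p")"; then w=writable; else w="NOT writable"; fi
        printf '%s\n  before SP4: %s\n  SP4: %s (%s by named)\n' "$p" "$(pre_sp4_path "$p")" "$p" "$w"
    done
}
```

Run `report /etc/named.conf` as root on the affected host; any destination reported as NOT writable will stop named at startup with the error shown in the Situation section.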

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020820
  • Creation Date: 20-Oct-2022
  • Modified Date: 21-Oct-2022
  • Product: SUSE Linux Enterprise Server
