Last revision
howtos:bind-apparmor [02/12/2018 21:34] – created - external edit 127.0.0.1
Line 1: Line 1:
 +===== bind and chroot =====
 +
 +Install software:
 +<code>
 +apt-get install bind9
 +/etc/init.d/bind9 stop
 +/etc/init.d/apparmor stop
 +</code>
 +
 +Change bind settings to make it startup in chroot environment:
 +<code>
 +vim /etc/default/bind9
 +</code>
 +
 +Change first line to:
 +<file>
 +OPTIONS="-u bind -t /var/lib/named"
 +</file>
 +
 +Create some directories & a link to move /etc/bind to /var/lib/named/etc/bind, creating null & random devices, fixing permissions:
 +
 +<code>
 +mkdir -p /var/lib/named/etc
 +mkdir /var/lib/named/dev
 +mkdir -p /var/lib/named/var/cache/bind
 +mkdir -p /var/lib/named/var/run/bind/run
 +mv /etc/bind /var/lib/named/etc
 +ln -s /var/lib/named/etc/bind /etc/bind
 +mknod /var/lib/named/dev/null c 1 3
 +mknod /var/lib/named/dev/random c 1 8
 +chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
 +chown -R bind:bind /var/lib/named/var/*
 +chown -R bind:bind /var/lib/named/etc/bind
 +</code>
 +
 +Edit /etc/default/syslogd:
 +<code>
 +vim /etc/default/syslogd
 +</code>
 +
 +Change it to:
 +<file>
 +SYSLOGD="-a /var/lib/named/dev/log"
 +</file>
 +
 +On Lucid Lynx you need to this instead:
 +
 +<code>
 +vi /etc/rsyslog.d/bind-chroot.conf
 +</code>
 +
 +and add the following line so that we can still get important messages logged to the system logs:
 +<file>
 +$AddUnixListenSocket /var/lib/named/dev/log
 +</file>
 +
 +Now edit the (problematic) bind9 apparmor profile:
 +
 +<code>
 +vim /etc/apparmor.d/usr.sbin.named
 +</code>
 +
 +and change marked lines
 +
 +<file># vim:syntax=apparmor
 +# Last Modified: Fri Jun  1 16:43:22 2007
 +#include <tunables/global>
 +
 +/usr/sbin/named {
 +  #include <abstractions/base>
 +  #include <abstractions/nameservice>
 +
 +  capability net_bind_service,
 +  capability setgid,
 +  capability setuid,
 +  capability sys_chroot,
 +
 +  # /etc/bind should be read-only for bind
 +  # /var/lib/bind is for dynamically updated zone (and journal) files.
 +  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
 +  # See /usr/share/doc/bind9/README.Debian.gz
 +#These three lines for chroot environment
 +  /var/lib/named/etc/bind/* rw,
 +  /var/lib/named/var/run/bind/run/named.pid w,
 +  /var/lib/named/var/run/bind/named.options r,
 +  /var/lib/named/etc/localtime r,
 +  /var/lib/named/etc/bind/named.conf r,
 +  /var/lib/named/etc/root.hints r,
 +  /var/lib/named/etc/named.run rw,
 +  /var/lib/named/var/run/named.pid rw,
 +  /var/lib/named/dev/random r,
 +#chroot end
 +  /etc/bind/** r,
 +  /var/lib/bind/** rw,
 +  /var/cache/bind/** rw,
 +
 +  /proc/net/if_inet6 r,
 +  /usr/sbin/named mr,
 + # /var/run/bind/run/named.pid w,
 +  # support for resolvconf
 + # /var/run/bind/named.options r,
 +}
 +
 +</file>
 +
 +Or use this profile:
 +<file>
 +# Last Modified: Mon Oct  6 20:46:31 2008
 +#include <tunables/global>
 +/usr/sbin/named {
 +  #include <abstractions/base>
 +  #include <abstractions/nameservice>
 +  #include <abstractions/nis>
 +
 +  capability net_bind_service,
 +  capability setgid,
 +  capability setuid,
 +  capability sys_chroot,
 +
 +  /usr/sbin/named mr,
 +  /var/lib/named/dev/random r,
 +  /var/lib/named/etc/127.0.0 r,
 +  /var/lib/named/etc/bind/named.conf r,
 +  /var/lib/named/etc/bind/rndc.key r,
 +  /var/lib/named/etc/localhost r,
 +  /var/lib/named/etc/localtime r,
 +  /var/lib/named/etc/named.run a,
 +  /var/lib/named/etc/root.hints r,
 +  /var/lib/named/etc/sites/domingo.dk/forward.zone r,
 +  /var/lib/named/etc/sites/domingo.dk/reverse.zone r,
 +  /var/lib/named/var/run/named.pid w,
 +}
 +</file>
 +
 +then restart services
 +
 +/etc/init.d/sysklogd restart
 +
 +/etc/init.d/apparmor start
 +
 +/etc/init.d/bind9 start
 +
 +
 +
 +
 +
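Review bot: The first profile's chroot block grants `/var/lib/named/etc/bind/* rw,` even though the comment a few lines above it says `/etc/bind should be read-only for bind`, and the setup step `chown -R bind:bind /var/lib/named/etc/bind` makes that directory owned by the bind user; together these let a named process that is compromised at runtime rewrite its own named.conf and zone files, which is exactly what the read-only rule is meant to prevent. Suggest keeping the config directory root-owned with group read for bind instead of `chown -R bind:bind`, changing the rule to `/var/lib/named/etc/bind/** r,`, and granting `rw` only under the chrooted equivalents of /var/lib/bind and /var/cache/bind that the Debian comment in the same profile describes. The second profile in this hunk already follows that pattern (`r` on named.conf, rndc.key and the zone files, `a` on named.run, `w` only on named.pid), so the text should point readers to it rather than presenting the two as equivalent. Also worth a mention: the `/etc/bind/** r,`, `/var/lib/bind/** rw,` and `/var/cache/bind/** rw,` rules retained below the `#chroot end` marker refer to host paths, not the paths named sees under `-t /var/lib/named`, so they add nothing for the chrooted daemon and could be dropped.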
  
howtos/bind-apparmor.txt · Last modified: 16/02/2023 07:13 by domingo