
Re: bind9-chroot (was: questions on ITP)



also sprach Marco d'Itri (on Sun, 23 Sep 2001 11:47:33AM +0200):
> There are no packaging changes needed.
> To chroot bind you just have to fix $OPTS in /etc/init.d/bind9 and
> create the two mount binds I described earlier.

marco is right, following his advice, i just chrooted my bind in the
easiest fashion possible. i have always done it way too
complicated for i did not know about the mount --bind option. sure,
this only works with 2.4.x, but if any chroot changes to bind9 are
going public, then this will be bundled with a 2.4.x kernel-image,
right? will testing be 2.4.x?

i am going to summarize the steps i took to chroot bind9:

CHROOTDIR=/var/lib/bind
# here i have to say that init.d/bind9 lists /var/lib/named, but since
# Debian uses /etc/bind instead of the more common /etc/namedb, i
# suggest going all the way.

# also, init.d/bind9 suggests running as nobody. i find it better to
# have a dedicated user for reasons like protecting reading of
# rndc.conf and others.

# lastly, i suggest making a directory /var/log/bind to place all
# logfiles into, and amending named.conf

this is what debconf should do, if the user wants a chroot:

1) add a user "bind" with homedir $CHROOTDIR and /bin/false shell,
   member of group 'nogroup'

2) mkdir /var/log/bind
   chown -R bind.adm /var/log/bind
   chmod 2750 /var/log/bind

3) mkdir -p $CHROOTDIR/{var/{log/bind,run},etc/bind}
   chown -R bind.nogroup $CHROOTDIR
   chmod -R 2700 $CHROOTDIR

4) change $OPTS in init.d/bind9 to
     "-u bind -t $CHROOTDIR"

and this is what init.d/bind9 should do at every start, if chrooted

5) function bind_mount() {
     # skip if the target is already mounted (start may run twice);
     # the surrounding spaces keep grep from matching a longer path
     mount | grep -q " $2 " && return 1
     mount --bind "$1" "$2"
   }
   
   bind_mount /etc/bind $CHROOTDIR/etc/bind
   bind_mount /var/log/bind $CHROOTDIR/var/log/bind

and this is what init.d/bind9 should do at every stop, if chrooted

6) function bind_unmount() {
     # unmount until umount fails, so bind mounts stacked by
     # repeated starts are all removed
     while umount "$1" >/dev/null 2>&1; do :; done
   }
   
   bind_unmount $CHROOTDIR/etc/bind
   bind_unmount $CHROOTDIR/var/log/bind



now, thanks to marco's ingenious hint, you have a chrooted bind, which
won't interfere with tripwire, which does not store anything
changeable on /var/lib, which happily logs

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
-- 
#define emacs eight megabytes and constantly swapping.
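The six steps above collected into one runnable sketch, added here as an example; this is not martin's script nor Debian's /etc/init.d/bind9. It assumes a BIND_CHROOT_DRYRUN variable (echo privileged commands instead of running them) and an optional second argument to is_mounted naming a mounts table, both introduced only so the helpers can be exercised without root. The mount check matches the whole mountpoint field, which is stricter than grepping the raw mount output.

```shell
#!/bin/sh
# Added example: chroot helpers for bind9 following the message's steps 1-6.
# Assumptions not in the message: BIND_CHROOT_DRYRUN, and a MOUNTS_FILE
# argument to is_mounted (defaults to /proc/self/mounts).

CHROOTDIR=${CHROOTDIR:-/var/lib/bind}
BIND_USER=bind
BIND_GROUP=nogroup

# Run a privileged command, or only print it when BIND_CHROOT_DRYRUN is set.
run() {
    if [ -n "$BIND_CHROOT_DRYRUN" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 4: the $OPTS value for init.d/bind9.
chroot_opts() {
    echo "-u $BIND_USER -t $CHROOTDIR"
}

# Exact-match mount check. "mount | grep -q $2" matches substrings, so
# /var/lib/bind/etc would look mounted whenever /var/lib/bind/etc/bind is;
# comparing the whole mountpoint field avoids that. The optional second
# argument (a constructed mounts table) exists for testing without root.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' \
        "${2:-/proc/self/mounts}"
}

# Step 5: idempotent bind mount of a host directory into the jail.
bind_mount() {
    if is_mounted "$2"; then
        return 0        # already mounted, nothing to do
    fi
    run mount --bind "$1" "$2"
}

# Step 6: unmount until umount fails, so mounts stacked by repeated
# starts are all removed (the message's loop without the $? trick).
bind_unmount() {
    while umount "$1" >/dev/null 2>&1; do :; done
    return 0
}

# Steps 1-3: one-time setup that debconf would perform.
setup_chroot() {
    run useradd -d "$CHROOTDIR" -s /bin/false -g "$BIND_GROUP" "$BIND_USER"
    run mkdir -p /var/log/bind
    run chown -R "$BIND_USER:adm" /var/log/bind
    run chmod 2750 /var/log/bind
    run mkdir -p "$CHROOTDIR/var/log/bind" "$CHROOTDIR/var/run" \
        "$CHROOTDIR/etc/bind"
    run chown -R "$BIND_USER:$BIND_GROUP" "$CHROOTDIR"
    run chmod -R 2700 "$CHROOTDIR"
}

# What init.d/bind9 would do at every start, before exec'ing named.
start_mounts() {
    bind_mount /etc/bind "$CHROOTDIR/etc/bind"
    bind_mount /var/log/bind "$CHROOTDIR/var/log/bind"
}

# What init.d/bind9 would do at every stop, after named has exited.
stop_mounts() {
    bind_unmount "$CHROOTDIR/etc/bind"
    bind_unmount "$CHROOTDIR/var/log/bind"
}

case "${1:-}" in
    setup) setup_chroot ;;
    start) start_mounts ;;
    stop)  stop_mounts ;;
esac
```

Usage: "BIND_CHROOT_DRYRUN=1 sh bind-chroot.sh setup" prints the one-time commands; "sh bind-chroot.sh start" and "stop" as root manage the bind mounts. Note that chmod -R 2700 on the jail is what the message prescribes; the directories inside it are mode 2700 for bind, which is fine for named since it runs as that user.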
