[arch-general] Problem with powerdns-recursor-4.0.3-1 package

Nataraj incoming-archlinux at rjl.com
Mon Oct 24 19:32:01 UTC 2016


On 10/24/2016 09:58 AM, Roel de Wildt via arch-general wrote:
>> I have found that the issue that I previously reported with systemctl
>> hanging when starting pdns-recursor is due to my pdns_recursor
>> configuration having a chroot in it and it looks like I have to modify
>> the setup for chroot to work under systemd (though I didn't have any
>> problems with the previous version of pdns_recursor).
>>
>> Nataraj
>
> Does it work if you comment out the chroot option in the configuration
> of pdns_recursor? Just to rule out other possible configuration issues.

Yes, it does run correctly if I remove chroot from the config file.

>
> It looks like systemd is not detecting your pdns_recursor
> process. I don't know yet how to fix this, but 'journalctl -r'
> will probably show a hint where to look further.

There are no entries in the log other than the normal output from the
recursor, which does actually work, only that systemd thinks it's still
starting.

There are these changes in the systemd pdns-recursor.service between
3.7.3-3 and 4.0.3-1:
3.7.3-3

[Unit]
Description=PowerDNS resolving DNS server
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/pdns_recursor --daemon

[Install]
WantedBy=multi-user.target

------------------------------------------

4.0.3-1

[Unit]
Description=PowerDNS Recursor
Documentation=man:pdns_recursor(1) man:rec_control(1)
Documentation=https://doc.powerdns.com
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target
After=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/pdns_recursor --daemon=no --write-pid=no --disable-syslog
Restart=on-failure
StartLimitInterval=0
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LimitNOFILE=4200

[Install]
WantedBy=multi-user.target


So it looks like the 4.0.3-1 version is interfacing to systemd in a way
that the 3.7.3 version was not.  I have not yet spent the time to
understand the systemd interface and how daemons running under systemd
interface to it.  I know that pdns-recursor creates a socket for use by
the rec_control program, but it does not appear that systemd uses that
socket because I tried moving that socket to a different place using the
config file directive and it still worked normally (without the chroot)
when I did that.

Various articles such as these imply that you have to set up chroots
differently under systemd:
http://superuser.com/questions/688733/start-a-systemd-service-inside-chroot#688748
https://wiki.archlinux.org/index.php/Arch_systemd_container

but I'm open to other suggestions on how to do this.

How does systemd determine if a daemon process is running or fully started?

Thank You,
Nataraj
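
An added illustration (not part of the original message, and not PowerDNS or systemd code) of the readiness protocol behind Type=notify, which is what the closing question asks about: systemd counts the unit as started only once the daemon sends READY=1 to the datagram socket named in $NOTIFY_SOCKET. The chroot is simulated by resolving the socket path under a different root directory; the paths and the names sd_notify and start_unit are constructed for the demo.

```python
import os
import socket
import tempfile


def sd_notify(state, notify_socket, root="/"):
    """Send `state` the way a daemon whose filesystem root is `root` would.

    Returns True if the datagram was delivered. `root` simulates chroot():
    after a real chroot the kernel resolves the path under the new root.
    """
    if not notify_socket:
        return False  # not started by a notify-aware manager
    if notify_socket.startswith("@"):
        addr = "\0" + notify_socket[1:]  # abstract socket: not a filesystem path
    else:
        addr = os.path.join(root, notify_socket.lstrip("/"))
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        try:
            s.sendto(state.encode(), addr)
        except OSError:  # e.g. ENOENT inside the jail: the message is lost
            return False
    return True


def start_unit(chroot_dir=None):
    """Toy service manager: returns the state it ends up with for the unit."""
    host_root = tempfile.mkdtemp()  # constructed stand-in for the host's "/"
    os.makedirs(os.path.join(host_root, "run"))
    os.makedirs(os.path.join(host_root, "jail"))
    notify_path = "/run/notify"  # constructed; what $NOTIFY_SOCKET would hold
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as mgr:
        mgr.bind(os.path.join(host_root, notify_path.lstrip("/")))
        mgr.settimeout(0.2)
        # The "daemon" finishes initialising, then reports readiness.
        daemon_root = os.path.join(host_root, chroot_dir) if chroot_dir else host_root
        sd_notify("READY=1", notify_path, root=daemon_root)
        try:
            msg = mgr.recv(4096).decode()
        except socket.timeout:
            return "activating"  # daemon runs, manager never hears READY=1
    return "active" if "READY=1" in msg.splitlines() else "activating"


if __name__ == "__main__":
    print("no chroot:", start_unit())
    print("chroot   :", start_unit("jail"))
```

With a real service the usual ways out are to make the notify socket reachable inside the chroot, or to override the unit to Type=simple so that systemd stops waiting for READY=1.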

