[arch-general] nsd 4.3.5 broken
Archange
archange at archlinux.org
Sat Feb 6 16:51:25 UTC 2021
On 06/02/2021 at 20:00, Archange via arch-general wrote:
> On 06/02/2021 at 18:51, Genes Lists via arch-general wrote:
>> On 2/6/21 9:34 AM, Genes Lists via arch-general wrote:
>>>
>>
>> I tried a couple more things.
>>
>> I changed RuntimeDirectory=/etc/nad # it was previously set to: =nsd
>>
>> Now I can get nsd to start up, but get this problem:
>>
>> nsd[10230]: setsockopt(..., IP_TRANSPARENT, ...) failed for tcp:
>> Operation not permitted
So if you use this option (IP_TRANSPARENT), which is non-default, you
might want to add a service drop-in extending CapabilityBoundingSet to
also include CAP_NET_ADMIN. Since I expect this to be a non-standard use
case, I’d prefer to not add it by default and rather document it on the
wiki.
>> nsd[10230]: cannot open pidfile /run/nsd/nsd.pid: No such file or
>> directory
>> nsd[10230]: cannot overwrite the pidfile /run/nsd/nsd.pid: No such
>> file or directory
This is because you changed the RuntimeDirectory, which should not be
touched.
>> nsd[10230]: unable to initgroups nsd: Operation not permitted
This is harmless; it happens because nsd thought it was root and tried to
give up rights, but I’m not starting nsd as root anymore with the new
service, so actually this is just a warning and expected.
>>
>> So the new permissions seem too strict.
>>
>> I confirmed this, as if I put the 4.3.4 nsd.service into
>> /etc/systemd/system
>> then 4.3.5 starts up and works fine.
>>
>> Bruno can you help get this sorted out please?
>
> Yes of course, it’s not like I sent an email to you personally to tell
> you about the changes and that breaking was expected, so that tests of
> the package in [testing] was welcome. ;)
>
> Regarding the first issue, what if you change WorkingDirectory (to
> WorkingDirectory=/etc/nsd for instance, or maybe /run/nsd/) instead?
Actually removing the line entirely is the better solution, I thought I
had done it after removing the $home from the nsd user, but apparently
not. Pushed 4.3.5-2 to [community-testing] with that change, continuing
on the bug tracker for further debugging. ;)
Regards,
Bruno/Archange
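
The drop-in suggested above for setups that enable IP_TRANSPARENT, as an added example that is not part of the original message or of the Arch package. The drop-in file name `ip-transparent.conf`, the staging-root argument and the two helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write a drop-in that extends nsd.service's capability
# bounding set with CAP_NET_ADMIN, as suggested in the message above.
# Assumed names: the drop-in file name and the ROOT staging argument.

# write_nsd_dropin ROOT
#   ROOT="" (or "/") targets the live system and needs root; any other
#   value stages the file under that directory for inspection first.
write_nsd_dropin() {
    root="${1%/}"
    dir="$root/etc/systemd/system/nsd.service.d"
    file="$dir/ip-transparent.conf"
    mkdir -p "$dir" || return 1
    cat > "$file" <<'EOF' || return 1
[Service]
# CapabilityBoundingSet= lines are merged (OR) with the packaged unit's,
# so this adds CAP_NET_ADMIN without replacing the existing set.
CapabilityBoundingSet=CAP_NET_ADMIN
# Assumption: if the packaged unit grants capabilities to the non-root
# nsd user through AmbientCapabilities=, uncomment the next line too.
#AmbientCapabilities=CAP_NET_ADMIN
EOF
    printf '%s\n' "$file"
}

# dropin_extends FILE: succeed only if FILE adds CAP_NET_ADMIN without an
# empty "CapabilityBoundingSet=" line, which would reset the set and
# discard the capabilities granted by the packaged unit.
dropin_extends() {
    grep -q '^CapabilityBoundingSet=.*CAP_NET_ADMIN' "$1" &&
        ! grep -q '^CapabilityBoundingSet=[[:space:]]*$' "$1"
}

# On the live system, after write_nsd_dropin "":
#   systemctl daemon-reload && systemctl restart nsd.service
#   systemctl show -p CapabilityBoundingSet nsd.service
```

CAP_NET_ADMIN is a broad capability, so this drop-in belongs only on hosts where nsd is actually configured to use IP_TRANSPARENT.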