[arch-general] nsd 4.3.5 broken

Archange archange at archlinux.org
Sat Feb 6 16:51:25 UTC 2021

Le 06/02/2021 à 20:00, Archange via arch-general a écrit :
> Le 06/02/2021 à 18:51, Genes Lists via arch-general a écrit :
>> On 2/6/21 9:34 AM, Genes Lists via arch-general wrote:
>> I tried couple more things.
>> I changed RunTimeDirecroy=/etc/nad   # it was previosuly set to: =nsd
>> Now I can get nsd to start up, but get this problem:
>>   nsd[10230]: setsockopt(..., IP_TRANSPARENT, ...) failed for tcp: 
>> Operation not permitted

So if you use this option (IP_TRANSPARENT), which is non-default, you 
might want to add a service drop-in extending CapabilityBoundingSet to 
also include CAP_NET_ADMIN. Since I expect this to be a non-standard use 
case, I’d prefer to not add it by default and rather document it on the 

>>   nsd[10230]: cannot open pidfile /run/nsd/nsd.pid: No such file or 
>> directory
>>   nsd[10230]: cannot overwrite the pidfile /run/nsd/nsd.pid: No such 
>> file or directory

This is because you changed the RuntimeDirectory, which should not be 

>>   nsd[10230]: unable to initgroups nsd: Operation not permitted

This is harmless, it happens because nsd thought to be root and tried to 
give up rights, but I’m not starting nsd as root anymore with the new 
service, so actually this is just a warning and expected.

>> So the new permissions seem too strict.
>> I confirmed this as If i put the 4.3.4 nsd.service into
>>   /etc/systemd/system
>> then 4.3.5 starts up and works fine.
>> Bruno can you help get this sorted out please?
> Yes of course, it’s not like I sent an email to you personally to tell 
> you about the changes and that breaking was expected, so that tests of 
> the package in [testing] was welcome. ;)
> Regarding the first issue, what if you change WorkingDirectory (to 
> WorkingDirectory=/etc/nsd for instance, or maybe /run/nsd/) instead?

Actually removing the line entirely is the better solution, I thought I 
had done it after removing the $home from the nsd user, but apparently 
not. Pushed 4.3.5-2 to [community-testing] with that change, continuing 
on the bug tracker for further debugging. ;)


More information about the arch-general mailing list