<div dir="ltr"><div>Well, I don't know what I have done exactly, but now when I start named as root it seems to be working properly, as far as the pipe goes. I am getting data via the fstrm_capture process written to the "example.dnstap" file. I see a number of startup queries when I decode the file.</div><div><br></div><div>I can't get it to do the same when I start it with "systemctl start isc-bind-named.service" though. So it is clearly a problem with the environment named is running in when launched by systemd.</div><div><br></div><div>My procedure so far (not production worthy, obviously) looks like this for those who may see this in the future:</div><div><br></div><div>1) run "/opt/isc/isc-bind/root/usr/bin/fstrm_capture -t protobuf:dnstap.Dnstap -u /var/opt/isc/scls/isc-bind/log/named/dnstap.sock -w /var/tmp/example.dnstap"</div><div>2) "chown named.named
/var/opt/isc/scls/isc-bind/log/named/dnstap.sock"</div><div>3) run "/opt/isc/isc-bind/root/usr/sbin/named -u named" from a root shell<br></div><div>4) go look at "example.dnstap" and see queries.</div><div><br></div><div>Following that process but replacing step #3 with "systemctl start isc-bind-named.service" results in everything otherwise working properly, but nothing getting added to "example.dnstap".</div><div><br></div><div>"ps auwwwwx | grep named" shows the same user owning the "named" process in both cases. Here is the output when run by root:<br></div><div><br></div># ps auwwwxZ | grep named<br>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7606 0.0 0.0 11060 1104 pts/0 S+ 10:05 0:00 /opt/isc/isc-bind/root/usr/bin/fstrm_capture -t protobuf:dnstap.Dnstap -u /var/opt/isc/scls/isc-bind/log/named/dnstap.sock -w /var/tmp/example.dnstap<br>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 named 7745 0.0 1.0 531520 41720 ? Ssl 10:23 0:00 /opt/isc/isc-bind/root/usr/sbin/named -u named<br>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7757 0.0 0.0 12116 972 pts/3 S+ 10:24 0:00 grep --color=auto named<br><div><br></div><div>And here is the output when run by "systemctl start isc-bind-named.service":</div># ps auwwwxZ | grep named<br>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7606 0.0 0.0 11060 1104 pts/0 S+ 10:05 0:00 /opt/isc/isc-bind/root/usr/bin/fstrm_capture -t protobuf:dnstap.Dnstap -u /var/opt/isc/scls/isc-bind/log/named/dnstap.sock -w /var/tmp/example.dnstap<br>system_u:system_r:named_t:s0 named 7781 0.0 1.0 531516 40860 ? 
Ssl 10:25 0:00 /opt/isc/isc-bind/root/usr/sbin/named -u named<br>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7793 0.0 0.0 12116 1084 pts/3 S+ 10:26 0:00 grep --color=auto named<br><div><br></div><div>So clearly it is an SELinux permissions problem. And now I am seeing denies in the /var/log/audit/audit.log.... grrr. I know there was nothing there before, so it must have been hung up on regular unix permissions or something and once I fixed that it was the SELinux permissions issue.</div><div><br></div><div>Sorry for wasting everyone's time. I appreciate you being there as a sounding board though. Thanks Mark for looking beyond my initial concern.<br></div><div><br></div><div>I would like to see that sort of permissions error get logged in the dnstap logs at some severity level though. I am still not clear what I am doing wrong on that front.</div><div><br></div><div>Thanks again.<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 2, 2021 at 9:32 AM Adam Augustine <<a href="mailto:augustineas@gmail.com">augustineas@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>Sorry, I replied to just Mark rather than the list.</div><div>
<div><br></div><div>Yes, here is the command I am using:</div><div><br></div><div># ncat -l -U /var/opt/isc/scls/isc-bind/log/named/dnstap.sock</div>
</div><div>I "chown named.named ./dnstap.sock" :</div><div><br></div><div> 0 srwxr-xr-x. 1 named named unconfined_u:object_r:named_log_t:s0 0 Mar 2 09:23 dnstap.sock<br></div><div><br></div><div>But regardless I don't get anything from the pipe when using the normal "systemctl start isc-bind-named.service" followed by some "dig" commands to test (but see below). I was previously using fstrm_capture like this:</div><div><br></div><div># /opt/isc/isc-bind/root/usr/bin/fstrm_capture -t protobuf:dnstap.Dnstap -u /var/opt/isc/scls/isc-bind/log/named/dnstap.sock -w /var/tmp/example.dnstap</div></div><div><br></div><div>But I was only seeing 46 bytes in the "example.dnstap" and nothing decoded when I run "dnstap-read ./example.dnstap". After "systemctl stop isc-bind-named.service" and stopping the "fstrm_capture" process the file increased to 54 bytes, but "dnstap-read" still doesn't decode anything.<br></div><div><br></div><div>I am reasonably confident that I am doing something boneheaded somewhere, likely a typo in my config or bad permission somewhere, but I admit I can't see it and without any error messages or debug information I am struggling. The config is pretty simple, just the option stanza below and logging settings (mostly copy-pasted from the ISC website just in case).<br></div><div><br></div><div>In an effort to figure out the problem I went so far as to:</div><div><br></div><div># strace -a 120 /opt/isc/isc-bind/root/usr/sbin/named -f -u named 2>&1 | tee temp.file</div><div><br></div><div>And I do suddenly get "protobuf:dnstap.Dnstap" on the pipe, but nothing further. So my root problem seems to be with how systemd is managing the process (maybe a user ID problem with the pipe). 
But my grepping the strace didn't catch anything opening the "dnstap.sock" pipe.<br></div><div><br></div><div>I admit I don't know what I am doing wrong or how to get better information, short of maybe stepping through with GDB to try to see where it is failing.<br></div><div><br></div><div>Running named with this in the options:</div><div><br></div><div> dnstap-output file "/var/opt/isc/scls/isc-bind/log/named/dnstap.log";<br></div><div><br></div><div>Does work just fine with lots of wonderful data, so it isn't a problem with dnstap per se, it is something with how I am setting up the pipe or environment named is running in.<br></div><div><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 1, 2021 at 6:53 PM Mark Andrews <<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Do you have something reading the pipe?<br>
<br>
<br>
> On 2 Mar 2021, at 10:30, Adam Augustine <<a href="mailto:augustineas@gmail.com" target="_blank">augustineas@gmail.com</a>> wrote:<br>
> <br>
> I can't seem to get any debug information out of BIND for troubleshooting a dnstap problem I am having.<br>
> <br>
> I have a CentOS 8.3.2011 VM with the COPR packages installed. <br>
> <br>
> My /etc/opt/isc/scls/isc-bind/named.conf :<br>
> options {<br>
> directory "/var/opt/isc/scls/isc-bind/named/data";<br>
> listen-on { any; };<br>
> listen-on-v6 { any; };<br>
> dnssec-validation auto;<br>
> dnstap {all;};<br>
> // dnstap-output unix "/var/opt/isc/scls/isc-bind/run/named/dnstap.sock";<br>
> dnstap-output unix "/var/opt/isc/scls/isc-bind/log/named/dnstap.sock";<br>
> dnstap-identity "<a href="http://dnstap01.ldschurch.org" rel="noreferrer" target="_blank">dnstap01.ldschurch.org</a>";<br>
> dnstap-version "bind-9.16.12";<br>
> };<br>
> <br>
> logging { <br>
> [SNIP]<br>
> channel dnstap_log {<br>
> file "/var/opt/isc/scls/isc-bind/log/named/dnstap" versions 3 size 20m;<br>
> print-time yes;<br>
> print-category yes;<br>
> print-severity yes;<br>
> severity debug 10;<br>
> };<br>
> [SNIP]<br>
> category dnstap { dnstap_log; default_debug; };<br>
> };<br>
> <br>
> On startup, the /var/opt/isc/scls/isc-bind/log/named/dnstap file is created, but no information is logged:<br>
> <br>
> 4 -rw-r--r--. 1 named named system_u:object_r:named_log_t:s0 54 Mar 1 16:23 dnstap<br>
> <br>
> This is despite /var/log/messages having the following line:<br>
> <br>
> opening dnstap destination '/var/opt/isc/scls/isc-bind/log/named/dnstap.sock'<br>
> <br>
> Which I would have expected to see logged in /var/opt/isc/scls/isc-bind/log/named/dnstap . On shutdown, this single entry is logged in /var/opt/isc/scls/isc-bind/log/named/dnstap:<br>
> <br>
> 01-Mar-2021 16:23:31.597 dnstap: info: closing dnstap<br>
> <br>
> There is nothing relevant in /var/log/audit/audit.log, so I don't think it is SELinux related, especially since there is successful log entry on shutdown.<br>
> <br>
> I have tried changing the severity level from "info", to "debug 1", to "debug 3", and then to "debug 10", but I can't seem to get any more information out other than the single message about "closing dnstap".<br>
> <br>
> Any idea what I am doing wrong?<br>
> <br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
<br>
</blockquote></div></div>
</blockquote></div>