[stork-users] Stork agent cannot connect through rndc
Slawek Figiel
slawek at isc.org
Thu Aug 29 11:02:21 UTC 2024
Hello Mik!
The Stork agent matches the first "inet" clause occurrence in the
"controls" node. Stork supports the "*" asterisk as an address. In this
case, the Stork agent will establish a connection to the "localhost"
(not 127.0.0.1) address.
The best place for questions about the BIND 9 configuration is the BIND
9 mailing list: bind-users at lists.isc.org
(https://lists.isc.org/mailman/listinfo/bind-users).
I think the BIND 9 community will explain in detail how the listening on
the control endpoint works in this application.
You can also consult the BIND 9 ARM available on:
https://bind9.readthedocs.io/en/latest/ .
Regards
Slawek Figiel
On 29/08/2024 00:55, Mik J wrote:
> Hello again Slawek,
>
> After a lot of research I started to find what's going wrong. There are two things
>
> Like this it's working
> acl "rndc-users" { 127.0.0.1/32; 100.64.1.0/24; };
> controls {
> inet 127.0.0.1 port 953 allow { "rndc-users"; };
>
> a) But like that it's not working (127.0.0.1 is replaced by *)
> acl "rndc-users" { 127.0.0.1/32; 100.64.1.0/24; };
> controls {
> inet * port 953 allow { "rndc-users"; };
>
> So is there a problem with listening on all interfaces ?
>
>
> b) And like that it's not working as well
> acl "rndc-users" { 127.0.0.1/32; 100.64.1.0/24; };
> key "rndc-remote" { algorithm hmac-sha256; secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; };
> controls {
> inet 127.0.0.1 port 953 allow { "rndc-users"; } keys {"rndc-remote";};
> This time keys {"rndc-remote";} is added
>
> Regards
>
>
>
> Le mercredi 28 août 2024 à 15:07:18 UTC+2, Slawek Figiel <slawek at isc.org> a écrit :
>
>
>
>
>
> Mik,
>
> you can find the BIND 9 configuration used by the Stork project in the
> docker/config/agent-bind9 (demo) and tests/system/config/bind (system
> tests) directories.
>
>
> If you use BIND 9 chroot, you need to use both flags:
> `named-checkconf -t /var/named -p /etc/named.conf`.
> Please check if you use the `-t` flag when you start the BIND 9 process
> and use the same value.
>
> Please call the above command as a Stork agent user. It would be best to
> switch to it using the `sudo su stork-agent-user` command.
>
> There may be more files referenced in the named.conf file. Stork agent
> user must have an access to all of them. Please, check also if the Stork
> agent user has permissions to execute the `named-checkconf` binary.
>
> Regards,
> Slawek Figiel
>
> On 28/08/2024 14:59, Mik J wrote:
>> Hello Slawek,
>>
>> When I do
>> # named-checkconf -t /var/named/
>> I don't have any output
>>
>> But when I do
>> # named-checkconf -p /var/named/etc/named.conf
>> I have an output that corresponds more or less to named.conf
>>
>> Could you show me an example of your named.conf configuration (regarding rndc key) and /etc/rndc.key and/or /etc/rndc.conf
>>
>> Because both commands work
>> # rndc -b 127.0.0.1 -s 127.0.0.1 -p 953 -k /etc/rndc.key status
>> # rndc -b 127.0.0.1 -s 127.0.0.1 -p 953 -c /etc/rndc.conf status
>>
>> And the files are world readable (at the moment)
>> # ls -l /etc/rndc.key
>> -rw-r--r-- 1 root _bind 100 Aug 28 14:22 /etc/rndc.key
>> # ls -l /etc/rndc.conf
>> -rw-r--r-- 1 root wheel 411 Aug 28 14:23 /etc/rndc.conf
>> # ls -l /var/named/etc/named.conf
>> -rwxr--r-- 1 root _bind 13534 Aug 16 11:26 /var/named/etc/named.conf
>>
>> I really don't understand what could go wrong
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Le mercredi 28 août 2024 à 13:42:48 UTC+2, Slawek Figiel <slawek at isc.org> a écrit :
>>
>>
>>
>>
>>
>> Hello Mik!
>>
>> The "named-checkconf" call is constructed in
>> backend/agent/bind9.go:569-577 :
>>
>> // Prepare named-checkconf arguments.
>> args := []string{}
>> if rootPrefix != "" {
>> args = append(args, "-t", rootPrefix)
>> }
>> // The config path must be last.
>> args = append(args, "-p", bind9ConfPath)
>>
>> out, err := executor.Output(namedCheckconfPath, args...)
>>
>> So, we provide the BIND 9 configuration path via "-p" flag and path to
>> the BIND 9 chroot via the "-t" flag (if applicable).
>>
>> Regards,
>> Slawek Figiel
>>
>>
>> On 28/08/2024 00:26, Mik J wrote:
>>> Hello Slawek,
>>>
>>> I did
>>> # named-checkconf
>>> open: /etc/named.conf: file not found
>>>
>>> So I made a symbolic link
>>> # ln -s /var/named/etc/named.conf /etc/named.conf
>>> And ran again the command
>>> # named-checkconf
>>>
>>> However no improvement.
>>>
>>> Which option is used along with named-checkconf because when I run it I don't see anything, it's silent.
>>>
>>>
>>> At the moment I launch the stork agent as root so there shouldn't be file permission problems.
>>>
>>> # ls -l /etc/rndc.key
>>> -rw-r--r-- 1 root _bind 100 May 11 00:29 /etc/rndc.key
>>> The permissions are not so good but I'll change them
>>>
>>> I don't have any file specified in my named.conf except:
>>> - Log files: for example
>>> channel queries_errors_file {
>>> file "/var/log/query-errors.log" versions 3 size 5m;
>>>
>>> - or zone files
>>> zone "127.in-addr.arpa" {
>>> type master;
>>> file "/master/reverse/loopback";
>>> allow-transfer { localhost; };
>>> };
>>>
>>> I'm not sure my configuration is involved in this issue, maybe that's because I'm using Openbsd 7.5 and it has something specific.
>>>
>>> Regards
>>>
>>>
>>>
>>> Le lundi 26 août 2024 à 11:51:46 UTC+2, Slawek Figiel <slawek at isc.org> a écrit :
>>>
>>>
>>>
>>>
>>>
>>> Hello Mik!
>>>
>>> Please check if your Stork agent user has rights to read the
>>> "named.conf" and "rndc.key" files and any other files referenced in
>>> "named.conf".
>>>
>>>> Also I see that the stork agent tries to connect to 127.0.0.1 using
>>> rndc but I haven't specified the stork agent to use this adress
>>> (although that's the one I want)
>>>> But, in general, how is the stork agent supposed to find the DNS
>>> server adress and port ?
>>>
>>> Stork uses "named-checkconf" to read the BIND 9 configuration and
>>> extracts the RNDC address and port from it.
>>>
>>> I'm waiting for your feedback.
>>> Regards
>>> Slawek
>>>
>>> On 16/08/2024 11:24, Mik J wrote:
>>>> Stork: 1.18.0
>>>> OS: Openbsd 7.5
>>>>
>>>> Hello,
>>>>
>>>> I made my stork agent to be installed on one of my DNS.
>>>>
>>>> However I get this message
>>>> INFO[2024-08-16 11:00:46] bind9.go:560 Found BIND 9 config file in /var/named/etc/named.conf based on output of `named -V`.
>>>> ERRO[2024-08-16 11:00:49] agent.go:311 Failed to forward commands to rndc Address="127.0.0.1" Port="953" error="exit status 1"
>>>>
>>>>
>>>> If I run the command manually, it works
>>>> # rndc -b 127.0.0.1 -s 127.0.0.1 -p 953 -k /etc/rndc.key status
>>>> version: BIND 9.18.28 (Extended Support Version) <id:f77fadb> ()
>>>> running on localhost: OpenBSD amd64 7.5 GENERIC.MP#82
>>>> boot time: Fri, 16 Aug 2024 02:07:05 GMT
>>>> last configured: Fri, 16 Aug 2024 02:07:05 GMT
>>>> configuration file: /etc/named.conf (/var/named/etc/named.conf)
>>>> ...
>>>>
>>>> How to debug this problem ?
>>>>
>>>> - How does stork knows what is the rndc.key, does it read it in named.conf or should it read /etc/rndc.key
>>>> - If it reads /etc/rndc.key, how does it know where to find this file ?
>>>>
>>>>
>>>> Also I see that the stork agent tries to connect to 127.0.0.1 using rndc but I haven't specified the stork agent to use this adress (although that's the one I want)
>>>> But, in general, how is the stork agent supposed to find the DNS server adress and port ?
>>>>
>>>> Regards
>
>>>
>>>>
>>>>
More information about the Stork-users
mailing list