Univention Bugzilla – Bug 51421
univention-bind prevents bind start
Last modified: 2021-05-25 16:03:27 CEST
There is a short period in which bind can't be started until dns/backend is set. This seems to be a problem in buster.
[feature/ucs5 f646389c69] Bug #51421: fix bind start
[feature/ucs5 28857a6faa] Bug #51421: cleanup bind9.service.d/10-configure-backend.conf
[feature/ucs5 ff5fc4bd1d] Bug #51421: fix diversion removal and changelog
[feature/ucs5 025c3bbc04] Bug #51421: changelog
[feature/ucs5 35239e45cf] Bug #51421: fix diversion removal (2)
r19033: Bug #51417: Do not fail on service start

The bind9 patch is needed during the upgrade. Otherwise the upgrade of bind9 fails.
OK: git diff 4.4-4.. -- services/univention-bind
OK: git log -p 4.4-4.. -- services/univention-bind
OK: svn diff -c 19033

RFC: services/univention-bind/conffiles/etc/systemd/system/bind9.service.d/10-configure-backend.conf contains this:
> ExecStartPre=-/bin/systemctl stop univention-bind-ldap.service
From my understanding this is an absolute no-go, as `systemctl` MUST NOT be invoked recursively: systemd works transaction-based, and nested transactions are not supported and may lead to dead-locks - see Bug #42380 where we had exactly that problem. As systemd service files are declarative by nature, "Conflicts=univention-bind" should be used instead - see <man:systemd.unit(5)>
Thanks!

[feature/ucs5 239b5e3c67] Bug #51421: fix systemd service recursion
Created attachment 10391 [details]
Fix dependencies between services

OK: apt install -t apt univention-bind

BUG: Due to the "Conflict" a `systemctl start univention-bind-ldap.service` with UCRV "dns/backend=ldap" will now stop "bind9.service", which is not what we want.

BUG 2: The dependencies between "bind9.service" (Proxy or Samba backend) and "univention-bind-ldap.service" (LDAP backend) are wrong:
> lib/systemd/system/univention-bind-ldap.service:4:
> After=bind9.service
> conffiles/etc/systemd/system/bind9.service.d/10-configure-backend.conf:29:
> Before=univention-bind-ldap.service
> Wants=univention-bind-ldap.service
Strictly speaking, for UCRV "dns/backend=ldap" we need "slapd.service" → "univention-bind-ldap.service" → "bind9.service", as the proxy bind needs to connect to the already running ldap-bind to fetch the initial zone. (For UCRV "dns/backend=samba" the sequence is "samba-ad-dc.service" → "bind9.service".)
[feature/ucs5 3985d0502f] Bug #51421: Cleanup; fix systemd service recursion (2)

I dropped the "Conflicts=". Together with the "PropagatesReload" it resulted in an error when the backend was switched from ldap to samba4:
```
Failed to restart bind9.service: Transaction contains conflicting jobs 'restart' and 'stop' for univention-bind-ldap.service. Probably contradicting requirement dependencies configured.
```
I do not enable the univention-bind-ldap unit in the package, because it should be started as a dependency from bind9.
OK: 3985d0502f

FAIL: + chown bind:bind /etc/bind/rndc.key
Use "root:bind" with "0640" - only the user "root" is supposed to configure the service; the running process (as "bind:bind") is NOT supposed to be able to CHANGE these files, to protect BIND9 from being hacked. Also this is now incompatible between the 3 versions in usr/lib/univention-bind/{ldap,proxy,samba4} for no obvious reason. Was Bug #25358

OK:
ucr set dns/backend=ldap
systemctl restart bind9.service
ucr set dns/backend=samba4
systemctl restart bind9.service
Created attachment 10392 [details]
Fix permission issues

Proposed patch
[feature/ucs5 852685f1b9] Bug #51421: simplify /etc/bind/rndc.key handling and service installation
OK: 852685f1b9

OK:
# SELECT * FROM binpkg WHERE major=5 AND site='apt' AND srcpkg='univention-bind';
     binpkg      |            binver            | arch |     srcpkg      |            srcver            | major | minor | patch | scope | site | maintained |    id
-----------------+------------------------------+------+-----------------+------------------------------+-------+-------+-------+-------+------+------------+----------
 univention-bind | 14.0.0-6A~5.0.0.202006161401 | all  | univention-bind | 14.0.0-6A~5.0.0.202006161401 |     5 |     0 |     0 |       | apt  |            | 18373676
(1 Zeile)

~OK: ls -l /etc/bind/rndc.key # root:bind 0660
Something changes the permission back to 0660 - I have not figured out what, but even 0660 is okay.

OK:
ucr set dns/backend=ldap
systemctl restart bind9.service
systemctl status bind9.service univention-bind-ldap.service
ucr set dns/backend=samba4
systemctl restart bind9.service
systemctl status bind9.service univention-bind-ldap.service
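Two of the review findings in this thread lend themselves to an automated check: the `ExecStartPre=-/bin/systemctl stop ...` line (systemctl invoked recursively from inside a unit) and the `chown bind:bind /etc/bind/rndc.key` line (the running BIND process must not be able to modify its own control key; the thread settles on root:bind with 0640, and accepts 0660). The script below is an added example written for this page; it is not part of the bug report, the attachments or the univention-bind package. `lint_unit` greps a unit file or drop-in for `Exec*=` directives that call systemctl, and `check_key_perms` / `check_rndc_key` verify the ownership and mode the reviewer asks for. The sample drop-in contents in `demo` are constructed; the "good" drop-in only illustrates the declarative `After=`/`Wants=` style for the ldap-backend ordering the reviewer describes, it is not the package's real template.

```shell
#!/bin/sh
# Added example, not code from Bug #51421 or from univention-bind.
#
#   lint_unit FILE                 exit 0 if no Exec*= line in FILE runs systemctl
#   check_key_perms "OWNER:GROUP MODE"  exit 0 for root:bind with mode 640 or 660
#   check_rndc_key PATH            run check_key_perms on a real file via stat(1)

# Flag the nested-transaction pattern: an ExecStart*/ExecStop*/ExecReload line
# whose command invokes systemctl. Optional systemd prefixes (-, @, +, !, :)
# after "=" are tolerated, as in the reviewed "ExecStartPre=-/bin/systemctl".
lint_unit() {
    file="$1"
    bad=$(grep -nE '^Exec(Start|StartPre|StartPost|Reload|Stop|StopPost)=[-@+!:]*[^#]*systemctl' "$file" || true)
    if [ -n "$bad" ]; then
        printf 'recursive systemctl call in %s:\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# Accept exactly the ownership/mode the review asks for: owner root, group
# bind, mode 0640 (or the 0660 observed later in the thread). MODE is octal
# as printed by "stat -c %a", i.e. without a leading zero.
check_key_perms() {
    owner_group="${1%% *}"
    mode="${1##* }"
    [ "$owner_group" = "root:bind" ] || return 1
    case "$mode" in
        640|660) return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper for a file on disk (GNU stat; the rndc.key path is an assumption).
check_rndc_key() {
    check_key_perms "$(stat -c '%U:%G %a' "$1")"
}

# Demonstration on constructed input.
demo() {
    tmp=$(mktemp -d)
    # Constructed drop-in reproducing the line the reviewer objected to.
    cat > "$tmp/bad.conf" <<'EOF'
[Service]
ExecStartPre=-/bin/systemctl stop univention-bind-ldap.service
EOF
    # Constructed drop-in in declarative style (illustrative ordering only).
    cat > "$tmp/good.conf" <<'EOF'
[Unit]
After=univention-bind-ldap.service
Wants=univention-bind-ldap.service
EOF
    lint_unit "$tmp/bad.conf"  && echo "bad.conf: ok"  || echo "bad.conf: FAIL"
    lint_unit "$tmp/good.conf" && echo "good.conf: ok" || echo "good.conf: FAIL"
    check_key_perms "root:bind 640" && echo "root:bind 640: ok"
    check_key_perms "bind:bind 640" || echo "bind:bind 640: FAIL"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh lint-bind.sh demo` for the constructed cases, or source it and call `lint_unit /etc/systemd/system/bind9.service.d/10-configure-backend.conf` and `check_rndc_key /etc/bind/rndc.key` on an installed system (both paths are taken from this thread). The lint only catches the literal pattern; a wrapper script that itself calls systemctl from an Exec line would still need to be reviewed by hand.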
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".