I have noticed one important thing. The server is started with the configuration stored in a configuration database, not with the configuration file!
"info: loaded configuration database '/var/lib/knot/confdb'"
Is it intentional?
On 2019-12-20 18:29, Alarig Le Lay wrote:
  I re-did the whole procedure on another VM (also Gentoo):
 [testing VM]
 obelix ~ # emerge -va net-dns/knot
 obelix ~ # ls -lhd /var/run/knot
 ls: cannot access '/var/run/knot': No such file or directory
 obelix ~ # ls -lhd /var/lib/knot/
 drwxr-xr-x 2 knot knot 4.0K Dec 20 17:50 /var/lib/knot/
 obelix ~ # ls -lh /var/lib/knot/
 total 0
 obelix ~ # vim ~/.ssh/authorized_keys
 [backups]
 backup02 ~ # rsync -av /tmp/alarig/2019-12-19/var/db/knot/ root@obelix.breizh-ix.net:/var/lib/knot/
 The authenticity of host 'obelix.breizh-ix.net (2a00:5884:102:1::6)' can't be established.
 ECDSA key fingerprint is SHA256:gzp3uVzltffjUMslc5olyvhwhx28F9e1YXSy86nOnQo.
 Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 Warning: Permanently added 'obelix.breizh-ix.net,2a00:5884:102:1::6' (ECDSA) to the list of known hosts.
 sending incremental file list
 ./
 100.186.234.89.in-addr.arpa.zone
 126.91.45.in-addr.arpa.nodnssec
 126.91.45.in-addr.arpa.zone
 2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
 2.4.f.0.e.0.a.2.ip6.arpa.zone
 208_28.186.234.89.in-addr.arpa.zone
 35.186.234.89.in-addr.arpa.zone
 4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
 67.186.234.89.in-addr.arpa.zone
 7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
 geoopendata.eu.org.zone
 no.swordarmor.fr.nodnssec
 no.swordarmor.fr.zone
 swordarmor.fr.nodnssec
 swordarmor.fr.zone
 confdb/
 confdb/data.mdb
 confdb/lock.mdb
 journal/
 journal/data.mdb
 journal/lock.mdb
 keys/
 keys/data.mdb
 keys/lock.mdb
 keys/keys/
 keys/keys/109bcc81665572dabac1484336714f231adc7e6a.pem
 keys/keys/1beb426dbdf1031928268721dba59522dd47e32e.pem
 keys/keys/6d271119f9c2feec9d7cc85f4c66c48083f95259.pem
 keys/keys/7bddece71d6ee9c7e98d99b05a0d8039d688e383.pem
 keys/keys/7d07589ac2a375f2f1a6fedcad722b91d1883990.pem
 keys/keys/cddcff459b920d7e429243339a11c1ecd32f723b.pem
 keys/keys/e3e8ddfc5b7feffd07dce74af5636f1241eaae03.pem
 keys/keys/f4a66f73462dbcf610f4b911e4ac2c8578917623.pem
 timers/
 timers/data.mdb
 timers/lock.mdb
 sent 8,486,759 bytes  received 667 bytes  893,413.26 bytes/sec
 total size is 8,481,722  speedup is 1.00
 backup02 ~ # rsync -av /tmp/alarig/2019-12-19/usr/local/etc/knot/knot.conf root@obelix.breizh-ix.net:/etc/knot/
 sending incremental file list
 knot.conf
 sent 3,166 bytes  received 35 bytes  6,402.00 bytes/sec
 total size is 3,071  speedup is 0.96
 [testing machine]
 obelix ~ # vim ~/.ssh/authorized_keys
 obelix ~ # ls -lhd /var/lib/knot/
 drwxr-x--- 6 553 553 4.0K Dec 18 20:51 /var/lib/knot/
 obelix ~ # ls -lh /var/lib/knot/
 total 200K
 -rw-rw---- 1  553 553  378 Dec 31  2017 100.186.234.89.in-addr.arpa.zone
 -rw-r--r-- 1 root 553 1.2K Dec 18 17:50 126.91.45.in-addr.arpa.nodnssec
 -rw-rw---- 1  553 553  10K Dec 18 17:50 126.91.45.in-addr.arpa.zone
 -rw-rw---- 1  553 553 1.5K Dec 31  2017 2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
 -rw-rw---- 1  553 553 1.1K Dec 31  2017 208_28.186.234.89.in-addr.arpa.zone
 -rw-r--r-- 1 root 553 2.0K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
 -rw-rw---- 1  553 553  13K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.zone
 -rw-rw---- 1  553 553  430 Dec 31  2017 35.186.234.89.in-addr.arpa.zone
 -rw-rw---- 1  553 553  535 Apr 13  2018 4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
 -rw-rw---- 1  553 553  256 Dec 31  2017 67.186.234.89.in-addr.arpa.zone
 -rw-rw---- 1  553 553  308 Dec 31  2017 7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
 drwxr-x--- 2  553 553 4.0K May 27  2017 confdb
 -rw-rw---- 1  553 553  500 Dec 31  2017 geoopendata.eu.org.zone
 drwxrwx--- 2  553 553 4.0K Nov 17  2017 journal
 drwxr-x--- 3  553 553 4.0K Nov 17  2017 keys
 -rw-r--r-- 1 root 553 1.1K Dec 14 16:10 no.swordarmor.fr.nodnssec
 -rw-rw---- 1  553 553 9.1K Dec 17 19:03 no.swordarmor.fr.zone
 -rw-r--r-- 1  553 553  14K Dec 14 16:09 swordarmor.fr.nodnssec
 -rw-rw---- 1  553 553  81K Dec 18 20:51 swordarmor.fr.zone
 drwxrwx--- 2  553 553 4.0K May 26  2017 timers
 obelix ~ # chown -R knot: /var/lib/knot/
 obelix ~ # ls -lhd /var/lib/knot/
 drwxr-x--- 6 knot knot 4.0K Dec 18 20:51 /var/lib/knot/
 obelix ~ # ls -lh /var/lib/knot/
 total 200K
 -rw-rw---- 1 knot knot  378 Dec 31  2017 100.186.234.89.in-addr.arpa.zone
 -rw-r--r-- 1 knot knot 1.2K Dec 18 17:50 126.91.45.in-addr.arpa.nodnssec
 -rw-rw---- 1 knot knot  10K Dec 18 17:50 126.91.45.in-addr.arpa.zone
 -rw-rw---- 1 knot knot 1.5K Dec 31  2017 2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
 -rw-rw---- 1 knot knot 1.1K Dec 31  2017 208_28.186.234.89.in-addr.arpa.zone
 -rw-r--r-- 1 knot knot 2.0K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
 -rw-rw---- 1 knot knot  13K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.zone
 -rw-rw---- 1 knot knot  430 Dec 31  2017 35.186.234.89.in-addr.arpa.zone
 -rw-rw---- 1 knot knot  535 Apr 13  2018 4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
 -rw-rw---- 1 knot knot  256 Dec 31  2017 67.186.234.89.in-addr.arpa.zone
 -rw-rw---- 1 knot knot  308 Dec 31  2017 7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
 drwxr-x--- 2 knot knot 4.0K May 27  2017 confdb
 -rw-rw---- 1 knot knot  500 Dec 31  2017 geoopendata.eu.org.zone
 drwxrwx--- 2 knot knot 4.0K Nov 17  2017 journal
 drwxr-x--- 3 knot knot 4.0K Nov 17  2017 keys
 -rw-r--r-- 1 knot knot 1.1K Dec 14 16:10 no.swordarmor.fr.nodnssec
 -rw-rw---- 1 knot knot 9.1K Dec 17 19:03 no.swordarmor.fr.zone
 -rw-r--r-- 1 knot knot  14K Dec 14 16:09 swordarmor.fr.nodnssec
 -rw-rw---- 1 knot knot  81K Dec 18 20:51 swordarmor.fr.zone
 drwxrwx--- 2 knot knot 4.0K May 26  2017 timers
 obelix ~ # vim /etc/knot/knot.conf # changing paths
 obelix ~ # knotd -c /etc/knot/knot.conf
 [on another shell]
 obelix ~ # ps aux | grep knot
 root     12101  0.0  0.7  13988  7808 pts/2    S+   18:17   0:00 view /etc/knot/knot.sample.conf
 knot     12600  2.8  0.7 22678580 8084 pts/1   Sl+  18:20   0:00 knotd -c /etc/knot/knot.conf
 root     12883  0.0  0.2   7572  2028 pts/3    S+   18:20   0:00 grep --colour=auto knot
 obelix ~ # dig +short -t SOA swordarmor.fr @localhost
 kaiminus.swordarmor.fr. hostmaster.swordarmor.fr. 2019121403 14400 3600 604800 86400
 [back to the previous one]
 obelix ~ # knotd -c /etc/knot/knot.conf
 ^Cobelix ~ #
 obelix ~ #
 obelix ~ # knotd
 2019-12-20T18:19:41 info: Knot DNS 2.9.2 starting
 2019-12-20T18:19:41 info: loaded configuration database '/var/lib/knot/confdb'
 2019-12-20T18:19:41 info: using reuseport for UDP
 2019-12-20T18:19:41 info: loading 0 zones
 2019-12-20T18:19:41 warning: no zones loaded
 2019-12-20T18:19:41 info: starting server
 2019-12-20T18:19:41 info: server started in the foreground, PID 12361
 2019-12-20T18:19:41 info: control, binding to '/var/run/knot/knot.sock'
 2019-12-20T18:19:41 critical: control, failed to bind socket '/var/run/knot/knot.sock' (operation not permitted)
 2019-12-20T18:19:41 info: stopping server
 2019-12-20T18:19:41 info: updating persistent timer DB
 2019-12-20T18:19:41 warning: failed to update persistent timer DB (operation not permitted)
 2019-12-20T18:19:41 info: shutting down
 obelix ~ # mv /var/lib/knot/ /var/lib/knot.bak
 obelix ~ # mkdir /var/lib/knot
 obelix ~ # chown -R knot: /var/lib/knot/
 obelix ~ # rc-service knot start
  * /var/lib/knot/: correcting mode
  * Starting knot ...
                                          [ ok ]
 obelix ~ # ps aux | grep knot
 root     12101  0.0  0.7  13988  7808 pts/2    S+   18:17   0:00 view /etc/knot/knot.sample.conf
 knot     13389  0.0  0.4 1180648 5044 ?        Ssl  18:25   0:00 /usr/sbin/knotd -d
 root     13536  0.0  0.2   7572  2132 pts/1    S+   18:25   0:00 grep --colour=auto knot
 obelix ~ # # so removing /var/lib/knot actually works…
 obelix ~ # rc-service knot stop
  * Stoping knot ...
                                          [ ok ]
 obelix ~ # rm -rv /var/lib/knot
 removed '/var/lib/knot/timers/data.mdb'
 removed '/var/lib/knot/timers/lock.mdb'
 removed directory '/var/lib/knot/timers'
 removed directory '/var/lib/knot'
 obelix ~ # mv /var/lib/knot.bak/ /var/lib/knot
 obelix ~ # vim /etc/knot/knot.conf
 obelix ~ # grep -P '^control|listen:' /etc/knot/knot.conf
     listen: [ 127.0.0.1@53, ::1@53 ]
 control:
     listen: "/tmp/knot/test.sock"
 obelix ~ # knotd
 2019-12-20T18:28:21 info: Knot DNS 2.9.2 starting
 2019-12-20T18:28:21 info: loaded configuration database '/var/lib/knot/confdb'
 2019-12-20T18:28:21 info: using reuseport for UDP
 2019-12-20T18:28:21 info: loading 0 zones
 2019-12-20T18:28:21 warning: no zones loaded
 2019-12-20T18:28:21 info: starting server
 2019-12-20T18:28:21 info: server started in the foreground, PID 14040
 2019-12-20T18:28:21 info: control, binding to '/var/run/knot/knot.sock'
 2019-12-20T18:28:21 critical: control, failed to bind socket '/var/run/knot/knot.sock' (operation not permitted)
 2019-12-20T18:28:21 info: stopping server
 2019-12-20T18:28:21 info: updating persistent timer DB
 2019-12-20T18:28:21 warning: failed to update persistent timer DB (operation not permitted)
 2019-12-20T18:28:21 info: shutting down
 obelix ~ # mv /var/lib/knot/ /var/lib/knot.bak
 obelix ~ # rc-service knot start
  * /var/lib/knot/: creating directory
  * /var/lib/knot/: correcting owner
  * Starting knot ...
                                          [ ok ]
 obelix ~ # ps aux | grep knot
 root     12101  0.0  0.7  13988  7808 pts/2    S+   18:17   0:00 view
 /etc/knot/knot.sample.conf
 knot     14079  0.0  0.4 1075156 4992 ?        Ssl  18:28   0:00
 /usr/sbin/knotd -d
 root     14100  0.0  0.2   7572  2132 pts/1    S+   18:28   0:00 grep
 --colour=auto knot
 obelix ~ # ls -lh /tmp/knot/
 total 0
 srwxrwx--- 1 knot knot 0 Dec 20 18:28 test.sock
 On 20/12/2019 16:24, Daniel Salzman wrote:
> There is no hardcoded ID in the server data :-)
>
> Could you try to manually execute the server under root (knotd -c /etc/knot/knot.conf)?
> Could you try to change the control socket location to a non-var directory
> (https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#control-listen)?
>
> Daniel
>
> On 12/20/19 3:02 PM, Alarig Le Lay wrote:
>> I just found this:
>> backup02 ~ # borg mount /home/alarig/backups/kaiminus-old/
>> /tmp/alarig/
>> backup02 ~ # grep knot /tmp/alarig/2019-12-19/etc/passwd
>> knot:*:553:553:Knot DNS Server:/nonexistent:/usr/sbin/nologin
>>
>> kaiminus ~ # grep knot /etc/passwd
>> knot:x:53:53:User for knot DNS server:/var/lib/knot:/sbin/nologin
>>
>> Perhaps the user ID is hardcoded somewhere in the storage and as long as
>> I had the whole old /var/db/knot inside my new /var/lib/knot, the UID
>> 553 (which doesn’t exist on the new system) was used instead of 53?
>>
>> On 20/12/2019 14:55, Alarig Le Lay wrote:
>>> The socket wasn’t created at all, so I tried to touch the file and chown
>>> it to knot, but same result. As knot dies if the socket doesn’t exist, it
>>> wasn’t running until I removed /var/lib/knot.
>>>
>>> On 20/12/2019 14:44, David Vašek wrote:
>>>> I meant, if it helps to *remove* the socket. Sorry.
>>>>
>>>> David
>>>>
>>>> On 2019-12-20 14:43, David Vašek wrote:
>>>>> Hi,
>>>>>
>>>>> are you sure that knot isn't running already (pgrep knotd)? If not,
>>>>> does it help to remote /var/run/knot/knot.sock manually before you
>>>>> start knot?
>>>>>
>>>>> David
>>>>>
>>>>>
>>>>> On 2019-12-20 13:56, Alarig Le Lay wrote:
>>>>>> Here is my config file: https://paste.swordarmor.fr/raw/kXaN
>>>>>>
>>>>>> The init script:
>>>>>> https://gitweb.gentoo.org/repo/sync/gentoo.git/tree/net-dns/knot/files/knot…
>>>>>>
>>>>>> The content of the dirs (and what I kept in .old):
>>>>>> https://paste.swordarmor.fr/raw/IG3K
>>>>>>
>>>>>> The error wasn’t in the logs but in the shell (and I closed it since
>>>>>> then) when I tried to launch it directly from CLI. It was a permission
>>>>>> denied on /var/run/knot/knot.sock
>>>>>>
>>>>>> I don’t recall when I first installed knot on the FreeBSD machine, but
>>>>>> it was on the 10th release, so 2014~2015 if I refer to Wikipedia.
>>>>>>
>>>>>> Regards,
>>>>>> Alarig
>>>>>>
>>>>>> On 20/12/2019 13:30, David Vašek wrote:
>>>>>>> Hello Alarig,
>>>>>>>
>>>>>>> could you please send us some more data? The config file and some
>>>>>>> output would be helpful, i.e. knot.conf, /etc/init.d/knot, ls -l
>>>>>>> /var/lib/knot /var/run/knot, and the knot logfile from the failed
>>>>>>> attempt. So far, it seems to us it should work. Thanks.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>
>>>>>>> On 2019-12-20 09:55, Alarig Le Lay wrote:
>>>>>>>> Hi Daniel,
>>>>>>>>
>>>>>>>> Yes I’m sure the permissions were good, they are set by the
>>>>>>>> package. I pulled it from the official repo, and server.user was
>>>>>>>> already set for my old configuration. I also changed the storage
>>>>>>>> (s/db/lib) before running the daemon.
>>>>>>>> Plus, when I started the daemon with an empty /var/lib/knot (and
>>>>>>>> just rsynced my zones & keys) I didn’t change any permissions.
>>>>>>>>
>>>>>>>> I don’t use systemd but OpenRC.
>>>>>>>>
>>>>>>>> On 20/12/2019 09:30, Daniel Salzman wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Are you sure the permissions are right?
>>>>>>>>> Do you have 'server.user' configured?
>>>>>>>>> Where did you get the Knot DNS package for Gentoo?
>>>>>>>>>
>>>>>>>>> There are some differences between FreeBSD and Linux packages
>>>>>>>>> with systemd enabled.
>>>>>>>>>
>>>>>>>>> Daniel
>>>>>>>>>
>>>>>>>>> On 12/19/19 11:33 PM, Alarig Le Lay wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Today I migrated my knot from FreeBSD to Gentoo (because it
>>>>>>>>>> takes too much time to stay on a supported release of FreeBSD).
>>>>>>>>>>
>>>>>>>>>> I rsynced my knot.conf (and changed the paths) and /var/db/knot
>>>>>>>>>> to /var/lib/knot.
>>>>>>>>>>
>>>>>>>>>> However, the daemon failed to start because it wasn’t able to
>>>>>>>>>> bind to /var/run/knot/knot.sock, and the permissions were good.
>>>>>>>>>> I had to remove /var/db/knot and rsync only zones and keys.
>>>>>>>>>>
>>>>>>>>>> I don’t see the link between files in /var/lib and a permission
>>>>>>>>>> denied on /var/run/knot/knot.sock, so I think that there is a
>>>>>>>>>> bug here.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
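The observation at the top of the thread (a bare `knotd` announcing "loaded configuration database '/var/lib/knot/confdb'" while the edits went into knot.conf) is worth checking before the daemon is started rather than after it has died. The shell helper below is an added example, not code from the thread and not Knot DNS project code. It reproduces the selection rule documented for knotd (an explicit -c FILE or -C DIR wins; with neither, an existing default confdb is preferred over the default configuration file), flags the case where a leftover confdb silently overrides a freshly edited knot.conf, and lists storage entries not owned by the server user, which is how the UID 553 files restored from the FreeBSD backup would show up. The default paths /etc/knot/knot.conf and /var/lib/knot/confdb are assumptions for a Linux package layout and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Knot DNS project.
# Reproduces knotd's configuration-source selection so that the situation in
# the thread (a bare `knotd` loading a leftover confdb while edits go to
# knot.conf) can be detected before the daemon is started.
#
# Assumed defaults (Linux package layout; override via the environment):
KNOT_DEFAULT_CONF="${KNOT_DEFAULT_CONF:-/etc/knot/knot.conf}"
KNOT_DEFAULT_CONFDB="${KNOT_DEFAULT_CONFDB:-/var/lib/knot/confdb}"

# knot_config_source [-c FILE] [-C DIR]
# Prints "file:PATH" or "confdb:PATH", following the documented rule:
# an explicit option wins; with no option, an existing default confdb is
# preferred over the default configuration file. If both -c and -C are
# given, the helper refuses (exit 2) instead of guessing a precedence.
knot_config_source() {
    conf="" confdb=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) conf="$2";   shift 2 ;;
            -C) confdb="$2"; shift 2 ;;
            *)  shift ;;
        esac
    done
    if [ -n "$conf" ] && [ -n "$confdb" ]; then
        echo "refusing: both -c and -C given" >&2
        return 2
    fi
    if [ -n "$confdb" ]; then printf 'confdb:%s\n' "$confdb"; return 0; fi
    if [ -n "$conf" ];   then printf 'file:%s\n'   "$conf";   return 0; fi
    # An LMDB database is data.mdb (+ lock.mdb); an empty directory is not a
    # database, so test for the data file rather than the directory.
    if [ -f "$KNOT_DEFAULT_CONFDB/data.mdb" ]; then
        printf 'confdb:%s\n' "$KNOT_DEFAULT_CONFDB"; return 0
    fi
    printf 'file:%s\n' "$KNOT_DEFAULT_CONF"
}

# knot_conf_edits_ignored
# True (exit 0) when a bare `knotd` would load the default confdb although the
# default configuration file was modified more recently: exactly the state in
# which changing control.listen in knot.conf had no visible effect.
knot_conf_edits_ignored() {
    [ -f "$KNOT_DEFAULT_CONFDB/data.mdb" ] &&
    [ -f "$KNOT_DEFAULT_CONF" ] &&
    [ "$KNOT_DEFAULT_CONF" -nt "$KNOT_DEFAULT_CONFDB/data.mdb" ]
}

# knot_storage_foreign_owners DIR USER
# Lists entries under DIR not owned by USER (the server.user knotd drops to).
# Files restored from another host keep their numeric UID, so they are listed
# even when that UID has no name on the new system.
knot_storage_foreign_owners() {
    find "$1" ! -user "$2"
}

# Usage, as root on the real host:
#   knot_config_source                       # what a bare `knotd` would load
#   knot_config_source -c /etc/knot/knot.conf
#   knot_conf_edits_ignored && echo "knot.conf edits are NOT in effect"
#   knot_storage_foreign_owners /var/lib/knot knot
```

Two practical notes. Starting the server with `knotd -c /etc/knot/knot.conf`, as done in the thread, sidesteps the confdb preference entirely, which is why the same knot.conf behaved differently with and without -c. Once a server is running, `knotc conf-export` dumps the configuration it actually holds, so comparing that output with knot.conf is the direct way to confirm which source was loaded.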