Indeed, I have it from the restart earlier this afternoon (or other
start with a cleaner /var/lib/knot):
Dec 20 15:16:27 kaiminus knot[5156]: info: loaded configuration file '/etc/knot/knot.conf'
Nevertheless, I think that the preference of /var/lib/knot/confdb is a
bit weird. It’s very counterintuitive to have to look for configuration
outside of ${PREFIX}/etc/knot. It should at least be placed inside the
configuration directory.
Also (I don’t know if it’s gentoo-specific or not), the messages are
printed on the console only if I run it directly; they are not printed in
/var/log/daemon.log when using the service.
Thanks for the explanation anyway :)
On Fri 20 Dec 20:00:11 2019, daniel.salzman(a)nic.cz wrote:
If no configuration source (config file or confdb) is specified, the server
autodetects which one to use. If the confdb exists, it is preferred.
So delete this directory '/var/lib/knot/confdb', start the server, and check
the logs for something like
"info: loaded configuration file '/etc/knot/knot.conf'"
On 2019-12-20 19:52, Alarig Le Lay wrote:
> No, not at all, and I didn’t even specify it in my configuration file:
> kaiminus ~ # grep conf /etc/knot/knot.conf
> # This is a sample of a minimal configuration file for Knot DNS.
> # For more details, see man 5 knot.conf or refer to the server documentation.
>
>
> On Fri 20 Dec 19:07:45 2019, daniel.salzman(a)nic.cz wrote:
> > I have noticed one important thing. The server is started with configuration
> > stored in a configuration database. Not with the configuration file!
> > "info: loaded configuration database '/var/lib/knot/confdb'"
> > Is it intentional?
> >
> > On 2019-12-20 18:29, Alarig Le Lay wrote:
> > > I re-did all the procedure on another VM (also gentoo):
> > >
> > > [testing VM]
> > > obelix ~ # emerge -va net-dns/knot
> > > obelix ~ # ls -lhd /var/run/knot
> > > ls: cannot access '/var/run/knot': No such file or directory
> > > obelix ~ # ls -lhd /var/lib/knot/
> > > drwxr-xr-x 2 knot knot 4.0K Dec 20 17:50 /var/lib/knot/
> > > obelix ~ # ls -lh /var/lib/knot/
> > > total 0
> > > obelix ~ # vim ~/.ssh/authorized_keys
> > >
> > > [backups]
> > > backup02 ~ # rsync -av /tmp/alarig/2019-12-19/var/db/knot/
> > > root@obelix.breizh-ix.net:/var/lib/knot/
> > > The authenticity of host 'obelix.breizh-ix.net (2a00:5884:102:1::6)' can't be established.
> > > ECDSA key fingerprint is SHA256:gzp3uVzltffjUMslc5olyvhwhx28F9e1YXSy86nOnQo.
> > > Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
> > > Warning: Permanently added 'obelix.breizh-ix.net,2a00:5884:102:1::6' (ECDSA) to the list of known hosts.
> > > sending incremental file list
> > > ./
> > > 100.186.234.89.in-addr.arpa.zone
> > > 126.91.45.in-addr.arpa.nodnssec
> > > 126.91.45.in-addr.arpa.zone
> > > 2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
> > > 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
> > > 2.4.f.0.e.0.a.2.ip6.arpa.zone
> > > 208_28.186.234.89.in-addr.arpa.zone
> > > 35.186.234.89.in-addr.arpa.zone
> > > 4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
> > > 67.186.234.89.in-addr.arpa.zone
> > > 7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
> > > geoopendata.eu.org.zone
> > > no.swordarmor.fr.nodnssec
> > > no.swordarmor.fr.zone
> > > swordarmor.fr.nodnssec
> > > swordarmor.fr.zone
> > > confdb/
> > > confdb/data.mdb
> > > confdb/lock.mdb
> > > journal/
> > > journal/data.mdb
> > > journal/lock.mdb
> > > keys/
> > > keys/data.mdb
> > > keys/lock.mdb
> > > keys/keys/
> > > keys/keys/109bcc81665572dabac1484336714f231adc7e6a.pem
> > > keys/keys/1beb426dbdf1031928268721dba59522dd47e32e.pem
> > > keys/keys/6d271119f9c2feec9d7cc85f4c66c48083f95259.pem
> > > keys/keys/7bddece71d6ee9c7e98d99b05a0d8039d688e383.pem
> > > keys/keys/7d07589ac2a375f2f1a6fedcad722b91d1883990.pem
> > > keys/keys/cddcff459b920d7e429243339a11c1ecd32f723b.pem
> > > keys/keys/e3e8ddfc5b7feffd07dce74af5636f1241eaae03.pem
> > > keys/keys/f4a66f73462dbcf610f4b911e4ac2c8578917623.pem
> > > timers/
> > > timers/data.mdb
> > > timers/lock.mdb
> > >
> > > sent 8,486,759 bytes received 667 bytes 893,413.26 bytes/sec
> > > total size is 8,481,722 speedup is 1.00
> > > backup02 ~ # rsync -av
> > > /tmp/alarig/2019-12-19/usr/local/etc/knot/knot.conf
> > > root@obelix.breizh-ix.net:/etc/knot/
> > > sending incremental file list
> > > knot.conf
> > >
> > > sent 3,166 bytes received 35 bytes 6,402.00 bytes/sec
> > > total size is 3,071 speedup is 0.96
> > >
> > > [testing machine]
> > > obelix ~ # vim ~/.ssh/authorized_keys
> > > obelix ~ # ls -lhd /var/lib/knot/
> > > drwxr-x--- 6 553 553 4.0K Dec 18 20:51 /var/lib/knot/
> > > obelix ~ # ls -lh /var/lib/knot/
> > > total 200K
> > > -rw-rw---- 1 553 553 378 Dec 31 2017 100.186.234.89.in-addr.arpa.zone
> > > -rw-r--r-- 1 root 553 1.2K Dec 18 17:50 126.91.45.in-addr.arpa.nodnssec
> > > -rw-rw---- 1 553 553 10K Dec 18 17:50 126.91.45.in-addr.arpa.zone
> > > -rw-rw---- 1 553 553 1.5K Dec 31 2017 2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
> > > -rw-rw---- 1 553 553 1.1K Dec 31 2017 208_28.186.234.89.in-addr.arpa.zone
> > > -rw-r--r-- 1 root 553 2.0K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
> > > -rw-rw---- 1 553 553 13K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.zone
> > > -rw-rw---- 1 553 553 430 Dec 31 2017 35.186.234.89.in-addr.arpa.zone
> > > -rw-rw---- 1 553 553 535 Apr 13 2018 4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
> > > -rw-rw---- 1 553 553 256 Dec 31 2017 67.186.234.89.in-addr.arpa.zone
> > > -rw-rw---- 1 553 553 308 Dec 31 2017 7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
> > > drwxr-x--- 2 553 553 4.0K May 27 2017 confdb
> > > -rw-rw---- 1 553 553 500 Dec 31 2017 geoopendata.eu.org.zone
> > > drwxrwx--- 2 553 553 4.0K Nov 17 2017 journal
> > > drwxr-x--- 3 553 553 4.0K Nov 17 2017 keys
> > > -rw-r--r-- 1 root 553 1.1K Dec 14 16:10 no.swordarmor.fr.nodnssec
> > > -rw-rw---- 1 553 553 9.1K Dec 17 19:03 no.swordarmor.fr.zone
> > > -rw-r--r-- 1 553 553 14K Dec 14 16:09 swordarmor.fr.nodnssec
> > > -rw-rw---- 1 553 553 81K Dec 18 20:51 swordarmor.fr.zone
> > > drwxrwx--- 2 553 553 4.0K May 26 2017 timers
> > > obelix ~ # chown -R knot: /var/lib/knot/
> > > obelix ~ # ls -lhd /var/lib/knot/
> > > drwxr-x--- 6 knot knot 4.0K Dec 18 20:51 /var/lib/knot/
> > > obelix ~ # ls -lh /var/lib/knot/
> > > total 200K
> > > -rw-rw---- 1 knot knot 378 Dec 31 2017 100.186.234.89.in-addr.arpa.zone
> > > -rw-r--r-- 1 knot knot 1.2K Dec 18 17:50 126.91.45.in-addr.arpa.nodnssec
> > > -rw-rw---- 1 knot knot 10K Dec 18 17:50 126.91.45.in-addr.arpa.zone
> > > -rw-rw---- 1 knot knot 1.5K Dec 31 2017 2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
> > > -rw-rw---- 1 knot knot 1.1K Dec 31 2017 208_28.186.234.89.in-addr.arpa.zone
> > > -rw-r--r-- 1 knot knot 2.0K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
> > > -rw-rw---- 1 knot knot 13K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.zone
> > > -rw-rw---- 1 knot knot 430 Dec 31 2017 35.186.234.89.in-addr.arpa.zone
> > > -rw-rw---- 1 knot knot 535 Apr 13 2018 4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
> > > -rw-rw---- 1 knot knot 256 Dec 31 2017 67.186.234.89.in-addr.arpa.zone
> > > -rw-rw---- 1 knot knot 308 Dec 31 2017 7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
> > > drwxr-x--- 2 knot knot 4.0K May 27 2017 confdb
> > > -rw-rw---- 1 knot knot 500 Dec 31 2017 geoopendata.eu.org.zone
> > > drwxrwx--- 2 knot knot 4.0K Nov 17 2017 journal
> > > drwxr-x--- 3 knot knot 4.0K Nov 17 2017 keys
> > > -rw-r--r-- 1 knot knot 1.1K Dec 14 16:10 no.swordarmor.fr.nodnssec
> > > -rw-rw---- 1 knot knot 9.1K Dec 17 19:03 no.swordarmor.fr.zone
> > > -rw-r--r-- 1 knot knot 14K Dec 14 16:09 swordarmor.fr.nodnssec
> > > -rw-rw---- 1 knot knot 81K Dec 18 20:51 swordarmor.fr.zone
> > > drwxrwx--- 2 knot knot 4.0K May 26 2017 timers
> > > obelix ~ # vim /etc/knot/knot.conf # changing paths
> > > obelix ~ # knotd -c /etc/knot/knot.conf
> > > [on another shell]
> > > obelix ~ # ps aux | grep knot
> > > root 12101 0.0 0.7 13988 7808 pts/2 S+ 18:17 0:00 view /etc/knot/knot.sample.conf
> > > knot 12600 2.8 0.7 22678580 8084 pts/1 Sl+ 18:20 0:00 knotd -c /etc/knot/knot.conf
> > > root 12883 0.0 0.2 7572 2028 pts/3 S+ 18:20 0:00 grep --colour=auto knot
> > > obelix ~ # dig +short -t SOA swordarmor.fr @localhost
> > > kaiminus.swordarmor.fr. hostmaster.swordarmor.fr. 2019121403 14400 3600 604800 86400
> > > [back to the previous one]
> > > obelix ~ # knotd -c /etc/knot/knot.conf
> > > ^Cobelix ~ #
> > > obelix ~ #
> > > obelix ~ # knotd
> > > 2019-12-20T18:19:41 info: Knot DNS 2.9.2 starting
> > > 2019-12-20T18:19:41 info: loaded configuration database '/var/lib/knot/confdb'
> > > 2019-12-20T18:19:41 info: using reuseport for UDP
> > > 2019-12-20T18:19:41 info: loading 0 zones
> > > 2019-12-20T18:19:41 warning: no zones loaded
> > > 2019-12-20T18:19:41 info: starting server
> > > 2019-12-20T18:19:41 info: server started in the foreground, PID 12361
> > > 2019-12-20T18:19:41 info: control, binding to '/var/run/knot/knot.sock'
> > > 2019-12-20T18:19:41 critical: control, failed to bind socket '/var/run/knot/knot.sock' (operation not permitted)
> > > 2019-12-20T18:19:41 info: stopping server
> > > 2019-12-20T18:19:41 info: updating persistent timer DB
> > > 2019-12-20T18:19:41 warning: failed to update persistent timer DB (operation not permitted)
> > > 2019-12-20T18:19:41 info: shutting down
> > > obelix ~ # mv /var/lib/knot/ /var/lib/knot.bak
> > > obelix ~ # mkdir /var/lib/knot
> > > obelix ~ # chown -R knot: /var/lib/knot/
> > > obelix ~ # rc-service knot start
> > > * /var/lib/knot/: correcting mode
> > > * Starting knot ...
> > > [ ok ]
> > > obelix ~ # ps aux | grep knot
> > > root 12101 0.0 0.7 13988 7808 pts/2 S+ 18:17 0:00 view /etc/knot/knot.sample.conf
> > > knot 13389 0.0 0.4 1180648 5044 ? Ssl 18:25 0:00 /usr/sbin/knotd -d
> > > root 13536 0.0 0.2 7572 2132 pts/1 S+ 18:25 0:00 grep --colour=auto knot
> > > obelix ~ # # so removing /var/lib/knot actually works…
> > > obelix ~ # rc-service knot stop
> > > * Stoping knot ...
> > > [ ok ]
> > > obelix ~ # rm -rv /var/lib/knot
> > > removed '/var/lib/knot/timers/data.mdb'
> > > removed '/var/lib/knot/timers/lock.mdb'
> > > removed directory '/var/lib/knot/timers'
> > > removed directory '/var/lib/knot'
> > > obelix ~ # mv /var/lib/knot.bak/ /var/lib/knot
> > > obelix ~ # vim /etc/knot/knot.conf
> > > obelix ~ # grep -P '^control|listen:' /etc/knot/knot.conf
> > > listen: [ 127.0.0.1@53, ::1@53 ]
> > > control:
> > > listen: "/tmp/knot/test.sock"
> > > obelix ~ # knotd
> > > 2019-12-20T18:28:21 info: Knot DNS 2.9.2 starting
> > > 2019-12-20T18:28:21 info: loaded configuration database '/var/lib/knot/confdb'
> > > 2019-12-20T18:28:21 info: using reuseport for UDP
> > > 2019-12-20T18:28:21 info: loading 0 zones
> > > 2019-12-20T18:28:21 warning: no zones loaded
> > > 2019-12-20T18:28:21 info: starting server
> > > 2019-12-20T18:28:21 info: server started in the foreground, PID 14040
> > > 2019-12-20T18:28:21 info: control, binding to '/var/run/knot/knot.sock'
> > > 2019-12-20T18:28:21 critical: control, failed to bind socket '/var/run/knot/knot.sock' (operation not permitted)
> > > 2019-12-20T18:28:21 info: stopping server
> > > 2019-12-20T18:28:21 info: updating persistent timer DB
> > > 2019-12-20T18:28:21 warning: failed to update persistent timer DB (operation not permitted)
> > > 2019-12-20T18:28:21 info: shutting down
> > > obelix ~ # mv /var/lib/knot/ /var/lib/knot.bak
> > > obelix ~ # rc-service knot start
> > > * /var/lib/knot/: creating directory
> > > * /var/lib/knot/: correcting owner
> > > * Starting knot ...
> > > [ ok ]
> > > obelix ~ # ps aux | grep knot
> > > root 12101 0.0 0.7 13988 7808 pts/2 S+ 18:17 0:00 view /etc/knot/knot.sample.conf
> > > knot 14079 0.0 0.4 1075156 4992 ? Ssl 18:28 0:00 /usr/sbin/knotd -d
> > > root 14100 0.0 0.2 7572 2132 pts/1 S+ 18:28 0:00 grep --colour=auto knot
> > > obelix ~ # ls -lh /tmp/knot/
> > > total 0
> > > srwxrwx--- 1 knot knot 0 Dec 20 18:28 test.sock
> > >
> > >
> > > On 20/12/2019 16:24, Daniel Salzman wrote:
> > > > There is no hardcoded ID in the server data :-)
> > > >
> > > > Could you try to manually execute the server under root (knotd -c /etc/knot/knot.conf)?
> > > > Could you try to change the control socket location to a non-var directory
> > > > (https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#control-listen)?
> > > >
> > > > Daniel
> > > >
> > > > On 12/20/19 3:02 PM, Alarig Le Lay wrote:
> > > > > I just found this:
> > > > > backup02 ~ # borg mount /home/alarig/backups/kaiminus-old/
> > > > > /tmp/alarig/
> > > > > backup02 ~ # grep knot /tmp/alarig/2019-12-19/etc/passwd
> > > > > knot:*:553:553:Knot DNS Server:/nonexistent:/usr/sbin/nologin
> > > > >
> > > > > kaiminus ~ # grep knot /etc/passwd
> > > > > knot:x:53:53:User for knot DNS server:/var/lib/knot:/sbin/nologin
> > > > >
> > > > > Perhaps the user ID is hardcoded somewhere in the storage and as long as
> > > > > I had the whole old /var/db/knot inside my new /var/lib/knot, the UID
> > > > > 553 (which doesn’t exist on the new system) was used instead of 53?
> > > > >
> > > > > On 20/12/2019 14:55, Alarig Le Lay wrote:
> > > > > > The socket wasn’t created at all, so I tried to touch the file and chown
> > > > > > to knot, but same result. As knot dies if the socket doesn’t exist, it
> > > > > > wasn’t running until I removed /var/lib/knot.
> > > > > >
> > > > > > On 20/12/2019 14:44, David Vašek wrote:
> > > > > > > I meant, if it helps to *remove* the socket. Sorry.
> > > > > > >
> > > > > > > David
> > > > > > >
> > > > > > > On 2019-12-20 14:43, David Vašek wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > are you sure, that knot isn't running already (pgrep knotd)? If not,
> > > > > > > > does it help to remote /var/run/knot/knot.sock manually before you
> > > > > > > > start knot?
> > > > > > > >
> > > > > > > > David
> > > > > > > >
> > > > > > > >
> > > > > > > > On 2019-12-20 13:56, Alarig Le Lay wrote:
> > > > > > > > > Here is my config file: https://paste.swordarmor.fr/raw/kXaN
> > > > > > > > >
> > > > > > > > > The init script:
> > > > > > > > > https://gitweb.gentoo.org/repo/sync/gentoo.git/tree/net-dns/knot/files/knot…
> > > > > > > > >
> > > > > > > > > The content of the dirs (and what I kept in .old):
> > > > > > > > > https://paste.swordarmor.fr/raw/IG3K
> > > > > > > > >
> > > > > > > > > The error wasn’t in the logs but in the shell (and I closed it since
> > > > > > > > > then) when I tried to launch it directly from CLI. It was a permission
> > > > > > > > > denied on /var/run/knot/knot.sock
> > > > > > > > >
> > > > > > > > > I don’t recall when I first installed knot on the FreeBSD machine, but
> > > > > > > > > it was on the 10th release, so 2014~2015 if I refer to Wikipedia.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Alarig
> > > > > > > > >
> > > > > > > > > On 20/12/2019 13:30, David Vašek wrote:
> > > > > > > > > > Hello Alarig,
> > > > > > > > > >
> > > > > > > > > > could you please send us some more data? The config file and some
> > > > > > > > > > output would be helpful, i.e. knot.conf, /etc/init.d/knot, ls -l
> > > > > > > > > > /var/lib/knot /var/run/knot, and the knot logfile from the failed
> > > > > > > > > > attempt. So far, it seems to us it should work. Thanks.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > David
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On 2019-12-20 09:55, Alarig Le Lay wrote:
> > > > > > > > > > > Hi Daniel,
> > > > > > > > > > >
> > > > > > > > > > > Yes I’m sure the permissions were good, they are set by the package. I
> > > > > > > > > > > pulled it from the official repo, and server.user was already set for
> > > > > > > > > > > my old configuration. I also changed the storage (s/db/lib) before
> > > > > > > > > > > running the daemon.
> > > > > > > > > > > Plus, when I started the daemon with an empty /var/lib/knot (and just
> > > > > > > > > > > rsynced my zones & keys) I didn’t change any permission.
> > > > > > > > > > >
> > > > > > > > > > > I don’t use systemd but openrc.
> > > > > > > > > > >
> > > > > > > > > > > On 20/12/2019 09:30, Daniel Salzman wrote:
> > > > > > > > > > > > Hi,
> > > > > > > > > > > >
> > > > > > > > > > > > Are you sure the permissions are right?
> > > > > > > > > > > > Do you have 'server.user' configured?
> > > > > > > > > > > > Where did you get the Knot DNS package for Gentoo?
> > > > > > > > > > > >
> > > > > > > > > > > > There are some differences between FreeBSD and Linux packages with
> > > > > > > > > > > > systemd enabled.
> > > > > > > > > > > >
> > > > > > > > > > > > Daniel
> > > > > > > > > > > >
> > > > > > > > > > > > On 12/19/19 11:33 PM, Alarig Le Lay wrote:
> > > > > > > > > > > > > Hi,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Today I migrated my knot from FreeBSD to Gentoo (because it takes too
> > > > > > > > > > > > > much time to stay on a supported release of FreeBSD)
> > > > > > > > > > > > >
> > > > > > > > > > > > > I rsynced my knot.conf (and changed the paths) and /var/db/knot to
> > > > > > > > > > > > > /var/lib/knot
> > > > > > > > > > > > >
> > > > > > > > > > > > > However, the daemon failed to start because it wasn’t able to bind to
> > > > > > > > > > > > > /var/run/knot/knot.sock, and the permissions were good. I had to remove
> > > > > > > > > > > > > /var/db/knot and rsync only zones and keys.
> > > > > > > > > > > > >
> > > > > > > > > > > > > I don’t get the link from files in /var/lib and a denied permission on
> > > > > > > > > > > > > /var/run/knot/knot.sock, so I think that there is a bug here.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Regards,
> > > > > > > > > > > > >
> > > > > >
> > > > >
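The thread above comes down to three things that a migrated storage directory can get wrong before knotd is even started: a copied confdb/ silently taking precedence over knot.conf, files still owned by the old host's numeric UID (553 here, while the new system uses 53), and a control socket directory the server user cannot use. The script below is an added example, not code from the thread or from the Knot DNS project; it checks all three before the daemon is started. Its knot.conf parser handles only the layout assumed here (top-level sections such as `server:` and `control:` in column 0, indented keys such as `user:` and `listen:`), the script name knot-precheck.sh is hypothetical, and the uid is passed in explicitly so the check also runs on a host where the `knot` user does not exist yet.

```shell
#!/bin/sh
# Pre-start sanity check for a Knot DNS storage directory copied from another
# host. Added example, not code from the thread or from the Knot DNS project.
#
# Assumed inputs (hypothetical layout): a knot.conf whose top-level sections
# start in column 0 ("server:", "control:") and whose keys are indented
# ("user: knot:knot", "listen: /path"), and a storage directory laid out like
# /var/lib/knot in the thread (confdb/, journal/, keys/, timers/, zone files).

# knot_conf_value FILE SECTION KEY -> first value of KEY inside SECTION.
# Minimal parser for that shape only: quotes are stripped, lists are not parsed.
knot_conf_value() {
    awk -v sec="$2:" -v key="$3:" '
        /^[^[:space:]#]/ { insec = ($1 == sec); next }
        insec && $1 == key {
            sub(/^[[:space:]]*[^:]*:[[:space:]]*/, ""); gsub(/"/, ""); print; exit
        }' "$1"
}

# knot_config_source STORAGE CONF -> "confdb:DIR" when a configuration database
# exists under STORAGE (knotd prefers it when started without -c/-C, as the
# thread shows), otherwise "file:CONF".
knot_config_source() {
    if [ -f "$1/confdb/data.mdb" ]; then
        echo "confdb:$1/confdb"
    else
        echo "file:$2"
    fi
}

# knot_foreign_files STORAGE UID -> number of entries under STORAGE (the
# directory itself included) whose owner is not UID. Numeric IDs are compared
# on purpose: a UID copied from another host need not exist here at all.
knot_foreign_files() {
    find "$1" -exec ls -ldn {} + | awk -v uid="$2" '$3 != uid' | wc -l | tr -d ' '
}

# knot_precheck CONF STORAGE UID -> prints findings; the exit status is the
# number of problems, so 0 means "safe to start".
knot_precheck() {
    conf=$1; storage=$2; uid=$3; problems=0

    src=$(knot_config_source "$storage" "$conf")
    case $src in
        confdb:*) echo "WARN: ${src#confdb:} exists and will be preferred over $conf"
                  problems=$((problems + 1)) ;;
        *)        echo "OK: knotd will load ${src#file:}" ;;
    esac

    foreign=$(knot_foreign_files "$storage" "$uid")
    if [ "$foreign" -gt 0 ]; then
        echo "WARN: $foreign entries under $storage are not owned by uid $uid (chown -R needed)"
        problems=$((problems + 1))
    else
        echo "OK: everything under $storage is owned by uid $uid"
    fi

    sock=$(knot_conf_value "$conf" control listen)
    # Fall back to the default path that failed in the thread
    sockdir=$(dirname "${sock:-/var/run/knot/knot.sock}")
    if [ ! -d "$sockdir" ]; then
        echo "WARN: control socket directory $sockdir does not exist"
        problems=$((problems + 1))
    else
        echo "OK: control socket directory $sockdir exists"
    fi

    return $problems
}

# Stand-alone use: sh knot-precheck.sh /etc/knot/knot.conf /var/lib/knot "$(id -u knot)"
if [ "$#" -eq 3 ]; then
    knot_precheck "$1" "$2" "$3"
fi
```

Because the exit status is the number of findings, an init script can run it before `knotd` and refuse to start the daemon when it is non-zero; on the thread's box the confdb warning alone would have pointed at the stale /var/lib/knot/confdb, and the ownership count would have flagged the 553-owned files before the "operation not permitted" errors ever appeared.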