[Pdns-users] [Q] pdsn recursor chroot environment error : rec_control = Fatal: Unable to receive message over control channel: Success

Aki Tuomi cmouse at youzen.ext.b2.fi
Thu Nov 3 13:57:23 UTC 2011


On Thu, Nov 03, 2011 at 01:45:58PM +0100, JKL wrote:
> On 10/31/2011 09:18 PM, Aki Tuomi wrote:
> > On Mon, Oct 31, 2011 at 06:00:38PM +0100, Peter van Dijk wrote:
> >> Hello S,
> >>
> >> On Oct 27, 2011, at 15:57 , J4K wrote:
> >>
> >>> root at sa51 /var/spool/powerdns/var/run # ls -l
> >>> total 0
> >>> lrwxrwxrwx 1 root root 36 Oct 27 15:37 pdns_recursor.controlsocket -> /var/run/pdns_recursor.controlsocket
> >>> lrwxrwxrwx 1 root root 26 Oct 27 15:37 pdns_recursor.pid -> /var/run/pdns_recursor.pid
> >> Symlink targets are subject to chroot rules too. When viewed within the chroot, your symlinks are just pointing to themselves. I would suggest experimenting with hardlinking them, or making the symlinks the other way around.
> >>
> >> Note that when I try here, the socket ends up outside of the chroot but rec_control is still unable to get a response from the recursor.
> >>
> >> Please let me know whether you get this running with symlinks or hard links in the right direction; if not, I will investigate whether there are bugs in this area.
> >>
> >> Kind regards,
> >> Peter van Dijk
> >>
> > Actually, this problem is easily solved after you understand how unix sockets
> > really work. The issue at hand is that the location (directory) of the socket
> > must be the same for both parties, at least, it must seem so.
> >
> > The Unix sockets work by having a server socket somewhere, and when you connect
> > to it, you (usually) create a client socket in the same directory, and provide
> > the directory of that to the server. And this usually causes problems with 
> > chroots, because you'll be merrily telling the server that "hi, i am connecting
> > from /chroot/var/run/.client.sock.25235, please write me back there". 
> >
> > The other problem is that the Server must be able to access the Client socket, 
> > so the socket directory must be within the chrooted environment. 
> >
> > To solve this problem elegantly, we assume that your program has socket in
> >
> > /var/run/pdns.sock
> >
> > Which then becomes chrooted as
> >
> > /chroot/var/run/pdns.sock
> >
> > Now, to fix this, you'll just have to symlink /chroot/var/run/pdns under
> > /var/run
> >
> > Now the server sees your sockets (both the client *and* server have their own
> > socket), under /var/run/pdns.
> >
> > ---
> > Aki Tuomi
> >
> 
> Hi Aki,
> 
>     I gave up using a chroot, but still I have the same error message:
> 
> root at sa51 / # grep chroot /etc/powerdns/recursor.conf
> # chroot    switch to chroot jail
> # chroot=./
> 
> root at sa51 / # ls -l /var/run/pdns_recursor.controlsocket
> srwxr-xr-x 1 root root 0 Nov  3 12:56 /var/run/pdns_recursor.controlsocket
> root at sa51 / # ls -l /var/run/pdns_recursor.pid
> -rw-r--r-- 1 root root 4 Nov  3 12:56 /var/run/pdns_recursor.pid
> 
> root at sa51 / # rec_control  ping
> Fatal: Unable to connect to remote '/var/run/pdns_recursor.controlsocket': Connection refused
> 

Different error, this is Connection Refused, which means that the server
refused to speak to you. 

Aki Tuomi
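
As an added illustration (not code from this thread or from PowerDNS), the Python sketch below resolves a path the way a chrooted process would and checks whether a socket directory is the same object from outside and inside the chroot. It covers both layouts discussed above: the symlink inside the chroot that points at itself, and the symlink placed outside the chroot pointing into it. The helper names and the temporary directory tree are constructed for the example.

```python
import os
import tempfile

def resolve_in_root(root, path, max_hops=40):
    """Resolve `path` as a process whose / is `root` would; None on a symlink loop."""
    todo = [p for p in path.split("/") if p]
    done, hops = [], 0
    while todo:
        part = todo.pop(0)
        if part in (".", ".."):
            done = done[:-1] if part == ".." else done
            continue
        here = os.path.join(root, *done, part)
        if os.path.islink(here):
            hops += 1
            if hops > max_hops:
                return None  # what the kernel would report as ELOOP
            target = os.readlink(here)
            if target.startswith("/"):
                done = []  # absolute targets restart at `root`, not the real /
            todo = [p for p in target.split("/") if p] + todo
        else:
            done.append(part)
    return os.path.join(root, *done)

def same_object(host_root, chroot, path):
    """True if `path` names one existing object from outside and inside the chroot."""
    outside = resolve_in_root(host_root, path)
    inside = resolve_in_root(chroot, path)
    if not outside or not inside:
        return False
    return (os.path.exists(outside) and os.path.exists(inside)
            and os.path.samefile(outside, inside))

def demo():
    """Constructed tree: `host` stands in for the real /, `jail` for the chroot."""
    host = tempfile.mkdtemp()
    jail = os.path.join(host, "chroot")
    os.makedirs(os.path.join(host, "var/run"))
    os.makedirs(os.path.join(jail, "var/run/pdns"))
    # Layout from the first post: link inside the jail with an absolute target.
    sock = "/var/run/pdns_recursor.controlsocket"
    os.symlink(sock, jail + sock)
    # Layout from the reply: link outside the jail pointing into it.
    os.symlink("/chroot/var/run/pdns", host + "/var/run/pdns")
    return resolve_in_root(jail, sock), same_object(host, jail, "/var/run/pdns")
```

On a real system `host_root` would be `/` and `chroot` the configured jail directory.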