[Pdns-users] [Q] pdsn recursor chroot environment error : rec_control = Fatal: Unable to receive message over control channel: Success

Aki Tuomi cmouse at youzen.ext.b2.fi
Mon Oct 31 20:18:01 UTC 2011

On Mon, Oct 31, 2011 at 06:00:38PM +0100, Peter van Dijk wrote:
> Hello S,
> On Oct 27, 2011, at 15:57 , J4K wrote:
> > root at sa51 /var/spool/powerdns/var/run # ls -l
> > total 0
> > lrwxrwxrwx 1 root root 36 Oct 27 15:37 pdns_recursor.controlsocket ->
> > /var/run/pdns_recursor.controlsocket
> > lrwxrwxrwx 1 root root 26 Oct 27 15:37 pdns_recursor.pid ->
> > /var/run/pdns_recursor.pid
> Symlink targets are subject to chroot rules too. When viewed within the chroot, your symlinks are just pointing to themselves. I would suggest experimenting with hardlinking them, or making the symlinks the other way around.
> Note that when I try here, the socket ends up outside of the chroot but rec_control is still unable to get a response from the recursor.
> Please let me know whether you get this running with symlinks or hard links in the right direction; if not, I will investigate whether there are bugs in this area.
> Kind regards,
> Peter van Dijk

Actually, this problem is easily solved after you understand how unix sockets
really work. The issue at hand is that the location (directory) of the socket
must be same for both parties, at least, it must seem so. 

The Unix sockets work by having a server socket somewhere, and when you connect
to it, you (usually) create a client socket in the same directory, and provide
the directory of that to the server. And this usually causes problems with 
chroots, because you'll be merrily telling the server that "hi, i am connecting
from /chroot/var/run/.client.sock.25235, please write me back there". 

The other problem is that the Server must be able to access the Client socket, 
so the socket directory must be within the chrooted environment. 

To solve this problem elegantly, we assume that your program has socket in


Which then becomes chrooted as


Now. to fix this, you'll just have to symlink /chroot/var/run/pdns under

Now the server sees your sockets (both the client *and* server have their own
socket), under /var/run/pdns.

Aki Tuomi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20111031/d7f6e130/attachment-0001.sig>

More information about the Pdns-users mailing list