[Pdns-users] Recursor inside chroot jail?

John Miller johnmill at brandeis.edu
Tue Feb 7 23:27:27 UTC 2012

Hello everyone,

How many of you are running an RPM of the recursors inside a Linux 
chroot jail?  Given the troubles I'm having getting this rolling, I'm 
questioning its wisdom.

OS: Red Hat Enterprise Linux, v. 6.1
Recursor version: Kees Monshouwer's RPM: 

I've also tried the 3.3-1 x86_64 RPM from the PowerDNS website.

Let's say I set chroot=$CHROOT_DIR in recursor.conf, keep the default 
socket-dir=/var/run, and start up the recursor.  No problem--starts fine.

Now if I run

rec_control ping

I get the following error:

Fatal: Unable to connect to remote 
'/var/run/pdns_recursor.controlsocket': Connection refused

This is to be expected: rec_control's looking for the socket in 
/var/run, while the recursor's looking in $CHROOT_DIR/var/run.  If I put 
the entire /var/run directory inside the chroot, then symlinked /var/run 
to $CHROOT_DIR/var/run, things would work.  But why should the chroot 
environment know about my other pidfiles?

So now let's say I set socket-dir=/var/run/powerdns, and symlink 
/var/run/powerdns to $CHROOT_DIR/var/run/powerdns.  The recursor starts 
fine and puts the socket where I expect it.  It also puts the pidfile 
there.  Now when I go to shut down the recursor, I have to kill the 
process and delete the pidfile manually--the initscript looks for the 
pidfile in /var/run.  This happens with both the x86_64 RPM on the site 
and with Kees' version.

Looks like the solution here is to edit the initscript.  Is that what 
everyone's done for this problem?

John Miller
Brandeis University
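
The path mismatch described in this post can be checked mechanically. The script below is an added example, not part of the original message or of the PowerDNS packages; `conf_get`, `physical`, `check_socket_path` and the `HOST_ROOT` argument are hypothetical names, and it assumes recursor.conf uses plain key=value lines.

```shell
#!/bin/sh
# Added example: does rec_control's socket directory match the one a
# chrooted recursor actually writes to?

# conf_get FILE KEY: print the last value assigned to KEY, or nothing.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# physical DIR: print DIR with symlinks resolved; fails if DIR is missing.
physical() (
    cd -P "$1" 2>/dev/null && pwd -P
)

# check_socket_path CONF [HOST_ROOT]
# HOST_ROOT (hypothetical) prefixes host-side paths so the check can run
# against a scratch tree; leave it empty on a real host.
# Exit status: 0 same directory, 1 different directories, 2 one is missing.
check_socket_path() (
    conf=$1 root=${2:-}
    jail=$(conf_get "$conf" chroot)
    sockdir=$(conf_get "$conf" socket-dir)
    [ -n "$sockdir" ] || sockdir=/var/run   # default named in the post
    [ -n "$jail" ] || jail=$root            # no chroot: both sides agree

    # The recursor resolves socket-dir inside the jail; rec_control, run
    # from outside, resolves the same string against the host root.
    daemon_side=${jail%/}$sockdir
    client_side=$root$sockdir

    d=$(physical "$daemon_side") || { echo "missing: $daemon_side" >&2; exit 2; }
    c=$(physical "$client_side") || { echo "missing: $client_side" >&2; exit 2; }
    if [ "$d" = "$c" ]; then
        echo "ok: both sides use $d"
        exit 0
    fi
    echo "mismatch: rec_control looks in $c, recursor writes to $d" >&2
    exit 1
)

# Usage: sh this-script /path/to/recursor.conf
if [ $# -gt 0 ]; then
    check_socket_path "$@"
fi
```

Status 1 corresponds to the first case in the post (default socket-dir with a chroot set); status 0 is what the symlinked socket-dir arrangement produces.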
