configure bind9 not jailed

Hello

How can I install or configure dns/bind98 or dns/bind99 (on FreeBSD 9.1) not to run in jails? I'm asking this because a Samba4 installation with BIND requires an unjailed BIND environment. The script /etc/rc.d/named doesn't like the addition of
Code:
named_chrootdir=""
named_pidfile="[PID PATH]"
...
in /etc/rc.conf, it seems that script was made only for a jailed environment. What is the proper way to set BIND 9 to run unjailed?

Thank you.
 
igorino said:
How can I install or configure bind98 or bind99 (on FreeBSD 9.1) not to run in jails? I'm asking this because a samba4 installation with bind requires an unjailed bind environment.
Actually that isn't per se true. Although from what I've read so far it doesn't appear to be very straightforward, it should be doable to point Samba to the chrooted BIND environment.

So, for example, if Samba uses /usr/local/samba/private/named.conf then you could also try and point this to something like /var/named/usr/local/samba/private/named.conf, thus becoming accessible within the BIND chroot.

Running both processes in a chrooted environment does indeed seem impossible, but I can't even be sure about that since I haven't really given that much thought.

igorino said:
The script /etc/rc.d/named doesn't like the addition of named_chrootdir="" named_pidfile="[PID PATH]" ... in /etc/rc.conf, it seems that script was made only for a jailed environment. What is the proper way to set bind9 to run unjailed?
To my knowledge this is indeed unsupported in the BIND version which is part of the FreeBSD base system. Therefore you should grab BIND from the ports collection, for example dns/bind98 (if you wish to keep using the same version).

With this version you'll need to explicitly specify the chroot point using the named_chrootdir option in /usr/local/etc/rc.conf. Don't use the option and BIND won't be running in a chroot environment (as far as I know; I'm using the version of the base system myself).
 
ShelLuser said:
So, for example, if Samba uses /usr/local/samba/private/named.conf then you could also try and point this to something like /var/named/usr/local/samba/private/named.conf, thus becoming accessible within the BIND chroot.
Understood, I'll try that later. Besides, I guess there are more files that BIND needs access to. I'm relying on the statements of a howto about the DNS BIND backend from the samba.org wiki Dns-backend_bind.
 
I had no success making hard links, nor editing /etc/mtree/BIND.chroot.dist (added so many entries that there was no reason to have a jail at all). I ended up installing the port dns/bind98 and inserting
Code:
named_chrootdir=""
in /etc/rc.conf (since I marked REPLACE_BASE option in that port) instead.

Thank you very much @ShelLuser!
 
Actually as @ShelLuser pointed out by default BIND runs unjailed and you don't have to do anything special. I just have
Code:
named_enable="YES"
in /etc/rc.conf and it runs unjailed.

But what puzzles me is, I can't understand why you have installed dns/bind98?
 
The default BIND in the base system runs chroot(1)ed by default but you don't notice it right away because the configuration directory /etc/namedb is a symbolic link to the chroot directory under /var/named.
 
kpa said:
The default BIND in the base system runs chroot(1)ed by default but you don't notice it right away because the configuration directory /etc/namedb is a symbolic link to the chroot directory under /var/named.

Thanks for pointing that out. I wasn't aware of that.
 
ShelLuser said:
Uhm, that's not what I pointed out up there :\

Sorry, my mistake. I remember it was midnight here and I was sleepy while reading this thread. So, I inferred the wrong point/idea from your answer.

Sorry if I bothered you.
 
I'd just like to point out that chroot(8) isn't the same as jail(8). The sooner this confusion is cleared up, the better. :)

Since it's not run in a jail, there shouldn't be anything preventing Samba from doing its thing with Bind, as long as Samba isn't chrooted or jailed.
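
An added example, not written by any poster in this thread and not FreeBSD or Samba project code: a POSIX sh script that resolves the effective named_chrootdir from rc.conf-style files and checks whether a file such as Samba's named.conf exists at the location named will actually open. The function names, the HOSTROOT test prefix and the /var/named default (taken from the thread) are assumptions, and the sample rc.conf is constructed.

```shell
#!/bin/sh
# Added example: how named_chrootdir changes which files named can reach.
# Assumption from the thread: base-system BIND is chrooted under /var/named.
DEFAULT_CHROOT="/var/named"

# Print the effective named_chrootdir after sourcing the given rc.conf-style
# files in order (later files win). Runs in a subshell so nothing leaks out.
effective_chrootdir() {
    (
        named_chrootdir="$DEFAULT_CHROOT"
        for f in "$@"; do
            if [ -r "$f" ]; then . "$f"; fi
        done
        printf '%s\n' "$named_chrootdir"
    )
}

# Map a path as named sees it to where it must exist on the host.
host_path_for() {  # usage: host_path_for CHROOTDIR PATH
    cdir=$1 path=$2
    printf '%s%s\n' "${cdir%/}" "$path"
}

# Report whether PATH is present where a named chrooted to CHROOTDIR looks.
# HOSTROOT is a hypothetical prefix used only to test against a scratch tree.
check_visible() {  # usage: check_visible CHROOTDIR PATH [HOSTROOT]
    target="${3:-}$(host_path_for "$1" "$2")"
    if [ -e "$target" ]; then
        echo "ok: $target"
    else
        echo "missing: $target"; return 1
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample: ports BIND with the chroot disabled, as in the thread.
    printf 'named_enable="YES"\nnamed_chrootdir=""\n' > "$tmp/rc.conf"
    mkdir -p "$tmp/usr/local/samba/private"
    : > "$tmp/usr/local/samba/private/named.conf"
    dir=$(effective_chrootdir "$tmp/rc.conf")
    echo "named_chrootdir='$dir'"
    check_visible "$dir" /usr/local/samba/private/named.conf "$tmp"
    # With the default chroot the same file is not visible to named.
    check_visible "$DEFAULT_CHROOT" /usr/local/samba/private/named.conf "$tmp" || true
    rm -rf "$tmp"
}
demo
```

On a real host, call `effective_chrootdir /etc/rc.conf` and `check_visible` without the third argument.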
 