
Running inside an OpenVZ guest, it is not possible to use AppArmor as discussed, so I am trying to configure BIND9 to run in a chroot.

Following the documentation, I struggled until I found that Ubuntu 15.04 and 16.04 do not honour /etc/default/bind9. Then I made the modification through $ sudo systemctl edit bind9 and got the following in my log:

starting BIND 9.10.3-P4-Ubuntu <id:ebd72b3> -f -t /var/named/run-root -u bind

So far, so good. Until the following appeared in the log:

named[3398]: ENGINE_by_id failed (crypto failure)
named[3398]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
named[3398]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
named[3398]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
named[3398]: initializing DST: crypto failure
named[3398]: exiting (due to fatal error)
systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE

Any ideas on how to resolve this?

Edit:

This seems to be a bug that is found in Debian: Debian Bug 820974 and an older one that is supposed to be fixed Debian Bug 696661.

Alexander Radev
  • If I were to guess, I'd say that Ubuntu's documentation may be outdated in terms of which files need to exist in the chroot dir. – Håkan Lindqvist Oct 01 '16 at 11:17
  • @HåkanLindqvist, it is apparent that it is outdated. However, I am guessing that this should work as it seems to be picking up the `-t` option. And this is causing the problem. – Alexander Radev Oct 01 '16 at 11:37
  • Yes, `named` picks up on `-t` (not really anything to do with Ubuntu), but it's then entirely reliant on your preparations to actually be able to work. – Håkan Lindqvist Oct 01 '16 at 11:52
  • @HåkanLindqvist, any suggestions where this can be described better? – Alexander Radev Oct 01 '16 at 13:00

1 Answer


I think, at its core, this boils down to a more general question about how to run something chrooted.
The chroot directory which you prepare must contain all the files needed at run-time, and if this is not well documented, one approach is to simply observe what files the chrooted process is attempting to use.

In this specific case, the error message indicates that some library is being dynamically loaded but that the library isn't there (presumably because the library is being loaded after the chroot() call, but the library files are not present in the new root).

The error message isn't clear about the details but it sounds like it's some crypto related extensions or somesuch (probably for openssl) which are being dynamically loaded at runtime.

As it doesn't appear to be properly documented by the distributor what files need to be copied, I would suggest simply using strace to see which file(s) it tries to open before that error.

First of all, to reproduce the problem I fired up an Ubuntu 16.04 instance, disabled apparmor and did the steps from the Ubuntu guide you linked and made sure I got the right error:

# named -g -f -u bind -t /chroot/named
01-Oct-2016 17:36:25.539 starting BIND 9.10.3-P4-Ubuntu <id:ebd72b3> -g -f -u bind -t /chroot/named
01-Oct-2016 17:36:25.539 built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
01-Oct-2016 17:36:25.539 ----------------------------------------------------
01-Oct-2016 17:36:25.539 BIND 9 is maintained by Internet Systems Consortium,
01-Oct-2016 17:36:25.539 Inc. (ISC), a non-profit 501(c)(3) public-benefit
01-Oct-2016 17:36:25.539 corporation.  Support and training for BIND 9 are
01-Oct-2016 17:36:25.539 available at https://www.isc.org/support
01-Oct-2016 17:36:25.539 ----------------------------------------------------
01-Oct-2016 17:36:25.539 adjusted limit on open files from 65536 to 1048576
01-Oct-2016 17:36:25.539 found 1 CPU, using 1 worker thread
01-Oct-2016 17:36:25.539 using 1 UDP listener per interface
01-Oct-2016 17:36:25.539 using up to 4096 sockets
01-Oct-2016 17:36:25.541 ENGINE_by_id failed (crypto failure)
01-Oct-2016 17:36:25.541 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
01-Oct-2016 17:36:25.541 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
01-Oct-2016 17:36:25.541 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
01-Oct-2016 17:36:25.541 initializing DST: crypto failure
01-Oct-2016 17:36:25.541 exiting (due to fatal error)
#

So, next step, just throw strace at it. Lots of output but the last bit of it:

# strace named -g -f -u bind -t /chroot/named
...
open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0x7f61561bb0a8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
gettimeofday({1475343388, 821162}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 ENGINE_"..., 6201-Oct-2016 17:36:28.821 ENGINE_by_id failed (crypto failure)
) = 62
gettimeofday({1475343388, 821239}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 error:2"..., 11901-Oct-2016 17:36:28.821 error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
) = 119
gettimeofday({1475343388, 821314}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 error:2"..., 9801-Oct-2016 17:36:28.821 error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
) = 98
gettimeofday({1475343388, 821376}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 error:2"..., 10701-Oct-2016 17:36:28.821 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
) = 107
gettimeofday({1475343388, 821604}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 initial"..., 5801-Oct-2016 17:36:28.821 initializing DST: crypto failure
) = 58
gettimeofday({1475343388, 821668}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "01-Oct-2016 17:36:28.821 exiting"..., 5401-Oct-2016 17:36:28.821 exiting (due to fatal error)
) = 54
exit_group(1)                           = ?
+++ exited with 1 +++

So, this bit seems to be a perfect match for what the problem is; right after this it starts printing the error message.

open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

So, what if we simply copy the /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ directory into the chroot directory set up for bind?

# mkdir -p /chroot/named/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines
# cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/* /chroot/named/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/

(You may want to consider some different approach, maybe a bind mount? But these appear to be the files that, one way or another, need to exist in the chroot.)

At this point I got entirely self-explanatory errors from named itself, easily solved by copying all of /etc/bind/ instead of just one of the files as well as the /var/cache/bind/ directory into the bind chroot.

After this:

# named -g -f -u bind -t /chroot/named
01-Oct-2016 17:51:01.159 starting BIND 9.10.3-P4-Ubuntu <id:ebd72b3> -g -f -u bind -t /chroot/named
01-Oct-2016 17:51:01.159 built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
01-Oct-2016 17:51:01.159 ----------------------------------------------------
01-Oct-2016 17:51:01.159 BIND 9 is maintained by Internet Systems Consortium,
01-Oct-2016 17:51:01.159 Inc. (ISC), a non-profit 501(c)(3) public-benefit
01-Oct-2016 17:51:01.159 corporation.  Support and training for BIND 9 are
01-Oct-2016 17:51:01.159 available at https://www.isc.org/support
01-Oct-2016 17:51:01.159 ----------------------------------------------------
01-Oct-2016 17:51:01.159 adjusted limit on open files from 65536 to 1048576
01-Oct-2016 17:51:01.159 found 1 CPU, using 1 worker thread
01-Oct-2016 17:51:01.159 using 1 UDP listener per interface
01-Oct-2016 17:51:01.159 using up to 4096 sockets
01-Oct-2016 17:51:01.163 loading configuration from '/etc/bind/named.conf'
01-Oct-2016 17:51:01.164 reading built-in trusted keys from file '/etc/bind/bind.keys'
01-Oct-2016 17:51:01.164 GeoIP Country (IPv4) (type 1) DB not available
01-Oct-2016 17:51:01.164 GeoIP Country (IPv6) (type 12) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv4) (type 2) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv4) (type 6) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv6) (type 30) DB not available
01-Oct-2016 17:51:01.164 GeoIP City (IPv6) (type 31) DB not available
01-Oct-2016 17:51:01.164 GeoIP Region (type 3) DB not available
01-Oct-2016 17:51:01.164 GeoIP Region (type 7) DB not available
01-Oct-2016 17:51:01.164 GeoIP ISP (type 4) DB not available
01-Oct-2016 17:51:01.164 GeoIP Org (type 5) DB not available
01-Oct-2016 17:51:01.164 GeoIP AS (type 9) DB not available
01-Oct-2016 17:51:01.164 GeoIP Domain (type 11) DB not available
01-Oct-2016 17:51:01.164 GeoIP NetSpeed (type 10) DB not available
01-Oct-2016 17:51:01.164 using default UDP/IPv4 port range: [1024, 65535]
01-Oct-2016 17:51:01.165 using default UDP/IPv6 port range: [1024, 65535]
01-Oct-2016 17:51:01.165 listening on IPv6 interfaces, port 53
01-Oct-2016 17:51:01.166 listening on IPv4 interface lo, 127.0.0.1#53
01-Oct-2016 17:51:01.166 listening on IPv4 interface eth0, 172.31.2.127#53
01-Oct-2016 17:51:01.167 generating session key for dynamic DNS
01-Oct-2016 17:51:01.167 sizing zone task pool based on 5 zones
01-Oct-2016 17:51:01.169 using built-in root key for view _default
01-Oct-2016 17:51:01.169 set up managed keys zone for view _default, file 'managed-keys.bind'
01-Oct-2016 17:51:01.170 automatic empty zone: 10.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 16.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 17.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 18.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 19.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 20.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 21.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 22.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 23.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 24.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 25.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 26.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 27.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 28.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 29.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 30.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 31.172.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 168.192.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 64.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 65.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.170 automatic empty zone: 66.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 67.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 68.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 69.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 70.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 71.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 72.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 73.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 74.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 75.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 76.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 77.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 78.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 79.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 80.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 81.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 82.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 83.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 84.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 85.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 86.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 87.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.171 automatic empty zone: 88.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 89.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 90.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 91.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 92.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 93.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 94.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 95.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 96.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 97.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 98.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 99.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 100.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 101.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 102.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 103.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 104.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 105.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 106.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 107.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 108.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.172 automatic empty zone: 109.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 110.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 111.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 112.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 113.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 114.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 115.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 116.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 117.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 118.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 119.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 120.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 121.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 122.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 123.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 124.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 125.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 126.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 127.100.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 254.169.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 2.0.192.IN-ADDR.ARPA
01-Oct-2016 17:51:01.173 automatic empty zone: 100.51.198.IN-ADDR.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 113.0.203.IN-ADDR.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: D.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 8.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 9.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: A.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: B.E.F.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
01-Oct-2016 17:51:01.174 automatic empty zone: EMPTY.AS112.ARPA
01-Oct-2016 17:51:01.176 configuring command channel from '/etc/bind/rndc.key'
01-Oct-2016 17:51:01.176 command channel listening on 127.0.0.1#953
01-Oct-2016 17:51:01.176 configuring command channel from '/etc/bind/rndc.key'
01-Oct-2016 17:51:01.176 command channel listening on ::1#953
01-Oct-2016 17:51:01.176 the working directory is not writable
01-Oct-2016 17:51:01.176 not using config file logging statement for logging due to -g option
01-Oct-2016 17:51:01.176 managed-keys.bind.jnl: create: permission denied
01-Oct-2016 17:51:01.176 managed-keys-zone: sync_keyzone:dns_journal_open -> unexpected error
01-Oct-2016 17:51:01.176 managed-keys-zone: unable to synchronize managed keys: unexpected error
01-Oct-2016 17:51:01.177 zone 0.in-addr.arpa/IN: loaded serial 1
01-Oct-2016 17:51:01.178 zone 127.in-addr.arpa/IN: loaded serial 1
01-Oct-2016 17:51:01.179 zone localhost/IN: loaded serial 2
01-Oct-2016 17:51:01.180 zone 255.in-addr.arpa/IN: loaded serial 1
01-Oct-2016 17:51:01.181 all zones loaded
01-Oct-2016 17:51:01.181 running
Håkan Lindqvist
  • Hey Håkan, thanks for the detailed explanation. Is there any chance to make these libraries load before the `chroot()` call? – Alexander Radev Oct 03 '16 at 18:55
  • Hmm, this looks like an upstream bug in debian and the workaround would not be sustainable in the long term as pointed in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974#15 (see Message #15) – Alexander Radev Oct 03 '16 at 20:32
  • Rather than running a binary and observing what dynamic libraries get called with `strace` you can list all dynamic libraries that are required by a binary with the [**`ldd`**](https://linux.die.net/man/1/ldd) command. – HBruijn Oct 03 '16 at 23:19
  • @HBruijn I don't believe that will work in this case, for much the same reason as why this library wasn't loaded with the other libraries at start time (long before `chroot`), these libraries appear to be loaded dynamically at runtime (ie through `dlopen`/`dlsym` calls). – Håkan Lindqvist Oct 04 '16 at 06:22
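One way to automate the strace-driven approach from the answer (and the point in the last comment that dlopen()ed libraries never show up in ldd), added here as an example and not part of the answer or of BIND: a small POSIX shell script that extracts the ENOENT paths from strace output and stages those files into the chroot. The strace lines in SAMPLE_STRACE are constructed, modelled on the output quoted in the answer; the function names and the /chroot/named directory in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: turn strace output into the list of files
# a chrooted named failed to open, then stage those files into the chroot.

# Constructed sample, modelled on the strace lines quoted in the answer.
SAMPLE_STRACE='open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0x7f61561bb0a8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/bind/named.conf", O_RDONLY) = 3
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/var/cache/bind", 0x7ffd5c3e1a40) = -1 ENOENT (No such file or directory)'

# Read strace output on stdin; print each distinct path that a file syscall
# reported as ENOENT, in first-seen order. Unlike ldd, which only knows the
# link-time dependencies, this also catches libraries pulled in via dlopen()
# after chroot(), which is exactly the libgost.so case in the answer.
missing_from_strace() {
    awk '/= -1 ENOENT/ && match($0, /"[^"]*"/) {
             path = substr($0, RSTART + 1, RLENGTH - 2)
             if (!seen[path]++) print path
         }'
}

# Read paths on stdin and copy each one from $1 (the real root, normally /)
# into the chroot $2 at the same relative location. cp -a keeps ownership,
# mode and symlinks, and copies directories recursively. Paths that do not
# exist under $1 either (e.g. /etc/localtime on a host without it) are
# reported and skipped rather than treated as an error.
stage_into_chroot() {
    src_root=$1
    chroot_dir=$2
    while IFS= read -r path; do
        if [ -e "$chroot_dir$path" ]; then
            echo "present $path"
        elif [ -e "$src_root$path" ]; then
            mkdir -p "$chroot_dir$(dirname "$path")"
            cp -a "$src_root$path" "$chroot_dir$path"
            echo "staged $path"
        else
            echo "skipped $path (not present under $src_root)" >&2
        fi
    done
}

# Demo on the constructed sample: just list what the chroot lacks.
printf '%s\n' "$SAMPLE_STRACE" | missing_from_strace

# Against a real system the two stages chain together; -e trace=file limits
# strace to the file-related syscalls, and 2>&1 merges strace's stderr output:
#   strace -f -e trace=file named -g -f -u bind -t /chroot/named 2>&1 \
#       | missing_from_strace | stage_into_chroot / /chroot/named
```

Re-run the strace after each staging pass, since named only reaches the next missing file once the previous one is in place.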