I redid the whole procedure on another VM (also Gentoo):
[testing VM]
obelix ~ # emerge -va net-dns/knot
obelix ~ # ls -lhd /var/run/knot
ls: cannot access '/var/run/knot': No such file or directory
obelix ~ # ls -lhd /var/lib/knot/
drwxr-xr-x 2 knot knot 4.0K Dec 20 17:50 /var/lib/knot/
obelix ~ # ls -lh /var/lib/knot/
total 0
obelix ~ # vim ~/.ssh/authorized_keys
[backups] (note: the rsync below ships the DNSSEC private keys in keys/keys/*.pem, so the host-key fingerprint shown at the prompt should be checked out of band before answering "yes". Also, rsync -a run as root preserves ownership, and since uid 553 presumably has no "knot" mapping on the sending side the files arrive owned by raw uid 553 on obelix — which is exactly what the listing further down shows; rsync's --chown=knot:knot (rsync ≥ 3.1) or a chown afterwards fixes that.)
backup02 ~ # rsync -av /tmp/alarig/2019-12-19/var/db/knot/
root@obelix.breizh-ix.net:/var/lib/knot/
The authenticity of host 'obelix.breizh-ix.net (2a00:5884:102:1::6)'
can't be established.
ECDSA key fingerprint is SHA256:gzp3uVzltffjUMslc5olyvhwhx28F9e1YXSy86nOnQo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'obelix.breizh-ix.net,2a00:5884:102:1::6'
(ECDSA) to the list of known hosts.
sending incremental file list
./
100.186.234.89.in-addr.arpa.zone
126.91.45.in-addr.arpa.nodnssec
126.91.45.in-addr.arpa.zone
2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
2.4.f.0.e.0.a.2.ip6.arpa.zone
208_28.186.234.89.in-addr.arpa.zone
35.186.234.89.in-addr.arpa.zone
4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
67.186.234.89.in-addr.arpa.zone
7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
geoopendata.eu.org.zone
no.swordarmor.fr.nodnssec
no.swordarmor.fr.zone
swordarmor.fr.nodnssec
swordarmor.fr.zone
confdb/
confdb/data.mdb
confdb/lock.mdb
journal/
journal/data.mdb
journal/lock.mdb
keys/
keys/data.mdb
keys/lock.mdb
keys/keys/
keys/keys/109bcc81665572dabac1484336714f231adc7e6a.pem
keys/keys/1beb426dbdf1031928268721dba59522dd47e32e.pem
keys/keys/6d271119f9c2feec9d7cc85f4c66c48083f95259.pem
keys/keys/7bddece71d6ee9c7e98d99b05a0d8039d688e383.pem
keys/keys/7d07589ac2a375f2f1a6fedcad722b91d1883990.pem
keys/keys/cddcff459b920d7e429243339a11c1ecd32f723b.pem
keys/keys/e3e8ddfc5b7feffd07dce74af5636f1241eaae03.pem
keys/keys/f4a66f73462dbcf610f4b911e4ac2c8578917623.pem
timers/
timers/data.mdb
timers/lock.mdb
sent 8,486,759 bytes received 667 bytes 893,413.26 bytes/sec
total size is 8,481,722 speedup is 1.00
backup02 ~ # rsync -av
/tmp/alarig/2019-12-19/usr/local/etc/knot/knot.conf
root@obelix.breizh-ix.net:/etc/knot/
sending incremental file list
knot.conf
sent 3,166 bytes received 35 bytes 6,402.00 bytes/sec
total size is 3,071 speedup is 0.96
[testing machine]
obelix ~ # vim ~/.ssh/authorized_keys
obelix ~ # ls -lhd /var/lib/knot/
drwxr-x--- 6 553 553 4.0K Dec 18 20:51 /var/lib/knot/
obelix ~ # ls -lh /var/lib/knot/
total 200K
-rw-rw---- 1 553 553 378 Dec 31 2017 100.186.234.89.in-addr.arpa.zone
-rw-r--r-- 1 root 553 1.2K Dec 18 17:50 126.91.45.in-addr.arpa.nodnssec
-rw-rw---- 1 553 553 10K Dec 18 17:50 126.91.45.in-addr.arpa.zone
-rw-rw---- 1 553 553 1.5K Dec 31 2017
2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
-rw-rw---- 1 553 553 1.1K Dec 31 2017 208_28.186.234.89.in-addr.arpa.zone
-rw-r--r-- 1 root 553 2.0K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
-rw-rw---- 1 553 553 13K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.zone
-rw-rw---- 1 553 553 430 Dec 31 2017 35.186.234.89.in-addr.arpa.zone
-rw-rw---- 1 553 553 535 Apr 13 2018
4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
-rw-rw---- 1 553 553 256 Dec 31 2017 67.186.234.89.in-addr.arpa.zone
-rw-rw---- 1 553 553 308 Dec 31 2017
7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
drwxr-x--- 2 553 553 4.0K May 27 2017 confdb
-rw-rw---- 1 553 553 500 Dec 31 2017 geoopendata.eu.org.zone
drwxrwx--- 2 553 553 4.0K Nov 17 2017 journal
drwxr-x--- 3 553 553 4.0K Nov 17 2017 keys
-rw-r--r-- 1 root 553 1.1K Dec 14 16:10 no.swordarmor.fr.nodnssec
-rw-rw---- 1 553 553 9.1K Dec 17 19:03 no.swordarmor.fr.zone
-rw-r--r-- 1 553 553 14K Dec 14 16:09 swordarmor.fr.nodnssec
-rw-rw---- 1 553 553 81K Dec 18 20:51 swordarmor.fr.zone
drwxrwx--- 2 553 553 4.0K May 26 2017 timers
obelix ~ # chown -R knot: /var/lib/knot/
obelix ~ # ls -lhd /var/lib/knot/
drwxr-x--- 6 knot knot 4.0K Dec 18 20:51 /var/lib/knot/
obelix ~ # ls -lh /var/lib/knot/
total 200K
-rw-rw---- 1 knot knot 378 Dec 31 2017 100.186.234.89.in-addr.arpa.zone
-rw-r--r-- 1 knot knot 1.2K Dec 18 17:50 126.91.45.in-addr.arpa.nodnssec
-rw-rw---- 1 knot knot 10K Dec 18 17:50 126.91.45.in-addr.arpa.zone
-rw-rw---- 1 knot knot 1.5K Dec 31 2017
2.0.1.0.4.8.8.5.0.0.a.2.ip6.arpa.zone
-rw-rw---- 1 knot knot 1.1K Dec 31 2017 208_28.186.234.89.in-addr.arpa.zone
-rw-r--r-- 1 knot knot 2.0K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.nodnssec
-rw-rw---- 1 knot knot 13K Dec 17 20:53 2.4.f.0.e.0.a.2.ip6.arpa.zone
-rw-rw---- 1 knot knot 430 Dec 31 2017 35.186.234.89.in-addr.arpa.zone
-rw-rw---- 1 knot knot 535 Apr 13 2018
4.0.8.0.0.4.1.8.8.5.0.0.a.2.ip6.arpa.zone
-rw-rw---- 1 knot knot 256 Dec 31 2017 67.186.234.89.in-addr.arpa.zone
-rw-rw---- 1 knot knot 308 Dec 31 2017
7.6.3.8.4.8.8.5.0.0.a.2.ip6.arpa.zone
drwxr-x--- 2 knot knot 4.0K May 27 2017 confdb
-rw-rw---- 1 knot knot 500 Dec 31 2017 geoopendata.eu.org.zone
drwxrwx--- 2 knot knot 4.0K Nov 17 2017 journal
drwxr-x--- 3 knot knot 4.0K Nov 17 2017 keys
-rw-r--r-- 1 knot knot 1.1K Dec 14 16:10 no.swordarmor.fr.nodnssec
-rw-rw---- 1 knot knot 9.1K Dec 17 19:03 no.swordarmor.fr.zone
-rw-r--r-- 1 knot knot 14K Dec 14 16:09 swordarmor.fr.nodnssec
-rw-rw---- 1 knot knot 81K Dec 18 20:51 swordarmor.fr.zone
drwxrwx--- 2 knot knot 4.0K May 26 2017 timers
obelix ~ # vim /etc/knot/knot.conf # changing paths
obelix ~ # knotd -c /etc/knot/knot.conf
[on another shell]
obelix ~ # ps aux | grep knot
root 12101 0.0 0.7 13988 7808 pts/2 S+ 18:17 0:00 view
/etc/knot/knot.sample.conf
knot 12600 2.8 0.7 22678580 8084 pts/1 Sl+ 18:20 0:00 knotd
-c /etc/knot/knot.conf
root 12883 0.0 0.2 7572 2028 pts/3 S+ 18:20 0:00 grep
--colour=auto knot
obelix ~ # dig +short -t SOA swordarmor.fr @localhost
kaiminus.swordarmor.fr. hostmaster.swordarmor.fr. 2019121403 14400 3600
604800 86400
[back to the previous one]
obelix ~ # knotd -c /etc/knot/knot.conf
^Cobelix ~ #
obelix ~ #
obelix ~ # knotd
2019-12-20T18:19:41 info: Knot DNS 2.9.2 starting
2019-12-20T18:19:41 info: loaded configuration database
'/var/lib/knot/confdb'
2019-12-20T18:19:41 info: using reuseport for UDP
2019-12-20T18:19:41 info: loading 0 zones
2019-12-20T18:19:41 warning: no zones loaded
2019-12-20T18:19:41 info: starting server
2019-12-20T18:19:41 info: server started in the foreground, PID 12361
2019-12-20T18:19:41 info: control, binding to '/var/run/knot/knot.sock'
2019-12-20T18:19:41 critical: control, failed to bind socket
'/var/run/knot/knot.sock' (operation not permitted)
2019-12-20T18:19:41 info: stopping server
2019-12-20T18:19:41 info: updating persistent timer DB
2019-12-20T18:19:41 warning: failed to update persistent timer DB
(operation not permitted)
2019-12-20T18:19:41 info: shutting down
obelix ~ # mv /var/lib/knot/ /var/lib/knot.bak
obelix ~ # mkdir /var/lib/knot
obelix ~ # chown -R knot: /var/lib/knot/
obelix ~ # rc-service knot start
* /var/lib/knot/: correcting mode
* Starting knot ...
[ ok ]
obelix ~ # ps aux | grep knot
root 12101 0.0 0.7 13988 7808 pts/2 S+ 18:17 0:00 view
/etc/knot/knot.sample.conf
knot 13389 0.0 0.4 1180648 5044 ? Ssl 18:25 0:00
/usr/sbin/knotd -d
root 13536 0.0 0.2 7572 2132 pts/1 S+ 18:25 0:00 grep
--colour=auto knot
obelix ~ # # so removing /var/lib/knot actually works… presumably because a bare "knotd" (and the init script's "knotd -d") loads the stale FreeBSD confdb from /var/lib/knot/confdb — see the "loaded configuration database" line above — instead of /etc/knot/knot.conf, whereas "knotd -c /etc/knot/knot.conf" started fine and answered the SOA query
obelix ~ # rc-service knot stop
* Stoping knot ...
[ ok ]
obelix ~ # rm -rv /var/lib/knot
removed '/var/lib/knot/timers/data.mdb'
removed '/var/lib/knot/timers/lock.mdb'
removed directory '/var/lib/knot/timers'
removed directory '/var/lib/knot'
obelix ~ # mv /var/lib/knot.bak/ /var/lib/knot
obelix ~ # vim /etc/knot/knot.conf
obelix ~ # grep -P '^control|listen:' /etc/knot/knot.conf
listen: [ 127.0.0.1@53, ::1@53 ]
control:
listen: "/tmp/knot/test.sock"
obelix ~ # knotd
2019-12-20T18:28:21 info: Knot DNS 2.9.2 starting
2019-12-20T18:28:21 info: loaded configuration database
'/var/lib/knot/confdb'
2019-12-20T18:28:21 info: using reuseport for UDP
2019-12-20T18:28:21 info: loading 0 zones
2019-12-20T18:28:21 warning: no zones loaded
2019-12-20T18:28:21 info: starting server
2019-12-20T18:28:21 info: server started in the foreground, PID 14040
2019-12-20T18:28:21 info: control, binding to '/var/run/knot/knot.sock'
2019-12-20T18:28:21 critical: control, failed to bind socket
'/var/run/knot/knot.sock' (operation not permitted)
2019-12-20T18:28:21 info: stopping server
2019-12-20T18:28:21 info: updating persistent timer DB
2019-12-20T18:28:21 warning: failed to update persistent timer DB
(operation not permitted)
2019-12-20T18:28:21 info: shutting down
obelix ~ # mv /var/lib/knot/ /var/lib/knot.bak
obelix ~ # rc-service knot start
* /var/lib/knot/: creating directory
* /var/lib/knot/: correcting owner
* Starting knot ...
[ ok ]
obelix ~ # ps aux | grep knot
root 12101 0.0 0.7 13988 7808 pts/2 S+ 18:17 0:00 view
/etc/knot/knot.sample.conf
knot 14079 0.0 0.4 1075156 4992 ? Ssl 18:28 0:00
/usr/sbin/knotd -d
root 14100 0.0 0.2 7572 2132 pts/1 S+ 18:28 0:00 grep
--colour=auto knot
obelix ~ # ls -lh /tmp/knot/
total 0
srwxrwx--- 1 knot knot 0 Dec 20 18:28 test.sock
On 20/12/2019 16:24, Daniel Salzman wrote:
There is no hardcoded ID in the server data :-)
Could you try to manually execute the server under root (knotd -c /etc/knot/knot.conf)?
Could you try to change the control socket location to a non-var directory
(https://www.knot-dns.cz/docs/2.9/singlehtml/index.html#control-listen)?
(Note: a socket under /tmp is fine for this test only — /tmp is world-writable, so any local user could pre-create /tmp/knot and then own the directory the control socket lives in; move it back to a root-owned run directory once the problem is understood.)
Daniel
On 12/20/19 3:02 PM, Alarig Le Lay wrote:
> I just found this:
> backup02 ~ # borg mount /home/alarig/backups/kaiminus-old/ /tmp/alarig/
> backup02 ~ # grep knot /tmp/alarig/2019-12-19/etc/passwd
> knot:*:553:553:Knot DNS Server:/nonexistent:/usr/sbin/nologin
>
> kaiminus ~ # grep knot /etc/passwd
> knot:x:53:53:User for knot DNS server:/var/lib/knot:/sbin/nologin
>
> Perhaps the user ID is hardcoded somewhere in the storage and as long as
> I had the whole old /var/db/knot inside my new /var/lib/knot, the UID
> 553 (which doesn’t exist on the new system) was used instead of 53?
>
> On 20/12/2019 14:55, Alarig Le Lay wrote:
>> The socket wasn’t created at all, so I tried to touch the file and chown
>> it to knot, but got the same result. As knot exits when it cannot bind the
>> socket, it wasn’t running until I removed /var/lib/knot.
>>
>> On 20/12/2019 14:44, David Vašek wrote:
>>> I meant, if it helps to *remove* the socket. Sorry.
>>>
>>> David
>>>
>>> On 2019-12-20 14:43, David Vašek wrote:
>>>> Hi,
>>>>
>>>> are you sure, that knot isn't running already (pgrep knotd)? If not,
>>>> does it help to remote /var/run/knot/knot.sock manually before you
>>>> start knot?
>>>>
>>>> David
>>>>
>>>>
>>>> On 2019-12-20 13:56, Alarig Le Lay wrote:
>>>>> Here is my config file:
https://paste.swordarmor.fr/raw/kXaN
>>>>>
>>>>> The init script:
>>>>>
https://gitweb.gentoo.org/repo/sync/gentoo.git/tree/net-dns/knot/files/knot…
>>>>>
>>>>>
>>>>> The content of the dirs (and what I kept in .old):
>>>>>
https://paste.swordarmor.fr/raw/IG3K
>>>>>
>>>>> The error wasn’t in the logs but in the shell (and I closed it since
>>>>> then) when I tried to launch it directly from CLI. It was a
permission
>>>>> denied on /var/run/knot/knot.sock
>>>>>
>>>>> I don’t recall when I first installed knot on the FreeBSD machine,
but
>>>>> it was on the 10th release, so 2014~2015 if I refer to Wikipedia.
>>>>>
>>>>> Regards,
>>>>> Alarig
>>>>>
>>>>> On 20/12/2019 13:30, David Vašek wrote:
>>>>>> Hello Alarig,
>>>>>>
>>>>>> could you please send us some more data? The config file and
some
>>>>>> output
>>>>>> would be helpful, i.e. knot.conf, /etc/init.d/knot, ls -l
/var/lib/knot
>>>>>> /var/run/knot, and the knot logfile from the failed attempt. So
far, it
>>>>>> seems to us it should work. Thanks.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> David
>>>>>>
>>>>>>
>>>>>> On 2019-12-20 09:55, Alarig Le Lay wrote:
>>>>>>> Hi Daniel,
>>>>>>>
>>>>>>> Yes I’m sure the permissions were good, they are set by the
package. I
>>>>>>> pulled it from the official repo, and server.user was already set for
>>>>>>> my old configuration. I also changed the storage (s/db/lib)
before
>>>>>>> running the daemon.
>>>>>>> Plus, when I started the daemon with an empty /var/lib/knot
(and just
>>>>>>> rsynced my zones & keys) I didn’t change any permission.
>>>>>>>
>>>>>>> I don’t use systemd but OpenRC.
>>>>>>>
>>>>>>> On 20/12/2019 09:30, Daniel Salzman wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Are you sure the permissions are right?
>>>>>>>> Do you have 'server.user' configured?
>>>>>>>> Where did you get the Knot DNS package for Gentoo?
>>>>>>>>
>>>>>>>> There are some differences between FreeBSD and Linux
packages with
>>>>>>>> systemd enabled.
>>>>>>>>
>>>>>>>> Daniel
>>>>>>>>
>>>>>>>> On 12/19/19 11:33 PM, Alarig Le Lay wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Today I migrated my knot from FreeBSD to Gentoo (because it takes too
>>>>>>>>> much time to stay on a supported release of FreeBSD)
>>>>>>>>>
>>>>>>>>> I rsynced my knot.conf (and changed the paths) and
/var/db/knot to
>>>>>>>>> /var/lib/knot
>>>>>>>>>
>>>>>>>>> However, the daemon failed to start because it wasn’t able to bind to
>>>>>>>>> /var/run/knot/knot.sock, and the permissions were good. I had to
>>>>>>>>> remove
>>>>>>>>> /var/db/knot and rsync only zones and keys.
>>>>>>>>>
>>>>>>>>> I don’t see the link between the files in /var/lib and a
>>>>>>>>> permission denied on /var/run/knot/knot.sock, so I think there
>>>>>>>>> is a bug here.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>
>