rndc: 'addzone' failed: permission denied

Bug #1788982 reported by men
Affects: Designate
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (empty)

Bug Description

OpenStack Q
CentOS 7.5

I don't know why I still get a permission error when creating a zone, u"rndc: 'addzone' failed: permission denied\n", after doing the following:
chown root:named /etc/designate/rndc.key
chmod +r /etc/designate/rndc.key
chown -R named:root /var/named/
chown -R named:root /var/run/named/

[root@controller01 ~]# openstack zone create --email <email address hidden> example.com.
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| action | CREATE |
| attributes | |
| created_at | 2018-08-25T04:26:38.000000 |
| description | None |
| email | <email address hidden> |
| id | 720daa4a-9f0b-48eb-80ae-ddd55fed734e |
| masters | |
| name | example.com. |
| pool_id | 794ccc2c-d751-44fe-b57f-8894c9f5c842 |
| project_id | 8f472ac6453e4214b0f722217e5656f2 |
| serial | 1535171198 |
| status | PENDING |
| transferred_at | None |
| ttl | 3600 |
| type | PRIMARY |
| updated_at | None |
| version | 1 |
+----------------+--------------------------------------+

[root@controller01 ~]# tail -f /var/log/designate/worker.log
2018-08-25 12:27:08.919 2894618 INFO designate.backend.impl_bind9 [req-74da1f5d-8d6c-445d-a03b-0c6b9151750d - - - - -] RNDC call failure: Unexpected error while running command.
Command: sudo designate-rootwrap /etc/designate/rootwrap.conf rndc -s 127.0.0.1 -p 953 -k /etc/designate/rndc.key addzone example.com { type slave; masters { 127.0.0.1 port 5354;}; file "slave.example.com.720daa4a-9f0b-48eb-80ae-ddd55fed734e"; };
Exit code: 1
Stdout: u''
Stderr: u"rndc: 'addzone' failed: permission denied\n"
2018-08-25 12:27:08.920 2894618 INFO designate.worker.tasks.zone [req-74da1f5d-8d6c-445d-a03b-0c6b9151750d - - - - -] Failed to CREATE zone example.com. on target 596575b9-5fd8-451a-9b5d-3100bee8dcae on attempt 3, Error: Unexpected error while running command.
Command: sudo designate-rootwrap /etc/designate/rootwrap.conf rndc -s 127.0.0.1 -p 953 -k /etc/designate/rndc.key addzone example.com { type slave; masters { 127.0.0.1 port 5354;}; file "slave.example.com.720daa4a-9f0b-48eb-80ae-ddd55fed734e"; };
Exit code: 1
Stdout: u''
Stderr: u"rndc: 'addzone' failed: permission denied\n".

[root@controller01 ~]# egrep -v "^#|^$" /etc/designate/designate.conf
[DEFAULT]
[backend:agent:bind9]
[backend:agent:denominator]
[backend:agent:djbdns]
[backend:agent:gdnsd]
[backend:agent:knot2]
[coordination]
[cors]
[database]
[handler:neutron_floatingip]
[handler:nova_fixed]
[healthcheck]
[heartbeat_emitter]
[keystone_authtoken]
auth_type = password
username = designate
password = 123456
project_name = service
project_domain_name = Default
user_domain_name = Default
www_authenticate_uri = http://51.0.1.210:5000/
auth_url = http://51.0.1.210:5000/
memcached_servers = controller01:11211,controller02:11211,controller03:11211
[matchmaker_redis]
[monasca:statsd]
[network_api:neutron]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[pool_manager_cache:memcache]
[pool_manager_cache:sqlalchemy]
[producer_task:delayed_notify]
[producer_task:periodic_exists]
[producer_task:periodic_secondary_refresh]
[producer_task:worker_periodic_recovery]
[producer_task:zone_purge]
[proxy]
[service:agent]
[service:api]
listen = 51.0.1.201:9001
auth_strategy = keystone
api_base_uri = http://51.0.1.210:9001/
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports
[service:central]
[service:mdns]
[service:pool_manager]
[service:producer]
[service:sink]
[service:worker]
enabled = True
notify = True
[service:zone_manager]
[ssl]
[storage:sqlalchemy]
connection = mysql+pymysql://designate:DESIGNATE_DBPASS@51.0.1.210/designate

ephem (tpiperatgod) wrote :

Maybe the reason is one of the points below:

1. Ensure "allow-new-zones yes;" is included in the "options" section ["/etc/bind/named.conf.options" on Ubuntu; "/etc/named.conf" on CentOS]

options {
    ......
    allow-new-zones yes;
    ......
};

2. Ensure the "controls" section and the "key include" statement are included in the config file ["/etc/bind/named.conf.options" on Ubuntu; "/etc/named.conf" on CentOS]

controls section:

controls {
    inet * port 953
        allow { any; } keys { "designate"; };
};

key include statement:

include "/etc/designate/designate_rndc.key";

3. Ensure the BIND9 server can write the "master file" or "slave file" into the directory defined in the "options" section ["/etc/bind/named.conf.options" on Ubuntu; "/etc/named.conf" on CentOS]

options {
    ......
    directory "/var/named";
    ......
};

I notice that you have already done this operation: "chown -R named:root /var/named/"

And you can even try this: "chmod 777 -R /var/named/"

4. Restart the BIND9 server.
