Bind9 (named) won't start inside a Debian 9 CT, no IPv4/6 interfaces found (solution: was due to enabling AppArmor)

Hi all,

Back in January 2020 I launched a Debian 9 container and installed the Virtualmin/Webmin web control panel. The host system is Ubuntu 18.04 with LXD 3.0.3.

This Debian 9 container (which uses several popular programs, like Apache2, Postfix and Bind9) had been running fine for several months. I did experiments with assigning it both a private IP (with NAT) and a public IPv4 (macvlan) etc.

Anyway, yesterday I did an “apt upgrade” (to Debian 9.13) and then rebooted the container, after which the Bind9 nameserver won’t start anymore, because it can’t find either an IPv4 or an IPv6 address! I have stopped/started/rebooted it 20+ times …

I wonder if Bind9 gets confused by the strange interface names (e.g. eth0@if359) used by LXD (note: Virtualmin/Webmin has an issue with finding the external interface of an LXD CT, due to the perl regexp it uses to parse the output of “ip addr”).

Any ideas how to troubleshoot this problem? Below I’m attaching some info:

root@vm01:~# systemctl list-units --state=failed
  UNIT                          LOAD   ACTIVE SUB    DESCRIPTION
● sys-kernel-config.mount       loaded failed failed Configuration File System
● bind9.service                 loaded failed failed BIND Domain Name Server
● systemd-journald-audit.socket loaded failed failed Journal Audit Socket     

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

3 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
root@vm01:~#
root@vm01:~# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-08-04 21:22:09 EEST; 3min 52s ago
     Docs: man:named(8)
  Process: 363 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
  Process: 306 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 306 (code=exited, status=1/FAILURE)

Aug 04 21:22:09 vm01.mydomain.tld named[306]: no IPv6 interfaces found
Aug 04 21:22:09 vm01.mydomain.tld named[306]: no IPv4 interfaces found
Aug 04 21:22:09 vm01.mydomain.tld named[306]: not listening on any interfaces
Aug 04 21:22:09 vm01.mydomain.tld named[306]: generating session key for dynamic DNS
Aug 04 21:22:09 vm01.mydomain.tld named[306]: sizing zone task pool based on 5 zones
Aug 04 21:22:09 vm01.mydomain.tld systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Aug 04 21:22:09 vm01.mydomain.tld rndc[363]: rndc: connect failed: 127.0.0.1#953: connection refused
Aug 04 21:22:09 vm01.mydomain.tld systemd[1]: bind9.service: Control process exited, code=exited status=1
Aug 04 21:22:09 vm01.mydomain.tld systemd[1]: bind9.service: Unit entered failed state.
Aug 04 21:22:09 vm01.mydomain.tld systemd[1]: bind9.service: Failed with result 'exit-code'.
root@vm01:~# 
root@vm01:~# netstat -ntulp | fgrep 53
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      316/systemd-resolve 
tcp6       0      0 :::5355                 :::*                    LISTEN      316/systemd-resolve 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           316/systemd-resolve 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           316/systemd-resolve 
udp6       0      0 :::5355                 :::*                                316/systemd-resolve 
root@vm01:~# 

root@vm01:~# tail -500 /var/log/syslog|fgrep named
Aug  4 21:22:09 vm01 named[306]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -f -u bind
Aug  4 21:22:09 vm01 named[306]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-6uRwke/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Aug  4 21:22:09 vm01 named[306]: ----------------------------------------------------
Aug  4 21:22:09 vm01 named[306]: BIND 9 is maintained by Internet Systems Consortium,
Aug  4 21:22:09 vm01 named[306]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Aug  4 21:22:09 vm01 named[306]: corporation.  Support and training for BIND 9 are
Aug  4 21:22:09 vm01 named[306]: available at https://www.isc.org/support
Aug  4 21:22:09 vm01 named[306]: ----------------------------------------------------
Aug  4 21:22:09 vm01 named[306]: found 8 CPUs, using 8 worker threads
Aug  4 21:22:09 vm01 named[306]: using 4 UDP listeners per interface
Aug  4 21:22:09 vm01 named[306]: loading configuration from '/etc/bind/named.conf'
Aug  4 21:22:09 vm01 named[306]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Aug  4 21:22:09 vm01 named[306]: initializing GeoIP Country (IPv4) (type 1) DB
Aug  4 21:22:09 vm01 named[306]: GEO-106FREE 20170512 Bu
Aug  4 21:22:09 vm01 named[306]: initializing GeoIP Country (IPv6) (type 12) DB
Aug  4 21:22:09 vm01 named[306]: GEO-106FREE 20170512 Bu
Aug  4 21:22:09 vm01 named[306]: GeoIP City (IPv4) (type 2) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP City (IPv4) (type 6) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP City (IPv6) (type 30) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP City (IPv6) (type 31) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP Region (type 3) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP Region (type 7) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP ISP (type 4) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP Org (type 5) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP AS (type 9) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP Domain (type 11) DB not available
Aug  4 21:22:09 vm01 named[306]: GeoIP NetSpeed (type 10) DB not available
Aug  4 21:22:09 vm01 named[306]: using default UDP/IPv4 port range: [32768, 60999]
Aug  4 21:22:09 vm01 named[306]: using default UDP/IPv6 port range: [32768, 60999]
Aug  4 21:22:09 vm01 named[306]: ../../../../lib/isc/unix/net.c:151: unexpected error:
Aug  4 21:22:09 vm01 named[306]: socket() failed: Permission denied
Aug  4 21:22:09 vm01 named[306]: ../../../../lib/isc/unix/net.c:151: unexpected error:
Aug  4 21:22:09 vm01 named[306]: socket() failed: Permission denied
Aug  4 21:22:09 vm01 named[306]: no IPv6 interfaces found
Aug  4 21:22:09 vm01 named[306]: no IPv4 interfaces found
Aug  4 21:22:09 vm01 named[306]: not listening on any interfaces
Aug  4 21:22:09 vm01 named[306]: generating session key for dynamic DNS
Aug  4 21:22:09 vm01 named[306]: sizing zone task pool based on 5 zones
Aug  4 21:22:09 vm01 named[306]: ../../../bin/named/server.c:3037: unexpected error:
Aug  4 21:22:09 vm01 named[306]: unable to obtain neither an IPv4 nor an IPv6 dispatch
Aug  4 21:22:09 vm01 named[306]: loading configuration: unexpected error
Aug  4 21:22:09 vm01 named[306]: exiting (due to fatal error)
root@vm01:~# 
root@vm01:~# ip ad li
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
358: eth0@if359: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:b2:e3:61 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.177.88.76/24 brd 10.177.88.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:feb2:e361/64 scope link 
       valid_lft forever preferred_lft forever
root@vm01:~# 
root@vm01:~# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.177.88.76  netmask 255.255.255.0  broadcast 10.177.88.255
        inet6 fe80::216:3eff:feb2:e361  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:b2:e3:61  txqueuelen 1000  (Ethernet)
        RX packets 125  bytes 16067 (15.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 147  bytes 13883 (13.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8  bytes 400 (400.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 400 (400.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@vm01:~#
root@vm01:~# ip ro li
default via 10.177.88.1 dev eth0 
10.177.88.0/24 dev eth0 proto kernel scope link src 10.177.88.76 
root@vm01:~# 

root@vm01:~# cat /etc/resolv.conf 
domain lxd
search lxd
nameserver 10.177.88.1
root@vm01:~# cat /etc/default/bind9 
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind"
root@vm01:~# grep -v "//" /etc/bind/named.conf.options | grep -v ^$
options {
	directory "/var/cache/bind";
	forwarders {
		1.1.1.1;
		1.0.0.1;
		8.8.8.8;
	};
	dnssec-validation auto;
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};
root@vm01:~# 

root@vm01:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=8.46 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=8.44 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=8.49 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=8.69 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=8.66 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 8.445/8.554/8.695/0.133 ms
root@vm01:~# 

root@vm01:/tmp# apt-get update && apt-get upgrade
Ign:1 http://deb.debian.org/debian stretch InRelease
Hit:2 http://security.debian.org/debian-security stretch/updates InRelease
Hit:3 http://deb.debian.org/debian stretch Release
Hit:5 https://packages.sury.org/php stretch InRelease
Hit:6 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-stretch InRelease
Hit:7 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease
Reading package lists... Done                      
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@vm01:/tmp# cat /etc/debian_version 
9.13
root@vm01:/tmp# dpkg -l|fgrep bind
ii  bind9                            1:9.10.3.dfsg.P4-12.3+deb9u6                                  amd64        Internet Domain Name Server
ii  bind9utils                       1:9.10.3.dfsg.P4-12.3+deb9u6                                  amd64        Utilities for BIND
ii  libapparmor-perl                 2.11.0-3+deb9u2                                               amd64        AppArmor library Perl bindings
ii  libbind9-140:amd64               1:9.10.3.dfsg.P4-12.3+deb9u6                                  amd64        BIND9 Shared Library used by BIND
ii  python3-pyinotify                0.9.6-1                                                       all          simple Linux inotify Python bindings
ii  python3-systemd                  233-1                                                         amd64        Python 3 bindings for systemd
root@vm01:/tmp#

Does that still happen if you restart the service itself?

Maybe it just tried to start too early?

Yes, it still happens when I restart bind9 itself. Also when I reboot or stop/start the whole Debian 9 vm01 container. Every other service except bind9 seems to work OK.

PS: I just tried installing the newer bind9 9.11.5.P4 from stretch-backports, in case it was due to some weird incompatibility, but the problem remains …

The permission error is almost certainly the problem, though it’s unclear what that refers to.

stgraber@castiana:~$ lxc launch images:debian/9 debian9
Creating debian9
Starting debian9                            
stgraber@castiana:~$ lxc exec debian9 bash
root@debian9:~# apt install bind9
Reading package lists... 1%
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  bind9utils bzip2 dh-python file geoip-database libbind9-140 libdns162 libgeoip1 libicu57 libirs141 libisc160 libisccc140 libisccfg140 liblwres141
  libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 libssl1.1 libxml2 mime-support
  python3 python3-minimal python3.5 python3.5-minimal readline-common sgml-base xml-core xz-utils
Suggested packages:
  dnsutils bind9-doc resolvconf ufw bzip2-doc libdpkg-perl geoip-bin python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils binfmt-support
  readline-doc sgml-base-doc debhelper
The following NEW packages will be installed:
  bind9 bind9utils bzip2 dh-python file geoip-database libbind9-140 libdns162 libgeoip1 libicu57 libirs141 libisc160 libisccc140 libisccfg140 liblwres141
  libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 libssl1.1 libxml2 mime-support
  python3 python3-minimal python3.5 python3.5-minimal readline-common sgml-base xml-core xz-utils
0 upgraded, 34 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 86.8 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch/main amd64 libssl1.1 amd64 1.1.0l-1~deb9u1 [1358 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libpython3.5-minimal amd64 3.5.3-1+deb9u2 [575 kB]
Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 python3.5-minimal amd64 3.5.3-1+deb9u2 [1695 kB]
Get:4 http://security.debian.org/debian-security stretch/updates/main amd64 libpython3.5-stdlib amd64 3.5.3-1+deb9u2 [2169 kB]
Get:5 http://deb.debian.org/debian stretch/main amd64 python3-minimal amd64 3.5.3-1 [35.3 kB]
Get:6 http://deb.debian.org/debian stretch/main amd64 mime-support all 3.60 [36.7 kB] 
Get:7 http://deb.debian.org/debian stretch/main amd64 libmpdec2 amd64 2.4.2-1 [85.2 kB]
Get:8 http://deb.debian.org/debian stretch/main amd64 readline-common all 7.0-3 [70.4 kB]
Get:9 http://deb.debian.org/debian stretch/main amd64 libreadline7 amd64 7.0-3 [151 kB]
Get:10 http://deb.debian.org/debian stretch/main amd64 libsqlite3-0 amd64 3.16.2-5+deb9u1 [572 kB]
Get:11 http://deb.debian.org/debian stretch/main amd64 libpython3-stdlib amd64 3.5.3-1 [18.6 kB]
Get:12 http://deb.debian.org/debian stretch/main amd64 dh-python all 2.20170125 [86.8 kB]
Get:13 http://security.debian.org/debian-security stretch/updates/main amd64 python3.5 amd64 3.5.3-1+deb9u2 [230 kB]
Get:14 http://deb.debian.org/debian stretch/main amd64 python3 amd64 3.5.3-1 [21.6 kB]
Get:15 http://deb.debian.org/debian stretch/main amd64 sgml-base all 1.29 [14.8 kB]
Get:16 http://deb.debian.org/debian stretch/main amd64 bzip2 amd64 1.0.6-8.1 [47.5 kB]
Get:17 http://deb.debian.org/debian stretch/main amd64 libmagic-mgc amd64 1:5.30-1+deb9u3 [222 kB]
Get:18 http://deb.debian.org/debian stretch/main amd64 libmagic1 amd64 1:5.30-1+deb9u3 [111 kB]
Get:19 http://deb.debian.org/debian stretch/main amd64 file amd64 1:5.30-1+deb9u3 [64.2 kB]
Get:20 http://deb.debian.org/debian stretch/main amd64 libgeoip1 amd64 1.6.9-4 [90.5 kB]
Get:21 http://deb.debian.org/debian stretch/main amd64 libicu57 amd64 57.1-6+deb9u4 [7699 kB]
Get:22 http://deb.debian.org/debian stretch/main amd64 libxml2 amd64 2.9.4+dfsg1-2.2+deb9u2 [920 kB]
Get:23 http://deb.debian.org/debian stretch/main amd64 libisc160 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [398 kB]
Get:24 http://deb.debian.org/debian stretch/main amd64 libdns162 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [1078 kB]
Get:25 http://deb.debian.org/debian stretch/main amd64 libisccc140 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [199 kB]
Get:26 http://deb.debian.org/debian stretch/main amd64 libisccfg140 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [223 kB]
Get:27 http://deb.debian.org/debian stretch/main amd64 libbind9-140 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [206 kB]
Get:28 http://deb.debian.org/debian stretch/main amd64 libirs141 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [200 kB]
Get:29 http://deb.debian.org/debian stretch/main amd64 liblwres141 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [214 kB]
Get:30 http://deb.debian.org/debian stretch/main amd64 xz-utils amd64 5.2.2-1.2+b1 [266 kB]
Get:31 http://deb.debian.org/debian stretch/main amd64 bind9utils amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [375 kB]
Get:32 http://deb.debian.org/debian stretch/main amd64 bind9 amd64 1:9.10.3.dfsg.P4-12.3+deb9u6 [549 kB]
Get:33 http://deb.debian.org/debian stretch/main amd64 geoip-database all 20170512-1 [2112 kB]
Get:34 http://deb.debian.org/debian stretch/main amd64 xml-core all 0.17 [23.2 kB]
Fetched 22.1 MB in 1s (15.2 MB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libssl1.1:amd64.
(Reading database ... 10690 files and directories currently installed.)
Preparing to unpack .../00-libssl1.1_1.1.0l-1~deb9u1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.0l-1~deb9u1) ...
Selecting previously unselected package libpython3.5-minimal:amd64.
Preparing to unpack .../01-libpython3.5-minimal_3.5.3-1+deb9u2_amd64.deb ...
Unpacking libpython3.5-minimal:amd64 (3.5.3-1+deb9u2) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../02-python3.5-minimal_3.5.3-1+deb9u2_amd64.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u2) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../03-python3-minimal_3.5.3-1_amd64.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../04-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:amd64.
Preparing to unpack .../05-libmpdec2_2.4.2-1_amd64.deb ...
Unpacking libmpdec2:amd64 (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../06-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:amd64.
Preparing to unpack .../07-libreadline7_7.0-3_amd64.deb ...
Unpacking libreadline7:amd64 (7.0-3) ...
Selecting previously unselected package libsqlite3-0:amd64.
Preparing to unpack .../08-libsqlite3-0_3.16.2-5+deb9u1_amd64.deb ...
Unpacking libsqlite3-0:amd64 (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:amd64.
Preparing to unpack .../09-libpython3.5-stdlib_3.5.3-1+deb9u2_amd64.deb ...
Unpacking libpython3.5-stdlib:amd64 (3.5.3-1+deb9u2) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../10-python3.5_3.5.3-1+deb9u2_amd64.deb ...
Unpacking python3.5 (3.5.3-1+deb9u2) ...
Selecting previously unselected package libpython3-stdlib:amd64.
Preparing to unpack .../11-libpython3-stdlib_3.5.3-1_amd64.deb ...
Unpacking libpython3-stdlib:amd64 (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../12-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libssl1.1:amd64 (1.1.0l-1~deb9u1) ...
Setting up libpython3.5-minimal:amd64 (3.5.3-1+deb9u2) ...
Setting up python3.5-minimal (3.5.3-1+deb9u2) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 11674 files and directories currently installed.)
Preparing to unpack .../00-python3_3.5.3-1_amd64.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package sgml-base.
Preparing to unpack .../01-sgml-base_1.29_all.deb ...
Unpacking sgml-base (1.29) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../02-bzip2_1.0.6-8.1_amd64.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../03-libmagic-mgc_1%3a5.30-1+deb9u3_amd64.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:amd64.
Preparing to unpack .../04-libmagic1_1%3a5.30-1+deb9u3_amd64.deb ...
Unpacking libmagic1:amd64 (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../05-file_1%3a5.30-1+deb9u3_amd64.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package libgeoip1:amd64.
Preparing to unpack .../06-libgeoip1_1.6.9-4_amd64.deb ...
Unpacking libgeoip1:amd64 (1.6.9-4) ...
Selecting previously unselected package libicu57:amd64.
Preparing to unpack .../07-libicu57_57.1-6+deb9u4_amd64.deb ...
Unpacking libicu57:amd64 (57.1-6+deb9u4) ...
Selecting previously unselected package libxml2:amd64.
Preparing to unpack .../08-libxml2_2.9.4+dfsg1-2.2+deb9u2_amd64.deb ...
Unpacking libxml2:amd64 (2.9.4+dfsg1-2.2+deb9u2) ...
Selecting previously unselected package libisc160:amd64.
Preparing to unpack .../09-libisc160_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking libisc160:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package libdns162:amd64.
Preparing to unpack .../10-libdns162_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking libdns162:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package libisccc140:amd64.
Preparing to unpack .../11-libisccc140_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking libisccc140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package libisccfg140:amd64.
Preparing to unpack .../12-libisccfg140_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking libisccfg140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package libbind9-140:amd64.
Preparing to unpack .../13-libbind9-140_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking libbind9-140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package libirs141:amd64.
Preparing to unpack .../14-libirs141_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking libirs141:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package liblwres141:amd64.
Preparing to unpack .../15-liblwres141_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking liblwres141:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../16-xz-utils_5.2.2-1.2+b1_amd64.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package bind9utils.
Preparing to unpack .../17-bind9utils_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking bind9utils (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package bind9.
Preparing to unpack .../18-bind9_1%3a9.10.3.dfsg.P4-12.3+deb9u6_amd64.deb ...
Unpacking bind9 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Selecting previously unselected package geoip-database.
Preparing to unpack .../19-geoip-database_20170512-1_all.deb ...
Unpacking geoip-database (20170512-1) ...
Selecting previously unselected package xml-core.
Preparing to unpack .../20-xml-core_0.17_all.deb ...
Unpacking xml-core (0.17) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up geoip-database (20170512-1) ...
Setting up libreadline7:amd64 (7.0-3) ...
Setting up sgml-base (1.29) ...
Setting up libgeoip1:amd64 (1.6.9-4) ...
Setting up libicu57:amd64 (57.1-6+deb9u4) ...
Setting up libxml2:amd64 (2.9.4+dfsg1-2.2+deb9u2) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:amd64 (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Processing triggers for systemd (232-25+deb9u12) ...
Setting up liblwres141:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up libsqlite3-0:amd64 (3.16.2-5+deb9u1) ...
Setting up xml-core (0.17) ...
Setting up libmpdec2:amd64 (2.4.2-1) ...
Setting up libisc160:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up libpython3.5-stdlib:amd64 (3.5.3-1+deb9u2) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up libisccc140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up python3.5 (3.5.3-1+deb9u2) ...
Setting up libpython3-stdlib:amd64 (3.5.3-1) ...
Setting up libdns162:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up libisccfg140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up libirs141:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up libbind9-140:amd64 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up dh-python (2.20170125) ...
Setting up bind9utils (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Setting up bind9 (1:9.10.3.dfsg.P4-12.3+deb9u6) ...
Adding group `bind' (GID 109) ...
Done.
Adding system user `bind' (UID 106) ...
Adding new user `bind' (UID 106) with group `bind' ...
Not creating home directory `/var/cache/bind'.
wrote key file "/etc/bind/rndc.key"
#
Created symlink /etc/systemd/system/multi-user.target.wants/bind9.service → /lib/systemd/system/bind9.service.
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for sgml-base (1.29) ...
Processing triggers for systemd (232-25+deb9u12) ...
root@debian9:~# dpkg -l | grep bind
ii  bind9                      1:9.10.3.dfsg.P4-12.3+deb9u6 amd64        Internet Domain Name Server
ii  bind9utils                 1:9.10.3.dfsg.P4-12.3+deb9u6 amd64        Utilities for BIND
ii  libbind9-140:amd64         1:9.10.3.dfsg.P4-12.3+deb9u6 amd64        BIND9 Shared Library used by BIND
root@debian9:~# systemctl start bind9
root@debian9:~# ps aux | grep named
bind         719  0.0  0.1 434192 19264 ?        Ssl  20:06   0:00 /usr/sbin/named -f -u bind
root         727  0.0  0.0  14500   820 ?        S+   20:06   0:00 grep named
root@debian9:~# 

Though that’s on a 20.04 host, but I’m not sure what in 18.04 could cause this.

Strangely Bind9 used to work for months on this particular Debian 9 CT (vm01), until I rebooted it yesterday. The only changes I had done to it from LXD side were configuring macvlan (for assigning it a public IPv4) and then back to bridged (with NAT).

$ lxc config show vm01 --expanded
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian stretch amd64 (20200121_09:09)
  image.os: Debian
  image.release: stretch
  image.serial: "20200121_09:09"
  volatile.base_image: 594467907e3a5583689e8d9e867eebbc74037561526ab5fe46cfc989989de893
  volatile.eth0.hwaddr: 00:16:3e:22:33:11
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

Bind9 currently works fine on another Debian 9 CT and a Debian 10 CT on the same host (Ubuntu 18.04 with LXD 3.0.3).

Here are the differences between two identical CTs, one that has a problem with Bind9 (vm01) and another that runs fine (vm02). Both vm01 and vm02 are running Debian 9; on vm01 I installed Virtualmin/Webmin, whereas on vm02 ISPconfig.

$ lxc config show vm01 --expanded > /tmp/vm01.txt
$ lxc config show vm02 --expanded > /tmp/vm02.txt
$ diff /tmp/vm01.txt /tmp/vm02.txt
4c4
<   image.description: Debian stretch amd64 (20200121_09:09)
---
>   image.description: Debian stretch amd64 (20191019_05:24)
7,9c7,9
<   image.serial: "20200121_09:09"
<   volatile.base_image: 594467907e3a5583689e8d9e867eebbc74037561526ab5fe46cfc989989de893
<   volatile.eth0.hwaddr: 00:16:3e:22:33:11
---
>   image.serial: "20191019_05:24"
>   volatile.base_image: 60def082b85d4d5bf60e76a1d9f9640b378a35028a2cb3af6f57e852df4ff866
>   volatile.eth0.hwaddr: 00:16:3e:22:33:12
$

Thankfully these CTs are for testing, but I’m worried that one day I might reboot a production container and it will just stop working :frowning:

Yeah, that’s very confusing. I wonder what may have changed within the container…
The diff you provided doesn’t really show anything that’d explain this.

Is there any error in dmesg around the time you start bind9?

I found the issue, it was due to enabling AppArmor on vm01 (a few weeks ago, but hadn’t rebooted it since).

Once I removed AppArmor, Bind9 started fine. Sorry for all the “excitement” …

PS: I guess last night my mind was fixated on the interface naming convention (e.g. eth0@if567), due to Webmin having a bug for years that can’t find the IPv4/IPv6 and I have to manually patch the perl source for every upgrade …
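
The triage this thread arrived at (a `socket() failed: Permission denied` line ahead of "no IPv4/IPv6 interfaces found", then the question about dmesg, then AppArmor as the cause) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, and the two kernel audit lines in the sample are constructed in AppArmor's usual `apparmor="DENIED"` key=value format, since the thread never showed the kernel log.

```sh
#!/bin/sh
# Added example: tell a confinement (LSM) denial apart from a real
# "no interfaces" problem when named refuses to start.
# SAMPLE_LOG is constructed: the named[] lines copy messages quoted in the
# thread; the kernel audit lines are made-up samples, not output from vm01.
SAMPLE_LOG='Aug  4 21:22:09 vm01 named[306]: using default UDP/IPv6 port range: [32768, 60999]
Aug  4 21:22:09 vm01 kernel: audit: type=1400 audit(1596565329.101:71): apparmor="DENIED" operation="create" profile="/usr/sbin/named" pid=306 comm="named" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Aug  4 21:22:09 vm01 named[306]: socket() failed: Permission denied
Aug  4 21:22:09 vm01 kernel: audit: type=1400 audit(1596565329.102:72): apparmor="DENIED" operation="create" profile="/usr/sbin/named" pid=306 comm="named" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Aug  4 21:22:09 vm01 named[306]: socket() failed: Permission denied
Aug  4 21:22:09 vm01 named[306]: no IPv6 interfaces found
Aug  4 21:22:09 vm01 named[306]: no IPv4 interfaces found
Aug  4 21:22:09 vm01 named[306]: not listening on any interfaces'

# Read log text on stdin and print exactly one verdict:
#   apparmor-denied                socket() EACCES plus an AppArmor denial for named
#   socket-denied-no-audit-record  socket() EACCES, no denial seen (check the kernel log)
#   no-interfaces                  named saw no addresses, but socket() itself worked
#   no-match                       none of the signatures present
classify_named_failure() {
    awk '
        /named\[[0-9]+\]: socket\(\) failed: Permission denied/ { eperm = 1 }
        /named\[[0-9]+\]: no IPv[46] interfaces found/          { noif = 1 }
        /apparmor="DENIED"/ && /comm="named"/                   { aa = 1 }
        END {
            if (eperm && aa) {
                print "apparmor-denied"
            } else if (eperm) {
                print "socket-denied-no-audit-record"
            } else if (noif) {
                print "no-interfaces"
            } else {
                print "no-match"
            }
        }'
}

# Print "profile operation family" for every AppArmor denial whose comm= field
# matches $1, so the profile that needs attention is named explicitly.
apparmor_denials_for() {
    awk -v comm="$1" '
        function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
        /apparmor="DENIED"/ && index($0, "comm=\"" comm "\"") {
            op = prof = fam = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^operation=/) op = val($i)
                if ($i ~ /^profile=/)   prof = val($i)
                if ($i ~ /^family=/)    fam = val($i)
            }
            print prof, op, fam
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_named_failure
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials_for named
```

On a real system, feed both functions the kernel log together with the container's syslog; the `socket-denied-no-audit-record` verdict means the denial has to be looked for elsewhere before blaming the network configuration.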