After upgrading from net-dns-bind-9.4.1_p1, named failed to start with the error message "Starting named: named: capset failed: Operation not permitted: please ensure that the capset kernel module is loaded. see insmod(8)". Version 9.4.1_p1 worked fine with the same USE flags. There is a warning about threads and a vserver environment, so even though I am not using a vserver environment I disabled the threads USE flag and then named started correctly.

[ebuild R ] net-dns/bind-9.4.2 USE="berkdb doc idn ipv6 ldap odbc postgres resolvconf ssl -dlz -mysql (-selinux) -threads -urandom" 0 kB

emerge --info
Portage 2.1.5_rc6 (default/linux/x86/2008.0/desktop, gcc-4.2.3, glibc-2.7-r2, 2.6.25-gentoo-r2 i686)
=================================================================
System uname: 2.6.25-gentoo-r2 i686 Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
Timestamp of tree: Sat, 03 May 2008 19:15:02 +0000
app-shells/bash: 3.2_p39
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python: 2.4.4-r11, 2.5.2-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc: 0.2.3
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.62
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.25-r1
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -mtune=native -pipe -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=native -mtune=native -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildsyspkg distlocks installsources parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://gentoo.blueyonder.co.uk http://gentoo.tiscali.nl/ http://gentoo.mirror.solnet.ch http://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS=""
LINGUAS="en_GB en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/musicbrainz /usr/portage/local/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi aim alsa apache2 arts audiofile avi bash-completion berkdb bluetooth bonobo branding browserplugin bzip2 bzlib cairo caps cddb cdparanoia cdr cjk cli cracklib crypt cups curl cvs dbus directfb doc dri dts dvd dvdr dvdread eds emacs emboss encode esd ethereal evo examples exif expat fam fbcon ffmpeg fftw firefox flac foomaticdb fortran ftp gcj gd gdbm gif glut gmp gnome gnome-keyring gnutls gphoto2 gpm graphviz gstreamer gtk gtk2 gtkhtml guile hal iconv icq idn ieee1394 imagemagick imlib ipv6 isdnlog jabber jack java javascript jbig jce jpeg jpeg2k junit kde kdehiddenvisibility kerberos ladspa latex lcms ldap leim libgda libnotify libsamplerate libwww lirc lm_sensors logrotate lua m17n-lib mad matroska mbox midi mikmod milter mime mmap mmx mng modplug mono mp3 mpeg mpi mplayer msn mudflap musepack ncurses nls nptl nptlonly nsplugin odbc offensive ogg oggvorbis openal opengl openmp oscar oss pam pcntl pcre pdf perl png postgres ppds pppd profile pulseaudio python qt3 qt3support qt4 quicktime readline recode reflection ruby sasl sdl seamonkey session sharedmem sndfile snmp sockets sox speex spell spl sqlite3 sse sse2 ssl startup-notification subversion svg sysvipc tcl tcltk tcpd tetex theora threads tiff tk truetype uicktime unicode usb v4l v4l2 vim-syntax vorbis win32codecs wmf wxwindows x264 x86 xattr xcb xface xine xml xml2 xorg xulrunner xv xvid yahoo zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
APACHE2_MPMS="worker"
CAMERAS="canon ptp2"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en_GB en"
LIRC_DEVICES="asusdh"
USERLAND="GNU"
VIDEO_CARDS="radeon vesa fbdev vga"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #0)
> After upgrading from net-dns-bind-9.4.1_p1, named failed to start with the
> error message "Starting named: named: capset failed: Operation not permitted:
> please ensure that the capset kernel module is loaded. see insmod(8)". Version
> 9.4.1_p1 worked fine with the same USE flags. There is a warning about threads
> and a vserver environment, so even though I am not using a vserver environment
> I disabled the threads USE flag and then named started correctly.

Do you have the capability module available (or directly built into your kernel)?
Same here - SECURITY_CAPABILITIES is set to "=y" in .config (by GRSEC), kernel = hardened-sources-2.6.24-r1
Created attachment 151787 [details]
Kernel Configuration

I think that I have enabled all of the capability options. Grepping the kernel source, I cannot see any indication of a module called 'capset'.
emerge -1 sys-libs/libcap
Sorry, I'll be don't right.

USE="-threads" emerge -av net-dns/bind && emerge -1 sys-libs/libcap
You might be interested in this thread of the linux kernel mailing list:

http://www.gossamer-threads.com/lists/linux/kernel/875073

As it seems libcap needs an update..
(In reply to comment #6)
> You might be interested in this thread of the linux kernel mailing list:
>
> http://www.gossamer-threads.com/lists/linux/kernel/875073
>
> As it seems libcap needs an update..
>

This indicates an upgrade to libcap-2.05, but it is failing for me using libcap-2.08-r1.
(In reply to comment #6)
> You might be interested in this thread of the linux kernel mailing list:
>
> http://www.gossamer-threads.com/lists/linux/kernel/875073
>
> As it seems libcap needs an update..
>

ldd `which named` | grep cap
The problem arose after the upgrade to linux-headers-2.6.25. Bind and squid stopped working. If I compile bind with linux-headers-2.6.24, everything works. By analogy with how this issue was resolved for squid, I made a little patch that solves this problem with bind-9.4.2. It compiles and works fine with USE="threads" and linux-headers-2.6.25-r3.

diff -Nuar bind-9.4.2.orig/bin/named/unix/os.c bind-9.4.2/bin/named/unix/os.c
--- bind-9.4.2.orig/bin/named/unix/os.c 2006-02-04 01:51:38.000000000 +0200
+++ bind-9.4.2/bin/named/unix/os.c 2008-06-03 10:21:56.000000000 +0300
@@ -159,7 +159,11 @@
 		return;
 	memset(&caphead, 0, sizeof(caphead));
+#ifdef _LINUX_CAPABILITY_VERSION_1
+	caphead.version = _LINUX_CAPABILITY_VERSION_1;
+#else
 	caphead.version = _LINUX_CAPABILITY_VERSION;
+#endif
 	caphead.pid = 0;
 	memset(&cap, 0, sizeof(cap));
 	cap.effective = caps;
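Review bot: pinning `caphead.version` to `_LINUX_CAPABILITY_VERSION_1` in the os.c hunk restores the pre-2.6.25 wire format (one `__user_cap_data_struct` per set), which is why the single `cap` struct filled in below the `#endif` works again, but it also commits named to the kernel's legacy 32-bit path, the one that logs "uses 32-bit capabilities (legacy support in use)" as comment 11 on this bug reports. That is safe for the capabilities named actually needs (all below 32), so the change is acceptable as a stopgap; a comment on the `#ifdef` saying that the version is pinned deliberately, and that moving to v2/v3 requires sizing `cap` as an array of `_LINUX_CAPABILITY_U32S_3` elements rather than a single struct, would stop the next reader from "upgrading" the constant without fixing the data layout. The `#else` fallback is fine: on headers old enough to lack `_LINUX_CAPABILITY_VERSION_1`, `_LINUX_CAPABILITY_VERSION` is itself the v1 value.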
(In reply to comment #9)
Thank you! This works fine here :) Now I can compile with threads!
I would have a purpose maybe ;) What about using _LINUX_CAPABILITY_VERSION_3 and libcap 2.10? This works also, but fixes the nasty warning:

warning: `named' uses 32-bit capabilities (legacy support in use)

The only thing is, that we need >=sys-libs/libcap-2.10 for it...
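The v1/v3 question in comments 9 and 11 comes down to the capability syscall ABI: the kernel decides from `caphead.version` how many `__user_cap_data_struct` elements it reads, and a caller that passes a v2/v3 header with only one element hands the kernel uninitialised stack memory as the upper 32 capability bits. The following added example (not BIND's code and not from this bug's patches) shows the robust pattern: ask the kernel which version it prefers, size the data array from that version, and then read the process's own sets with `capget`, which needs no privilege. It only reads capabilities and does not change them; `SYS_capget`, `_LINUX_CAPABILITY_U32S_*` and the `CAP_TO_INDEX`/`CAP_TO_MASK` macros are standard Linux header definitions, and the function names are my own.

```c
/* Added example: probe the kernel's preferred capability ABI version and
 * read this process's own capability sets with a correctly sized buffer.
 * Linux only; builds without libcap (raw syscalls). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Ask the kernel for its preferred header version. capget() with version 0
 * fails with EINVAL but writes the preferred version back into hdr.version,
 * which is how libcap itself discovers the ABI at run time. */
uint32_t kernel_cap_version(void)
{
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof(hdr));
    hdr.version = 0;
    hdr.pid = 0;
    (void)syscall(SYS_capget, &hdr, (void *)0);
    return hdr.version;
}

/* Number of __user_cap_data_struct elements the kernel copies for a version:
 * one 32-bit word per set for v1, two words (64 capability bits) for v2/v3.
 * Returns 0 for a version this code does not understand. */
int cap_data_elems(uint32_t version)
{
    switch (version) {
    case _LINUX_CAPABILITY_VERSION_1: return _LINUX_CAPABILITY_U32S_1;
    case _LINUX_CAPABILITY_VERSION_2: return _LINUX_CAPABILITY_U32S_2;
    case _LINUX_CAPABILITY_VERSION_3: return _LINUX_CAPABILITY_U32S_3;
    default: return 0;
    }
}

/* Read the caller's effective set into effective[0..1] (low and high 32 bits)
 * using the kernel's preferred version. Returns 0 on success, -errno on failure.
 * The data array is always sized for the largest known version, so a v2/v3
 * kernel never reads past the end of it, the mistake a single struct makes. */
int read_own_effective(uint32_t effective[2])
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    uint32_t version = kernel_cap_version();
    int n = cap_data_elems(version);

    if (n == 0)
        return -EINVAL;
    memset(&hdr, 0, sizeof(hdr));
    hdr.version = version;
    hdr.pid = 0;                 /* 0 = the calling process */
    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    effective[0] = data[0].effective;
    effective[1] = (n > 1) ? data[1].effective : 0;
    return 0;
}

/* True if capability `cap` (e.g. CAP_NET_BIND_SERVICE) is in the effective set
 * read by read_own_effective(). */
int has_effective(const uint32_t effective[2], int cap)
{
    return (effective[CAP_TO_INDEX(cap)] & CAP_TO_MASK(cap)) != 0;
}

int main(void)
{
    uint32_t eff[2];
    uint32_t v = kernel_cap_version();
    int rc;

    printf("kernel prefers capability ABI version 0x%08x (%d data element(s))\n",
           v, cap_data_elems(v));
    rc = read_own_effective(eff);
    if (rc != 0) {
        fprintf(stderr, "capget failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("effective set: low=0x%08x high=0x%08x\n", eff[0], eff[1]);
    printf("CAP_NET_BIND_SERVICE in effective set: %s\n",
           has_effective(eff, CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return 0;
}
```

On a 2.6.25 or later kernel the probe reports v3 (0x20080522) and two data elements, which is exactly the layout the unpatched `named` fell foul of: it sent a v2 header (the new value of `_LINUX_CAPABILITY_VERSION`) with one element, so the kernel read a second, uninitialised element and refused the request with EPERM when that garbage asked for permitted bits the process did not hold.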
Conrad Kostecki is right. I modified the ebuild and the patch; compilation was smooth. named started, no warning messages in dmesg, normal operation for some hours.

# diff -Nuar /usr/portage/net-dns/bind/bind-9.5.0_p1-r2.ebuild /usr/portage/local/blackbit/net-dns/bind/bind-9.5.0_p1-r2.ebuild
--- /usr/portage/net-dns/bind/bind-9.5.0_p1-r2.ebuild 2008-07-27 10:56:35.000000000 +0200
+++ /usr/portage/local/blackbit/net-dns/bind/bind-9.5.0_p1-r2.ebuild 2008-08-01 17:16:09.809471034 +0200
@@ -26,7 +26,8 @@
 RDEPEND="${DEPEND}
 	selinux? ( sec-policy/selinux-bind )
-	resolvconf? ( || ( net-dns/openresolv net-dns/resolvconf-gentoo ) )"
+	resolvconf? ( || ( net-dns/openresolv net-dns/resolvconf-gentoo ) )
+	threads? ( >=sys-libs/libcap-2.1.0 )"
 
 S="${WORKDIR}/${PN}-${MY_PV}"
 
@@ -57,6 +58,8 @@
 			"${i}"
 	done
 
+	use threads && epatch "${FILESDIR}"/${PN}-9.5.0-libcap.patch
+
 	use dlz && epatch "${FILESDIR}"/${PN}-9.4.0-dlzbdb-close_cursor.patch
 
 	# bind fails to reconnect to MySQL5 databases, bug #180720, patch by Nicolas Brousse
#
# cat /usr/portage/local/blackbit/net-dns/bind/files/bind-9.5.0-libcap.patch
--- bin/named/unix/os.c 2008-08-01 15:20:07.401472392 +0200
+++ bin/named/unix/os.c 2008-08-01 15:24:13.941474019 +0200
@@ -170,7 +170,11 @@
 		return;
 #ifndef HAVE_LIBCAP
 	memset(&caphead, 0, sizeof(caphead));
+#ifdef _LINUX_CAPABILITY_VERSION_3
+	caphead.version = _LINUX_CAPABILITY_VERSION_3;
+#else
 	caphead.version = _LINUX_CAPABILITY_VERSION;
+#endif
 	caphead.pid = 0;
 	memset(&cap, 0, sizeof(cap));
 	cap.effective = caps;
#
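Review bot: the version bound in the RDEPEND hunk, `threads? ( >=sys-libs/libcap-2.1.0 )`, does not match the `>=sys-libs/libcap-2.10` that comment 11 asks for and that this comment says was tested: Portage compares version components numerically, so 2.1.0 is older than the libcap-2.08-r1 already reported as failing earlier in this bug, and the dependency would be satisfied by a libcap that still shows the problem. It should read `>=sys-libs/libcap-2.10`. Also, because `RDEPEND="${DEPEND} ..."` expands DEPEND before the new line is appended, libcap lands only in RDEPEND; since named is linked against it at build time (comment 13 notes the binary is linked to libcap), the atom belongs in DEPEND as well, with RDEPEND inheriting it.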
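Review bot: the `use threads && epatch` line in the src_unpack hunk carries no explanation, unlike the `use dlz` line right below it, which cites bug #180720 and the patch author. Add a one-line comment above it naming this bug (placeholder: `# capset() fails with linux-headers-2.6.25, bug #NNNNNN`) so the next maintainer knows when the patch can be dropped, and consider whether the `threads` condition is the right gate: the header-version problem is in the non-libcap capability path of os.c, which is compiled regardless of the USE flag, so the patch is at least harmless to apply unconditionally.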
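Review bot: the os.c hunk sits inside `#ifndef HAVE_LIBCAP`, so once the ebuild's new libcap dependency is satisfied and configure detects libcap, these lines are compiled out and the build that "works with no warning" is exercising the libcap path, not this change. For a build without libcap the change is riskier than the `_LINUX_CAPABILITY_VERSION_1` variant in comment 9: with a v3 header the kernel copies `_LINUX_CAPABILITY_U32S_3` (two) `__user_cap_data_struct` elements from user space, so if `cap` is still the single struct that the unchanged `memset(&cap, 0, sizeof(cap))` and `cap.effective = caps` lines operate on, the kernel reads an uninitialised second element from the stack and the capset fails with EPERM whenever that garbage requests bits the process does not hold, which is the very symptom this bug is about. Either keep the v1 pin in the non-libcap path or declare `cap` as `struct __user_cap_data_struct cap[_LINUX_CAPABILITY_U32S_3]` and zero the whole array before filling `cap[0]`.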
bind-9.5.0_p2 does not seem to correct this problem. I was able to build and start 9.5.0_p2 with an unmodified ebuild or adding the patch. Some time later I got in the log:

[kernel] warning: `named' uses deprecated v2 capabilities in a way that may be insecure.

Since it was linked to libcap (there is no dependency for it in the ebuild!), I could no longer start bind after unmerging libcap. Was 9.5.0_p1 linked to libcap too? I guess so, but cannot check easily because the ebuild was removed from the tree.

Building 9.5.0_p2 without libcap is possible, but it does not start, with the well-known "Starting named: named: capset failed: Operation not permitted: please ensure that the capset kernel module is loaded. see insmod(8)".

The ebuild modification and dependency for libcap >=2.10 seems to work best: normal operation and no warnings. The file to which the patch is applied was not changed, so the patch can be used unchanged.
This should be fixed in =bind-9.4.2_p2-r1 and =bind-9.5.0_p2-r1. Please test and reopen this bug if necessary.
(In reply to comment #14)
> This should be fixed in =bind-9.4.2_p2-r1 and =bind-9.5.0_p2-r1. Please test
> and reopen this bug if necessary.
>

I just can't understand, after reading this post, how a version of bind without the patch and the dependency could go stable???