phroggy.com: Weblog Archive: Upgrading BIND on Slackware

Upgrading BIND on Slackware (Thursday, July 10^th, 2008)

So I was working on upgrading BIND on a server running Slackware 10.2, when I ran into a nasty error:

# /etc/rc.d/rc.bind restart
Stopping BIND:  /usr/sbin/rndc stop
Using killall named on additional BIND processes...
Starting BIND:  /usr/sbin/named
WARNING:  named did not start.  Perhaps this is because
the “capability” module required by newer kernels is
not loaded (or built into the kernel)?
Attempting to load security capability module:
/sbin/modprobe capability
modprobe: Can't locate module capability
Attempting to start named again:  /usr/sbin/named
FAILED:  Sorry, but even after attempting to load
the “capability” module, named did not start.
There may be a different configuration error that
needs fixing.  Good luck!

As it turns out, the problem has absolutely nothing to do with the “capability” module, which doesn't exist in the Linux 2.4 kernel that Slackware 10.2 uses. On this particular server, I chose to ignore the assurances in the comments in /etc/rc.d/rc.bind that modern versions of BIND are perfectly safe to run as root, so I have a user called “named” and I modified the rc script to launch BIND as /usr/sbin/named -u named (safer than using the same “nobody” that a bunch of other stuff uses). That's all well and good, and per the instructions in the comments, I chown'd /var/run/named so it's owned by the “named” user.

The problem is, when you upgrade BIND, /var/run/named gets chown'd back to root.root, which causes a fatal error when BIND can't write its process ID to /var/run/named/named.pid. The confusing thing is, Slackware's rc.bind script assumes that any fatal error must be because the “capability” module (which doesn't even exist on this kernel) isn't loaded, so it prints a nasty warning, tries to load it with modprobe, and prints another error message when that fails too.

Once I figured out what the problem was (the real reason BIND wouldn't start was clearly stated in /var/log/syslog) it was easy to fix: just chown named.daemon /var/run/named /var/named (if you don't do the latter BIND will run, but you'll get “the working directory is not writable” errors). But since the error message displayed on screen is so misleading, I thought I should share my experience, in case anyone else runs into the same problem.