[Opendnssec-user] Problem with configuration; terse output

Nick Urbanik nicku at nicku.org
Thu Feb 16 23:09:05 UTC 2023


Dear Barry,

Thank you for taking the time to reply.

On 16/02/23 11:05 +0100, Berry van Halderen wrote:
>On 2023-02-16 01:40, Nick Urbanik via Opendnssec-user wrote:
>> Dear Folks,
>>
>> I am attempting to start ods-enforcerd on Fedora 37.
>>
>> journalctl shows this:
>> [engine] enforcerd (pid: 1233258) stopped with exitcode 3
>>
>> Running on the command line shows this:
>> $ sudo -u ods /usr/sbin/ods-enforcerd -d -v -v -v -v -v
>> OpenDNSSEC key and signing policy enforcer version 2.1.10
>> setup failed: Database error
>
>Dear Nick,
>
>I see that you want to run OpenDNSSEC as a specific user.  It is better
>to do this in the configuration.  In the conf.xml you can specify
>a <User> and <Group> such that OpenDNSSEC will drop privileges and
>run as this user and/or group, after it has done some essential stuff.
>This will avoid a number of problems, especially forgetting to use the
>sudo command and having all your files owned by root and then figuring
>out next time why nothing works when using the sudo again.

I am just using the configuration provided by Fedora, with systemd
running with user, group as ods.  The default configuration also has
User and Group as ods in conf.xml.

>> tcpdump shows no network connection to the database.
>>
>> Here is part of my /etc/opendnssec/conf.xml:
>>                 <Datastore>
>>                         <MySQL>
>>                                 <Host Port="3306">localhost</Host>
>>                                 <Database>opendnssec</Database>
>>                                 <Username>ods</Username>
>>                                 <Password>Cherry7Chunky8Voyage</Password>
>>                         </MySQL>
>>                 </Datastore>
>
>Given the database is set-up correctly and available through the command
>line, and you are using "sudo", I suspect the MySQL/MariaDB socket might not
>be available for the "ods" user.

Shouldn't ods-enforcerd be trying to connect to the database through
TCP port 3306 on localhost?  Yet tcpdump shows no attempts.  I suspect
that ods-enforcerd doesn't like some other aspect of my configuration,
but it seems reluctant to let me know.

>Verify /var/run/mysql/mysql.sock (your mileage may vary depending on
>your distribution) can be accessed by the "ods" user.

The mariadb socket is readable by all:
$ ls -l /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql 0 Feb 16 10:21 /var/lib/mysql/mysql.sock

>ods-enforcer-db-setup has probably not been run as the ods user, so
>could use the same settings, hence my suspicion.

I'll nuke the database and start again, see if I get any joy.  The
software seems reluctant to tell me enough for me to understand what
it doesn't like about the way I set it up.

>Best regards,
>\Berry
>
>> I can connect to mariadb with:
>> mysql -h 127.0.0.1 -u ods -pCherry7Chunky8Voyage opendnssec
>> ...
>> MariaDB [opendnssec]> show tables;
>> +----------------------+
>> | Tables_in_opendnssec |
>> +----------------------+
>> | databaseVersion      |
>> | hsmKey               |
>> | keyData              |
>> | keyDependency        |
>> | keyState             |
>> | policy               |
>> | policyKey            |
>> | zone                 |
>> +----------------------+
>> 8 rows in set (0.001 sec)
>>
>> Can anyone suggest how to get more information to troubleshoot?

Thank you for your suggestions.
-- 
Nick Urbanik             http://nicku.org           nicku at nicku.org
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
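
The socket-versus-TCP question discussed in this thread, as an added example that is not part of either poster's message and is not OpenDNSSEC code: the MySQL/MariaDB C client library treats the host name "localhost" as a request for the local Unix socket and ignores the port, which is consistent with tcpdump seeing no traffic on 3306. It assumes the enforcer hands `<Host>` to the client library unchanged; the sample conf.xml is constructed, its password is a placeholder, and the function names are hypothetical.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <Datastore> fragment quoted in the thread;
# the password is a placeholder.
SAMPLE_CONF = """<Configuration><Enforcer><Datastore><MySQL>
  <Host Port="3306">localhost</Host>
  <Database>opendnssec</Database>
  <Username>ods</Username>
  <Password>PLACEHOLDER</Password>
</MySQL></Datastore></Enforcer></Configuration>"""

# Socket paths mentioned in the thread; the real default is compiled
# into the client library and varies by distribution.
SOCKET_CANDIDATES = ["/var/lib/mysql/mysql.sock", "/var/run/mysql/mysql.sock"]

def datastore_transport(conf_xml):
    """Return (transport, host, port) the MySQL client library would use."""
    mysql = ET.fromstring(conf_xml).find(".//Datastore/MySQL")
    if mysql is None:
        raise ValueError("no <Datastore><MySQL> element found")
    host_el = mysql.find("Host")
    host = (host_el.text or "").strip() if host_el is not None else ""
    port = int(host_el.get("Port", "3306")) if host_el is not None else 3306
    # mysql_real_connect(): NULL or "localhost" selects the Unix socket,
    # and the configured port is not used at all.
    if host in ("", "localhost"):
        return ("unix-socket", host or "localhost", None)
    return ("tcp", host, port)

def socket_report(paths=SOCKET_CANDIDATES):
    """Map each candidate path to True if it is a socket this uid can connect to."""
    report = {}
    for p in paths:
        try:
            # stat() also fails when a parent directory is not searchable
            is_sock = stat.S_ISSOCK(os.stat(p).st_mode)
        except OSError:
            is_sock = False
        # connect() on a Unix socket needs write permission on the socket file
        report[p] = is_sock and os.access(p, os.W_OK)
    return report

if __name__ == "__main__":
    print(datastore_transport(SAMPLE_CONF))
    for path, ok in socket_report().items():
        print(f"{path}: {'usable' if ok else 'missing or not accessible'}")
```

Run it as the daemon's user (for example under `sudo -u ods`) so the access check reflects what the enforcer itself would see.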