ventz / docker-bind

Docker Hub ventz/bind - Secure ISC BIND (Authoritative, Recursive, Slave, RPZ) - Docker image always latest built!
https://hub.docker.com/r/ventz/bind/

Permission denied on create journal file causes dynamic updates to fail #23

Closed aaronbrooks-gh closed 5 years ago

aaronbrooks-gh commented 5 years ago

I have configured bind to allow dynamic updates from my LAN, with two bound volumes /etc/bind and /var/cache/bind. When a zone update request is received, it fails with SERVFAIL.

The bind logs reveal it is failing because bind does not have permissions to create the journal file at /etc/bind/zones/db.lan.jnl:

16-Jul-2019 01:32:04.589 client @0x56143cb40b40 172.18.0.3#58468/key dynamic-zone-key: signer "dynamic-zone-key" approved
16-Jul-2019 01:32:04.589 client @0x56143cb40b40 172.18.0.3#58468/key dynamic-zone-key: updating zone 'lan/IN': deleting rrset at 'planetexpress.lan' A
16-Jul-2019 01:32:04.589 client @0x56143cb40b40 172.18.0.3#58468/key dynamic-zone-key: updating zone 'lan/IN': adding an RR at 'planetexpress.lan' A 10.0.0.4
16-Jul-2019 01:32:04.589 /etc/bind/zones/db.lan.jnl: create: permission denied
16-Jul-2019 01:32:04.589 client @0x56143cb40b40 172.18.0.3#58468/key dynamic-zone-key: updating zone 'lan/IN': error: journal open failed: unexpected error

If I run /bin/ash in the running container and use that to execute chmod 770 /etc/bind/zones the dynamic update completes successfully:

16-Jul-2019 01:55:32.427 client @0x55e993fc7960 172.18.0.2#54044/key dynamic-zone-key: signer "dynamic-zone-key" approved
16-Jul-2019 01:55:32.427 client @0x55e993fc7960 172.18.0.2#54044/key dynamic-zone-key: updating zone 'lan/IN': deleting rrset at 'planetexpress.lan' A
16-Jul-2019 01:55:32.427 client @0x55e993fc7960 172.18.0.2#54044/key dynamic-zone-key: updating zone 'lan/IN': adding an RR at 'planetexpress.lan' A 10.0.0.4

aaronbrooks-gh commented 5 years ago

The entrypoint script runs chmod -R 750 /etc/bind which reverts my temporary fix every time the container is restarted.

I propose changing the entrypoint script to use permissions 770 instead of 750 for /etc/bind.

aaronbrooks-gh commented 5 years ago

Looks like I'm actually supposed to put the zone files in /var/cache/bind, not /etc/bind, as is done on Debian.

PEBKAC...

ventz commented 5 years ago

:)
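The failure in this thread comes down to one condition: BIND writes the journal (`db.lan.jnl`) into the same directory as the zone file, so that directory must be writable by the user `named` runs as, which `chmod -R 750 /etc/bind` in the entrypoint rules out for group members. The following pre-flight check is an added example, not code from the ventz/bind image or from the reporter: it scans a `named.conf` text for zones that accept dynamic updates and reports whether the journal could be created; the uid/gid values and paths used are assumptions for illustration.

```python
import os
import re
import stat


def _zone_blocks(conf):
    """Yield (zone_name, body) for each zone statement, matching braces so that
    nested blocks such as allow-update { ... }; do not end the zone early."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)  # drop comments
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def dir_writable_by(path, uid, gids):
    """Mode-bit check (ACLs ignored): can a process with this uid and these
    group ids create entries in directory `path`? Needs write and search bits."""
    st = os.stat(path)
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need


def check_dynamic_zones(conf, uid, gids, directory="/"):
    """Return {zone: True/False} for every zone that accepts dynamic updates
    (allow-update or update-policy): True when named, running as uid/gids, can
    create the .jnl journal beside the zone file. Relative 'file' paths are
    resolved against `directory` (the options { directory ...; } value)."""
    results = {}
    for name, body in _zone_blocks(conf):
        if not re.search(r"\b(allow-update|update-policy)\b", body):
            continue
        fm = re.search(r'file\s+"([^"]+)"', body)
        if fm:
            zone_path = os.path.join(directory, fm.group(1))
            results[name] = dir_writable_by(os.path.dirname(zone_path), uid, gids)
    return results
```

Run it against the container's `named.conf` with the uid and gids of the `bind` user (assumed names; check `id bind` inside the container) before enabling dynamic updates; a `False` result is exactly the "create: permission denied" / "journal open failed" case from the log above.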