Plesk 11, bind9 and Ubuntu 12.04 Apparmor problems

Tuesday, February 26, 2013 - 02:37

After installing Plesk 11 on a fresh install of Ubuntu 12.04 you may find that bind9 (the DNS server) fails to start from the services interface. It gave me the following message:

    Unable to make action: Unable to manage service by dnsmng: dnsmng: Service /etc/init.d/bind9 failed to start ('--start', 'dns')

If you dig into your syslog (i.e. tail /var/log/syslog), you will see a message much like this (a # denotes blanked-out numerals, as they will be different on every system):

    Feb ## ##:##:## holding named[####]: starting BIND 9.8.1-P1 -t /var/named/run-root -c /etc/named.conf -u bind
    <-- snip -->
    Feb ## ##:##:## holding named[####]: initializing DST: openssl failure
    Feb ## ##:##:## holding named[####]: exiting (due to fatal error)
    Feb ## ##:##:## holding kernel: [####.####] type=#### audit(########.####:####): apparmor="DENIED" operation="open" parent=#### profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=#### comm="named" requested_mask="r" denied_mask="r" fsuid=#### ouid=####

The problem is that AppArmor is stopping bind9 from accessing what it needs to run with Plesk's configuration. Parallels advises that you disable AppArmor as it is not supported by Plesk. I did not wish to do this so instead I added allow rules to bind9's AppArmor profile.

I'm assuming you are running as root, otherwise you will need to put 'sudo' before the below commands. First, grab your favourite text editor and open /etc/apparmor.d/local/usr.sbin.named (we are adding it to the local profile so that it will not interfere with possible updates to the main /etc/apparmor.d/usr.sbin.named profile) and add the following:

    # Allow Plesk's configuration for bind9 to run with AppArmor
    /var/named/run-root/** rwm,

Then we need to:

    # Reload AppArmor profiles
    service apparmor reload
    # Start bind9, which should start without error now
    service bind9 start

You should now be able to refresh the list of services on the services management page and see that bind9 is running. If not, you may need to restart Plesk like so:

    service psa restart

You should now have that issue sorted out without having to take the, in my opinion, drastic measure of completely ripping AppArmor out of your system. I can't comment on the security of the AppArmor allow rule above as I am no expert on AppArmor profiles, but I think overall it's better than no AppArmor at all for everything.
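
An added example, not part of the original post: a Python sketch that reads AppArmor DENIED audit lines in the format of the syslog excerpt above and lists, per denied path, the permission a profile rule would need, so the local profile can be compared with what named actually requested. The sample log is constructed (made-up numbers, and the pid-file and cupsd entries are hypothetical), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the syslog excerpt above. All numbers are
# made up; the named.pid and cupsd entries are hypothetical.
SAMPLE_LOG = """\
Feb 26 02:30:01 holding named[1234]: initializing DST: openssl failure
Feb 26 02:30:01 holding kernel: [1000.0001] type=1400 audit(1361845801.001:10): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 26 02:31:07 holding kernel: [1066.0002] type=1400 audit(1361845867.002:11): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/var/named/run-root/var/run/named/named.pid" pid=1240 comm="named" requested_mask="c" denied_mask="c" fsuid=105 ouid=105
Feb 26 02:31:09 holding kernel: [1068.0003] type=1400 audit(1361845869.003:12): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/constructed.conf" pid=1300 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs, as they appear in audit messages.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are covered by "w" in a profile rule.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "m": "m", "k": "k", "l": "l"}

def parse_denials(text):
    """Return one dict of key=value fields per AppArmor DENIED line."""
    denials = []
    for line in text.splitlines():
        fields = {k: q if q else u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            denials.append(fields)
    return denials

def summarize(text, profile="/usr/sbin/named"):
    """Map each path denied to `profile` to the rule permissions it needs."""
    needed = defaultdict(set)
    for d in parse_denials(text):
        if d.get("profile") != profile:
            continue  # denial belongs to a different confined program
        for flag in d.get("denied_mask", ""):
            # Unmapped flags (e.g. "x", which needs an exec mode such as ix)
            # are kept with a "?" prefix so they get reviewed by hand.
            needed[d["name"]].add(LOG_TO_RULE.get(flag, "?" + flag))
    return {p: "".join(sorted(perms)) for p, perms in sorted(needed.items())}

if __name__ == "__main__":
    for path, perms in summarize(SAMPLE_LOG).items():
        print(f"{path} {perms},")
```

Run against the real /var/log/syslog after each failed start, the output shows which paths under /var/named/run-root were denied and with which access, which is the information needed to judge how much of the `/var/named/run-root/** rwm,` rule is actually exercised.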

Author: Ryan Solomon
Ryan is a partner at desiDev, he likes open source software and QfG meeps.

Hi Ryan,

Thanks for sharing these details with us. I was wondering if you could assist me on setting up the Plesk failover server. Do you have any experience in setting up the Plesk failover?

Thanks,