Plesk 12.5, bind9 and Ubuntu 14.04 Apparmor Issues


After setting up Plesk 12.5 on my new Ubuntu 14 server, I found that bind9 (the DNS server) was not running like the other services in the service interface, so I tried to start it, but I received the following error.


Error: Unable to make action: Unable to manage service by dnsmng: ('start', 'dns'). Error: dnsmng: Service /etc/init.d/bind9 failed to start

Error from /var/log/messages reads:

Kernel: [6858.107517] type=1503 audit (1375351936.035:25):  operation="open" pid=21824 parent=21822 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/var/named/run-root/etc/named.conf"

The cause is that AppArmor's profile for /usr/sbin/named denies named read access to /var/named/run-root/etc/named.conf, the configuration Plesk sets up for bind9. The Odin team advises that you disable AppArmor, as it is not supported by Plesk.

Here is how to do that:

How to disable Apparmor on Plesk server

1. First, check that AppArmor is installed with the following command:

# dpkg --status apparmor | grep -i status

The output will be:

Status: install ok installed

2. Now run the following commands one after the other:

# /etc/init.d/apparmor stop
# /etc/init.d/apparmor teardown
# update-rc.d -f apparmor remove

3. Update or reinstall bind9 packages using apt-get

# apt-get install bind9

4. Update the list of installed components in Plesk with the following command

# /opt/psa/admin/bin/packagemng --set-dirty-flag
# /opt/psa/admin/bin/packagemng --list

After that, go back to the Plesk admin panel, go to Tools & Settings, and under Server Management open Services Management, then restart bind from there.

Update 15/03/2016

After a week of using the Plesk server I decided to update some programs using apt-get update and apt-get upgrade, and there was a bind9 update available, but it failed to install because AppArmor was enabled again. I got the error below:

Stopping domain name service... bind9                                 [ OK ]
 * Starting domain name service... bind9                                 [fail]
invoke-rc.d: initscript bind9, action "restart" failed.
dpkg: error processing package bind9 (--configure):
 subprocess installed post-installation script returned error exit status 1
Setting up usbutils (1:007-2ubuntu1.1) ...
Setting up cloud-init (0.7.5-0ubuntu1.17) ...
Leaving 'diversion of /etc/init/ureadahead.conf to /etc/init/ureadahead.conf.disabled by cloud-init'
Processing triggers for libc-bin (2.19-0ubuntu6.7) ...
Errors were encountered while processing:
 bind9
E: Sub-process /usr/bin/dpkg returned an error code (1)

On checking the log file, I found the error message below in /var/log/syslog:

[62079.088894] type=1400 audit(1457566503.779:11): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/named/run-root/etc/named.conf" pid=2627 comm="named" requested_mask="r" denied_mask="r" fsuid=108 ouid=0

We will add a rule to the local AppArmor profile file so that AppArmor will not interfere with bind9 again. Open the following file in your preferred editor (mine is nano). If you are not doing this as root, don't forget to add sudo.

nano /etc/apparmor.d/local/usr.sbin.named

Add the text below to the file:

# Allow Plesk's configuration for bind9 to run with AppArmor peacefully
/var/named/run-root/** rwm,

After that, reload the profile so the changes take effect, using the following commands:

# Reload Apparmor profile
service apparmor reload

# Start bind9, should work now
service bind9 start

Now you need to restart Plesk Panel

service psa restart

Below is the message I received after successfully implementing this:

Setting up bind9 (1:9.9.5.dfsg-3ubuntu0.8) ...
 * Stopping domain name service... bind9                                 [ OK ]
 * Starting domain name service... bind9
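
As an added example (not part of the original post; the function names are illustrative), this Python script parses both AppArmor denial formats quoted above and derives the narrowest local rule those denials justify, for comparison with the broader `/var/named/run-root/** rwm,`. It assumes only file-access denials and uses a simplified glob match.

```python
import re
from collections import defaultdict

# The two denial lines quoted in this post, with straight quotes restored.
SAMPLE_LOG = '''\
Kernel: [6858.107517] type=1503 audit (1375351936.035:25):  operation="open" pid=21824 parent=21822 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/var/named/run-root/etc/named.conf"
[62079.088894] type=1400 audit(1457566503.779:11): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/named/run-root/etc/named.conf" pid=2627 comm="named" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor denial line, else None."""
    fields = {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD.finditer(line)}
    # Older kernels log denials as type=1503 without an apparmor= field.
    denied = fields.get("type") == "1503" or fields.get("apparmor") == "DENIED"
    if not denied or not {"profile", "name", "denied_mask"} <= fields.keys():
        return None
    return fields


def minimal_rules(log_text):
    """Map each profile to the narrowest file rules covering its denials."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            # Old-style masks look like "::r"; keep only the letters.
            needed[d["profile"]][d["name"]].update(d["denied_mask"].replace(":", ""))
    return {prof: [f"{path} {''.join(sorted(perms))}," for path, perms in sorted(paths.items())]
            for prof, paths in needed.items()}


def surplus_permissions(broad_rule, narrow_rules):
    """Permissions broad_rule grants that no logged denial on its paths needed."""
    glob, perms = broad_rule.rstrip(",").rsplit(None, 1)
    # Simplified AppArmor globbing: ** crosses "/", * does not.
    regex = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    used = set()
    for rule in narrow_rules:
        path, mask = rule.rstrip(",").rsplit(None, 1)
        if re.fullmatch(regex, path):
            used.update(mask)
    return "".join(sorted(set(perms) - used))


if __name__ == "__main__":
    for profile, rules in minimal_rules(SAMPLE_LOG).items():
        print(f"# denials for profile {profile}")
        for rule in rules:
            print(rule, "# not needed so far from the rwm rule:",
                  surplus_permissions("/var/named/run-root/** rwm,", [rule]))
```

named may log further denials once the first one is resolved, so rerun this on fresh lines from /var/log/syslog before tightening the rule.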
