Linux: fixing high CPU usage by the named process

Solution

/usr/sbin/named -u named -g &

High CPU usage caused by the named process

named is using too much CPU
Error log

Jun 26 10:26:03 localhost named[1906]: managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error
Jun 26 10:26:12 localhost named[1906]: error (no valid RRSIG) resolving '168.192.in-addr.arpa/DS/IN': 8.8.8.8#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:503:ba3e::2:30#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:500:13::73#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:500:87::87#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:500:f0::63#53

At this point there are 14 zombie processes.

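The error (no valid RRSIG) is caused by three DNSSEC-related security options. These three options generally do not need to be enabled and can simply be commented out. With dnssec-validation no, named no longer validates DNSSEC signatures on the answers it resolves. Set them as follows: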

       dnssec-enable no;
       dnssec-validation no;
       dnssec-lookaside auto;

Restart named.

Check the log: only one error remains.

Jun 26 10:56:33 localhost named[10967]: managed-keys-zone ./IN: journal rollforward failed: unexpecte

CPU usage is still very high.

[root@ostaer named]# /usr/sbin/named -g &
[1] 23304
[root@ostaer named]# 26-Jun-2014 11:05:38.357 starting BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 -g
26-Jun-2014 11:05:38.357 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
26-Jun-2014 11:05:38.357 ----------------------------------------------------
26-Jun-2014 11:05:38.357 BIND 9 is maintained by Internet Systems Consortium,
26-Jun-2014 11:05:38.357 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
26-Jun-2014 11:05:38.357 corporation.  Support and training for BIND 9 are 
26-Jun-2014 11:05:38.357 available at https://www.isc.org/support
26-Jun-2014 11:05:38.357 ----------------------------------------------------
26-Jun-2014 11:05:38.357 adjusted limit on open files from 4096 to 1048576
26-Jun-2014 11:05:38.357 found 4 CPUs, using 4 worker threads
26-Jun-2014 11:05:38.358 using up to 4096 sockets
26-Jun-2014 11:05:38.365 loading configuration from '/etc/named.conf'
26-Jun-2014 11:05:38.365 /etc/named.conf:13: change directory to '/var/named' failed: permission denied
26-Jun-2014 11:05:38.365 /etc/named.conf:13: parsing failed
26-Jun-2014 11:05:38.396 loading configuration: permission denied
26-Jun-2014 11:05:38.396 exiting (due to fatal error)
^C
[1]+  Exit 1               /usr/sbin/named -g

The output reports: /etc/named.conf:13: change directory to '/var/named' failed: permission denied

Check the zone file permissions:

[root@ostaer named]# ll -d /var/named
drwxr-x---. 6 named named 4096 Jun 26 11:17 /var/named

Correct.

Run as the named user:

[root@ostaer named]# /usr/sbin/named -u named -g &
[1] 31401
[root@ostaer named]# 26-Jun-2014 11:11:50.100 starting BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 -u named -g
26-Jun-2014 11:11:50.100 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
26-Jun-2014 11:11:50.100 ----------------------------------------------------
26-Jun-2014 11:11:50.100 BIND 9 is maintained by Internet Systems Consortium,
26-Jun-2014 11:11:50.100 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
26-Jun-2014 11:11:50.100 corporation.  Support and training for BIND 9 are 
26-Jun-2014 11:11:50.100 available at https://www.isc.org/support
26-Jun-2014 11:11:50.100 ----------------------------------------------------
26-Jun-2014 11:11:50.100 adjusted limit on open files from 4096 to 1048576
26-Jun-2014 11:11:50.100 found 4 CPUs, using 4 worker threads
26-Jun-2014 11:11:50.103 using up to 4096 sockets
26-Jun-2014 11:11:50.112 loading configuration from '/etc/named.conf'
26-Jun-2014 11:11:50.113 reading built-in trusted keys from file '/etc/named.iscdlv.key'
26-Jun-2014 11:11:50.115 using default UDP/IPv4 port range: [1024, 65535]
26-Jun-2014 11:11:50.115 using default UDP/IPv6 port range: [1024, 65535]
26-Jun-2014 11:11:50.237 listening on IPv4 interface lo, 127.0.0.1#53
26-Jun-2014 11:11:50.243 listening on IPv4 interface eth0, 172.16.7.129#53
26-Jun-2014 11:11:50.280 listening on IPv6 interface lo, ::1#53
26-Jun-2014 11:11:50.324 Could not open '/var/run/named/named.pid'.
26-Jun-2014 11:11:50.324 Please check file and directory permissions or reconfigure the filename.
26-Jun-2014 11:11:50.324 could not open file '/var/run/named/named.pid': Permission denied
26-Jun-2014 11:11:50.324 generating session key for dynamic DNS
26-Jun-2014 11:11:50.324 Could not open '/var/run/named/session.key'.
26-Jun-2014 11:11:50.325 Please check file and directory permissions or reconfigure the filename.
26-Jun-2014 11:11:50.325 could not open file '/var/run/named/session.key': Permission denied
26-Jun-2014 11:11:50.325 could not create /var/run/named/session.key
26-Jun-2014 11:11:50.325 failed to generate session key for dynamic DNS: permission denied
26-Jun-2014 11:11:50.325 sizing zone task pool based on 7 zones
26-Jun-2014 11:11:50.379 using built-in DLV key for view _default
26-Jun-2014 11:11:50.380 set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
26-Jun-2014 11:11:50.380 Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
26-Jun-2014 11:11:50.380 automatic empty zone: 127.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 254.169.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 2.0.192.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 100.51.198.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 113.0.203.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: D.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 8.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 9.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: A.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: B.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
26-Jun-2014 11:11:50.471 command channel listening on 127.0.0.1#953
26-Jun-2014 11:11:50.471 command channel listening on ::1#953
26-Jun-2014 11:11:50.555 ignoring config file logging statement due to -g option
26-Jun-2014 11:11:50.563 zone 0.in-addr.arpa/IN: loaded serial 0
26-Jun-2014 11:11:50.568 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
26-Jun-2014 11:11:50.569 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
26-Jun-2014 11:11:50.574 zone localhost.localdomain/IN: loaded serial 0
26-Jun-2014 11:11:50.574 zone localhost/IN: loaded serial 0
26-Jun-2014 11:11:50.574 zone sirun.net/IN: loading from master file sirun.net.zone failed: file not found
26-Jun-2014 11:11:50.574 zone sirun.net/IN: not loaded due to errors.
26-Jun-2014 11:11:50.618 managed-keys-zone ./IN: loaded serial 0
26-Jun-2014 11:11:50.627 running

No errors are reported. Checking the CPU shows it is back to normal.

Check for zombie processes:

# ps -eo stat,ppid,pid,cmd | grep -e '^[zZ]'

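Result: no zombie processes.

Summary:

The cause is unknown; the error could not be reproduced.

The original named service may have been forced to run as root.

Check the named process and pay attention to permission problems: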

[root@ostaer init.d]# ps -ef | grep named | grep -v grep
named    15480     1  0 11:23 ?       00:00:00 /usr/sbin/named -u named -t /var/named/chroot
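
As an added example (not part of the original post), the two checks used in this walkthrough can be scripted: which account each named process runs as, and which paths named was denied access to in its -g output. The function names audit_named_ps and denied_paths are hypothetical, and the second ps line in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# audit_named_ps: read "USER COMMAND ARGS..." lines (ps -eo user=,args=) on
# stdin and report, for each named process, the account it runs as plus any
# -u (setuid target) and -t (chroot directory) arguments.
audit_named_ps() {
    awk '{
        n = split($2, part, "/")
        if (part[n] != "named") next          # skip anything that is not named
        u = "-"; t = "-"
        for (i = 3; i < NF; i++) {
            if ($i == "-u") u = $(i + 1)
            if ($i == "-t") t = $(i + 1)
        }
        verdict = ($1 == "root") ? "FAIL" : "OK"
        printf "%s user=%s -u=%s chroot=%s\n", verdict, $1, u, t
    }'
}

# denied_paths: read named -g output on stdin and print, once each, every
# quoted path that appears on a "permission denied" line.
denied_paths() {
    grep -i 'permission denied' | sed -n "s/.*'\([^']*\)'.*/\1/p" | sort -u
}

# Sample input: the first ps line and the log lines are taken from the post;
# the second ps line is constructed to show the root case.
SAMPLE_PS='named /usr/sbin/named -u named -t /var/named/chroot
root /usr/sbin/named -g'

SAMPLE_LOG="/etc/named.conf:13: change directory to '/var/named' failed: permission denied
could not open file '/var/run/named/named.pid': Permission denied
could not open file '/var/run/named/session.key': Permission denied
failed to generate session key for dynamic DNS: permission denied"

printf '%s\n' "$SAMPLE_PS"  | audit_named_ps
printf '%s\n' "$SAMPLE_LOG" | denied_paths
```

On a live host the same functions can be fed with `ps -eo user=,args= | audit_named_ps` and with the captured output of named -g.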


Reposted from blog.csdn.net/whatday/article/details/114600658