Skip to main content

PowerDNS fails to start with "status=218/CAPABILITIES" after update to cPanel & WHM version 94

Axel Cervera
  • Updated

Symptoms

PowerDNS fails to start with the following error when using the /scripts/restartsrv_pdns script:

 

Startup Log
	Feb 04 09:04:15 host.name.tld systemd[1]: pdns.service: main process exited, code=exited, status=218/CAPABILITIES
	Feb 04 09:04:15 host.name.tld systemd[1]: Failed to start PowerDNS Authoritative Server.
	Feb 04 09:04:15 host.name.tld systemd[1]: Unit pdns.service entered failed state.
	Feb 04 09:04:15 host.name.tld systemd[1]: pdns.service failed.

 

Description

In cPanel & WHM version 94, we ship a new RPM for PowerDNS that includes a few additions to the systemd unit file. It appears that these changes are incompatible with older kernels and therefore prevent PowerDNS from starting.

 

We have opened an internal case for our development team to investigate this further; for reference, the case number is CPANEL-35848. Follow this article to receive an email notification when a solution is published in the product. 

 

Workaround

The issue has thus far only been observed with servers using extremely old kernels (+3 years old), thus the recommended workaround is to update your system's kernel to the latest available version:

 

yum update kernel

 

As an alternative and/or temporary measure to bring DNS online, you may consider trying to change from PowerDNS to BIND:

 

/scripts/setupnameserver bind

 

WARNING: If you switch your nameserver away from PowerDNS, your DNS server will no longer serve DNSSEC records.
You must ensure that the domains do not have DS records configured at their domain registrar.
Failure to do so will cause DNS resolution issues.

Are you sure you want to switch to "bind" [y/n]? y

 

Should you require PowerDNS for your operational environment, there is another temporary solution for use until the kernel can be updated (e.g., on VPSes that require hardware-node-level administrative action).  It is imperative to understand that this decreases the inherent security of the PowerDNS installation, and we therefore strongly recommend updating the kernel as the best practice for resolution.

 

First, make an override.conf file for PowerDNS as shown below:

  1. 1. mkdir /etc/systemd/system/pdns.service.d/
    2. vi /etc/systemd/system/pdns.service.d/override.conf
    3. cat /etc/systemd/system/pdns.service.d/override.conf
  2. [Service]
    User=root
    Group=root
    AmbientCapabilities=
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT CAP_DAC_READ_SEARCH

 

Then reload the systemctl daemon, and restart the PowerDNS service:

  1. 1. systemctl daemon-reload
    2. systemctl restart pdns.service
    3. systemctl status pdns.service
  2. ● pdns.service - PowerDNS Authoritative Server
       Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: disabled
      Drop-In: /etc/systemd/system/pdns.service.d
               └─override.conf
       Active: active (running) since Wed 2021-03-03 11:54:24 EST; 6s ago
         Docs: man:pdns_server(1)
               man:pdns_control(1)
               https://doc.powerdns.com
     Main PID: 19871 (pdns_server)
       CGroup: /system.slice/pdns.service
               └─19871 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no

 

Should you run into any issues with this process, please open a ticket for further assistance.

Related articles