PowerDNS fails to start with the following error when using the
Feb 04 09:04:15 host.name.tld systemd: pdns.service: main process exited, code=exited, status=218/CAPABILITIES
Feb 04 09:04:15 host.name.tld systemd: Failed to start PowerDNS Authoritative Server.
Feb 04 09:04:15 host.name.tld systemd: Unit pdns.service entered failed state.
Feb 04 09:04:15 host.name.tld systemd: pdns.service failed.
In cPanel & WHM version 94, we ship a new RPM for PowerDNS that includes a few additions to the systemd unit file. It appears that these changes are incompatible with older kernels and therefore prevent PowerDNS from starting.
We have opened an internal case for our development team to investigate this further; for reference, the case number is CPANEL-35848. Follow this article to receive an email notification when a solution is published in the product.
So far the issue has only been observed on servers running very old kernels (more than three years old), so the recommended workaround is to update the system's kernel to the latest available version:
yum update kernel
As an alternative, or as a temporary measure to bring DNS back online, you can switch the nameserver from PowerDNS to BIND:
WARNING: If you switch your nameserver away from PowerDNS, your DNS server will no longer serve DNSSEC records.
You must ensure that the domains do not have DS records configured at their domain registrar.
Failure to do so will cause DNS resolution issues.
Are you sure you want to switch to "bind" [y/n]? y
If your environment requires PowerDNS, there is another temporary workaround you can use until the kernel can be updated (for example on a VPS, where the kernel update requires action from the hardware node's administrator). Be aware that this workaround weakens the security of the PowerDNS installation, so we strongly recommend updating the kernel as the proper resolution.
First, create a systemd drop-in override.conf for the pdns service (for example with "systemctl edit pdns.service", which creates /etc/systemd/system/pdns.service.d/override.conf) with the following contents. The [Service] section header is required; systemd rejects a drop-in whose directives sit outside a section.

[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
Then reload the systemd daemon so the drop-in is picked up, restart the PowerDNS service, and confirm that it is running:

systemctl daemon-reload
systemctl restart pdns.service
systemctl status pdns.service
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-03 11:54:24 EST; 6s ago
 Main PID: 19871 (pdns_server)
           └─19871 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
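The shell helpers below are an added example and not code from the cPanel article. They cover two points on this page: reading the "status=218/CAPABILITIES" journal line quoted at the top, and checking a drop-in like the override above before it is loaded with daemon-reload. The function names (exit_status_from_log, describe_exit_status, dropin_check, caps_in_dropin, caps_added), the sample journal line, the temporary files and the baseline capability list are all constructed for the example; the baseline is not the set shipped in cPanel's unit, which the article does not list. The meaning of status 218 (EXIT_CAPABILITIES) is taken from systemd.exec(5).

```shell
#!/bin/sh
# Added example, not code from the cPanel article. Helpers to triage a
# "status=218/CAPABILITIES" failure and to check a pdns drop-in before it is
# loaded. Everything below runs offline on constructed input; nothing here
# talks to systemd or modifies the system.

# Constructed journal line, modelled on the excerpt in the article.
SAMPLE_LOG='Feb 04 09:04:15 host.name.tld systemd: pdns.service: main process exited, code=exited, status=218/CAPABILITIES'

# Print the numeric exit status systemd reported for the main process, or
# nothing when the line carries no status= field.
exit_status_from_log() {
    printf '%s\n' "$1" | sed -n 's|.*status=\([0-9][0-9]*\)/.*|\1|p'
}

# Explain the status. 218 is EXIT_CAPABILITIES in systemd.exec(5): the service
# manager could not apply the unit's capability settings to the new process,
# which is why the article's workaround touches CapabilityBoundingSet=.
describe_exit_status() {
    case "$1" in
        218) echo 'EXIT_CAPABILITIES: the unit capability settings could not be applied' ;;
        *)   echo "exit status $1 (not a capability failure)" ;;
    esac
}

# Return 0 when the drop-in is well formed and sets CapabilityBoundingSet=
# inside a [Service] section, 1 otherwise. A directive before any section
# header is the classic mistake: systemd rejects it at daemon-reload.
dropin_check() {
    awk '
        /^[ \t]*$/        { next }                 # blank line
        /^[ \t]*[#;]/     { next }                 # comment
        /^\[/             { section = $0; next }   # section header
        section == ""     { bad = 1 }              # directive outside any section
        /^CapabilityBoundingSet=/ && section == "[Service]" { seen = 1 }
        END { exit (bad || !seen) }
    ' "$1"
}

# List the capabilities named by CapabilityBoundingSet= in a drop-in, one per
# line. Only the plain form is handled (no leading "~", which inverts the list).
caps_in_dropin() {
    sed -n 's/^CapabilityBoundingSet=//p' "$1" | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Print the capabilities in list $2 that are absent from list $1: what a
# candidate override grants beyond a baseline. Both are space-separated.
caps_added() {
    baseline=$(printf '%s\n' $1 | sort -u)
    printf '%s\n' $2 | sort -u | while IFS= read -r cap; do
        printf '%s\n' "$baseline" | grep -Fqx -- "$cap" || printf '%s\n' "$cap"
    done
}

# --- demonstration on constructed files ---
status=$(exit_status_from_log "$SAMPLE_LOG")
echo "journal reports status $status: $(describe_exit_status "$status")"

tmp=$(mktemp -d)
# A bare directive with no [Service] header: systemd would refuse this drop-in.
printf 'CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN\n' > "$tmp/bad.conf"
# A well-formed drop-in carrying the capability list from the article.
printf '[Service]\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT CAP_DAC_READ_SEARCH\n' > "$tmp/good.conf"

for f in bad good; do
    if dropin_check "$tmp/$f.conf"; then echo "$f.conf: ok"; else echo "$f.conf: rejected"; fi
done

# Constructed baseline for comparison (not the set shipped in cPanel's unit,
# which the article does not list).
demo_baseline='CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SYS_CHROOT CAP_SETGID CAP_SETUID'
echo "capabilities good.conf grants beyond the constructed baseline:"
caps_added "$demo_baseline" "$(caps_in_dropin "$tmp/good.conf" | tr '\n' ' ')"
rm -rf "$tmp"
```

On a real server, run dropin_check against /etc/systemd/system/pdns.service.d/override.conf before systemctl daemon-reload, and feed caps_added the bounding set from the shipped unit (systemctl show -p CapabilityBoundingSet pdns.service) to see exactly which capabilities the override grants beyond it; that list is the security cost the article warns about.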
Should you run into any issues with this process, please open a ticket for further assistance.