bind9 service cannot be started: rndc: connect failed: 127.0.0.1#953:

Symptoms

While trying to start bind9 service the following errors can be found in /var/log/syslog :

Aug 22 20:31:16 Plesk001 systemd[1]: Starting BIND Domain Name Server... 
Aug 22 20:31:16 Plesk001 systemd[1]: Started BIND Domain Name Server. 
Aug 22 20:31:16 Plesk001 systemd[1]: bind9.service: main process exited, code=exited, status=1/FAILURE 
Aug 22 20:31:16 Plesk001 systemd[1]: Unit bind9.service entered failed state.

The bind9 status shows the following:

# service bind9 status
● bind9.service - BIND Domain Name Server
Loaded: loaded (/etc/systemd/system/bind9.service; enabled)
Drop-In: /run/systemd/generator/bind9.service.d
└─50-insserv.conf-$named.conf
Active: failed (Result: exit-code) since Tue 2017-08-22 18:16:28 EDT; 2min 36s ago
Aug 22 18:16:28 example.com systemd[1]: Started BIND Domain Name Server.
Aug 22 18:16:28 example.com systemd[1]: bind9.service: main process exited, co...RE
Aug 22 18:16:28 example.com rndc[19883]: rndc: connect failed: 127.0.0.1#953: ...ed
Aug 22 18:16:28 example.com systemd[1]: bind9.service: control process exited,...=1
Aug 22 18:16:28 example.com systemd[1]: Unit bind9.service entered failed state.

If use strace utility:

# strace -vvvttTfs4096 -o bind9.log /usr/sbin/named -f -t /var/named/run-root -c /etc/named.conf -u bind -n 2

then the following output can be found in bind9.log :

connect(3, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied) <0.000024> 

open("/etc/named.conf", O_RDONLY) = -1 EACCES (Permission denied) <0.000017>

Kernel output shows that it is a proxmox container:

# uname -a
Linux Plesk001 4.4.59-1-pve #1 SMP PVE 4.4.59-87 (Tue, 25 Apr 2017 09:01:58 +0200) x86_64 GNU/Linux

Cause

Hardware node blocks /usr/sbin/named .

Resolution

Note: the issue can be fixed only on a Hardware node side.

Below workaround can be applied:

1. Create copies of /usr/sbin/named , /etc/init.d/bind9 , /etc/systemd/system/bind9.service and /lib/systemd/system/bind9.service files:

   # cp -p /usr/sbin/named /usr/sbin/bind_custom
   # cp -p /etc/init.d/bind9 /etc/init.d/bind9.orig
   # cp -p /etc/systemd/system/bind9.service /etc/systemd/system/bind9.service.orig
   # cp -p /lib/systemd/system/bind9.service /lib/systemd/system/bind9.service.orig

2. Change from /usr/sbin/named to /usr/sbin/bind_custom in below files:

   # sed -i 's/\/usr\/sbin\/named/\/usr\/sbin\/bind_custom/g' /etc/init.d/bind9
   # sed -i 's/\/usr\/sbin\/named/\/usr\/sbin\/bind_custom/g' /etc/systemd/system/bind9.service
   # sed -i 's/\/usr\/sbin\/named/\/usr\/sbin\/bind_custom/g' /lib/systemd/system/bind9.service

3. Start bind9 service:

   # systemctl daemon-reload
   # service bind9 start

4. Check its status:

   # service bind9 status
   bind9.service BIND Domain Name Server
   Loaded: loaded (/etc/systemd/system/bind9.service; enabled)
   Drop-In: /run/systemd/generator/bind9.service.d
   └─50-insserv.conf-$named.conf Active: active (running) since Wed 2017-08-23 14:35:48 EDT; 6min ago