Systemd script

Reindl Harald h.reindl at thelounge.net
Fri Feb 19 11:02:13 UTC 2016



Am 19.02.2016 um 11:45 schrieb Josep Manel Andrés:
> I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init
> script we were using on SLES11 SP3, but it doesn't seem to work, since
> the new version of bind needs some libraries copied into the
> chroot environment. That's why I am trying to adapt the systemd unit
> that comes with the version from the SLES 12 repositories, but so far I
> haven't got it working.
>
> Does anyone have a systemd unit or init script that works for bind-9.9.8-P3?
>
> What would be the correct procedure to run named as a daemon?

Fedora has shipped systemd units for BIND for a long time now; the unit and the chroot helper script it calls follow.
_______________________________________________________________________

[root at srv-rhsoft:~]$ cat /etc/systemd/system/named.service
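[Unit]
Description=DNS Server
# After= only orders this unit behind the listed units, it does not pull them
# in; without a matching Wants=network-online.target that target is not
# necessarily reached at all.  NOTE(review): confirm this ordering is what is
# intended on the host.
After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service

[Service]
# named is started in the foreground (-f below), so systemd tracks it directly.
Type=simple
# The Exec* steps run as root (there is no User= here) and every one of them
# is bounded by CapabilityBoundingSet below.  The bind mounts made by
# setup-named-chroot.sh are the reason CAP_SYS_ADMIN has to stay in that set.
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
# Validate the configuration as seen from inside the chroot (-t) and load
# every zone (-z) before the daemon itself is started.
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
# IPv4 only (-4), foreground (-f), drop to user "named" (-u) inside the
# chroot (-t); the privilege drop happens inside named, not via User=.
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
# Tear the bind mounts down again once the daemon has exited.
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
PrivateTmp=yes
# The service gets a private, minimal /dev.  Whether the chroot's own /dev
# (e.g. /dev/null, /dev/random) is populated is not handled by the helper
# script as shown here.  NOTE(review): verify that on the host.
PrivateDevices=yes
TimeoutSec=25
Restart=always
RestartSec=1
# Upper bound on the capabilities of every process of this unit, named
# included.  CAP_SYS_ADMIN is accounted for by the mount step; which of the
# remaining broad ones (CAP_DAC_OVERRIDE, CAP_NET_RAW, CAP_NET_ADMIN) named
# still needs after dropping to "named" is not visible here -- audit before
# tightening, but do tighten if the mounts ever move out of this unit.
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
# Read-only view of the base system.  Paths not listed here, such as
# /var/named (the chroot and its zone data) and /run/named, stay writable.
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
# Hidden from the service entirely; the leading "-" makes a missing path a
# non-error instead of a unit failure.
InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target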
_______________________________________________________________________

[root at srv-rhsoft:~]$ cat /usr/libexec/setup-named-chroot.sh
#!/bin/bash

# Host paths that get bind-mounted to the same path below ROOTDIR (see
# mount_chroot_conf).  Entries missing on the host are skipped at mount time.
# This is deliberately one whitespace-separated string and not an array: the
# callers iterate over it unquoted (for all in $ROOTDIR_MOUNT), which is safe
# only because none of these paths contain whitespace or glob characters.
ROOTDIR_MOUNT='
   /etc/localtime
   /etc/named
   /etc/pki/dnssec-keys
   /etc/named.root.key
   /etc/named.conf
   /etc/named.dnssec.keys
   /etc/named.rfc1912.zones
   /etc/rndc.conf
   /etc/rndc.key
   /usr/lib64/bind
   /usr/lib/bind
   /etc/named.iscdlv.key
   /run/named
   /var/named
   /etc/crypto-policies/back-ends/bind.config
'

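# Print a short synopsis.  This is only ever called from an error path, so
# the text belongs on stderr, not on stdout.
usage()
{
   echo >&2
   echo 'This script sets up the chroot environment for BIND' >&2
   echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]' >&2
}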

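# --- argument validation ----------------------------------------------------
if ! [ "$#" -eq 2 ]; then
   echo 'Wrong number of arguments' >&2
   usage
   exit 1
fi

# Strip one trailing slash so that "$ROOTDIR$all" never contains "//": the
# umount step matches the literal target path against the output of mount(8),
# which prints normalized paths, so a doubled slash would leave mounts behind.
ROOTDIR="${1%/}"

# Every mount target is built as "$ROOTDIR$all", so ROOTDIR has to be an
# absolute directory other than "/": a relative path would be resolved
# against the current directory and "/" would bind-mount the host paths onto
# themselves.
if [ -z "$ROOTDIR" ]; then
   printf 'Root directory must be a directory other than / (got "%s")\n' "$1" >&2
   usage
   exit 1
fi
case "$ROOTDIR" in
   /*)
      ;;
   *)
      printf 'Root directory must be an absolute path (got "%s")\n' "$1" >&2
      usage
      exit 1
      ;;
esac

# Exit if ROOTDIR doesn't exist
if ! [ -d "$ROOTDIR" ]; then
   printf "Root directory %s doesn't exist\n" "$ROOTDIR" >&2
   usage
   exit 1
fi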

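# Bind-mount every ROOTDIR_MOUNT entry that exists on the host to the same
# path below ROOTDIR.  Files are mounted over an empty placeholder created
# with touch; directories are mounted only when the target directory in the
# chroot is empty, so content an admin placed there by hand is never hidden.
#
# Globals: ROOTDIR, ROOTDIR_MOUNT (read)
# Returns: 0 if every attempted mount succeeded, 1 if any mount failed or a
#          target was refused.  Skipped entries do not count.  Diagnostics
#          go to stderr.
mount_chroot_conf()
{
   local all target rc=0

   [ -n "$ROOTDIR" ] || return 0

   for all in $ROOTDIR_MOUNT; do
      # Skip entries that do not exist on this host.
      [ -e "$all" ] || continue

      target="$ROOTDIR$all"

      # Refuse a symlink at the target: touch and mount --bind both follow
      # it, so a link planted inside the chroot would redirect a root-run
      # mount (and the placeholder touch) to an arbitrary path.  Only the
      # final component is checked here; the parent directories below
      # ROOTDIR are presumed not writable by the service user -- verify that.
      if [ -L "$target" ]; then
         printf 'setup-named-chroot.sh: refusing symlink mount target %s\n' "$target" >&2
         rc=1
         continue
      fi

      if ! [ -d "$all" ]; then
         # Source is a file: mount only if the target is missing or empty
         # (-s is true for an existing, non-empty file).
         if ! [ -s "$target" ]; then
            if ! touch -- "$target" || ! mount --bind "$all" "$target"; then
               printf 'setup-named-chroot.sh: failed to mount %s on %s\n' "$all" "$target" >&2
               rc=1
            fi
         fi
      else
         # Source is a directory: the target must exist and be empty.
         if ! [ -d "$target" ]; then
            printf 'setup-named-chroot.sh: %s is missing in the chroot, not mounting %s\n' "$target" "$all" >&2
            rc=1
            continue
         fi
         # Emptiness check via find (dotfiles included) instead of parsing ls.
         if [ -z "$(find "$target" -mindepth 1 -maxdepth 1 -print -quit)" ]; then
            if ! mount --bind --make-private "$all" "$target"; then
               printf 'setup-named-chroot.sh: failed to mount %s on %s\n' "$all" "$target" >&2
               rc=1
            fi
         fi
      fi
   done

   return "$rc"
}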

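# Undo mount_chroot_conf: unmount every ROOTDIR_MOUNT entry that is currently
# mounted below ROOTDIR and remove the file placeholders created by touch.
# Mount state is read from mount(8) output rather than /proc/mounts because,
# per the original author, detection of modified mounted files can fail there.
#
# Globals: ROOTDIR, ROOTDIR_MOUNT (read)
# Returns: 0 if every unmount succeeded, 1 otherwise.  Diagnostics go to
#          stderr.
umount_chroot_conf()
{
   local all target mounts rc=0

   [ -n "$ROOTDIR" ] || return 0

   # One snapshot is enough; each target is looked up independently.
   mounts=$(mount)

   for all in $ROOTDIR_MOUNT; do
      target="$ROOTDIR$all"

      # Fixed-string match on " on TARGET " so that regex metacharacters in
      # the path (every "." in these names) cannot widen the match.
      if printf '%s\n' "$mounts" | grep -qF -- " on $target "; then
         if umount "$target"; then
            # Only the placeholder file created by mount_chroot_conf is
            # removed; directories in the chroot are left in place.
            if [ -f "$all" ]; then
               rm -f -- "$target"
            fi
         else
            printf 'setup-named-chroot.sh: failed to unmount %s\n' "$target" >&2
            rc=1
         fi
      fi
   done

   return "$rc"
}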

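# Dispatch on the mode argument.  The exit status is that of the selected
# action: when this runs as a systemd ExecStartPre, a failed bind mount
# should abort the start rather than let named come up in a chroot that is
# missing its configuration or keys.
case "$2" in
   on)
      mount_chroot_conf
      ;;
   off)
      umount_chroot_conf
      ;;
   *)
      echo 'Second argument has to be "on" or "off"' >&2
      usage
      exit 1
      ;;
esac
status=$?

exit "$status"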


