Systemd script
    Reindl Harald 
    h.reindl at thelounge.net
       
    Fri Feb 19 11:25:03 UTC 2016
    
    
  
Am 19.02.2016 um 12:13 schrieb Josep Manel Andrés:
> Hi Harald,
> Thanks, but I suspect those are the files that come with the default
> system installation, but not usable (without modifications) if I have
> compiled it from source. Am I right?
well, it should not be that hard to adapt them to your needs, or even to 
build a proper package containing all that stuff - only over my dead 
body would I run a "make install" on any machine outside rpmbuild (files 
dropped in by hand are invisible to the package manager, so they can't be 
verified, tracked or cleanly updated later)
> On 19/02/16 12:02, Reindl Harald wrote:
>>
>>
>> Am 19.02.2016 um 11:45 schrieb Josep Manel Andrés:
>>> I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init
>>> script we were using on SLES11SP3, but it doesn't seem to work, since
>>> the new version of bind needs to get some libraries copied into the
>>> chroot environment, that's why I am trying to adapt the systemd script
>>> that comes with the version from repos on SLES 12 but so far I didn't
>>> get it working.
>>>
>>> Does anyone have a systemd or init script that works for bind-9.9.8-P3?
>>>
>>> What would be the correct procedure to run named as daemon?
>>
>> Fedora has shipped systemd units for BIND (including a chroot setup helper) for a long time now:
>> _______________________________________________________________________
>>
>> [root at srv-rhsoft:~]$ cat /etc/systemd/system/named.service
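[Unit]
Description=DNS Server
# The mail client wrapped this line in the original post; a unit file has no
# line continuation, so After= must stay on one line.  The bridge/VPN units
# at the end are specific to the poster's host -- trim the list to the units
# that actually exist on yours.
After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service

[Service]
# named is started with -f (foreground), so Type=simple is the matching type.
Type=simple
# Bind-mount the host-side configuration into the chroot first, then validate
# the configuration and zones (-z) *inside* the chroot before the daemon starts.
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
# No User= here: named is started as root and chroots (-t) and drops to the
# named user (-u) itself.  -4 restricts it to IPv4; drop that if the host
# should answer over IPv6 as well.
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
# Tear the bind mounts down again after the daemon has gone.
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
PrivateTmp=yes
PrivateDevices=yes
TimeoutSec=25
Restart=always
RestartSec=1
# Upper bound on the capabilities the service (ExecStartPre= included) may
# ever hold.  CAP_SYS_ADMIN is what "mount --bind" in setup-named-chroot.sh
# needs, CAP_SYS_CHROOT what "named -t" needs, CAP_SETUID/CAP_SETGID what
# "named -u" needs, and CAP_NET_BIND_SERVICE covers port 53.  Whether the
# remaining ones (CAP_DAC_OVERRIDE, CAP_NET_ADMIN, CAP_NET_RAW, ...) are
# needed is deployment-specific -- review and drop what is not, since this
# set also bounds what a compromised named could do.  (Line was mail-wrapped
# in the original post; it must be a single line.)
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
# Filesystem view hardening: read-only system trees, and host-private paths
# hidden entirely.  The leading "-" is meant to make a missing path non-fatal.
# NOTE(review): newer systemd versions call these ReadOnlyPaths= and
# InaccessiblePaths= (the old names are still accepted) -- verify against
# the systemd version you run.
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target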
>> _______________________________________________________________________
>>
>> [root at srv-rhsoft:~]$ cat /usr/libexec/setup-named-chroot.sh
>> #!/bin/bash
>>
>> ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys
>> /etc/named.root.key /etc/named.conf
>> /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf
>> /etc/rndc.key
>> /usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /run/named /var/named
>> /etc/crypto-policies/back-ends/bind.config'
>>
# Print the help text to stdout, preceded by one blank line.  The callers
# decide the exit status themselves after calling this.
usage()
{
  printf '\n%s\n%s\n' \
    'This script setups chroot environment for BIND' \
    'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
}

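# --- argument handling -------------------------------------------------------
if ! [ "$#" -eq 2 ]; then
  echo 'Wrong number of arguments'
  usage
  exit 1
fi

ROOTDIR="$1"

# The "off" side later looks the chroot paths up in the output of mount(8),
# which prints normalised absolute mount points.  A relative ROOTDIR (or one
# with trailing slashes) would mount fine but never be found again on "off",
# leaving stale bind mounts behind -- so insist on an absolute path.
case "$ROOTDIR" in
  /*) ;;
  *)
    echo "Root directory $ROOTDIR must be an absolute path"
    usage
    exit 1
    ;;
esac

# Exit if ROOTDIR doesn't exist
if ! [ -d "$ROOTDIR" ]; then
  echo "Root directory $ROOTDIR doesn't exist"
  usage
  exit 1
fi

# Drop trailing slashes so "$ROOTDIR$path" is a clean path.  ROOTDIR=/
# collapses to the empty string, which mount_chroot_conf/umount_chroot_conf
# treat as "nothing to do" -- bind-mounting the host onto itself is pointless.
while [ -n "$ROOTDIR" ] && [ "${ROOTDIR%/}" != "$ROOTDIR" ]; do
  ROOTDIR="${ROOTDIR%/}"
done
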
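#######################################
# Bind-mount every existing entry of $ROOTDIR_MOUNT to the same path below
# $ROOTDIR.  A file is bound only when its counterpart in the chroot is
# missing or empty; a directory only when its counterpart exists and is
# empty -- anything already populated inside the chroot is left alone, so a
# locally customised chroot is never shadowed by the host copy.
# Globals:   ROOTDIR (read), ROOTDIR_MOUNT (read)
# Returns:   0 when ROOTDIR is empty; otherwise the loop's status.  A failing
#            mount is reported by mount(8) itself and does not stop the loop
#            (best effort, as before).
#######################################
mount_chroot_conf()
{
  local src target
  [ -n "$ROOTDIR" ] || return 0

  for src in $ROOTDIR_MOUNT; do
    # Skip entries that do not exist on the host.
    [ -e "$src" ] || continue
    target="$ROOTDIR$src"

    if ! [ -d "$src" ]; then
      # File: bind it only if the chroot copy is absent or empty.
      # (-s is "exists and has size > 0", i.e. the old stat-size test.)
      if ! [ -s "$target" ]; then
        # The parent directory must already exist inside the chroot; if the
        # placeholder cannot be created there is nothing to mount onto.
        touch "$target" && mount --bind "$src" "$target"
      fi
    else
      # Directory: bind it only if the chroot directory exists and is empty.
      # find replaces the old "ls | wc -l" (which also ran on a missing
      # target and was unquoted); -print -quit stops at the first entry,
      # dotfiles included, so the check is cheap.
      if [ -d "$target" ] && \
         [ -z "$(find "$target" -mindepth 1 -maxdepth 1 -print -quit)" ]; then
        mount --bind --make-private "$src" "$target"
      fi
    fi
  done
}
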
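#######################################
# Undo mount_chroot_conf: unmount every $ROOTDIR_MOUNT entry that is
# currently mounted below $ROOTDIR and delete the placeholder files that
# were created for file bind mounts (directories are left in place).
# Globals:   ROOTDIR (read), ROOTDIR_MOUNT (read)
# Returns:   0 when ROOTDIR is empty; otherwise the loop's status.  A failing
#            umount is reported by umount(8) itself and skipped.
#######################################
umount_chroot_conf()
{
  local src target
  [ -n "$ROOTDIR" ] || return 0

  for src in $ROOTDIR_MOUNT; do
    target="$ROOTDIR$src"
    # Detect a mount target from the output of mount(8), not from
    # /proc/mounts, because detection of modified mounted files can fail
    # there.  Match as a fixed string -- the path is data, not a regular
    # expression -- with the surrounding spaces anchoring it so "/x" does
    # not also match "/x/y".
    if mount | grep -qF -- " on $target "; then
      umount "$target"
      # A file source was bound onto a placeholder created by touch; remove
      # it so no empty stub is left behind in the chroot.
      [ -f "$src" ] && rm -f -- "$target"
    fi
  done
}
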
# Dispatch on the second argument; anything other than on/off is a usage
# error.  Exit status 0 on the happy path regardless of mount results.
mode="$2"
if [ "$mode" = 'on' ]; then
  mount_chroot_conf
elif [ "$mode" = 'off' ]; then
  umount_chroot_conf
else
  echo 'Second argument has to be "on" or "off"'
  usage
  exit 1
fi

exit 0