Systemd script
Reindl Harald
h.reindl at thelounge.net
Fri Feb 19 11:25:03 UTC 2016
Am 19.02.2016 um 12:13 schrieb Josep Manel Andrés:
> Hi Harald,
> Thanks, but I suspect those are the files that come with the default
> system installation, but not usable (without modifications) if I have
> compiled it from source. Am I right?
well, it should not be that hard to adapt them to your needs or even
build a proper package containing all that stuff - only over my dead
body would i do a "make install" on any machine outside rpmbuild
> On 19/02/16 12:02, Reindl Harald wrote:
>>
>>
>> Am 19.02.2016 um 11:45 schrieb Josep Manel Andrés:
>>> I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init
>>> script we were using on SLES11SP3, but it doesn't seem to work, since
>>> the new version of bind needs to get some libraries copied into the
>>> chroot environment, that's why I am trying to adapt the systemd script
>>> that comes with the version from repos on SLES 12 but so far I didn't
>>> get it working.
>>>
>>> Does anyone have a systemd or init script that works for bind-9.9.8-P3 ?
>>>
>>> What would be the correct procedure to run named as daemon?
>>
>> Fedora contains systemd-units for a long time now
>> _______________________________________________________________________
>>
>> [root at srv-rhsoft:~]$ cat /etc/systemd/system/named.service
>> [Unit]
>> Description=DNS Server
>> After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service
>>
>> [Service]
>> Type=simple
>> ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
>> ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
>> ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
>> ExecReload=/usr/bin/kill -HUP $MAINPID
>> ExecStop=/usr/bin/kill -TERM $MAINPID
>> ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
>> PrivateTmp=yes
>> PrivateDevices=yes
>> TimeoutSec=25
>> Restart=always
>> RestartSec=1
>> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>> ReadOnlyDirectories=/var/lib
>> InaccessibleDirectories=-/root
>> InaccessibleDirectories=-/media
>> InaccessibleDirectories=-/boot
>> InaccessibleDirectories=-/home
>> InaccessibleDirectories=-/run/console
>> InaccessibleDirectories=-/run/dbus
>> InaccessibleDirectories=-/run/lock
>> InaccessibleDirectories=-/run/mount
>> InaccessibleDirectories=-/run/systemd/generator
>> InaccessibleDirectories=-/run/systemd/system
>> InaccessibleDirectories=-/run/systemd/users
>> InaccessibleDirectories=-/run/udev
>> InaccessibleDirectories=-/run/user
>> InaccessibleDirectories=-/var/lib/dbus
>> InaccessibleDirectories=-/var/lib/rpm
>> InaccessibleDirectories=-/var/lib/systemd
>> InaccessibleDirectories=-/var/lib/yum
>> InaccessibleDirectories=-/var/spool
>>
>> [Install]
>> WantedBy=multi-user.target
>> _______________________________________________________________________
>>
>> [root at srv-rhsoft:~]$ cat /usr/libexec/setup-named-chroot.sh
>> #!/bin/bash
>>
>> ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys
>> /etc/named.root.key /etc/named.conf
>> /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf
>> /etc/rndc.key
>> /usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /run/named /var/named
>> /etc/crypto-policies/back-ends/bind.config'
>>
>> usage()
>> {
>> echo
>> echo 'This script setups chroot environment for BIND'
>> echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
>> }
>>
>> if ! [ "$#" -eq 2 ]; then
>> echo 'Wrong number of arguments'
>> usage
>> exit 1
>> fi
>>
>> ROOTDIR="$1"
>>
>> # Exit if ROOTDIR doesn't exist
>> if ! [ -d "$ROOTDIR" ]; then
>> echo "Root directory $ROOTDIR doesn't exist"
>> usage
>> exit 1
>> fi
>>
>> mount_chroot_conf()
>> {
>> if [ -n "$ROOTDIR" ]; then
>> for all in $ROOTDIR_MOUNT; do
>> # Skip nonexistant files
>> [ -e "$all" ] || continue
>>
>> # If mount source is a file
>> if ! [ -d "$all" ]; then
>> # mount it only if it is not present in chroot or it is empty
>> if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"`
>> -eq 0 ]; then
>> touch "$ROOTDIR$all"
>> mount --bind "$all" "$ROOTDIR$all"
>> fi
>> else
>> # Mount source is a directory. Mount it only if directory in
>> chroot is
>> # empty.
>> if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ];
>> then
>> mount --bind --make-private "$all" "$ROOTDIR$all"
>> fi
>> fi
>> done
>> fi
>> }
>>
>> umount_chroot_conf()
>> {
>> if [ -n "$ROOTDIR" ]; then
>> for all in $ROOTDIR_MOUNT; do
>> # Check if file is mount target. Do not use /proc/mounts because
>> detecting
>> # of modified mounted files can fail.
>> if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
>> umount "$ROOTDIR$all"
>> # Remove temporary created files
>> [ -f "$all" ] && rm -f "$ROOTDIR$all"
>> fi
>> done
>> fi
>> }
>>
>> case "$2" in
>> on)
>> mount_chroot_conf
>> ;;
>> off)
>> umount_chroot_conf
>> ;;
>> *)
>> echo 'Second argument has to be "on" or "off"'
>> usage
>> exit 1
>> esac
>>
>> exit 0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160219/5850cb5d/attachment.bin>
More information about the bind-users
mailing list