Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Tony Finch dot at dotat.at
Wed Mar 23 11:38:18 UTC 2016


Reindl Harald <h.reindl at thelounge.net> wrote:
> Am 23.03.2016 um 11:54 schrieb Tony Finch:
> >
> > There's a sample unit file in the chroot setup instructions at
> > https://wiki.debian.org/Bind9
> >
> > (It looks a bit half-baked to me since it doesn't seem to have any way to
> > signal systemd that named has finished starting, but it's probably OK for
> > practice purposes.)
>
> there is nothing half-baked - sysvinit had no concept of knowing anything
> about a process at all and even did not recognize if it crashed 2 seconds
> after start
>
> a Type=simple unit (which is the default) has no need to signal anything,
> there is only one process without forking, hence "-f Run the server in the
> foreground (i.e. do not daemonize)"

Yes, I understand all that.

For instance (wrt -f), my rc scripts use `rndc stop -p` so they can wait
for named to completely stop; this is necessary so that it can restart
reliably. (If you restart named too fast it can fail to bind to its TCP
listening socket because the previous named still owns it.) As I
understand it, systemd has enough process monitoring intelligence to do
that by default.

The problem that I alluded to above is that if you have services that
depend on the DNS, there should be a mechanism for the DNS server to say
when it is ready and that it's OK to start services that need DNS. I don't
know the right way to specify that to systemd: maybe it needs a socket
unit file as well?

> the only half-baked thing is that (as sadly most services) it doesn't make use of
> restart and security capabilities of systemd

These are useful tips, thanks.

> Restart=always
> RestartSec=1
> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Dogger: West or northwest backing southwest later, 3 or 4, occasionally 5
later. Slight. Occasional rain or drizzle. Good, occasionally poor.
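For reference, here is how the pieces discussed in this exchange fit into one unit file: Type=simple with `named -f`, the Restart and CapabilityBoundingSet/ReadOnlyDirectories lines quoted above, and nss-lookup.target as the hook that DNS-dependent services can order themselves after. This is an added example, not the unit from the thread or the Debian wiki; the binary path, config path and the `bind` user are assumptions and must match the local install.

```ini
[Unit]
Description=BIND DNS server (named)
After=network.target
# Dependents should use After=nss-lookup.target rather than naming this
# unit directly; this unit pulls the target in and orders itself before it.
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
# -f keeps named in the foreground so systemd tracks the real process
# (no pid file guessing); -u drops to an unprivileged user after the
# port-53 bind. Paths and user below are assumed, adjust to the install.
ExecStart=/usr/sbin/named -f -u bind -c /etc/bind/named.conf
ExecReload=/usr/sbin/rndc reload
# No ExecStop needed: named shuts down cleanly on SIGTERM, which is what
# systemd sends, and systemd waits for the process to exit before it will
# start the unit again, which avoids the "port 53 still owned" race.
Restart=always
RestartSec=1
# Capability set and read-only directories as quoted in the thread.
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
# Cheap extra isolation that named does not need to opt into.
PrivateTmp=yes
ProtectHome=yes

[Install]
WantedBy=multi-user.target
```

Caveat on the readiness question raised above: with Type=simple systemd marks the unit active as soon as named has been exec'd, so nss-lookup.target only guarantees the process is running, not that zones are loaded and queries are answered. A dependent that cannot tolerate that window still has to retry its lookups or wait on something that actually probes the resolver.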

