Help - Bind 9.3.2 die after run several days

Alex Tang alextang at cms.hkcable.com
Mon Mar 27 07:58:19 UTC 2006


Thanks for your suggestion.

I checked and found that:

# ulimit -a
time(seconds)        unlimited
file(blocks)         unlimited
data(kbytes)         unlimited
stack(kbytes)        8192
coredump(blocks)     unlimited
nofiles(descriptors) 1024
vmemory(kbytes)      unlimited

The data size is unlimited.
Q1. Does it relate to stack size?

My stack size is not defined in named.conf and uses the default, but does anyone know the default stack size?

In the BIND 9 reference manual, it only indicates that:

stacksize
The maximum amount of stack memory the server may use. The default is default

On the other hand, BIND does not log any error when it dies.
Q2. Which log should I turn on for troubleshooting?

Following are the logs I have turned on:

        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
};

category default { debug_file; };
category general { debug_file; };
category security { debug_file; };
category database { debug_file; };
category resolver { event_file; };
category client { query_file; };
category unmatched { query_file; };
category network { event_file; };
category dispatch { debug_file; };
category delegation-only { event_file; };
category queries { query_file; };
category config { debug_file; };
category lame-servers { event_file; };

A part of the config file:

options {
        directory "/var/named";
        pid-file "/var/run/named.pid";
        memstatistics-file "/var/log/named.memstats";
        statistics-file "/var/log/named.stats";
        dump-file "/var/log/named.db";
        allow-query { xxxxxx };
        version "DNS Sserver";
        hostname "DNS";
        check-names response ignore;
        max-ncache-ttl 3600;
        interface-interval 0;
        max-cache-ttl 604800;

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On Behalf Of tsar.peter at gmail.com
Sent: Friday, March 24, 2006 4:16 AM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Help - Bind 9.3.2 die after run several days


Are you hitting resource limits (maxdatasize) or similar?
You _might_ need kernel adjustment (I'm no Solaris guru, so don't
ask me how).

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Alex Tang
> Sent: Tuesday, March 21, 2006 11:53 AM
> To: bind-users at isc.org; bind9-bugs at isc.org
> Subject: Help - Bind 9.3.2 die after run several days
> Importance: High
>
>
> Hi All
>
> We are an ISP. I have upgraded my cache-only DNS from BIND 8.37 to
> BIND 9.3.2. The new BIND's performance is very good, but it will die after
> running several days, in the busy hour. Would you give me any idea to tune
> BIND, or does my chroot procedure have some problem?
>
> Thanks very much.
>
> DNS type: BIND 9.3.2, cache only
>
> Run in a chroot with 2 CPUs:
>  /bind.9.3.2/usr/local/sbin/named -u dns -t /bind.9.3.2 -n 2
>
> Compiled with multi-threading and IPv6 disabled:
> ./configure --prefix=/bind.9.3.2/usr/local --disable-ipv6  
> --enable-threads --sysconfdir=/etc --localstatedir=/var
>
> Server platform
> SunOS dns 5.8 Generic_108528-27 sun4u sparc SUNW,Sun-Fire-V210
> 2cpu
>
> 2 GB physical memory
> Checked by top: BIND uses about 800 MB and 700 MB physical memory remains
> 4.7 GB swap memory remains
> Disk space used 50% only
>
> Checked by prstat:
> PROCESS/NLWP
> named/7
> CPU usage about 48%-50% in the busy hour
>
> Number of queries about 400-500 in the busy hour
>
> The network traffic is about 2.5M outgoing and 1.8M incoming in the busy hour.
>
> When it dies, I cannot find any error message in the log;
> only this message is in the query log:
>
> no more recursive clients: quota reached
>
> My chroot procedure is referenced from
> http://cookbook.linuxsecurity.com/sp/ 
> bind9_20010430.html#BM2__Setup_chroot_and_install_BIND
>
> The major differences in my procedure are the mknod of tcp and udp, ldd
> named, etc.
>
> This is my chroot procedure:
> ===================================
> Chroot Procedure for BIND 9.3.2 in Solaris 8
> The following steps assume use of the C-Shell. We start by setting a  
> variable for the chroot environment (jail) location, and setting umask  
> so that all files copied can be read by both groups and world. These  
> commands are designed to be copied and pasted.
>
> 1. Set destination directories for the chroot jail; everything will be
> installed in subdirectories of this tree.
> 		csh
> 		unset noclobber
> 		set jail='/bind.9.3.2';
> 		umask 022;
>
> 2. Set up empty directories and links for chroot environment:
> 		cd /
> 		mkdir  -p /bind.9.3.2
> 		cd /bind.9.3.2/
>
> 		mkdir -p {dev,opt,usr,var,etc};
> 		mkdir -p var/{run,log,named} usr/lib;
> 		mkdir -p usr/local/etc
> 		mkdir -p usr/share/lib/zoneinfo;
>
> 3. Create a user and group account for BIND:
> 		groupadd dns;
>
> # the primary group must be the one just created (dns), not "named"
> 		useradd -d /bind.9.3.2 -s /bin/false -g dns -c "BIND daemon" -m dns
>
> 		Create an identical user and group account within the chroot:
>
> 		grep dns /etc/passwd >> /bind.9.3.2/etc/passwd
> 		grep dns /etc/shadow >> /bind.9.3.2/etc/shadow
> 		grep dns /etc/group >> /bind.9.3.2/etc/group
>
> Don't allow the BIND account to use ftp:
> 		echo "dns" >> /etc/ftpusers
> 4. Install the BIND distribution:
>
>
> 		cd /home/installation/bind-9.3.2
> 		./configure --prefix=/bind.9.3.2/usr/local --disable-ipv6  
> --enable-threads --sysconfdir=/etc --localstatedir=/var
>
> 		make install
>
> 5. Copy system files needed to the chroot environment
>
> 	cd /bind.9.3.2
> 		cp /etc/{syslog.conf,netconfig,nsswitch.conf,resolv.conf,TIMEZONE}  
> /bind.9.3.2/etc
> Use ldd to see what shared object libraries named relies on:
> 		ldd /bind.9.3.2/usr/local/sbin/named
>
> 		# ldd /bind.9.3.2/usr/local/sbin/named
> 		        libnsl.so.1 =>   /usr/lib/libnsl.so.1
> 		        libsocket.so.1 =>        /usr/lib/libsocket.so.1
> 		        libpthread.so.1 =>       /usr/lib/libpthread.so.1
> 		        libthread.so.1 =>        /usr/lib/libthread.so.1
> 		        libc.so.1 =>     /usr/lib/libc.so.1
> 		        libdl.so.1 =>    /usr/lib/libdl.so.1
> 		        libmp.so.2 =>    /usr/lib/libmp.so.2
> 		        /usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
>
> 		cp -p /usr/lib/libnsl.so.1  \
> 		/usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
> 		/usr/lib/libthread.so.1 /usr/lib/libpthread.so.1 \
> 		/usr/lib/libdl.so.1 /usr/lib/libmp.so.2 \
> 		/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 \
> 		/bind.9.3.2/usr/lib
>
> Copy over Timezone files
>
> 		mkdir -p /bind.9.3.2/usr/share/lib/zoneinfo;
> 		cp -p -R /usr/share/lib/zoneinfo/ /bind.9.3.2/usr/share/lib/
>
> Create a loop-back for syslog.
> 		mkdir /bind.9.3.2/etc/.syslog_door
> 		mount -F lofs /etc/.syslog_door /bind.9.3.2/etc/.syslog_door
>
>
> Create a directory for DNS data; we assume it is in /var/named:
>
> 		mkdir -p /bind.9.3.2/var/named/system
>
> 6. Setting up DNS Data Files
>
> 		cp -p /home/installation/new_dns/named.conf /bind.9.3.2/etc/
> 		cp -p /home/installation/new_dns/rndc.conf /bind.9.3.2/etc
> 		cp -p /home/installation/new_dns/rndc.key /bind.9.3.2/etc
>
> 		cp -p /home/installation/new_dns/db.cache  
> /bind.9.3.2/var/named/system/
> 		cp -p /home/installation/new_dns/db.127.0.0  
> /bind.9.3.2/var/named/system/
>
>
> 7. Setting Jail Permissions
>
> Next, we set permissions on files, so that root owns files and named  
> can read all files and write some files. Then, disable any SUID/SGID  
> files.
> The PID file is put in /var/run and not /usr/local, because we don't  
> want the named user to be able to write to /usr/local/etc (and hence  
> named.conf). The location of the PID file is specified in named.conf.
>
> 		cd /bind.9.3.2
>
> 		chgrp -R dns *
>
> # remove group write from var, and all write access from opt and usr
> 		chmod -R g-w var;
> 		chmod -R a-w opt usr;
>
> 		chmod 770 /bind.9.3.2/var/named;
>
> 		touch /bind.9.3.2/var/run/named.pid
> 		touch /bind.9.3.2/var/log/debug_dns.log
> 		touch /bind.9.3.2/var/log/event_dns.log
> 		touch /bind.9.3.2/var/log/query_dns.log
> 		touch /bind.9.3.2/var/log/named.memstats
> 		touch /bind.9.3.2/var/log/named.stats
> 		touch /bind.9.3.2/var/log/named.db
> 		chown dns:dns /bind.9.3.2/var/log/* /bind.9.3.2/var/run/named.pid;
>
> 		chgrp -R dns /bind.9.3.2/var/log /bind.9.3.2/var/run;
> 		chmod 774 /bind.9.3.2/var/run /bind.9.3.2/var/log;
> 		chmod -R o-r /bind.9.3.2/var/run /bind.9.3.2/var/log;
>
> # Allow named to access BIND config file (the group created in step 3 is dns):
> 		chgrp dns /bind.9.3.2/etc;
> 		chown root:dns /bind.9.3.2/etc/named.conf;
> 		chmod 644 /bind.9.3.2/etc/named.conf;
> 		chown root:dns /bind.9.3.2/etc/rndc.*;
> 		chmod 644 /bind.9.3.2/etc/rndc.*;
> 		chmod 755 /bind.9.3.2/etc;
>
> # Remove SUID or SGID bits, if any exist:
> 		find . -type f -exec chmod ug-s {} \;
>
> # Remove world access:
> 		chmod -R o-w * /bind.9.3.2/usr
> 8. Set up devices for communication, console, syslog, etc.
> 		cd /bind.9.3.2/dev
> 		mknod tcp c 42 0
> 		mknod udp c 41 0
> 		mknod log c 21 5
> 		mknod null c 13 2
> 		mknod zero c 13 12
> 		chgrp sys null zero
> 		chmod 666 null
>
> 		mknod conslog c 21 0
> 		mknod syscon c 0 0
> 		chmod 620 syscon
> 		chgrp tty syscon
> 		chgrp sys conslog
>
> On Solaris 8, provide access to /dev/random by:
>
> 		cd /bind.9.3.2/dev
> 		mknod random c 35 0
> 		chgrp sys random
> 		chmod 644 random
>
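The chroot procedure quoted above copies libraries, creates device nodes and sets permissions, but never verifies the result before named is started, and a jail with a library or device missing is a common reason for a daemon that runs fine for a while and then falls over under load. The script below is an added example for this page; it is not code from the original post, from the linuxsecurity cookbook, or from ISC. It assumes the jail root is passed as the first argument (for the post, /bind.9.3.2), that the output of `ldd` on the named binary has been saved to a file in the Solaris format shown in the post ("lib => /path", or a bare path for platform libraries), and that the device list is the one the procedure creates with mknod. The permission check covers the security point the procedure is built around: named.conf and rndc.key must be readable by the dns user but never writable by it, since a named that can rewrite its own configuration has nothing left to contain it (note that the procedure's `chmod 644 rndc.*` also leaves the rndc secret world-readable inside the jail; 640 is the tighter choice, but that is a separate fix).

```shell
#!/bin/sh
# Added example: post-build sanity checks for a BIND chroot jail built by a
# procedure like the one quoted above. Not from the original post or ISC.
# Assumptions: JAIL is the jail root (e.g. /bind.9.3.2) and LDD_OUTPUT is a
# file holding the output of `ldd $JAIL/usr/local/sbin/named`.

# missing_libs JAIL LDD_OUTPUT
# Print each library that ldd resolved on the host but which is absent under
# JAIL, plus any library ldd itself could not resolve.
missing_libs() {
    jail=$1
    lddout=$2
    awk '
        # "libX.so.1 => /usr/lib/libX.so.1"; an unresolved library shows
        # "(file not found)" in place of the path
        /=>/ { if ($3 ~ /^\(/) print "(unresolved) " $1; else print $3; next }
        # platform libraries are printed as a bare absolute path
        NF   { print $1 }
    ' "$lddout" | while read -r lib; do
        case $lib in
            "(unresolved)"*) echo "$lib" ;;
            *) [ -e "$jail$lib" ] || echo "$lib" ;;
        esac
    done
}

# missing_devs JAIL
# Print the device nodes the procedure creates with mknod that are not
# character devices under JAIL/dev. mknod needs root, so a jail assembled
# without it will report every one of them.
missing_devs() {
    jail=$1
    for d in tcp udp log null zero random; do
        [ -c "$jail/dev/$d" ] || echo "$d"
    done
}

# writable_by_nonroot FILE...
# Print any of the given files that are group- or world-writable. named runs
# as the dns user and must read named.conf and rndc.key, but if it can write
# them a compromised named can rewrite its own configuration.
writable_by_nonroot() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# check_jail JAIL LDD_OUTPUT
# Run all checks, print the findings, and return 1 if anything needs fixing.
check_jail() {
    rc=0
    libs=$(missing_libs "$1" "$2")
    [ -z "$libs" ] || { echo "missing libraries:"; echo "$libs"; rc=1; }
    devs=$(missing_devs "$1")
    [ -z "$devs" ] || { echo "missing device nodes:" $devs; rc=1; }
    bad=$(writable_by_nonroot "$1/etc/named.conf" "$1/etc/rndc.conf" "$1/etc/rndc.key")
    [ -z "$bad" ] || { echo "config files writable by group/other:"; echo "$bad"; rc=1; }
    return $rc
}

# Usage, as root, after the procedure has run:
#   ldd /bind.9.3.2/usr/local/sbin/named > /tmp/named.ldd
#   check_jail /bind.9.3.2 /tmp/named.ldd
```

Run it before `named -t /bind.9.3.2 ...` and again after any patching of the host, since a library update on the host does nothing for the copies inside the jail.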