PowerDNS: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
 
(12 intermediate revisions by the same user not shown)
Line 41: Line 41:
==Logging with systemd and syslog-ng==
==Logging with systemd and syslog-ng==


1. Tell the journald of systemd to forward messages to syslog:
I had problems with multiply the log lines over syslog and polluting the disks with redundant log entries.<br>
In <i>/etc/systemd/journald.conf</i> set it from
So I found a way to bind the daemon output to a dedicated systemd <i>namespace</i> and catch them later in syslog-ng.
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
#ForwardToSyslog=yes
$ sudo systemctl edit pdns-recursor.service
</syntaxhighlight>
</syntaxhighlight>
to
<syntaxhighlight lang=Ini>
[Service]
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no
LogNamespace=pdns-recursor
</syntaxhighlight>
 
/etc/powerdns/recursor.d/syslog.conf
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
ForwardToSyslog=yes
log-timestamp=no
quiet=no
disable-syslog=no
</syntaxhighlight>
</syntaxhighlight>


Then restart the journald
 
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
# systemctl restart systemd-journald.service
$ sudo systemctl restart pdns-recursor.service  
</syntaxhighlight>
after that you will find the output of the daemon with:
<syntaxhighlight lang=bash>
$ sudo journalctl -lf --namespace=pdns-recursor
</syntaxhighlight>
</syntaxhighlight>
2. Tell syslog-ng to take the dev-log-socket from journald as input:


Change the part in <i>/etc/syslog-ng/syslog-ng.conf</i> from
Change the part in <i>/etc/syslog-ng/syslog-ng.conf</i> from
Line 67: Line 78:
to
to
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
source s_journal_pdns_recursor
{
  systemd-journal(namespace("pdns-recursor"));
};
source s_journal_pdns
{
  systemd-journal(namespace("pdns"));
};
source s_src {
source s_src {
       system();
       # Because system() catches systemd-journal() you will have to comment it out or you will get this error:
      #  The configuration must not contain more than one systemd-journal() source;
      #system();
       internal();
       internal();
      unix-dgram ("/run/systemd/journal/dev-log");
};
};
</syntaxhighlight>
</syntaxhighlight>
Then you can take this dedicated source to put it in your favorite destinations like this:
<syntaxhighlight lang=bash>
destination d_graylog {
  network(
    "172.16.1.210"
    port("514")
    transport(udp)
  );
};
log {
  source(s_journal_pdns_recursor);
  destination(d_graylog);
  flags(final);
};
</syntaxhighlight>
<syntaxhighlight lang=bash>
$ sudo systemctl restart syslog-ng.service
</syntaxhighlight>
:wq


==chroot with systemd==
==chroot with systemd==




Create the chroot-base. I would prefer to setup a zfs dataset for it, but you can also do:
<syntaxhighlight lang=bash>
# mkdir -p /var/chroot
</syntaxhighlight>
What we need to run pdns{,-recursor} in chroot is this:
<syntaxhighlight lang=bash>
/var/chroot/run/systemd/notify      <-- bind mount from /run/systemd/notify (socket)
/var/chroot/run/pdns-recursor        <-- bind mount from /run/pdns (dir)
/var/chroot/run/pdns                <-- bind mount from /run/pdns (dir)
/var/chroot/usr/share/dns/root.hints <-- bind mount from /usr/share/dns (dir with root.hints file)
</syntaxhighlight>


For that we have to create some systemd.mount files:
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
# mkdir -p /var/chroot/run/systemd
# systemctl list-units --all --type=mount,service var-chroot-* pdns*
# touch /var/chroot/run/systemd/notify
  UNIT                                  LOAD  ACTIVE SUB    DESCRIPTION                               
  var-chroot-run-pdns.mount            loaded active mounted Mount /run/pdns to chroot
  var-chroot-run-pdns\x2drecursor.mount loaded active mounted Mount /run/pdns-recursor to chroot
  var-chroot-run-systemd-notify.mount  loaded active mounted Mount /run/systemd/notify to chroot
  var-chroot-run.mount                  loaded active mounted Temporary Directory /var/chroot/run
  var-chroot-tmp.mount                  loaded active mounted Temporary Directory /var/chroot/tmp
  var-chroot-usr-share-dns.mount        loaded active mounted Mount /usr/share/dns (root.hints) to chroot
  pdns-recursor.service                loaded active running PowerDNS Recursor
  pdns.service                          loaded active running PowerDNS Authoritative Server
  var-chroot-create-dirs.service        loaded active exited  Create directories under /var/chroot
 
LOAD  = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
9 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.
</syntaxhighlight>
</syntaxhighlight>


and a service to create the needed /var/chroot/run/systemd/notify file to bind mount the socket from systemd to it.


<syntaxhighlight lang=ini>
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-run-systemd-notify.mount
# /etc/systemd/system/var-chroot-run.mount
[Unit]
Description=Temporary Directory /var/chroot/run
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/var/chroot/run
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
 
[Mount]
What=tmpfs
Where=/var/chroot/run
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m
 
[Install]
WantedBy=local-fs.target
</syntaxhighlight>
 
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-tmp.mount
[Unit]
Description=Temporary Directory /var/chroot/tmp
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/var/chroot/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
 
[Mount]
What=tmpfs
Where=/var/chroot/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m
 
[Install]
WantedBy=local-fs.target
</syntaxhighlight>
 
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-create-dirs.service
[Unit]
Description=Create directories under /var/chroot
ConditionPathExists=/var/chroot/run
After=var-chroot-run.mount
 
[Service]
Type=oneshot
RemainAfterExit=yes
 
RuntimeDirectory=pdns pdns-recursor
RuntimeDirectoryMode=0750
RuntimeDirectoryPreserve=True
User=pdns
Group=pdns
 
ExecStart=-mkdir    /var/chroot/run/systemd
ExecStart=-touch    /var/chroot/run/systemd/notify
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
 
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-run-pdns.mount
[Unit]
Description=Mount /run/pdns to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
After=pdns.service
 
[Mount]
What=/run/pdns
Where=/var/chroot/run/pdns
Type=none
Options=bind
 
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
 
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-run-pdns\x2drecursor.mount
[Unit]
[Unit]
Description=Mount /run/pdns-recursor to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns-recursor
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=zfs-mount.service
Requires=var-chroot.mount
After=var-chroot-create-dirs.service
Before=pdns-recursor.service


[Mount]
[Mount]
What=/run/systemd/notify
What=/run/pdns-recursor
Where=/var/chroot/run/systemd/notify
Where=/var/chroot/run/pdns-recursor
Type=none
Type=none
Options=bind
Options=bind
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
</syntaxhighlight>
or
 
<syntaxhighlight lang=ini>
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-run-systemd-notify.mount
# /etc/systemd/system/var-chroot-run-systemd-notify.mount
Line 102: Line 272:
Description=Mount /run/systemd/notify to chroot
Description=Mount /run/systemd/notify to chroot
DefaultDependencies=no
DefaultDependencies=no
ConditionPathExists=/var/chroot/run/systemd/notify
ConditionPathExists=/run/systemd/notify
ConditionCapability=CAP_SYS_ADMIN
ConditionCapability=CAP_SYS_ADMIN
After=systemd-modules-load.service
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service
Before=pdns-recursor.service


Line 111: Line 282:
Where=/var/chroot/run/systemd/notify
Where=/var/chroot/run/systemd/notify
Type=none
Type=none
Options=bind
Options=rbind
 
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
 
<syntaxhighlight lang=ini>
# /etc/systemd/system/var-chroot-usr-share-dns.mount
[Unit]
Description=Mount /usr/share/dns (root.hints) to chroot
DefaultDependencies=no
ConditionPathExists=/var/chroot/usr/share/dns
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service
 
[Mount]
What=/usr/share/dns
Where=/var/chroot/usr/share/dns
Type=none
Options=rbind,ro


[Install]
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target
</syntaxhighlight>
</syntaxhighlight>
Now we are ready for modifying pdns.service and pdns-recursor.service like this:


<syntaxhighlight lang=ini>
<syntaxhighlight lang=ini>
Line 121: Line 315:
[Service]
[Service]
Type=simple
Type=simple
RuntimeDirectoryPreserve=True
ExecStart=
ExecStart=
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
Line 135: Line 330:
[Service]
[Service]
Type=simple
Type=simple
RuntimeDirectoryPreserve=True
ExecStart=
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --include-dir=/etc/powerdns/recursor.d
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --include-dir=/etc/powerdns/recursor.d
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
# Add the possibility to change user id and group id and to chroot
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
AmbientCapabilities=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
SystemCallFilter=@mount
SystemCallFilter=@mount


Latest revision as of 07:02, 22 June 2023


PowerDNS Server (pdns_server)

Newer version in Ubuntu

If you are living in Ubunbtu xenial and need a newer PowerDNS from Ubuntu zesty, do this:

/etc/apt/apt.conf.d/01pinning

APT::Default-Release "xenial";

/etc/apt/preferences.d/pdns

Package: pdns-*
Pin: release a=zesty, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-updates, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-security, l=Ubuntu
Pin-Priority: 1000

/etc/apt/sources.list

add zesty sources. for example: 

deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial          main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial-updates  main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    xenial-security main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty           main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty-updates   main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    zesty-security  main restricted universe

Do the upgrade

# apt update
# apt install pdns-recursor/zesty pdns-tools/zesty libstdc++6/zesty gcc-6-base/zesty

Logging with systemd and syslog-ng

I had problems with multiply the log lines over syslog and polluting the disks with redundant log entries.
So I found a way to bind the daemon output to a dedicated systemd namespace and catch them later in syslog-ng. 

$ sudo systemctl edit pdns-recursor.service

[Service]
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no
LogNamespace=pdns-recursor

/etc/powerdns/recursor.d/syslog.conf 

log-timestamp=no
quiet=no
disable-syslog=no



$ sudo systemctl restart pdns-recursor.service

after that you will find the output of the daemon with: 

$ sudo journalctl -lf --namespace=pdns-recursor

Change the part in /etc/syslog-ng/syslog-ng.conf from 

source s_src {
       system();
       internal();
};

to 

source s_journal_pdns_recursor
{
  systemd-journal(namespace("pdns-recursor"));
};

source s_journal_pdns
{
  systemd-journal(namespace("pdns"));
};

source s_src {
       # Because system() catches systemd-journal() you will have to comment it out or you will get this error:
       #  The configuration must not contain more than one systemd-journal() source;
       #system();
       internal();
};

Then you can take this dedicated source to put it in your favorite destinations like this: 

destination d_graylog {
  network(
    "172.16.1.210"
    port("514")
    transport(udp)
  );
};
log {
  source(s_journal_pdns_recursor);
  destination(d_graylog);
  flags(final);
};

$ sudo systemctl restart syslog-ng.service
wq

chroot with systemd

Create the chroot-base. I would prefer to setup a zfs dataset for it, but you can also do: 

# mkdir -p /var/chroot

What we need to run pdns{,-recursor} in chroot is this: 

/var/chroot/run/systemd/notify       <-- bind mount from /run/systemd/notify (socket)
/var/chroot/run/pdns-recursor        <-- bind mount from /run/pdns (dir)
/var/chroot/run/pdns                 <-- bind mount from /run/pdns (dir)
/var/chroot/usr/share/dns/root.hints <-- bind mount from /usr/share/dns (dir with root.hints file)

For that we have to create some systemd.mount files: 

# systemctl list-units --all --type=mount,service var-chroot-* pdns*
  UNIT                                  LOAD   ACTIVE SUB     DESCRIPTION                                
  var-chroot-run-pdns.mount             loaded active mounted Mount /run/pdns to chroot
  var-chroot-run-pdns\x2drecursor.mount loaded active mounted Mount /run/pdns-recursor to chroot
  var-chroot-run-systemd-notify.mount   loaded active mounted Mount /run/systemd/notify to chroot
  var-chroot-run.mount                  loaded active mounted Temporary Directory /var/chroot/run
  var-chroot-tmp.mount                  loaded active mounted Temporary Directory /var/chroot/tmp
  var-chroot-usr-share-dns.mount        loaded active mounted Mount /usr/share/dns (root.hints) to chroot
  pdns-recursor.service                 loaded active running PowerDNS Recursor
  pdns.service                          loaded active running PowerDNS Authoritative Server
  var-chroot-create-dirs.service        loaded active exited  Create directories under /var/chroot

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
9 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.

and a service to create the needed /var/chroot/run/systemd/notify file to bind mount the socket from systemd to it. 

# /etc/systemd/system/var-chroot-run.mount
[Unit]
Description=Temporary Directory /var/chroot/run
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/var/chroot/run
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/var/chroot/run
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

[Install]
WantedBy=local-fs.target

# /etc/systemd/system/var-chroot-tmp.mount
[Unit]
Description=Temporary Directory /var/chroot/tmp
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/var/chroot/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/var/chroot/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

[Install]
WantedBy=local-fs.target

# /etc/systemd/system/var-chroot-create-dirs.service
[Unit]
Description=Create directories under /var/chroot
ConditionPathExists=/var/chroot/run
After=var-chroot-run.mount

[Service]
Type=oneshot
RemainAfterExit=yes

RuntimeDirectory=pdns pdns-recursor
RuntimeDirectoryMode=0750
RuntimeDirectoryPreserve=True
User=pdns
Group=pdns

ExecStart=-mkdir    /var/chroot/run/systemd
ExecStart=-touch    /var/chroot/run/systemd/notify
[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-run-pdns.mount
[Unit]
Description=Mount /run/pdns to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
After=pdns.service

[Mount]
What=/run/pdns
Where=/var/chroot/run/pdns
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-run-pdns\x2drecursor.mount
[Unit]
Description=Mount /run/pdns-recursor to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns-recursor
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/run/pdns-recursor
Where=/var/chroot/run/pdns-recursor
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-run-systemd-notify.mount
[Unit]
Description=Mount /run/systemd/notify to chroot
DefaultDependencies=no
ConditionPathExists=/run/systemd/notify
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/run/systemd/notify
Where=/var/chroot/run/systemd/notify
Type=none
Options=rbind

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/var-chroot-usr-share-dns.mount
[Unit]
Description=Mount /usr/share/dns (root.hints) to chroot
DefaultDependencies=no
ConditionPathExists=/var/chroot/usr/share/dns
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/usr/share/dns
Where=/var/chroot/usr/share/dns
Type=none
Options=rbind,ro

[Install]
WantedBy=multi-user.target

Now we are ready for modifying pdns.service and pdns-recursor.service like this: 

# /etc/systemd/system/pdns.service.d/override.conf
[Service]
Type=simple
RuntimeDirectoryPreserve=True
ExecStart=
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
SystemCallFilter=@mount

[Unit]
Wants=local-fs.target

# /etc/systemd/system/pdns-recursor.service.d/override.conf
[Service]
Type=simple
RuntimeDirectoryPreserve=True
ExecStart=
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --include-dir=/etc/powerdns/recursor.d
# Add the possibility to change user id and group id and to chroot
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
AmbientCapabilities=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
SystemCallFilter=@mount


[Unit]
Wants=local-fs.target
Retrieved from "https://lars.timmann.de/wiki/index.php?title=PowerDNS&oldid=2747"