PowerDNS: Difference between revisions

From Lolly's Wiki
Revision as of 14:36, 24 November 2017

Category: DNS

PowerDNS Server (pdns_server)

If you are living on Ubuntu xenial and need a newer PowerDNS from Ubuntu zesty, do this:

1. /etc/apt/apt.conf.d/01pinning

APT::Default-Release "xenial";

2. /etc/apt/preferences.d/pdns

Package: pdns-*
Pin: release a=zesty, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-updates, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-security, l=Ubuntu
Pin-Priority: 1000

3. /etc/apt/sources.list: add the zesty sources, for example:

deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial          main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial-updates  main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    xenial-security main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty           main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty-updates   main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    zesty-security  main restricted universe
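
Before running apt-get install it is worth confirming that the pin actually wins, i.e. that the candidate version of pdns-server comes from zesty and not from the xenial default release. The following is an added example, not part of the wiki page: a POSIX sh helper that parses the output of `apt-cache policy <package>` and reports which suite the candidate version comes from. The two policy outputs embedded below are constructed samples, not captured from a real host; on a real host pipe `apt-cache policy pdns-server` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the wiki): check that the apt pin selects the pdns
# packages from the intended suite before installing anything.
# Real-host usage:  apt-cache policy pdns-server | pin_selects zesty

# Print "<candidate-version> <suite>" for apt-cache policy output read on stdin.
candidate_suite() {
    awk '
        /^  Candidate:/ { cand = $2; next }
        # archive lines: "<prio> <url> <suite>/<component> <arch> Packages"
        /:\/\// { if (ver == cand) { split($3, p, "/"); print cand, p[1]; exit }; next }
        # version lines: "<version> <priority>"; the installed one is prefixed by ***
        $NF ~ /^[0-9]+$/ { ver = ($1 == "***") ? $2 : $1 }
    '
}

# Return 0 when the candidate comes from suite $1, 1 otherwise (reason on stderr).
pin_selects() {
    want=$1
    got=$(candidate_suite)
    case "$got" in
        *" $want") echo "ok: candidate $got" >&2; return 0 ;;
        "")        echo "no candidate found in policy output" >&2; return 1 ;;
        *)         echo "pin not effective: candidate is $got, wanted $want" >&2; return 1 ;;
    esac
}

# Constructed sample (not real output): the pin from /etc/apt/preferences.d/pdns is in effect.
PINNED=$(cat <<'EOF'
pdns-server:
  Installed: (none)
  Candidate: 4.0.3-1
  Version table:
     4.0.3-1 1000
       1000 http://de.archive.ubuntu.com/ubuntu zesty/main amd64 Packages
     4.0.0~alpha2-3build1 500
        500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
EOF
)

# Constructed sample (not real output): preferences file missing, so the
# Default-Release "xenial" priority of 990 keeps the old package.
UNPINNED=$(cat <<'EOF'
pdns-server:
  Installed: 4.0.0~alpha2-3build1
  Candidate: 4.0.0~alpha2-3build1
  Version table:
     4.0.3-1 500
        500 http://de.archive.ubuntu.com/ubuntu zesty/main amd64 Packages
 *** 4.0.0~alpha2-3build1 990
        990 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
)

printf '%s\n' "$PINNED"   | pin_selects zesty
printf '%s\n' "$UNPINNED" | pin_selects zesty || true
```

A priority of 1000 or more lets apt downgrade a package to the pinned version, so after the check passes an `apt-get install -s pdns-server` dry run is still the place to see which xenial libraries would be replaced by zesty ones as dependencies.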

Logging with systemd and syslog-ng

1. Tell systemd's journald to forward messages to syslog. In /etc/systemd/journald.conf change

#ForwardToSyslog=yes

to

ForwardToSyslog=yes

Then restart journald:

# systemctl restart systemd-journald.service

2. Tell syslog-ng to read journald's /dev/log socket as an input.

Change the part in /etc/syslog-ng/syslog-ng.conf from

source s_src {
       system();
       internal();
};

to

source s_src {
       system();
       internal();
       unix-dgram ("/run/systemd/journal/dev-log");
};
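
Editing journald.conf by hand works, but the file can be in three states: the shipped commented default (#ForwardToSyslog=yes), an explicit value already set, or the key missing altogether. The following is an added example, not from the wiki: a POSIX sh helper that sets a key in a systemd-style ini file idempotently for all three cases and a second helper that reads the effective value back. The file it edits in the demo is a constructed temporary copy, not /etc/systemd/journald.conf; the function names set_ini_key and get_ini_key are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): set a key in a systemd-style config file
# such as /etc/systemd/journald.conf without hand-editing it.
# Real-host usage:  set_ini_key /etc/systemd/journald.conf Journal ForwardToSyslog yes
#                   systemctl restart systemd-journald.service

# set_ini_key <file> <section> <key> <value>
# Replaces a commented ("#Key=") or explicit ("Key=") line inside [section];
# appends the key (and the section header, if missing) when it is absent.
set_ini_key() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        /^\[/ {
            # leaving the target section without having seen the key: add it here
            if (in_sec && !done) { print key "=" val; done = 1 }
            in_sec = ($0 == sec)
        }
        in_sec && !done && $0 ~ ("^[ \t]*#?[ \t]*" key "[ \t]*=") {
            print key "=" val; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_sec) print sec
                print key "=" val
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of $file
    rm -f "$tmp"
}

# get_ini_key <file> <section> <key>: print the effective (last) uncommented value.
get_ini_key() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec) }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub("^[^=]*=[ \t]*", ""); v = $0 }
        END { print v }
    ' "$1"
}

# Demo on a constructed copy of the stock journald.conf (not the real file).
DEMO=$(mktemp)
printf '[Journal]\n#Storage=auto\n#ForwardToSyslog=yes\n#MaxLevelStore=debug\n' > "$DEMO"
set_ini_key "$DEMO" Journal ForwardToSyslog yes
echo "ForwardToSyslog is now: $(get_ini_key "$DEMO" Journal ForwardToSyslog)"
cat "$DEMO"
rm -f "$DEMO"
```

get_ini_key returns the last uncommented assignment, which matches how systemd resolves a key that appears several times in one section.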

chroot with systemd

When pdns_server or pdns_recursor runs chrooted (here under /var/chroot) and its unit uses Type=notify, the daemon must still be able to reach the /run/systemd/notify socket from inside the chroot. Create the mount point in the chroot and bind-mount the socket onto it with one of the two mount units below:

# mkdir -p /var/chroot/run/systemd
# touch /var/chroot/run/systemd/notify


# /lib/systemd/system/var-chroot-run-systemd-notify.mount
[Unit]
After=zfs-mount.service
Requires=var-chroot.mount

[Mount]
What=/run/systemd/notify
Where=/var/chroot/run/systemd/notify
Type=none
Options=bind

or

# /lib/systemd/system/var-chroot-run-systemd-notify.mount
[Unit]
Description=Mount /run/systemd/notify to chroot
DefaultDependencies=no
ConditionPathExists=/var/chroot/run/systemd/notify
ConditionCapability=CAP_SYS_ADMIN
After=systemd-modules-load.service
Before=pdns-recursor.service

[Mount]
What=/run/systemd/notify
Where=/var/chroot/run/systemd/notify
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

# /lib/systemd/system/pdns.service
[Unit]
Description=PowerDNS Authoritative Server
Documentation=man:pdns_server(1) man:pdns_control(1)
Documentation=https://doc.powerdns.com
Wants=network-online.target
After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service
After=var-chroot-run-systemd-notify.mount

[Service]
Type=notify
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --write-pid=no
Restart=on-failure
RestartSec=1
StartLimitInterval=0
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
NoNewPrivileges=true
# ProtectSystem=full will disallow write access to /etc and /usr, possibly
# not being able to write slaved-zones into sqlite3 or zonefiles.
ProtectSystem=full
ProtectHome=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=multi-user.target

# /lib/systemd/system/pdns-recursor.service
[Unit]
Description=PowerDNS Recursor
Documentation=man:pdns_recursor(1) man:rec_control(1)
Documentation=https://doc.powerdns.com
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target
After=network-online.target
After=var-chroot-run-systemd-notify.mount

[Service]
Type=notify
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog
Restart=on-failure
StartLimitInterval=0
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LimitNOFILE=4200

[Install]
WantedBy=multi-user.target
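
Two things can silently go wrong with the setup above: a locally edited unit drops one of the hardening directives (CapabilityBoundingSet, NoNewPrivileges, ProtectSystem and friends), or the notify bind mount is not in place and a Type=notify service hangs at start-up inside its chroot. The following is an added example, not from the wiki: two POSIX sh helpers that audit a unit file for the hardening keys the pdns units above set, and that check /proc/self/mountinfo for the bind mount of /run/systemd/notify under a chroot. The unit file and mountinfo content used in the demo are constructed samples; on a real host pass the installed unit path and /proc/self/mountinfo instead.

```shell
#!/bin/sh
# Added example (not from the wiki): audit the chrooted pdns units.
# Real-host usage:  unit_missing_hardening /lib/systemd/system/pdns.service
#                   notify_bind_mounted /proc/self/mountinfo /var/chroot

# [Service] directives set by the pdns.service / pdns-recursor.service units above.
HARDENING="PrivateTmp PrivateDevices CapabilityBoundingSet NoNewPrivileges ProtectSystem ProtectHome RestrictAddressFamilies"

# unit_missing_hardening <unit-file>: print each hardening key the [Service]
# section does not set, one per line (prints nothing when all are present).
unit_missing_hardening() {
    for key in $HARDENING; do
        awk -v key="$key" '
            /^\[/ { in_svc = ($0 == "[Service]") }
            in_svc && $0 ~ ("^" key "=") { found = 1 }
            END { exit !found }
        ' "$1" || echo "$key"
    done
}

# notify_bind_mounted <mountinfo-file> <chroot>: return 0 when a mount exists
# whose mount point is <chroot>/run/systemd/notify and whose root within its
# filesystem is the notify socket (field 4 of mountinfo is the bind source path
# inside the tmpfs on /run, field 5 the mount point).
notify_bind_mounted() {
    awk -v mp="$2/run/systemd/notify" '
        $5 == mp && $4 ~ /\/systemd\/notify$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Constructed sample unit (not the real file): two hardening keys were dropped.
SAMPLE_UNIT=$(mktemp)
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=PowerDNS Authoritative Server (sample)

[Service]
Type=notify
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --write-pid=no
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
EOF

# Constructed sample mountinfo (not from a real host): /run plus the bind mount
# that var-chroot-run-systemd-notify.mount creates.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 28 0:20 / /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs rw,size=403020k,mode=755
90 28 0:20 /systemd/notify /var/chroot/run/systemd/notify rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs rw,size=403020k,mode=755
EOF
trap 'rm -f "$SAMPLE_UNIT" "$SAMPLE_MOUNTINFO"' EXIT

echo "hardening keys missing from sample unit:"
unit_missing_hardening "$SAMPLE_UNIT"
if notify_bind_mounted "$SAMPLE_MOUNTINFO" /var/chroot; then
    echo "notify socket is bind-mounted into /var/chroot"
else
    echo "notify socket is NOT bind-mounted into /var/chroot"
fi
```

Run the unit audit against both pdns.service and pdns-recursor.service after every package upgrade, since a replaced unit file from the zesty package is exactly the kind of change that reintroduces a missing directive.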