PowerDNS



PowerDNS Server (pdns_server)

Newer version in Ubuntu

If you are on Ubuntu xenial and need a newer PowerDNS from Ubuntu zesty, do this:

/etc/apt/apt.conf.d/01pinning

// Keep xenial as the default release for everything; only packages that are
// explicitly pinned (see /etc/apt/preferences.d/pdns) come from zesty.
APT::Default-Release "xenial";

/etc/apt/preferences.d/pdns

# Take pdns-* from zesty and its updates/security pockets despite
# APT::Default-Release "xenial". Priority 1000 beats the default release
# (990) but, being <= 1000, still never forces a downgrade (apt_preferences(5)).
# The glob only matches package names starting with "pdns-"; anything with a
# different prefix needs its own stanza.
Package: pdns-*
Pin: release a=zesty, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-updates, l=Ubuntu
Pin-Priority: 1000

Package: pdns-*
Pin: release a=zesty-security, l=Ubuntu
Pin-Priority: 1000

/etc/apt/sources.list

Add the zesty sources, for example:

# Existing xenial entries, unchanged.
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial          main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ xenial-updates  main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    xenial-security main restricted universe
# Added zesty entries. Because of APT::Default-Release "xenial" these are only
# used for packages pinned in /etc/apt/preferences.d/pdns (or asked for
# explicitly with pkg/zesty).
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty           main restricted universe
deb [arch=amd64] http://de.archive.ubuntu.com/ubuntu/ zesty-updates   main restricted universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu    zesty-security  main restricted universe

Do the upgrade:

# (run as root; the leading "#" is the prompt)
# apt update
# "pkg/zesty" selects the zesty candidate for that package only. libstdc++6 and
# gcc-6-base are taken from zesty too, presumably because the zesty pdns builds
# need them — note that this replaces the C++ runtime used by every program on
# the host, not just PowerDNS.
# apt install pdns-recursor/zesty pdns-tools/zesty libstdc++6/zesty gcc-6-base/zesty

Logging with systemd and syslog-ng

1. Tell systemd's journald to forward messages to syslog: in /etc/systemd/journald.conf change it from

#ForwardToSyslog=yes

to

ForwardToSyslog=yes

Then restart journald:

# (run as root) — picks up the changed ForwardToSyslog= setting
# systemctl restart systemd-journald.service

2. Tell syslog-ng to read journald's dev-log socket as an input:

Change this part of /etc/syslog-ng/syslog-ng.conf from

source s_src {
       system();
       internal();
};

to

source s_src {
       system();
       internal();
       # NOTE(review): /run/systemd/journal/dev-log is the socket behind /dev/log,
       # normally bound by systemd-journald-dev-log.socket and read by journald.
       # With ForwardToSyslog=yes journald already forwards a copy to
       # /run/systemd/journal/syslog, the socket a syslog daemon is expected to
       # read — confirm this extra source is needed and that syslog-ng binding
       # dev-log does not compete with journald for the same socket (messages
       # taken here would bypass the journal).
       unix-dgram ("/run/systemd/journal/dev-log"); 
};

chroot with systemd

Create the chroot base. I would prefer to set up a ZFS dataset for it, but you can also do:

# mkdir -p /var/chroot

What we need to run pdns and pdns-recursor in a chroot is this:

/var/chroot/run/systemd/notify       <-- bind mount from /run/systemd/notify (socket)
/var/chroot/run/pdns-recursor        <-- bind mount from /run/pdns-recursor (dir)
/var/chroot/run/pdns                 <-- bind mount from /run/pdns (dir)
/var/chroot/usr/share/dns/root.hints <-- bind mount from /usr/share/dns (dir with root.hints file)

For that we have to create some systemd .mount units:

# systemctl list-units --type=mount | grep chroot-
  var-chroot-run-pdns.mount                         loaded active mounted Mount /run/pdns to chroot
  var-chroot-run-pdns\x2drecursor.mount             loaded active mounted Mount /run/pdns-recursor to chroot
  var-chroot-run-systemd-notify.mount               loaded active mounted Mount /run/systemd/notify to chroot
  var-chroot-run.mount                              loaded active mounted Temporary Directory /var/chroot/run
  var-chroot-tmp.mount                              loaded active mounted Temporary Directory /var/chroot/tmp
  var-chroot-usr-share-dns.mount                    loaded active mounted Mount /usr/share/dns (root.hints) to chroot

and a service that creates the /var/chroot/run/systemd/notify file, which is needed as the target for bind-mounting systemd's notify socket into the chroot.

# /etc/systemd/system/var-chroot-run.mount
# tmpfs for the chroot's /run, apparently modelled on the stock tmp.mount. The
# bind mounts for the sockets/directories are placed on top of this filesystem.
[Unit]
Description=Temporary Directory /var/chroot/run
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
# Refuse to mount if the mountpoint has been replaced by a symlink.
ConditionPathIsSymbolicLink=!/var/chroot/run
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/var/chroot/run
Type=tmpfs
# Hardening flags: no setuid binaries, no device nodes, nothing executable from
# this filesystem. "%%" is the unit-file escape for a literal "%". size=50% (of
# RAM) is copied from tmp.mount and is far more than a /run needs — consider a
# smaller size= limit.
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

[Install]
WantedBy=local-fs.target
# /etc/systemd/system/var-chroot-tmp.mount
# tmpfs for the chroot's /tmp, a copy of var-chroot-run.mount with another
# mountpoint (and apparently of the stock tmp.mount).
[Unit]
Description=Temporary Directory /var/chroot/tmp
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
# Refuse to mount if the mountpoint has been replaced by a symlink.
ConditionPathIsSymbolicLink=!/var/chroot/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/var/chroot/tmp
Type=tmpfs
# World-writable with sticky bit, but nosuid/nodev/noexec so nothing dropped
# into the chroot's /tmp can be executed from there. "%%" escapes a literal
# "%"; size=50% of RAM is generous for a daemon's /tmp — consider a smaller
# size= limit.
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

[Install]
WantedBy=local-fs.target
# /etc/systemd/system/var-chroot-create-dirs.service
# One-shot that prepares the mountpoints inside the chroot's tmpfs /run.
[Unit]
Description=Create directories under /var/chroot
# NOTE(review): After= only orders. If var-chroot-run.mount is not active the
# condition silently skips this unit and the bind mounts never get their
# target; `RequiresMountsFor=/var/chroot/run` would fail loudly instead.
ConditionPathExists=/var/chroot/run
After=var-chroot-run.mount

[Service]
Type=oneshot
# Stay "active" after the commands finish so units ordered After= this one can
# rely on it having run.
RemainAfterExit=yes

# Creates /run/pdns and /run/pdns-recursor (0750, owned by the User=/Group=
# below). RuntimeDirectoryPreserve keeps them after the oneshot exits; without
# it systemd removes runtime directories when the service stops.
RuntimeDirectory=pdns pdns-recursor
RuntimeDirectoryMode=0750
RuntimeDirectoryPreserve=True
User=pdns
Group=pdns

# "-" prefix: a non-zero exit (e.g. the directory already exists; mkdir runs
# without -p) is ignored. The empty notify file is only a bind-mount target for
# /run/systemd/notify, so pdns ownership is fine.
# NOTE(review): bare command names in ExecStart= are accepted only by
# systemd >= 239; older releases require absolute paths such as /bin/mkdir and
# /usr/bin/touch — confirm against the systemd version in use.
ExecStart=-mkdir    /var/chroot/run/systemd
ExecStart=-touch    /var/chroot/run/systemd/notify
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/var-chroot-run-pdns.mount
# Makes the host's /run/pdns visible at the same path inside the chroot.
[Unit]
Description=Mount /run/pdns to chroot
DefaultDependencies=no
ConditionPathExists=/run/pdns
# Bind mounts need CAP_SYS_ADMIN; without it the unit is skipped, not failed.
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
# NOTE(review): ordered *after* pdns.service, unlike the notify and root.hints
# mounts which are Before=pdns-recursor.service. Anything pdns_server has
# already created under /var/chroot/run/pdns is hidden once this mount is
# placed on top — confirm this ordering is intended.
After=pdns.service

[Mount]
What=/run/pdns
Where=/var/chroot/run/pdns
Type=none
# Read-write bind: the chrooted daemon can create files in the host's /run/pdns.
Options=bind

[Install]
WantedBy=multi-user.target
No files found for var-chroot-run-pdnsx2drecursor.mount. (The unit for the recursor bind mount is therefore not shown here: the `\x2d` in its name was apparently consumed by the shell; quote the name, or build it with `systemd-escape --path --suffix=mount /var/chroot/run/pdns-recursor`, when running `systemctl cat`.)
# /etc/systemd/system/var-chroot-run-systemd-notify.mount
# Exposes the sd_notify() socket inside the chroot by bind-mounting the socket
# file onto the placeholder created by var-chroot-create-dirs.service.
[Unit]
Description=Mount /run/systemd/notify to chroot
DefaultDependencies=no
ConditionPathExists=/run/systemd/notify
# Bind mounts need CAP_SYS_ADMIN; without it the unit is skipped, not failed.
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
# Ordered before the recursor only; pdns.service gets no ordering here.
# NOTE(review): the service overrides further down switch both daemons to
# Type=simple, so readiness no longer depends on this socket — confirm the
# mount is still wanted.
Before=pdns-recursor.service

[Mount]
What=/run/systemd/notify
Where=/var/chroot/run/systemd/notify
Type=none
# rbind on a single file behaves like bind. Only the path becomes reachable
# from the chroot; who may send notifications is still governed by the
# service's NotifyAccess=.
Options=rbind

[Install]
WantedBy=multi-user.target
# /etc/systemd/system/var-chroot-usr-share-dns.mount
# Read-only view of /usr/share/dns (root.hints) inside the chroot.
[Unit]
Description=Mount /usr/share/dns (root.hints) to chroot
DefaultDependencies=no
# The mountpoint itself must already exist on the persistent chroot filesystem;
# var-chroot-create-dirs.service only creates /var/chroot/run/systemd, so
# /var/chroot/usr/share/dns has to be created by hand.
ConditionPathExists=/var/chroot/usr/share/dns
# Bind mounts need CAP_SYS_ADMIN; without it the unit is skipped, not failed.
ConditionCapability=CAP_SYS_ADMIN
After=zfs-mount.service
After=var-chroot-create-dirs.service
Before=pdns-recursor.service

[Mount]
What=/usr/share/dns
Where=/var/chroot/usr/share/dns
Type=none
# ro: the chrooted recursor can read the hints but not alter them.
Options=rbind,ro

[Install]
WantedBy=multi-user.target

Now we are ready to modify pdns.service and pdns-recursor.service with drop-in overrides like this:

# /etc/systemd/system/pdns.service.d/override.conf
# Drop-in over the packaged pdns.service: keys here are merged with it, which
# is why the empty ExecStart= is needed to clear the packaged command first.
[Service]
# Foreground process, hence --daemon=no and --guardian=no below.
Type=simple
ExecStart=
# Logs go to stdout (journald, and from there to syslog-ng); pid file and
# syslog output are disabled. The chroot directory itself is presumably set in
# the PowerDNS configuration (chroot=), which is not shown on this page.
ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
# CAP_SYS_CHROOT for the daemon's own chroot(); CAP_SETUID/CAP_SETGID/CAP_CHOWN
# presumably for its own privilege drop. Ambient capabilities survive that
# drop, so everything listed stays available to the unprivileged daemon — keep
# the list to what is actually used (verify CAP_CHOWN in particular).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
# NOTE(review): SystemCallFilter= lines are merged with the packaged unit's.
# This re-allows the @mount group (which contains chroot()) only if the
# packaged unit ships a deny-list (SystemCallFilter=~ ...). If it sets no filter
# at all, this line alone becomes an allow-list of @mount only and the daemon
# would be killed on its first other syscall — check with
# `systemctl cat pdns.service`. Re-allowing just the one syscall,
# `SystemCallFilter=chroot`, is narrower than the whole group.
SystemCallFilter=@mount

[Unit]
# Pulls in local-fs.target (where the chroot tmpfs mounts are installed) but
# adds no ordering; RequiresMountsFor=/var/chroot/run would both order the
# service after the mounts and require them.
Wants=local-fs.target
# /etc/systemd/system/pdns-recursor.service.d/override.conf
# Drop-in over the packaged pdns-recursor.service; the empty ExecStart= clears
# the packaged command before the new one is set.
[Service]
# Foreground process, hence --daemon=no below.
Type=simple
ExecStart=
# No pid file; extra configuration is read from /etc/powerdns/recursor.d. The
# chroot directory is presumably set in the recursor configuration (chroot=),
# not shown on this page.
ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --include-dir=/etc/powerdns/recursor.d
# CAP_SYS_CHROOT for the daemon's own chroot(); the SETUID/SETGID/CHOWN caps
# presumably for its own privilege drop. As ambient capabilities they remain
# available after that drop — keep the list minimal (verify CAP_CHOWN).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
# NOTE(review): merged with the packaged unit's SystemCallFilter=. It re-allows
# @mount (which contains chroot()) only against an existing deny-list; with no
# packaged filter it becomes an allow-list of @mount alone and the recursor
# would be killed on its first other syscall — check with
# `systemctl cat pdns-recursor.service`. `SystemCallFilter=chroot` is narrower.
SystemCallFilter=@mount


[Unit]
# Pulls in local-fs.target but adds no ordering against the chroot mounts;
# RequiresMountsFor= on the bind-mount paths would order and require them.
Wants=local-fs.target