Post on 09-Feb-2017
© Men & Mice http://menandmice.com
runit: Keeping DNS servers up and running
Agenda
• The problem - system startup on Unix/Linux
• a solution: runit
• alternative solutions
• Example: BIND 9 configuration
• Example: Unbound configuration
• Example: Men & Mice Central configuration
• Demo
Service Process startup on Unix
• traditionally, Unix/Linux service processes (such as a DNS server) are started by shell scripts
• so-called "startscripts"
• available in "BSD rc" and "System V" variants
• Startscripts quit their duty after starting the process
• they do not monitor the process
• they do not automatically restart a service
"one off" solutions
• the BIND 9 source tree contains "nanny.pl" (in contrib/nanny/nanny.pl)
• a simple perl script that restarts BIND once it terminates
• offers little control / manageability
runit
• "runit" is a simple and lean, but powerful process supervisor
• available for many Unix/Linux systems
• Red Hat, Debian, Ubuntu, Suse, FreeBSD, OpenBSD …
• Homepage: http://smarden.org/runit
Alternatives
• "runit" is not the only available process supervisor
• other tools might also fit your needs
• supervisord
• monit
• daemontools
• SMF (Solaris)
• launchd (Apple MacOS X)
Systemd?
• what about "systemd"?
• "systemd", the new Linux start-system (PID 1), is also a process supervisor
• might be too complex for simple dedicated DNS server
• many dependencies (D-Bus etc)
• does much more than just process supervision
• replaces the init (PID 1) process
• limited portability (Linux only, a problem in a heterogeneous datacenter)
"runit" installation on Debian 8
$ sudo -s
# apt install runit
# mkdir /etc/service.available
# systemctl enable runit
# systemctl start runit
# ps -ef | grep runsvdir
root 437 1 0 22:33 ? 00:00:00 runsvdir -P /etc/service log: ..........
BIND 9 configuration (1)
Installation:
$ sudo -s
# apt install bind9
# systemctl disable bind9
Synchronizing state for bind9.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d bind9 defaults
Executing /usr/sbin/update-rc.d bind9 disable
insserv: warning: current start runlevel(s) (empty) of script `bind9' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `bind9' overrides LSB defaults (0 1 6).
# systemctl stop bind9
BIND 9 configuration (2)
"runit" startscript (the directory is created under /etc/service.available, so the run script lives there too):
$ sudo -s
# mkdir /etc/service.available/bind9
# $EDITOR /etc/service.available/bind9/run
———
#!/bin/sh
/usr/sbin/named -f -u bind
———
# chmod +x /etc/service.available/bind9/run
BIND 9 configuration (3)
"runit" stopscript:
$ sudo -s
# $EDITOR /etc/service.available/bind9/finish
———
#!/bin/sh
/usr/sbin/rndc stop
sleep 2
pkill named
———
# chmod +x /etc/service.available/bind9/finish
BIND 9 configuration (4)
"enable" the service:
$ sudo -s
# ln -s /etc/service.available/bind9 /etc/service/
# rndc status
version: 9.9.5-9+deb8u3-Debian <id:f9b8a50e>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 100
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
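As an added example (not from the slides, and not part of runit itself), a POSIX shell helper that builds a runit service directory like the bind9 one above (the unbound and mmcentral directories later in the deck follow the same layout), plus a sanity check to run before symlinking the directory into /etc/service. The generated run script uses `exec`, so runsv supervises and signals the daemon itself rather than a wrapper shell; the staging root, the check function and its messages are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Men & Mice slides: generate a runit service
# directory (run + finish scripts) for a foreground daemon and sanity-check it.
# Assumption: ROOT is a staging directory such as /etc/service.available from
# the slides; nothing here touches /etc/service itself.

# make_runit_service ROOT NAME START_CMD STOP_CMD
# The run script uses `exec` so the daemon replaces the shell: runsv then
# supervises (and `sv stop` signals) named/unbound directly, not a wrapper shell.
make_runit_service() {
    root=$1 name=$2 start=$3 stop=$4
    svcdir="$root/$name"
    mkdir -p "$svcdir" || return 1
    cat > "$svcdir/run" <<EOF
#!/bin/sh
# started by runsv; the daemon must stay in the foreground
# (BIND: named -f, Unbound: do-daemonize: no)
exec $start
EOF
    cat > "$svcdir/finish" <<EOF
#!/bin/sh
# run by runsv after the daemon exits or when 'sv stop' is issued
$stop
EOF
    chmod 0755 "$svcdir/run" "$svcdir/finish"
}

# check_runit_service DIR: checks a practitioner would run before
# `ln -s DIR /etc/service/`. Returns 0 when the directory looks usable.
check_runit_service() {
    d=$1
    [ -x "$d/run" ] || { echo "$d: run missing or not executable" >&2; return 1; }
    head -n 1 "$d/run" | grep -q '^#!/' || { echo "$d/run: no interpreter line" >&2; return 1; }
    grep -q '^exec ' "$d/run" || { echo "$d/run: daemon is not exec'ed; sv stop would signal the shell only" >&2; return 1; }
    [ ! -e "$d/finish" ] || [ -x "$d/finish" ] || { echo "$d/finish: not executable" >&2; return 1; }
    return 0
}

# Demonstration in a scratch directory (constructed, safe to run as any user).
demo_root=$(mktemp -d)
make_runit_service "$demo_root" bind9 "/usr/sbin/named -f -u bind" "/usr/sbin/rndc stop"
check_runit_service "$demo_root/bind9" && echo "bind9 service directory OK"
cat "$demo_root/bind9/run"
rm -rf "$demo_root"
```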
Controlling services with "runit"
the "sv" command:
$ sudo -s
# sv status bind9
run: bind9: (pid 1820) 123s
# sv stop bind9
ok: down: bind9: 0s, normally up
# sv start bind9
ok: run: bind9: (pid 1849) 0s
# sv check bind9
ok: run: bind9: (pid 1849) 85s
"sv" as an init-script surrogate
the "sv" binary can be symlinked into /etc/init.d to act as an init-script surrogate:
$ sudo -s
# mv /etc/init.d/bind9 /etc/init.d/bind9.debian
# ln -s /usr/bin/sv /etc/init.d/bind9
# /etc/init.d/bind9 status
run: bind9: (pid 1946) 222s
# /etc/init.d/bind9 stop
ok: down: bind9: 0s, normally up
# /etc/init.d/bind9 start
ok: run: bind9: (pid 2004) 0s
disable a "runit" service
just remove the symlink from the /etc/service directory:
$ sudo -s
# sv status bind9
run: bind9: (pid 2004) 121s
# rm /etc/service/bind9
# sv status bind9
fail: bind9: unable to change to service directory: file does not exist
# rndc status
rndc: connect failed: 127.0.0.1#953: connection refused
"unbound" as a runit service (1)
Installation:
$ sudo -s
# apt install unbound
# systemctl stop unbound
# systemctl disable unbound
Synchronizing state for unbound.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d unbound defaults
Executing /usr/sbin/update-rc.d unbound disable
insserv: warning: current start runlevel(s) (empty) of script `unbound' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `unbound' overrides LSB defaults (0 1 6).
"unbound" as a runit service (2)
Scripts (unbound must not daemonize, otherwise runsv would lose track of it):
$ sudo -s
# mkdir /etc/service.available/unbound
# echo "server: do-daemonize: no" > /etc/unbound/unbound.conf.d/daemonize.conf
# $EDITOR /etc/service.available/unbound/run
———
#!/bin/sh
/usr/sbin/unbound
———
# $EDITOR /etc/service.available/unbound/finish
———
#!/bin/sh
/usr/sbin/unbound-control stop
———
# chmod +x /etc/service.available/unbound/run
# chmod +x /etc/service.available/unbound/finish
"unbound" as a runit service (3)
enable the "unbound" service:
$ sudo -s
# ln -s /etc/service.available/unbound /etc/service/unbound
# unbound-control status
version: 1.4.22
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 60 seconds
unbound (pid 2680) is running...
# dig @localhost menandmice.training soa +m
; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> @localhost menandmice.training soa +m
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46669
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;menandmice.training. IN SOA

;; ANSWER SECTION:
menandmice.training. 3600 IN SOA ns2.myinfrastructure.org. hostmaster.menandmice.training. (
    21 ; serial
    86400 ; refresh (1 day)
    7200 ; retry (2 hours)
    3542400 ; expire (5 weeks 6 days)
    3600 ; minimum (1 hour)
    )
"mmcentral" with runit (1)
Installation:
$ sudo -s
# wget ftp://ftp.menandmice.com/pub/mmsuite/Linux/6.9.0/mmsuite-central-6.9.0.linux.tgz
# tar xfz mmsuite-central-6.9.0.linux.tgz
# mv mmsuite-central-6.9.0.linux/linux/mmcentrald /usr/local/sbin/
# mkdir -p /var/mmsuite/mmcentral
# mv mmsuite-central-6.9.0.linux/update /var/mmsuite/mmcentral/
# mv mmsuite-central-6.9.0.linux/mmcentral.conf /var/mmsuite/mmcentral/
# adduser --system --no-create-home --disabled-password --disabled-login mmcentral
Adding system user `mmcentral' (UID 110) ...
Adding new user `mmcentral' (UID 110) with group `nogroup' ...
Not creating home directory `/home/mmcentral'.
# chown -R mmcentral /var/mmsuite/mmcentral
"mmcentral" with runit (2)
"runit" scripts:
$ sudo -s
# mkdir /etc/service.available/mmcentral
# $EDITOR /etc/service.available/mmcentral/run
———
#!/bin/sh
/usr/local/sbin/mmcentrald -ummcentral -debug
———
# chmod +x /etc/service.available/mmcentral/run
# $EDITOR /etc/service.available/mmcentral/finish
———
#!/bin/sh
pkill mmcentrald
———
# chmod +x /etc/service.available/mmcentral/finish
# ln -s /usr/bin/sv /etc/init.d/mmcentral
# /etc/init.d/mmcentral status
run: mmcentral: (pid 5063) 24s
# lsof -i | grep mm
mmcentral 5064 mmcentral 77u IPv4 22844 0t0 TCP *:1231 (LISTEN)
Upcoming Webinars
• 19.11.2015 – RIPE 71 & IETF 94 reports
• 16.12.2015 – DNSTAP – have a deep look into DNS server operations
• January 2016 – the DNS server in Windows 2016 Server – a big leap forward (views, response rate limiting, ACLs and more)
• 2016 – an Update on DNSSEC and DANE: new implementations, adoption in the market, new Internet Standards
Upcoming Trainings
• November 16 – 17, 2015 Introduction to DNS & BIND Hands on, Redwood City (CA), USA (confirmed)
• November 16 – 20, 2015 Introduction & Advanced DNS and BIND Hands on, Redwood City (CA), USA (confirmed)
• November 30 – December 1, 2015 Introduction to DNS & BIND Hands on, Amsterdam, The Netherlands
• November 30 – December 4, 2015 Introduction & Advanced DNS and BIND Hands on, Amsterdam, The Netherlands
• November 30 – December 1, 2015 IPv6 Fundamentals Hands-On Workshop, Amsterdam, The Netherlands
• December 2 – 4, 2015 DNSSEC Technical Workshop – Implementation and Deployment, Amsterdam, The Netherlands
Questions?