Upgrading BIND & Running Name Server with "named"

火星人 @ 2014-03-04, replies: 0


Summary:
Upgrade BIND in Solaris 10.
Run "named" with another user instead of "root".
Configure "named" in SMF.

Environment:
1. gcc 3.4.6 and libiconv 1.11 installed (required to compile the BIND source code), downloaded from sunfreeware.com.
2. "SUNWbindr" installed from the O.S. CD, so there is no need to create the service "svc:/network/dns/server:default" in SMF from scratch.
3. The current named binary is installed at /opt/bind-9.6.1-P1, and /opt/bind points to it: /opt/bind -> /opt/bind-9.6.1-P1.
4. The current named can be managed by "svcadm"; "/usr/sbin/named" has already been replaced by "/opt/bind/sbin/named" in the method script "/lib/svc/method/dns-server".
5. The logs defined in /etc/named.conf are under /mine/bind-logs.
6. "/opt/bind/bin:/opt/bind/sbin" has been prepended to the environment variable PATH, so those two directories are searched first.


==== Pre-outage Steps ====

1. Download the latest production release of BIND9 from www.isc.org and unpack it.
# cd /var/tmp
# gzcat bind-9.6.1-P2.tar.gz  | tar xf -

2. Compile the source and install it. Note that --with-openssl=no builds named without OpenSSL, so this build cannot sign or validate DNSSEC; keep that option only if that is intended.
# cd bind-9.6.1-P2
# ./configure --sysconfdir=/etc --prefix=/opt/bind-9.6.1-P2 --disable-ipv6 --enable-threads --with-openssl=no
# make
# make install

3. Customise the environment to run the name server as the user "named"

3.1 Create a user "named"
# groupadd -g 1688 named
# useradd -u 1688 -g named -m -d /var/named -s /sbin/noshell -c "Named" named
# rm /var/named/local.cshrc    /var/named/local.login    /var/named/local.profile

3.2 Modify the extended user attributes database by appending the following line to /etc/user_attr (it grants named only the privileges it needs, e.g. net_privaddr to bind port 53 without root, and drops proc_session, proc_info and file_link_any from the basic set):
named::::type=normal;defaultpriv=basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot;auths=solaris.smf.manage.bind

3.3 Change ownership of the directory "run" to be owned by "named".
# chown named:named /opt/bind-9.6.1-P2/var/run/


==== Outage Steps ====

4. Bring down the name server and start it with the new release

4.1 Bring down the name server.
# tail -f /mine/bind-logs/bind-misc.log
# svcadm disable dns/server
# ps -ef | grep named

4.2 Correct ownership of the directories for name server's logs and zone files.
# chown -R named:named /mine/bind-logs /var/named

4.3 Start the name server from the new release:
# unlink /opt/bind
# ln -s /opt/bind-9.6.1-P2 /opt/bind
# /opt/bind/sbin/named -u named
# ps -ef | grep named
    root 18882  6247   0 19:20:07 pts/1       0:00 grep named
   named 18437     1   0 19:18:54 ?           0:57 /opt/bind/sbin/named -u named

4.4 Verify that the name server is working properly
# rndc status
# nslookup sun.example.com localhost

4.5 Remove the BIND package installed by the O.S. (do not remove SUNWbindr!).
# pkgrm SUNWbind


5. Configure the DNS server in SMF and restart it

5.1 Verify that the DNS server is configured in SMF
# svcs -a | grep dns/server
disabled       Dec_02   svc:/network/dns/server:default

5.2 In the dns/server method script (/lib/svc/method/dns-server), replace
server="/usr/sbin/named"
with
server="/opt/bind/sbin/named"

5.3 Modify SMF configuration for starting the daemon "named" with the user "named"
# svccfg -s svc:/network/dns/server:default
svc:/network/dns/server:default> setprop start/group = astring: "named"
svc:/network/dns/server:default> setprop start/user = astring: "named"
svc:/network/dns/server:default> quit

# svccfg -s dns/server
svc:/network/dns/server> setprop tm_common_name/C = ustring:  "DNS Server"
svc:/network/dns/server> setprop tm_man_named/manpath = astring: /opt/bind/share/man
svc:/network/dns/server> setprop tm_man_named/section = astring: 8
svc:/network/dns/server> quit

# svcadm refresh dns/server

5.4 Shut down named and start it via SMF
# rndc stop
# ps -ef | grep named
# svcadm enable dns/server

5.5 Verify SMF status
# svcs -l dns/server
# svcs -xv dns/server

5.6 Verify name server status
# rndc status
# nslookup sun.example.com localhost
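The checks behind steps 3.2, 4.3 and 5.6 (is named really owned by the unprivileged user, and does its user_attr entry keep net_privaddr while dropping the extra basic privileges?) can be scripted. The example below is added here and is not part of the original post; it runs offline on constructed samples of "ps -ef" output and of /etc/user_attr modelled on the lines above.

```shell
# Added example (not from the original post): offline checks for the least-privilege setup.

# Constructed sample of "ps -ef" output, modelled on step 4.3.
SAMPLE_PS='    root 18882  6247   0 19:20:07 pts/1       0:00 grep named
   named 18437     1   0 19:18:54 ?           0:57 /opt/bind/sbin/named -u named'

# Constructed sample of /etc/user_attr with the entry appended in step 3.2.
SAMPLE_USER_ATTR='root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
named::::type=normal;defaultpriv=basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot;auths=solaris.smf.manage.bind'

# Print the owner of each process whose command (field 8) is a named binary;
# the "grep named" line is skipped because its command field is "grep".
named_owner() {
    printf '%s\n' "$1" | awk '$8 ~ /\/named$/ { print $1 }'
}

# Print the defaultpriv list of user $1 from user_attr content $2.
# user_attr fields are user:qualifier:res1:res2:attr; attr is ";"-separated key=value pairs.
user_defaultpriv() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^defaultpriv=/) { sub(/^defaultpriv=/, "", kv[i]); print kv[i] }
    }'
}

# Return 0 if privilege $2 is listed in $1 and not negated with "!".
has_priv() {
    case ",$1," in
        *",!$2,"*) return 1 ;;
        *",$2,"*)  return 0 ;;
    esac
    return 1
}

# Combined check: named owned by "named", net_privaddr kept (needed to bind
# port 53 without root) and proc_info from the basic set actually dropped.
check_named_setup() {
    owner=$(named_owner "$1")
    privs=$(user_defaultpriv named "$2")
    [ "$owner" = "named" ] || return 1
    has_priv "$privs" net_privaddr || return 1
    has_priv "$privs" proc_info && return 1
    return 0
}

if check_named_setup "$SAMPLE_PS" "$SAMPLE_USER_ATTR"; then
    echo "OK: named runs as $(named_owner "$SAMPLE_PS") with the expected privilege set"
else
    echo "FAIL: named is not running as the unprivileged user as configured" >&2
fi
```

On a real host, feed it the live output of "ps -ef" and the contents of /etc/user_attr instead of the constructed samples.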

[This post was last edited by chinaux on 2010-1-12 10:26]
《Solution》

I edited it a bit for the OP, no offence.
《Solution》

Originally posted by llzqq on 2010-1-6 14:12
I edited it a bit for the OP, no offence.


I revised it again. Does this count as submitting one manuscript twice? A pity there is no fee.





http://www.coctec.com/docs/service/show-post-19185.html