Keeping DNS server up-and-running with "runit"

© Men & Mice http://menandmice.com

Upload: men-and-mice

Post on 09-Feb-2017


TRANSCRIPT

Page 1: Keeping DNS server up-and-running with "runit"

Page 2: Agenda

• The problem: system startup on Unix/Linux
• A solution: runit
• Alternative solutions
• Example: BIND 9 configuration
• Example: Unbound configuration
• Example: Men & Mice Central configuration
• Demo

Page 3: Service process startup on Unix

• Traditionally, Unix/Linux service processes (such as a DNS server) are started by shell scripts
  • so-called "startscripts"
  • available in "BSD rc" and "System V" variants
• Startscripts have finished their duty once the process is started
  • they do not monitor the process
  • they do not automatically restart a service

Page 4: "One off" solutions

• The BIND 9 source tree contains "nanny.pl" (in contrib/nanny/nanny.pl)
  • a simple Perl script that restarts BIND once it terminates
  • offers little control / manageability

Page 5: runit

• "runit" is a simple and lean, but powerful process supervisor
• available for many Unix/Linux systems
  • Red Hat, Debian, Ubuntu, SUSE, FreeBSD, OpenBSD ...
• Homepage: http://smarden.org/runit

Page 6: Alternatives

• "runit" is not the only available process supervisor
• other tools might also fit your needs
  • supervisord
  • monit
  • daemontools
  • SMF (Solaris)
  • launchd (Apple Mac OS X)

Page 7: Systemd?

• What about "systemd"?
• "systemd", the new Linux init system (PID 1), is also a process supervisor
• might be too complex for a simple dedicated DNS server
  • many dependencies (D-Bus etc.)
  • does much more than just process supervision
  • replaces the init (PID 1) process
  • limited portability (Linux only; a problem in a heterogeneous datacenter)

Page 8: "runit" installation on Debian 8

    $ sudo -s
    # apt install runit
    # mkdir /etc/service.available
    # systemctl enable runit
    # systemctl start runit
    # ps -ef | grep runsvdir
    root  437  1  0 22:33 ?  00:00:00 runsvdir -P /etc/service log: ........................................

Page 9: BIND 9 configuration (1)

Installation:

    $ sudo -s
    # apt install bind9
    # systemctl disable bind9
    Synchronizing state for bind9.service with sysvinit using update-rc.d...
    Executing /usr/sbin/update-rc.d bind9 defaults
    Executing /usr/sbin/update-rc.d bind9 disable
    insserv: warning: current start runlevel(s) (empty) of script `bind9' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `bind9' overrides LSB defaults (0 1 6).
    # systemctl stop bind9

Page 10: BIND 9 configuration (2)

"runit" startscript (the "run" script in the service directory):

    $ sudo -s
    # mkdir /etc/service.available/bind9
    # $EDITOR /etc/service.available/bind9/run
    ---
    #!/bin/sh
    # -f keeps named in the foreground so runsv can supervise it;
    # exec replaces the shell so signals from "sv" reach named directly
    exec /usr/sbin/named -f -u bind
    ---
    # chmod +x /etc/service.available/bind9/run

Page 11: BIND 9 configuration (3)

"runit" stopscript (the "finish" script, run by runsv after the process has exited):

    $ sudo -s
    # $EDITOR /etc/service.available/bind9/finish
    ---
    #!/bin/sh
    # ask named to shut down cleanly, give it a moment, then make sure it is gone
    /usr/sbin/rndc stop
    sleep 2
    pkill named
    ---
    # chmod +x /etc/service.available/bind9/finish

Page 12: BIND 9 configuration (4)

"Enable" the service by linking it into the directory watched by runsvdir:

    $ sudo -s
    # ln -s /etc/service.available/bind9 /etc/service/
    # rndc status
    version: 9.9.5-9+deb8u3-Debian <id:f9b8a50e>
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 100
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running

Page 13: Controlling services with "runit"

The "sv" command:

    $ sudo -s
    # sv status bind9
    run: bind9: (pid 1820) 123s
    # sv stop bind9
    ok: down: bind9: 0s, normally up
    # sv start bind9
    ok: run: bind9: (pid 1849) 0s
    # sv check bind9
    ok: run: bind9: (pid 1849) 85s

Page 14: "sv" as an init-script surrogate

The "sv" command can be linked into /etc/init.d to act as an init-script surrogate (sv takes the service name from the name it was invoked as):

    $ sudo -s
    # mv /etc/init.d/bind9 /etc/init.d/bind9.debian
    # ln -s /usr/bin/sv /etc/init.d/bind9
    # /etc/init.d/bind9 status
    run: bind9: (pid 1946) 222s
    # /etc/init.d/bind9 stop
    ok: down: bind9: 0s, normally up
    # /etc/init.d/bind9 start
    ok: run: bind9: (pid 2004) 0s

Page 15: Disable a "runit" service

Just remove the symlink from the /etc/service directory:

    $ sudo -s
    # sv status bind9
    run: bind9: (pid 2004) 121s
    # rm /etc/service/bind9
    # sv status bind9
    fail: bind9: unable to change to service directory: file does not exist
    # rndc status
    rndc: connect failed: 127.0.0.1#953: connection refused
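The BIND 9 procedure on the preceding slides (run script, finish script, enable by symlink, disable by removing it) as one added shell example; this is not code from the slides or from runit itself. The function names and the scratch-directory parameters are assumptions made here so the layout can be exercised without touching /etc.

```shell
#!/bin/sh
# Added example (not from the Men & Mice slides): build a runit service
# directory in the layout the slides use, <AVAIL_DIR>/<name> holding
# run + finish, enabled by a symlink into <SERVICE_DIR>.
# On a real host AVAIL_DIR is /etc/service.available, SERVICE_DIR is /etc/service.

# make_runit_service NAME AVAIL_DIR START_CMD STOP_CMD
make_runit_service() {
    name=$1; avail=$2; start_cmd=$3; stop_cmd=$4
    dir="$avail/$name"
    mkdir -p "$dir" || return 1
    # exec makes the daemon the direct child of runsv, so "sv stop"
    # signals the daemon itself instead of a wrapper shell.
    printf '#!/bin/sh\nexec %s\n' "$start_cmd" > "$dir/run"
    # runsv calls finish with the exit code of run ($1, -1 if killed by a
    # signal) and the low byte of the wait status ($2): log them, then stop cleanly.
    printf '#!/bin/sh\necho "%s exited code=$1 status=$2" >&2\n%s\n' \
        "$name" "$stop_cmd" > "$dir/finish"
    chmod 755 "$dir/run" "$dir/finish"
}

# enable_runit_service NAME AVAIL_DIR SERVICE_DIR
# runsvdir notices the new symlink and starts supervising within seconds.
enable_runit_service() {
    [ -x "$2/$1/run" ] || return 1   # refuse to enable a service without a run script
    rm -f "$3/$1"
    ln -s "$2/$1" "$3/$1"
}

# disable_runit_service NAME SERVICE_DIR: removing the symlink ends supervision.
disable_runit_service() {
    [ -L "$2/$1" ] && rm "$2/$1"
}

# is_enabled NAME SERVICE_DIR: true when the symlink exists and leads to a run script.
is_enabled() {
    [ -L "$2/$1" ] && [ -x "$2/$1/run" ]
}
```

The finish script written here only records why run exited before executing the stop command; the "rndc stop; sleep 2; pkill named" sequence from the slides can be passed in as STOP_CMD unchanged.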

Page 16: "unbound" as a runit service (1)

Installation:

    $ sudo -s
    # apt install unbound
    # systemctl stop unbound
    # systemctl disable unbound
    Synchronizing state for unbound.service with sysvinit using update-rc.d...
    Executing /usr/sbin/update-rc.d unbound defaults
    Executing /usr/sbin/update-rc.d unbound disable
    insserv: warning: current start runlevel(s) (empty) of script `unbound' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `unbound' overrides LSB defaults (0 1 6).

Page 17: "unbound" as a runit service (2)

Scripts (unbound must be told not to daemonize, otherwise runsv would lose track of it):

    $ sudo -s
    # mkdir /etc/service.available/unbound
    # echo "server: do-daemonize: no" > /etc/unbound/unbound.conf.d/daemonize.conf
    # $EDITOR /etc/service.available/unbound/run
    ---
    #!/bin/sh
    # exec so that runsv supervises unbound itself, not a wrapper shell
    exec /usr/sbin/unbound
    ---
    # $EDITOR /etc/service.available/unbound/finish
    ---
    #!/bin/sh
    /usr/sbin/unbound-control stop
    ---
    # chmod +x /etc/service.available/unbound/run
    # chmod +x /etc/service.available/unbound/finish

Page 18: "unbound" as a runit service (3)

Enable the "unbound" service:

    $ sudo -s
    # ln -s /etc/service.available/unbound /etc/service/unbound
    # unbound-control status
    version: 1.4.22
    verbosity: 1
    threads: 1
    modules: 2 [ validator iterator ]
    uptime: 60 seconds
    unbound (pid 2680) is running...
    # dig @localhost menandmice.training soa +m

    ; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> @localhost menandmice.training soa +m
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46669
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;menandmice.training.           IN      SOA

    ;; ANSWER SECTION:
    menandmice.training.    3600    IN      SOA     ns2.myinfrastructure.org. hostmaster.menandmice.training. (
                                    21         ; serial
                                    86400      ; refresh (1 day)
                                    7200       ; retry (2 hours)
                                    3542400    ; expire (5 weeks 6 days)
                                    3600       ; minimum (1 hour)
                                    )

Page 19: "mmcentral" with runit (1)

Installation:

    $ sudo -s
    # wget ftp://ftp.menandmice.com/pub/mmsuite/Linux/6.9.0/mmsuite-central-6.9.0.linux.tgz
    # tar xfz mmsuite-central-6.9.0.linux.tgz
    # mv mmsuite-central-6.9.0.linux/linux/mmcentrald /usr/local/sbin/
    # mkdir -p /var/mmsuite/mmcentral
    # mv mmsuite-central-6.9.0.linux/update /var/mmsuite/mmcentral/
    # mv mmsuite-central-6.9.0.linux/mmcentral.conf /var/mmsuite/mmcentral/
    # adduser --system --no-create-home --disabled-password --disabled-login mmcentral
    Adding system user `mmcentral' (UID 110) ...
    Adding new user `mmcentral' (UID 110) with group `nogroup' ...
    Not creating home directory `/home/mmcentral'.
    # chown -R mmcentral /var/mmsuite/mmcentral

Page 20: "mmcentral" with runit (2)

"runit" scripts:

    $ sudo -s
    # mkdir /etc/service.available/mmcentral
    # $EDITOR /etc/service.available/mmcentral/run
    ---
    #!/bin/sh
    # -debug keeps mmcentrald in the foreground; exec so runsv supervises it directly
    exec /usr/local/sbin/mmcentrald -ummcentral -debug
    ---
    # chmod +x /etc/service.available/mmcentral/run
    # $EDITOR /etc/service.available/mmcentral/finish
    ---
    #!/bin/sh
    pkill mmcentrald
    ---
    # chmod +x /etc/service.available/mmcentral/finish
    # ln -s /usr/bin/sv /etc/init.d/mmcentral
    # /etc/init.d/mmcentral status
    run: mmcentral: (pid 5063) 24s
    # lsof -i | grep mm
    mmcentral 5064 mmcentral   77u  IPv4  22844  0t0  TCP *:1231 (LISTEN)

Page 21: Upcoming Webinars

• 19.11.2015: RIPE 71 & IETF 94 reports
• 16.12.2015: DNSTAP, a deep look into DNS server operations
• January 2016: the DNS server in Windows Server 2016, a big leap forward (views, response rate limiting, ACLs and more)
• 2016: an update on DNSSEC and DANE: new implementations, adoption in the market, new Internet Standards

Page 22: Upcoming Trainings

• November 16 – 17, 2015: Introduction to DNS & BIND Hands-on, Redwood City (CA), USA (confirmed)
• November 16 – 20, 2015: Introduction & Advanced DNS and BIND Hands-on, Redwood City (CA), USA (confirmed)
• November 30 – December 1, 2015: Introduction to DNS & BIND Hands-on, Amsterdam, The Netherlands
• November 30 – December 4, 2015: Introduction & Advanced DNS and BIND Hands-on, Amsterdam, The Netherlands
• November 30 – December 1, 2015: IPv6 Fundamentals Hands-On Workshop, Amsterdam, The Netherlands
• December 2 – 4, 2015: DNSSEC Technical Workshop – Implementation and Deployment, Amsterdam, The Netherlands

Page 23: Questions?