howtos:bind-dhcpd-apparmor
Revision: created 02/12/2018 21:34 (external edit, 127.0.0.1)
This is an addition to [[bind-apparmor]]: it makes dhcpd send signed dynamic DNS updates to bind whenever a lease has been handed out, so the forward and reverse zones stay in sync with the lease table.
First check the AppArmor profile for named; mine looks like this:

<
# Last Modified: Mon Oct 6 20:46:31 2008
#include <
/
  #include <
  #include <
  #include <

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
}
</
It can be a real pain: every time you change your bind configuration (adding zone files and such), AppArmor may block read or write access and stop bind from working. Fortunately AppArmor logs exactly what it blocked, so you can update the profile and reload it with apparmor_parser -r on the profile file. Dynamic DNS makes this worse than a static setup, because named now has to write the zone file and its .jnl journal, not just read them; on Debian and Ubuntu the stock profile grants read-only access under /etc/bind and read-write access under /var/lib/bind, so dynamically updated zone files belong in the latter unless you extend the profile.

Next, generate a shared secret (a TSIG key) that dhcpd will use to sign its update requests to bind:
<
sudo dnssec-keygen -r /
</
This produces an HMAC-MD5 key, which is what the configuration on this page uses. Newer BIND releases no longer generate HMAC keys with dnssec-keygen at all; there tsig-keygen prints a ready-made key clause and defaults to hmac-sha256, and since both BIND 9 and ISC DHCP 4 accept hmac-sha256, prefer it for a new setup.

Grab the key from the file:
<
sudo cat Kdhcp_updater.*.private | grep Key
</

The output will be something like this:
<
Key: 9B7OkWhzwA+QZMenKqChVw==
</
The key clause below gives bind the shared secret, and the two zone clauses accept updates only from requests signed with that key (allow-update { key DHCP_UPDATER; }); allow-transfer { 127.0.0.1; } keeps zone transfers local. Treat the secret as a write password for both zones: keep it out of world-readable files, for example by putting the key clause in a separate file with mode 640 that named.conf includes. Now make some changes to /

<
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "
};

zone "
    type master;
    file "
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER;
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify { };
};

zone "
    type master;
    file "
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER;
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify { };
};

</

Next, edit the dhcp server config file. The example below uses ddns-update-style interim; ISC DHCP 4.3 and later accept ddns-update-style standard, which is the current style (interim still works but is deprecated). ignore client-updates makes the server perform both the A and the PTR update itself instead of trusting the client to update its own forward record.
<
sudo nano /
</

<
ddns-update-style interim;
ignore client-updates;
ddns-domainname "
ddns-rev-domainname "

one-lease-per-client false;
allow bootp;
option T150 code 150 = string;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "
};

zone domingo.dk. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

zone 1.16.172.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}


subnet 172.16.1.0 netmask 255.255.255.0 {
    interface eth0;
    range 172.16.1.100 172.16.1.200;
    default-lease-time 6000;
    max-lease-time 7200;
    option domain-name "
    option subnet-mask 255.255.255.0;
    option routers 172.16.1.1;
    option domain-name-servers 172.16.1.1 , 193.162.153.164 , 194.239.134.83;
    option time-offset -3600;
    option ntp-servers dk.pool.ntp.org;
}   # closes the subnet block; dhcpd refuses to start without it
</

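The key generation and the two matching key clauses above are easy to get out of sync by hand (different algorithm spelling, a pasted secret with a stray newline, a world-readable config). Here is an added example, not part of the original page, that does the whole key step in one go: it generates one secret and writes identical key clauses for named.conf and dhcpd.conf into files that only the owner and group can read, which you then pull in with an include statement instead of inlining the secret. It assumes a 256-bit hmac-sha256 secret rather than the page's HMAC-MD5 (both BIND 9 and ISC DHCP 4 accept hmac-sha256); the file names named.dhcp_updater.key and dhcpd.dhcp_updater.key and the ownership suggested in the comments are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): generate one TSIG secret and
# write identical key clauses for named.conf and dhcpd.conf so the two
# daemons never disagree. Assumptions: hmac-sha256 with a 256-bit secret,
# and the output file names below, which were chosen for this example.
set -eu

KEY_NAME="${KEY_NAME:-DHCP_UPDATER}"
KEY_ALG="${KEY_ALG:-hmac-sha256}"

# 32 random bytes, base64 encoded: 44 characters, no trailing newline.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print a key clause; the syntax is the same for named.conf and dhcpd.conf.
key_clause() {
    printf 'key %s {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# Write both key files into directory $1 with no world access and print the
# secret so the caller can verify it. Install them as, for example,
#   /etc/bind/dhcp_updater.key  (root:bind  0640)
#   /etc/dhcp/dhcp_updater.key  (root:dhcpd 0640)
# and reference them with  include "/etc/bind/dhcp_updater.key";  in
# named.conf and  include "/etc/dhcp/dhcp_updater.key";  in dhcpd.conf.
write_key_files() {
    dir="$1"
    secret="$(gen_secret)"
    umask 077
    key_clause "$KEY_NAME" "$KEY_ALG" "$secret" > "$dir/named.dhcp_updater.key"
    key_clause "$KEY_NAME" "$KEY_ALG" "$secret" > "$dir/dhcpd.dhcp_updater.key"
    chmod 0640 "$dir/named.dhcp_updater.key" "$dir/dhcpd.dhcp_updater.key"
    printf '%s\n' "$secret"
}

# Sanity check after generation: both files carry the same 44-character secret.
check_key_files() {
    s1=$(sed -n 's/.*secret "\(.*\)";/\1/p' "$1/named.dhcp_updater.key")
    s2=$(sed -n 's/.*secret "\(.*\)";/\1/p' "$1/dhcpd.dhcp_updater.key")
    [ -n "$s1" ] && [ "$s1" = "$s2" ] && [ "${#s1}" -eq 44 ]
}

# Usage:  sh tsig-key.sh --write /some/dir
if [ "${1:-}" = "--write" ]; then
    write_key_files "${2:-.}"
    check_key_files "${2:-.}"
fi
```

Because both daemons read the same clause text, a mismatch can only come from editing one file after the fact; if updates start failing with a BADSIG or BADKEY in the bind log, run check_key_files against the installed copies before looking anywhere else.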
Now restart the bind and dhcp services:
<
sudo /
sudo /
</

From now on, whenever a new lease is handed out, dhcpd sends a signed update and the A and PTR records should appear in the two zones. Check it with dig against the local server (an A query for hostname.domingo.dk and a PTR query for the address at @127.0.0.1) rather than by reading the zone file: dynamic changes live in the .jnl journal until bind writes the zone file out.

If you grind to a halt somewhere in the process, a good place to look is the syslog:
<
tail -f /
</
I don't know why, but I constantly end up being blocked by AppArmor, so start looking for AppArmor errors in the syslog when you run into trouble.
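Digging AppArmor denials out of syslog is the step you end up repeating, so here is an added helper, not from the original page, that reads AppArmor DENIED lines from syslog on stdin and prints, per profile, the file rule that would satisfy each denial, in the same syntax as the profile shown at the top of this page. The sample log lines are constructed for the example (paths, PIDs and timestamps are made up) and show the usual dynamic DNS failure: named denied write access to a zone file and its .jnl journal under /etc/bind.

```shell
#!/bin/sh
# Added example (not from the original page): turn AppArmor denials in
# syslog into candidate profile rules. The sample input below is constructed;
# real lines come from  grep 'apparmor="DENIED"' /var/log/syslog  or from
# journalctl -k on systemd hosts.

# Read syslog on stdin, print "profile<TAB>path perms," once per distinct denial.
apparmor_denials() {
    awk '
    /apparmor="DENIED"/ {
        prof = ""; name = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub("\"", "", v)
            if (k == "profile") prof = v
            else if (k == "name") name = v
            else if (k == "denied_mask") mask = v
        }
        if (prof == "" || name == "" || mask == "") next
        # Audit masks use "c" for create, which a profile spells as "w";
        # emit permissions in the order profiles normally list them.
        perms = ""
        canon = "rwaklmx"
        for (j = 1; j <= length(canon); j++) {
            p = substr(canon, j, 1)
            if (index(mask, p) || (p == "w" && index(mask, "c"))) perms = perms p
        }
        printf "%s\t%s %s,\n", prof, name, perms
    }' | LC_ALL=C sort -u
}

# Constructed sample: named tries to write the zone file and its journal
# under /etc/bind, which the stock Debian/Ubuntu profile only lets it read.
# The unrelated dhcpd line shows that non-AppArmor noise is ignored.
SAMPLE_SYSLOG='Dec  2 21:34:10 ns1 kernel: [ 1234.567890] audit: type=1400 audit(1543786450.123:41): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/db.domingo.dk.jnl" pid=2210 comm="named" requested_mask="rwc" denied_mask="rwc" fsuid=101 ouid=101
Dec  2 21:34:10 ns1 dhcpd[1980]: DHCPACK on 172.16.1.100 to 00:11:22:33:44:55 via eth0
Dec  2 21:34:10 ns1 kernel: [ 1234.567901] audit: type=1400 audit(1543786450.124:42): apparmor="DENIED" operation="rename_dest" profile="/usr/sbin/named" name="/etc/bind/db.domingo.dk" pid=2210 comm="named" requested_mask="w" denied_mask="w" fsuid=101 ouid=101
Dec  2 21:34:12 ns1 kernel: [ 1235.000001] audit: type=1400 audit(1543786452.001:43): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/db.domingo.dk.jnl" pid=2210 comm="named" requested_mask="rwc" denied_mask="rwc" fsuid=101 ouid=101'

# Run the parser over the constructed sample.
demo_denials() {
    printf '%s\n' "$SAMPLE_SYSLOG" | apparmor_denials
}

# Usage:  sh aa-denials.sh --demo      or      apparmor_denials < /var/log/syslog
if [ "${1:-}" = "--demo" ]; then
    demo_denials
fi
```

The two rules it prints for the sample (db.domingo.dk with w and db.domingo.dk.jnl with rw) are exactly what named needs for a dynamically updated zone; rather than pasting them into the profile verbatim, decide whether the zone should simply move under /var/lib/bind, where the stock profile already grants rw, since widening write access under /etc/bind lets a compromised named rewrite its own configuration.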

//Source: http://
howtos/bind-dhcpd-apparmor.txt · Last modified: 16/02/2023 07:04 by domingo