howtos:bind-dhcpd-apparmor
This is an addition to [[bind-apparmor]] and will automatically update bind when dhcp leases have been given out.

First check apparmor; mine looks like this:

<file>
# Last Modified: Mon Oct  6 20:46:31 2008
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/nis>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /usr/sbin/named mr,
  /var/lib/named/dev/random r,
  /var/lib/named/etc/127.0.0 r,
  /var/lib/named/etc/bind/named.conf r,
  /var/lib/named/etc/bind/named.conf.local r,
  /var/lib/named/etc/bind/rndc.key r,
  /var/lib/named/etc/localhost r,
  /var/lib/named/etc/localtime r,
  /var/lib/named/etc/named.run a,
  /var/lib/named/etc/root.hints r,
  /var/lib/named/etc/sites/domingo.dk/** rw,
  /var/lib/named/etc/named.run rw,
  /var/lib/named/var/run/named.pid w,
}
</file>
It can be a real pain, but every time you make changes to your bind configuration (adding files and such), apparmor will block read/write access to the new paths and prevent bind from working. Fortunately apparmor logs what it has blocked, so you can add the missing paths to the profile and reload it.

Next, generate a shared secret (a TSIG key) for intercommunication between dhcpd and bind:
<code>
sudo dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
</code>

Grab the key from the file:
<code>
sudo cat Kdhcp_updater.*.private|grep Key
</code>

The output will be something like this:
<code>
Key: 9B7OkWhzwA+QZMenKqChVw==
</code>

Now edit /etc/bind/named.conf.local to insert the key and allow dhcpd to update the zones:

<file>
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "9B7OkWhzwA+QZMenKqChVw==";
};

zone "domingo.dk" IN {
    type master;
    file "sites/domingo.dk/forward.zone";
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER; };    # This gives dhcp the update capabilities on the zone
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify { };
};

zone "1.16.172.in-addr.arpa" {
    type master;
    file "sites/domingo.dk/reverse.zone";
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER; };    # This gives dhcp the update capabilities on the reverse zone
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify { };
};
</file>

Now open the dhcp server config file:
<code>
sudo nano /etc/dhcp3/dhcpd.conf
</code>

<file>
ddns-update-style interim;
ignore client-updates;      # Overwrite client configured FQHNs
ddns-domainname "domingo.dk.";
ddns-rev-domainname "in-addr.arpa.";

one-lease-per-client false;
allow bootp;
option T150 code 150 = string;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "9B7OkWhzwA+QZMenKqChVw==";
};

# The zone names must match the zones in named.conf.local (trailing dot included)
zone domingo.dk. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

zone 1.16.172.in-addr.arpa. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

subnet 172.16.1.0 netmask 255.255.255.0 {
    interface eth0;
    range 172.16.1.100 172.16.1.200;
    default-lease-time 6000;
    max-lease-time 7200;
    option domain-name "domingo.dk";
    option subnet-mask 255.255.255.0;
    option routers 172.16.1.1;
    option domain-name-servers 172.16.1.1, 193.162.153.164, 194.239.134.83;
    option time-offset -3600;
    option ntp-servers dk.pool.ntp.org;
}
</file>

Now bounce the bind and dhcp services:
<code>
sudo /etc/init.d/bind9 restart
sudo /etc/init.d/dhcp3-server restart
</code>

Now whenever a new lease is dealt out the DNS records should be updated accordingly.

If you grind to a halt somewhere in the process, a good place to look is the syslog:
<code>
tail -f /var/log/syslog
</code>
I don't know why but I constantly end up being blocked by apparmor. So start looking for apparmor errors in the syslog when you run into trouble.
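Since apparmor logs each access it blocks, the quickest way out of that situation is to turn the DENIED lines into profile rules. The following POSIX shell helper is an added example, not part of the original howto: it reads syslog on stdin and prints candidate rule lines for the /usr/sbin/named profile. The syslog lines embedded in it are constructed, and it assumes the audit-style log format with apparmor="DENIED", profile=, name= and denied_mask= fields.

```shell
#!/bin/sh
# Added example (not from the original howto): turn AppArmor "DENIED" lines
# from /var/log/syslog into candidate rules for the /usr/sbin/named profile,
# so the profile can be extended instead of guessing which path was blocked.
# Assumes the audit-style log format with apparmor="DENIED", profile="...",
# name="..." and denied_mask="..." fields.

# Constructed sample syslog lines (not a real capture): two named denials after
# a new zone was added, one denial from another profile, one complain-mode line.
SAMPLE_LOG='Oct  6 20:47:02 ns kernel: audit: type=1400 audit(1223318822.113:52): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/etc/sites/domingo.dk/forward.zone.jnl" pid=4711 comm="named" requested_mask="rw" denied_mask="rw" fsuid=104 ouid=104
Oct  6 20:47:02 ns kernel: audit: type=1400 audit(1223318822.114:53): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/etc/bind/named.conf.options" pid=4711 comm="named" requested_mask="r" denied_mask="r" fsuid=104 ouid=104
Oct  6 20:47:05 ns kernel: audit: type=1400 audit(1223318825.001:54): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd3" name="/etc/dhcp3/dhcpd.leases" pid=4720 comm="dhcpd3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct  6 20:47:06 ns kernel: audit: type=1400 audit(1223318826.002:55): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/etc/localtime" pid=4711 comm="named" requested_mask="r" denied_mask="r" fsuid=104 ouid=104'

# aa_field FIELD LINE: print the value of FIELD="..." from LINE (empty if absent).
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rules PROFILE: read syslog on stdin, print one "  path mask," line per
# distinct file-path denial for PROFILE, ready to paste into the profile body.
# Only apparmor="DENIED" lines count; complain-mode ALLOWED lines are skipped.
suggest_rules() {
    while IFS= read -r line; do
        case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        [ "$(aa_field profile "$line")" = "$1" ] || continue
        path=$(aa_field name "$line")
        mask=$(aa_field denied_mask "$line")
        # Skip non-file events (network, capability) that carry no path.
        case $path in /*) ;; *) continue ;; esac
        printf '  %s %s,\n' "$path" "$mask"
    done | sort -u
}

# Run the helper over the constructed sample for the named profile.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/named
}

demo
```

On a live system, replace `demo` with `grep DENIED /var/log/syslog | suggest_rules /usr/sbin/named`, review each suggested path before pasting it into the profile, then reload the profile with apparmor_parser.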

//Source: http://lani78.wordpress.com/2008/08/12/dhcp-server-update-dns-records///