Spacerats little techwiki

User Tools

Site Tools

Trace:
jessie_bind_chroot

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
jessie_bind_chroot [2015/12/18 16:16] – created adminjessie_bind_chroot [2016/01/25 08:33] (current) – [Long story short:] admin
Line 1: Line 1:
 +=====Chrooted bind9 on Jessie=====
 +
 credits to: https://wiki.debian.org/Bind9 credits to: https://wiki.debian.org/Bind9
  
 For Jessie, edit /etc/systemd/system/multi-user.target.wants/bind9.service to add options "-t /var/bind9/chroot": For Jessie, edit /etc/systemd/system/multi-user.target.wants/bind9.service to add options "-t /var/bind9/chroot":
  
 +
 +<code>
 [Unit] [Unit]
 Description=BIND Domain Name Server Description=BIND Domain Name Server
Line 15: Line 19:
 [Install] [Install]
 WantedBy=multi-user.target WantedBy=multi-user.target
 +</code>
  
 For Jessie, after changing the above unit file, reload it with: For Jessie, after changing the above unit file, reload it with:
  
 +<code>
 systemctl daemon-reload systemctl daemon-reload
 +</code>
  
 Now create the chroot directory structure: Now create the chroot directory structure:
  
-mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named}+<code> 
 +mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log} 
 +</code>
  
 Create the required device special files and set the correct permissions: Create the required device special files and set the correct permissions:
 +<code>
 mknod /var/bind9/chroot/dev/null c 1 3 mknod /var/bind9/chroot/dev/null c 1 3
 mknod /var/bind9/chroot/dev/random c 1 8 mknod /var/bind9/chroot/dev/random c 1 8
 chmod 660 /var/bind9/chroot/dev/{null,random} chmod 660 /var/bind9/chroot/dev/{null,random}
 +chown bind /var/bind9/chroot/dev/random 
 +</code>
 Move the current config directory into the new chroot directory: Move the current config directory into the new chroot directory:
 +<code>
 mv /etc/bind /var/bind9/chroot/etc mv /etc/bind /var/bind9/chroot/etc
 +</code>
 Now create a symbolic link in /etc for compatibility: Now create a symbolic link in /etc for compatibility:
 +<code>
 ln -s /var/bind9/chroot/etc/bind /etc/bind  ln -s /var/bind9/chroot/etc/bind /etc/bind 
 +</code>
 If you want to use the local timezone in the chroot (e.g. for syslog): If you want to use the local timezone in the chroot (e.g. for syslog):
 +<code>
 cp /etc/localtime /var/bind9/chroot/etc/ cp /etc/localtime /var/bind9/chroot/etc/
 +</code>
 Change the ownership on the files you've just moved over and the rest of the newly created chroot directory structure: Change the ownership on the files you've just moved over and the rest of the newly created chroot directory structure:
 +<code>
 chown -R bind:bind /etc/bind/* chown -R bind:bind /etc/bind/*
 chmod 775 /var/bind9/chroot/var/{cache/bind,run/named} chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
 chgrp bind /var/bind9/chroot/var/{cache/bind,run/named} chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}
 +</code>
 +Edit the PIDFILE variable to the correct path:
 +<code>
 +PIDFILE=/var/bind9/chroot/var/run/named/named.pid
 +</code>
 +Finally tell rsyslog to listen to the bind logs in the correct place:
 +<code>
 +echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf
 +</code>
 +Restart rsyslog and start bind:
 +<code>
 +/etc/init.d/rsyslog restart; /etc/init.d/bind9 start
 +</code>
  
-Edit the PIDFILE variable in vi  to the correct path:+====Logging====
  
-PIDFILE=/var/bind9/chroot/var/run/named/named.pid+/etc/logrotate.d/named 
 +<code> 
 +/var/bind9/chroot/var/log/bind.log { 
 +        daily 
 +        compress 
 +        delaycompress 
 +        rotate 5 
 +        missingok 
 +        postrotate 
 +                [ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true 
 +        endscript 
 +}
  
-Finally tell rsyslog to listen to the bind logs in the correct place:+/var/bind9/chroot/var/log/security_info.log { 
 +        daily 
 +        compress 
 +        delaycompress 
 +        rotate 5 
 +        missingok 
 +        postrotate 
 +                [ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true 
 +        endscript 
 +}
  
-echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf+/var/bind9/chroot/var/log/update_debug.log { 
 +        daily 
 +        compress 
 +        delaycompress 
 +        rotate 5 
 +        missingok 
 +        postrotate 
 +                [ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true 
 +        endscript 
 +}
  
-Restart rsyslog and start bind:+</code>
  
 +====Long story short:====
 +<code>
 +apt-get install bind9 bind9-doc
 +service bind9 stop
 +vi /etc/systemd/system/multi-user.target.wants/bind9.service
 +
 +change ExecStart line to: ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot
 +
 +systemctl daemon-reload
 +mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log}
 +mknod /var/bind9/chroot/dev/null c 1 3
 +mknod /var/bind9/chroot/dev/random c 1 8
 +chmod 660 /var/bind9/chroot/dev/{null,random}
 +chown bind /var/bind9/chroot/dev/random
 +mv /etc/bind /var/bind9/chroot/etc
 +ln -s /var/bind9/chroot/etc/bind /etc/bind 
 +dpkg-reconfigure tzdata
 +cp /etc/localtime /var/bind9/chroot/etc/
 +chown -R bind:bind /etc/bind/*
 +chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
 +chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}
 +chown bind /var/bind9/chroot/dev/random
 +touch /var/bind9/chroot/var/log/{bind.log,update_debug.log,security_info.log}
 +ln -s /var/bind9/chroot/var/log/ /var/log/bind
 +chgrp bind /var/bind9/chroot/var/log/*.log
 +vi /etc/init.d/bind9
 +
 +change PID line to: PIDFILE=/var/bind9/chroot/var/run/named/named.pid
 +
 +echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf
 /etc/init.d/rsyslog restart; /etc/init.d/bind9 start /etc/init.d/rsyslog restart; /etc/init.d/bind9 start
 +</code>
 +
 +  * Add the logrotate script from above
jessie_bind_chroot.1450455419.txt.gz · Last modified: (external edit)