Re: [suse-sles-e] A better framework for named configuration

From: Michael James (Michael.James_at_csiro.au)
Date: Tue Mar 14 2006 - 04:00:23 CET


From: Michael James <Michael.James@csiro.au>
Date: Tue, 14 Mar 2006 14:00:23 +1100
Message-Id: <200603141400.23621.Michael.James@csiro.au>
Subject: Re: [suse-sles-e] A better framework for named configuration

On Mon, 13 Mar 2006 06:20 pm, Lars Müller wrote:
> On Mon, Mar 13, 2006 at 02:35:17PM +1100, Michael James wrote:
> > While many of the YaST modules are excellent,
> > the SuSE approach to configuring named
> > has 3 big problems:
> >
> > 1) YaST hides the ONLY copy of the master zone files
> > way down in /var/lib/named/ !!!
> > WHAT is important information doing stashed there?
> > Shouldn't ALL configuration info be in /etc ? (Debian style)
>
> That is wrong.
> a) The files are in /etc

I just ran through the yast DNS Server module
 and accepted the "example.com" zone proposed.
A zone file was put in /var/lib/named/master,
 nothing was put in /etc/named.d
The files I want under /etc are not being put there.

> b) It is not YaST which requires the copies in /var/lib/named/.
> It's the chroot feature of BIND.
Understood, for chroot to work, there needs to be
 a (possibly duplicate) working copy inside the jail.

> It's possible for you to disable chroot altogether.
> But then blame yourself if you run into trouble.

Agreed, however just for testing, I would like to be able to
 turn chroot off and have it work out of /etc/named.d

> > 2) If the sysadmin sensibly puts zone info into /etc/named.d/master
> > they then have to list that file explicitly in
> > /etc/sysconfig/named:NAMED_CONF_INCLUDE_FILES
>
> How should the init script know which files have to be copied?
As soon as you DON'T copy all,
 you have to remember what to copy; instant complication.

> If we copy _all_ files or the whole content of /etc/named.d/
> then we get blamed for being 150% stupid
> because it takes 10 milliseconds longer to establish the chroot.

You can't please everybody, so you have to choose
 between being criticised unjustifiably or justifiably.

> But more important: Check what you got by magic in
> /etc/named.conf.include with meta information in the header.

Hmmm, magic eh? Don't like magic,
 I like it simple and stupid. (Like you)

OK, here is the heart of our disagreement.
> And /etc/named.d/ is _not_ intended for zone files.
> The zone files have been in /var/lib/named/,
> with and without chroot, for ages.

Doesn't make it right, makes it a PITA to back up.
Allowing packages to stash unique info deep in the filesystem!
A zone file is a unique, reasonably small, text configuration file,
 directly edited by the sysadmin so /var/lib is out. (See FHS)
In fact /etc/ is the perfect place for it.
(With an eye for the day all /etc/ is under version control)

> > 3) The directory setup in /var/lib/named
> > is different to that in /etc/named.d
> Again wrong.
It's the same argument again, I want /etc/named.d/
 to be the "master copy" and duplicate it into the jail,
 you spread the files out on the floor of the jail
 /var/lib/named/master, /var/lib/named/dynamic ...

> > This means /etc/named.conf needs to be changed
> > if you ever want to run non-chrooted.
> Again wrong.
OK, you win this on a technicality.

You set the named "directory" to be /var/lib/named and symlink
 so that /var/lib/named/var/lib/named --> /var/lib/named

I set the directory to be /etc/named.d
 and use rsync to make /var/lib/named/etc/named.d/
 a copy of /etc/named.d/

Both systems allow the same named.conf and zone files
 to run either chrooted and non-chrooted,
  but mine allows me to actually run out of /etc/named.d
Hey, if we aren't running chrooted why not?
(I'm not saying it's a good idea on a production server)

> > I'd like to propose 2 1/2 rules and a script:
> >
> > Rule 1) The master copies of all named configuration files
> > and zones are kept in /etc/named.d/
>
> /etc/named.conf is the default and will not be changed.
Agreed, I'm not arguing against this, just for completeness
 I boost the actual file into "/etc/named.d/" and symlink it.
Switching the symlink to point to master and slave versions
 of named.conf is just a nice side benefit.

The important thing is, the contents of /etc/named.d/
 completely define the DNS service.
You can back it up, or copy it to another server.
Just create the named.conf symlink and away you go again.

> The zone files are inside the chroot.
> And your problem of keeping the zone files in the chroot
> and outside in sync will not appear as soon
> as you have the zone files in the right place.

Always start named using /etc/init.d/named (or its symbolic link).
The script knows what info needs to be in the jail and copies it in.
I don't see a problem,
 (until you start bringing magic includes into the picture).

> Keep it simple and stupid.
Too right.

> If you need it create a symlink from
> /etc/named.d/zones to /var/lib/named/whateverdir

> This will not work as soon as you <snip>
 lose the info hidden down in the jail.
You'll be left looking at a backup of a symlink. Damn.

-- 
Michael James                         michael.james@csiro.au
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166
I should put a PS: the SuSE modularisation of /etc/apache2/httpd.conf
 is brilliant.  Keep it whole and add the real servers as vhosts.
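As an added example (not code from this post or from the SuSE init script), the scheme described above: the master copy of the named configuration lives in /etc/named.d/, /etc/named.conf is a symlink into it, and the tree is mirrored into the chroot jail before start-up, with a check that the jail copy has not drifted from the master. The $etc and $jail arguments (normally /etc and /var/lib/named) and the named.conf.master / named.conf.slave file names are assumptions so the functions can be run against temporary directories.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Keeps the master copy of
# the named configuration in $etc/named.d, mirrors it into a BIND chroot jail and
# verifies the jail copy against the master. $etc and $jail are parameters
# (normally /etc and /var/lib/named) so the script can be exercised on temp dirs.

# Mirror $etc/named.d into $jail$etc/named.d, as the init script would do before
# starting a chrooted named. rsync is used when present, else a plain copy.
sync_named_tree() {
    etc=$1 jail=$2
    src="$etc/named.d" dest="$jail$etc/named.d"
    mkdir -p "$dest" || return 1
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$src/" "$dest/" || return 1
    else
        rm -rf "$dest" && mkdir -p "$dest" && cp -R "$src/." "$dest/" || return 1
    fi
    # The jail also needs a real named.conf; dereference the /etc/named.conf symlink.
    if [ -e "$etc/named.conf" ]; then
        cp -L "$etc/named.conf" "$jail$etc/named.conf" || return 1
    fi
    return 0
}

# Point $etc/named.conf at one of the named.conf variants kept in named.d
# (assumed names: named.conf.master, named.conf.slave). Refuses unknown variants.
select_named_conf() {
    etc=$1 variant=$2
    if [ ! -f "$etc/named.d/named.conf.$variant" ]; then
        echo "no $etc/named.d/named.conf.$variant" >&2
        return 1
    fi
    # Relative target, so the same symlink is valid inside and outside the jail.
    ln -sf "named.d/named.conf.$variant" "$etc/named.conf"
}

# Compare the master tree with the jail copy. Prints every difference and
# returns 1 on drift (e.g. a zone edited inside the jail, or a missing file),
# which is exactly the data that would be lost by backing up /etc alone.
check_named_tree() {
    etc=$1 jail=$2
    diff -r "$etc/named.d" "$jail$etc/named.d"
}
```

Run check_named_tree from the init script right before starting named, so a zone edited only inside the jail is flagged before the master copy silently overwrites it.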


This archive was generated by hypermail 2.1.7 : Tue Mar 14 2006 - 04:00:38 CET