From: Alexei_Roudnev (Alexei_Roudnev_at_exigengroup.com)
Date: Tue Mar 14 2006 - 04:51:59 CET
Message-ID: <001201c6471a$a59c6610$6f31a8c0@sjc.exigengroup.com>
From: "Alexei_Roudnev" <Alexei_Roudnev@exigengroup.com>
Date: Mon, 13 Mar 2006 19:51:59 -0800
Subject: Re: [suse-sles-e] A better framework for named configuration
What's the use of having named files in /etc? These are not SYSTEM FILES, so
they SHOULD NOT be in /etc which (again) can be written by root only!
named is an APPLICATION, so in many cases it should be configured in its own
directory. Else (putting everything into /etc)
you end up with a system where you cannot segregate admin and user
roles.
Generally speaking, the part of named.conf which describes 'pid file, control
keys, log policy etc' can be in /etc because it is a system concern; but zone
lists and so on are, in many cases, an application concern and have nothing in
common with /etc.
Anyway, the YaST BIND module is for the simple cases. For cases when you want
the whole enterprise DNS system to be controlled, install something like
ProBIND2 and do not use yast, or use WEBMIN (which has great role
segregation). It is obvious that, in the simple case, config must be in a SINGLE
place (and if you want to make a copy, it is just a COPY, not a working
directory). If you are building a DNS service, you (most likely) will
customize it yourself.
Don't make things complicated. It all looks as if the right place for named
configs is in /etc/named.d, which can be symlinked if you use chroot. If we
want to have shadow copies of config files, it should be done by some
_generic_ script, but not by a named-specific one.
----- Original Message -----
From: "Michael James" <Michael.James@csiro.au>
To: <suse-sles-e@suse.com>
Sent: Monday, March 13, 2006 7:00 PM
Subject: Re: [suse-sles-e] A better framework for named configuration
On Mon, 13 Mar 2006 06:20 pm, Lars Müller wrote:
> On Mon, Mar 13, 2006 at 02:35:17PM +1100, Michael James wrote:
> > While many of the YaST modules are excellent,
> > the SuSE approach to configuring named
> > has 3 big problems:
> >
> > 1) YaST hides the ONLY copy of the master zone files
> > way down in /var/lib/named/ !!!
> > WHAT is important information doing stashed there?
> > Shouldn't ALL configuration info be in /etc ? (Debian style)
>
> That is wrong.
> a) The files are in /etc
I just ran through the yast DNS Server module
and accepted the "example.com" zone proposed.
A zone file was put in /var/lib/named/master,
nothing was put in /etc/named.d
The files I want under /etc are not being put there.
> b) It is not YaST which requires the copies in /var/lib/named/.
> It's the chroot feature of BIND.
Understood, for chroot to work, there needs to be
a (possibly duplicate) working copy inside the jail.
> It's possible to you to disable chroot at all.
> But then blame yourself if you run into trouble.
Agreed, however just for testing, I would like to be able to
turn chroot off and have it work out of /etc/named.d
> > 2) If the sysadmin sensibly puts zone info into /etc/named.d/master
> > they then have to list that file explicitly in
> > /etc/sysconfig/named:NAMED_CONF_INCLUDE_FILES
>
> How should the init script know which files have to be copied?
As soon as you DON'T copy all,
you have to remember what to copy; instant complication.
> If we copy _all_ files or the whole content of /etc/named.d/
> then we got blamed for being 150% stupid
> because it takes 10 milliseconds longer to establish the chroot.
You can't please everybody, so you have to choose
between being un-justifiably criticised or justifiably.
> But more important: Check what you got by magic in
> /etc/named.conf.include with a meta information in the header.
Hmmm, magic eh? Don't like magic,
I like it simple and stupid. (Like you)
OK, here is the heart of our disagreement.
> And /etc/named.d/ is _not_ intended for zone files.
> The zone files had been with and without chroot
> in /var/lib/named/ for ages.
Doesn't make it right, makes it a PITA to backup.
Allowing packages to stash unique info deep in the filesystem!
A zone file is a unique, reasonably small, text configuration file,
directly edited by the sysadmin so /var/lib is out. (See FHS)
In fact /etc/ is the perfect place for it.
(With an eye for the day all /etc/ is under version control)
> > 3) The directory setup in /var/lib/named
> > is different to that in /etc/named.d
> Again wrong.
It's the same argument again, I want /etc/named.d/
to be the "master copy" and duplicate it into the jail,
you spread the files out on the floor of the jail
/var/lib/named/master, /var/lib/named/dynamic ...
> > This means /etc/named.conf needs to be changed
> > if you ever want to run non-chrooted.
> Again wrong.
OK, you win this on a technicality.
You set the named "directory" to be /var/lib/named and symlink
so that /var/lib/named/var/lib/named --> /var/lib/named
I set the directory to be /etc/named.d
and use rsync to make /var/lib/named/etc/named.d/
a copy of /etc/named.d/
Both systems allow the same named.conf and zone files
to run either chrooted and non-chrooted,
but mine allows me to actually run out of /etc/named.d
Hey, if we aren't running chrooted why not?
(I'm not saying it's a good idea on a production server)
> > I'd like to propose 2 1/2 rules and a script:
> >
> > Rule 1) The master copies of all named configuration files
> > and zones are kept in in /etc/named.d/
>
> /etc/named.conf is the default and will not be changed.
Agreed, I'm not arguing against this, just for completeness
I boost the actual file into "/etc/named.d/" and symlink it.
Switching the symlink to point to master and slave versions
of named.conf is just a nice side benefit.
The important thing is, the contents of /etc/named.d/
completely define the DNS service.
You can back it up, or copy it to another server.
Just create the named.conf symlink and away you go again.
> The zone files are inside the chroot.
> And your problem to keep the zone files from the chroot
> and from outside in sync will not appear as soon
> as you have the zone files at the right place.
Always start named using /etc/init.d/named (or its symbolic link).
The script knows what info needs to be in the jail and copies it in.
I don't see a problem,
(until you start bring magic includes into the picture).
> Keep it simple and stupid.
Too right.
> If you need it create a symlink from
> /etc/named.d/zones to /var/lib/named/whateverdir
> This will not work as soon as you <snip>
lose the info hidden down in the jail.
You'll be left looking at a backup of a symlink. Damn.
--
Michael James michael.james@csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166

I should put a PS: the SuSE modularisation of /etc/apache2/httpd.conf is brilliant.
Keep it whole and add the real servers as vhosts.
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
For additional commands, e-mail: suse-sles-e-help@suse.com
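The "master copy in /etc/named.d, working copy inside the jail" scheme that Michael describes above, and the "backup of a symlink" failure mode the thread warns about, can be illustrated with a small POSIX shell script. This is an added example written for this page, not code from the thread, from SUSE's init script or from YaST; it assumes the layout from the mail (the master tree is mirrored to JAIL + SRC, e.g. /var/lib/named/etc/named.d), takes every path as a parameter so it can be exercised against scratch directories, and constructs its own sample zone file.

```shell
#!/bin/sh
# Added example (not from the thread): keep one master tree of named config
# and zones, mirror it into the chroot jail at JAIL+SRC, and detect drift
# (someone editing the jail copy directly, or files that exist only in the jail,
# which is exactly the data a backup of /etc would miss).
set -eu

# Mirror SRC into JAIL+SRC, e.g. /etc/named.d -> /var/lib/named/etc/named.d.
# rsync --delete keeps the jail an exact copy; a plain recursive copy is the
# fallback when rsync is not installed.
sync_named_jail() {
    src=$1
    jail=$2
    dest="$jail$src"
    mkdir -p "$dest"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$src/" "$dest/"
    else
        rm -rf "$dest"
        mkdir -p "$dest"
        cp -R "$src/." "$dest/"
    fi
}

# Compare every regular file of the master tree with its jail counterpart and
# list files that exist only in the jail. Returns 0 when in sync, 1 on drift.
# (Word-splits on whitespace; fine for a config tree without spaces in names.)
named_jail_drift() {
    src=$1
    dest="$2$1"
    drift=0
    for f in $(cd "$src" && find . -type f); do
        if [ ! -f "$dest/$f" ] || ! cmp -s "$src/$f" "$dest/$f"; then
            echo "drift: $f"
            drift=1
        fi
    done
    for f in $(cd "$dest" && find . -type f); do
        if [ ! -f "$src/$f" ]; then
            echo "jail-only: $f"
            drift=1
        fi
    done
    return $drift
}

# Validate the jail copy with named-checkconf when BIND is installed;
# -t makes it resolve paths relative to the jail (a real named-checkconf flag).
check_named_jail() {
    jail=$1
    conf=${2:-/etc/named.conf}
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$jail" "$conf"
    else
        echo "named-checkconf not installed; skipping syntax check"
    fi
}

# Stand-alone demo on scratch directories with a constructed zone file.
run_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/named.d/master" "$t/jail"
    printf '$TTL 3600\n@ IN SOA ns1 hostmaster 1 3600 900 604800 86400\n' \
        > "$t/etc/named.d/master/example.com"
    sync_named_jail "$t/etc/named.d" "$t/jail"
    echo "; edited inside the jail" >> "$t/jail$t/etc/named.d/master/example.com"
    if named_jail_drift "$t/etc/named.d" "$t/jail"; then
        echo "in sync"
    else
        echo "drift detected; re-syncing from master"
        sync_named_jail "$t/etc/named.d" "$t/jail"
    fi
    rm -rf "$t"
}
run_demo
```

Running the drift check from cron (or before each `rcnamed reload`) turns the thread's concern into a detectable condition: an edit made inside /var/lib/named that never reached /etc/named.d shows up as `drift:`, and a zone that only ever existed in the jail shows up as `jail-only:`, before a restart silently overwrites it.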
This archive was generated by hypermail 2.1.7 : Tue Mar 14 2006 - 04:50:20 CET