[DNS] Upgrading BIND & Running Name Server with "named"

#1 Posted 2010-01-06 11:52
Summary:
Upgrade BIND in Solaris 10.
Run "named" with another user instead of "root".
Configure "named" in SMF.

Environment:
1. gcc 3.4.6 & libiconv 1.11 installed (required for compiling the BIND source code), downloaded from sunfreeware.com.
2. "SUNWbindr" installed from the O.S. CD, so there is no need to create the service "svc:/network/dns/server:default" in SMF from scratch.
3. Current named binary installed at /opt/bind-9.6.1-P1, and /opt/bind points to it: /opt/bind -> /opt/bind-9.6.1-P1.
4. Current named can be managed by "svcadm", and "/usr/sbin/named" is replaced by "/opt/bind/sbin/named" in the script "/lib/svc/method/dns-server".
5. Logs defined in /etc/named.conf are under /mine/bind-logs.
6. "/opt/bind/bin:/opt/bind/sbin" is added to the environment variable PATH as the first 2 paths to be searched.


==== Preoutage Steps ====

1. Download the latest production release of BIND9 from www.isc.org and unpack it.
# cd /var/tmp
# gzcat bind-9.6.1-P2.tar.gz  | tar xf -

2. Compile the source code and install the package.
# cd bind-9.6.1-P2
# ./configure --sysconfdir=/etc --prefix=/opt/bind-9.6.1-P2 --disable-ipv6 --enable-threads --with-openssl=no
# make
# make install

3. Customise the environment to run the name server with the user "named"

3.1 Create a user "named"
# groupadd -g 1688 named
# useradd -u 1688 -g named -m -d /var/named -s /sbin/noshell -c "Named" named
# rm /var/named/local.cshrc    /var/named/local.login    /var/named/local.profile

3.2 Modify the "extended user attributes database" by appending the following line to /etc/user_attr:
named::::type=normal;defaultpriv=basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot;auths=solaris.smf.manage.bind

3.3 Change ownership of the directory "run" to be owned by "named".
# chown named:named /opt/bind-9.6.1-P2/var/run/


==== Outage Steps ====

4. Bring down name server & start it with the new release

4.1 Bring down name server.
# tail -f /mine/bind-logs/bind-misc.log
# svcadm disable dns/server
# ps -ef | grep named

4.2 Correct ownership of the directories for name server's logs and zone files.
# chown -R named:named /mine/bind-logs /var/named

4.3 Bring up the new-released name server:
# unlink /opt/bind
# ln -s /opt/bind-9.6.1-P2 /opt/bind
# /opt/bind/sbin/named -u named
# ps -ef | grep named
    root 18882  6247   0 19:20:07 pts/1       0:00 grep named
   named 18437     1   0 19:18:54 ?           0:57 /opt/bind/sbin/named -u named

4.4 Verify name server is working properly
# rndc status
# nslookup sun.example.com localhost

4.5 Remove the BIND package introduced by the O.S. installation (don't remove SUNWbindr!).
# pkgrm SUNWbind


5. Configure DNS server in SMF and restart DNS server

5.1 Verify DNS server is configured in SMF
# svcs -a | grep dns/server
disabled       Dec_02   svc:/network/dns/server:default

5.2 In the script (/lib/svc/method/dns-server) for dns/server, replace
server="/usr/sbin/named"
with
server="/opt/bind/sbin/named"

5.3 Modify SMF configuration for starting the daemon "named" with the user "named"
# svccfg -s svc:/network/dns/server:default
svc:/network/dns/server:default> setprop start/group = astring: "named"
svc:/network/dns/server:default> setprop start/user = astring: "named"
svc:/network/dns/server:default> quit

# svccfg -s dns/server
svc:/network/dns/server> setprop tm_common_name/C = ustring:  "DNS Server"
svc:/network/dns/server> setprop tm_man_named/manpath = astring: /opt/bind/share/man
svc:/network/dns/server> setprop tm_man_named/section = astring: 8
svc:/network/dns/server> quit

# svcadm refresh dns/server

5.4 Shut down named and start it via SMF
# rndc stop
# ps -ef | grep named
# svcadm enable dns/server

5.5 Verify SMF status
# svcs -l dns/server
# svcs -xv dns/server

5.6 Verify name server status
# rndc status
# nslookup sun.example.com localhost

[ This post was last edited by chinaux on 2010-1-12 10:26 ]
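
A post-change audit for steps 3.2 and 4.3, as an added example that is not part of the original post: it checks from `ps -ef` output that no named instance is owned by root, and reports any privilege in the "named" entry of /etc/user_attr beyond the set the post assigns. The function names and the drifted sample entry are constructed for illustration, and the ps parsing assumes the Solaris column layout shown in step 4.3.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Intended privilege set for "named", copied from step 3.2 of the post.
EXPECTED_PRIVS='basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot'

# Print the owner of every named daemon found in `ps -ef` output on stdin.
# Assumes the Solaris layout shown in step 4.3: the command follows the
# TIME column (m:ss), so the "grep named" line itself is not counted.
named_owners() {
    awk '{
        for (i = 5; i < NF; i++)
            if ($i ~ /^[0-9]+:[0-9][0-9]$/) {
                cmd = $(i + 1)
                if (cmd == "named" || cmd ~ /\/named$/) print $1
                break
            }
    }'
}

# Return 0 if named is running and never as root, 1 if any instance is
# owned by root, 2 if no named daemon was found.
named_runs_unprivileged() {
    owners=$(named_owners)
    [ -n "$owners" ] || return 2
    printf '%s\n' "$owners" | grep -qx root && return 1
    return 0
}

# Print privileges in user $1's defaultpriv (user_attr text on stdin)
# that are not part of EXPECTED_PRIVS, one per line.
unexpected_privs() {
    awk -F: -v u="$1" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (sub(/^defaultpriv=/, "", kv[i])) print kv[i]
    }' | tr ',' '\n' | while read -r p; do
        case ",$EXPECTED_PRIVS," in *",$p,"*) ;; *) echo "$p" ;; esac
    done
}

# Constructed samples: the ps lines and user_attr entry from the post, plus
# a drifted entry that has gained "all".
SAMPLE_PS='    root 18882  6247   0 19:20:07 pts/1       0:00 grep named
   named 18437     1   0 19:18:54 ?           0:57 /opt/bind/sbin/named -u named'
SAMPLE_ATTR="named::::type=normal;defaultpriv=$EXPECTED_PRIVS;auths=solaris.smf.manage.bind"
DRIFTED_ATTR='named::::type=normal;defaultpriv=basic,net_privaddr,all;auths=solaris.smf.manage.bind'

printf '%s\n' "$SAMPLE_PS" | named_runs_unprivileged && echo "named: not root"
printf '%s\n' "$DRIFTED_ATTR" | unexpected_privs named | sed 's/^/unexpected: /'
# Live use: ps -ef | named_runs_unprivileged; unexpected_privs named < /etc/user_attr
```

On Solaris 10, run it under ksh or bash with /usr/xpg4/bin ahead of /usr/bin in PATH, because the legacy /bin/sh, awk and grep lack `$( )`, `-v` and `-q`.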

#2 Posted 2010-01-06 14:12
I edited it a bit for the OP; hope you don't mind.

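#3 Posted 2010-01-12 10:30
Originally posted by llzqq on 2010-1-6 14:12:
I edited it a bit for the OP; hope you don't mind.

I revised it again. Does this count as submitting the same manuscript more than once? Too bad there's no author's fee.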