Installing unxsBind with yum for CentOS 5
This document focuses on a very quick yum install of unxsBind.
For the very impatient, there is an example yum install with pages of output and CLI post-install testing.
What's new in 3.0
- vdnsOrg interface (like idnsOrg but with view support) with support for LDAP login.
- Support for AAAA and NAPTR resource records.
- The old root crontab is deprecated; cron entries now live in /etc/cron.d/unxsbind, tied to /etc/init.d/unxsbind.
- New upgrade system for both schema changes and fixed tables.
- Interface template system has finally been finished to support types and sets.
- Very fast non-blocking MySQL connect code for multi-master replication cluster failover, added to the backend and all interfaces, including the tHit collection agent.
- Numerous bug fixes.
Contents
- Install
- Quick access instructions
- Known issues with current version
- Known issues with previous versions
- Update/upgrade issues
- Other quick fix issues
- Manual operations that may be needed depending on the initial state of your server
- Access to the iDNS web interface
- Post Install
- MySQL Multi-master replication
- Things that can go wrong
Install
- It is best to start/practice with a fresh install of CentOS 5.2 (or later) on your server (or virtual server e.g. vmplayer.)
- We assume you have wget, rpm and yum installed on your server. If you don't, please install them first.
- Prepare your yum configuration for using our repository
# wget http://unixservice.com/rpm/i386/unxsyum-1.0-1.i386.rpm
# rpm -i unxsyum-1.0-1.i386.rpm
- Also, prepare your yum repo for rpmforge. It will be used for installing rrdtool.
# wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
(Alternative 1: # wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm)
(Alternative 2: # wget http://unixservice.com/rpm/i386/rpmforge-release-0.5.1-1.el5.rf.i386.rpm)
# rpm -i rpmforge-release-0.3.6-1.el5.rf.i386.rpm
- Install unxsBind; it will also install all the required dependencies if they are not present on your system. If you do not get the latest update, run yum clean all and then repeat this step.
# yum -y install unxsbind
The latest yum/rpm packages should install and then start and configure everything for you, including the boot system. If your server did not have MySQL installed, you are ready to connect to the unxsBind interfaces (you may need to flush or update your iptables firewall.) If the installer reported possible manual operations, more information and solutions are provided below. If everything was done for you, proceed directly to the Access... section further below.
Quick Access Instructions
(Change the IP 192.168.22.131 to match your setup)
https://192.168.22.131:9333/cgi-bin/vdnsOrg.cgi Login=Carol Meyers Passwd=wsxedc
https://192.168.22.131:9333/cgi-bin/idnsOrg.cgi Login=John Doe Passwd=wsxedc
https://192.168.22.131:9333/cgi-bin/idnsAdmin.cgi Login=Root Passwd=wsxedc
https://192.168.22.131:9333/cgi-bin/iDNS.cgi Login=Root Passwd=wsxedc
Known issues with latest version (unxsbind-3.0-16)
- The idnsOrg interface allows the root user to log in but then kicks it back to the login screen (it should not allow the login at all, like vdnsOrg; minor issue, will fix for 3.1.)
Known issues with previous versions
unxsbind-2.1-1.i386 CentOS 5.2 with MySQL 5.0.77
Linux CLI operations: log in via ssh or console and become root.
Fix logo:
[root@node3vm ~]# cd /var/www/unxs/html/images/
[root@node3vm images]# mv -i unxslogo.jpg unxsbind.jpg
Fix named.conf: Un-comment and correct the main IP on line 8 of named.conf then restart. In this example you would end up with:
listen-on { 192.168.22.131; 127.0.0.1; };
in the options section.
[root@node3vm ~]# vi /usr/local/idns/named.conf
[root@node3vm ~]# rndc -c /etc/unxsbind-rndc.conf reload
Fix named-idns.log:
[root@node3vm images]# touch /var/log/named-idns.log
[root@node3vm images]# chown named:named /var/log/named-idns.log
[root@node3vm images]# service unxsbind restart
unxsbind-1.28-1.i386 CentOS 5.2 with MySQL 5.0.77
- Critical db access and security issue: MySQL mysql.user and mysql.db had % in Host field. Solution: Update these tables with Host='localhost'.
[root@node3vm ~]# mysql -pultrasecret mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 185
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> delete from user where password='';
Query OK, 4 rows affected (0.01 sec)
mysql> delete from db where db like 'test%';
Query OK, 2 rows affected (0.00 sec)
mysql> update user set host='localhost';
Query OK, 1 row affected (0.00 sec)
Rows matched: 2 Changed: 1 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> quit;
Bye
- Install does not create correct /usr/local/idns/named.d/master.zones and db files therein. Solution:
[root@node3vm ~]# /var/www/unxs/cgi-bin/iDNS.cgi allfiles master ns1.yourdomain.com 1.2.3.4
[root@node3vm ~]# service unxsbind restart
Stoping unxsBind controlled named
Starting unxsBind controlled named
(Sorry about these QA issues, we have a new tester now.)
Update/upgrade issues (tested from 1.28-1)
unxsBind 3.0-6 issues being resolved for 3.0-7
- /usr/local/idns/named.conf and possibly other named configuration files will be overwritten, and your named server will be restarted with the new configuration. Solution: before the update, back up your named.conf and master.zones files (at least), then restore them after the update and restart the unxsbind service.
unxsBind 3.0-5 issues being resolved for 3.0-6
- Missing replication cluster status gif.
unxsBind 3.0-4 issues being resolved for 3.0-5
- 3.0-4 almost works now... take note of the "placing" and "warning" lines. Solution provided:
...
Updating : unxsbind ######################### [3/4]
allfiles update ok
unxsbind update restart ok
unxsBind progams have been updated, your MySQL schema and fixed table contents have also been upgraded.
Existing templates have been saved.
Placing unxsBind cron entries in the root crontab has been deprecated!
Please remove them all with 'crontab -e' and restart unxsbind via 'service unxsbind restart'.
Cleanup : unxsbind ######################### [4/4]
warning: /usr/local/idns/named.d/master.zones saved as /usr/local/idns/named.d/master.zones.rpmsave
Dependency Installed: unxscidrlib.i386 0:1.0-1 unxstemplatelib.i386 0:1.0-2
Updated: unxsbind.i386 0:3.0-4
Complete!
#fix for the above warning and crontab advisory, like so:
#remove all iDNS related lines from deprecated root crontab.
[root@node3vm ~]# crontab -e
crontab: installing new crontab
#quick check:
[root@node3vm ~]# service unxsbind restart
Stoping unxsBind controlled named
Starting unxsBind controlled named
Failed to start named configuration problem
[root@node3vm ~]# service unxsbind status
unxsBind is stopped.
#fix missing master.zones file:
[root@node3vm ~]# /var/www/unxs/cgi-bin/iDNS.cgi allfiles master ns1.yourdomain.com 1.2.3.4
[root@node3vm ~]# service unxsbind start
Starting unxsBind controlled named
[root@node3vm ~]# service unxsbind status
unxsBind is running...
- The idnsOrg/vdnsOrg and idnsAdmin interface css/images and/or templates have some minor problem. Being fixed. This happens only on update.
unxsBind 3.0-3 issues being resolved for 3.0-4
- New /usr/local/idns/named.conf becomes /usr/local/idns/named.conf.rpmsave and then of course service unxsbind restart will fail.
- Old /usr/local/idns/named.d/master.zones becomes /usr/local/idns/named.d/master.zones.rpmsave. This would be ok if allfiles CLI is issued.
- Old root crontab contents do not block new /etc/cron.d/unxsbind from being added by yum upgrade (a unxsbind restart fixes this.)
- master/127.0.0 and master/localhost files not installed.
- Incorrect path to /usr/local/share/iDNS/data/*.sql files.
- The interface template .sql files have primary key values, that make them useless.
- Minor issue with tZone.uClient checking in iDNS CLI UpdateSchema command.
#solution to get backend and named running
#not strictly required but...create your own /usr/local/idns/named.d/master/127.0.0
# and localhost zone files or copy from our svn repo.
[root@node3vm ~]# /var/www/unxs/cgi-bin/iDNS.cgi allfiles master ns1.yourdomain.com 1.2.3.4
[root@node3vm ~]# cp -i /usr/local/idns/named.conf.rpmsave /usr/local/idns/named.conf
[root@node3vm ~]# service unxsbind restart
Several reports of yum update unxsbind breaking things have reached our unxsBind mailing list; we are currently checking this out and will provide information in this section.
Update from unxsbind-1.28-1 to unxsbind-2.1-1 problem fix (and probably an issue in many previous versions and upgrade paths):
Create a file called "delme" with the following content:
ALTER TABLE tDeletedResource ADD cParam3 VARCHAR(255) NOT NULL DEFAULT '';
ALTER TABLE tDeletedResource ADD cParam4 VARCHAR(255) NOT NULL DEFAULT '';
Then run the SQL:
[root@node3vm unxsbind-2.1]# mysql -pultrasecret idns < delme
This has been fixed in current svn trunk.
Other quick fix issues
Can't connect to the backend via browser? Then try:
[root@node3vm ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:53:1B:69
inet addr:192.168.22.131 Bcast:192.168.22.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe53:1b69/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32719 errors:0 dropped:0 overruns:0 frame:0
TX packets:30834 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33505616 (31.9 MiB) TX bytes:3324398 (3.1 MiB)
Interrupt:185 Base address:0x1400
[root@node3vm ~]# iptables -F
Take note of the eth0 IP (in this example 192.168.22.131) the backend would be here https://192.168.22.131:9333/cgi-bin/iDNS.cgi.
Quick CLI test of your new name server:
[root@node3vm ~]# named-checkconf /usr/local/idns/named.conf
[root@node3vm ~]#
[root@node3vm ~]# rndc -c /etc/unxsbind-rndc.conf status
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
[root@node3vm ~]# dig @localhost localhost +short
127.0.0.1
[root@node3vm ~]# dig @localhost -x 127.0.0.1 +short
localhost.
[root@node3vm ~]# dig @localhost ns1.yourdomain.com +short
192.168.0.1
[root@node3vm ~]# dig @localhost ns2.yourdomain.com +short
192.168.0.2
If any of the above fail something did not go right with your install, then continue reading below.
Manual operations that may be needed depending on the initial state of your server
- Start/restart Apache server issues:
# /etc/init.d/httpd restart
- If everything went OK, you should see that port 9333 is open and listening; that port will be used for accessing the unxsBind backend and interfaces via HTTPS:
# netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::9333 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
- If you have a firewall don't forget to open 9333 and 53 ports in your firewall. If applicable, edit /etc/sysconfig/iptables and add the following lines before the last lines in the file:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9333 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
- The bottom of your /etc/sysconfig/iptables file should look like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9333 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
- Then restart iptables:
# /etc/init.d/iptables restart
- Start your MySQL server (if you already know your MySQL root password, you can skip the password-related steps below):
# /etc/init.d/mysqld start
- MySQL root user password issues:
# /usr/bin/mysqladmin -u root password 'ultrasecret'
- Optionally, you may want to clean up your mysql database via the mysql CLI (mysql -pultrasecret) by dropping any test databases and deleting user entries with no passwords.
- Optionally, you may want to edit /etc/my.cnf and restart mysqld. For example to disable networking for security via skip-networking config line.
- Initialize the database:
# export ISMROOT=/usr/local/share
# /var/www/unxs/cgi-bin/iDNS.cgi Initialize ultrasecret
- Start your BIND named daemon.
# /etc/init.d/unxsbind start
# rndc -c /etc/unxsbind-rndc.conf status
Access to the unxsBind backend interface iDNS
- After the yum install (and maybe some manual operations) you should be able to access the backend at (use preconfigured pwd/login Root/wsxedc then CHANGE ASAP!):
https://<yourhost-or-ip-here>:9333/cgi-bin/iDNS.cgi
- You probably will need to force your browser to accept the self signed certificate and maybe the URL.
Post install (no longer needed)
This section provides information on the install and helps debug any problems you may encounter.
- Don't forget to initialize RRDTool db for all zones hit counter:
# /usr/sbin/tHitCollector Initialize --cZone allzone.stats
- Preview your root crontab, then open it for editing:
# crontab -l
# crontab -e
- Place this in your crontab (note that you will have to change it later for your real NS):
#
#iDNS job queue processing
#
#Dual master configuration
* * * * * /var/www/unxs/cgi-bin/iDNS.cgi ProcessJobQueue ns1.yourdomain.com >> /var/log/idns-cron.log 2>&1
#iDNS tHit subsystem
*/5 * * * * /usr/sbin/bind9-genstats.sh >> /var/log/idns-cron.log 2>&1
#
#iDNS graphs
#default cZone allzone.stats
*/5 * * * * sleep 5; /usr/sbin/tHitCollector AddData > /tmp/delme 2>&1; /usr/sbin/tHitCollector Graph > /tmp/delme 2>&1;
- To view the graph replace the provided sample with a symbolic link:
# rm /var/www/unxs/html/images/allzone.stats.png
# ln -s /var/log/named/allzone.stats.png /var/www/unxs/html/images/allzone.stats.png
- You can add graphs for any zone using /usr/sbin/tHitCollector with the Initialize option and then adding a crontab line as illustrated above. Here is an example:
# /usr/sbin/tHitCollector Initialize --cZone smart.com
##Create the symbolic link
# ln -s /var/log/named/smart.com.png /var/www/unxs/html/images/smart.com.png
## Then you would add the following to your root crontab:
#default cZone allzone.stats
*/5 * * * * sleep 5; /usr/sbin/tHitCollector AddData --cZone smart.com > /tmp/delme 2>&1; /usr/sbin/tHitCollector Graph --cZone smart.com > /tmp/delme 2>&1;
MySQL Replication or How to setup a multiple DNS server system with the RPM release
Since the binary RPM release uses the local server socket only, some way of letting the different NSs communicate with the MySQL database is needed. The solution is simple and provides backup and HA via replication: each NS server runs an instance of the same MySQL db.
In the example we describe below we will use two MySQL servers running with private IP addresses, ns1 and ns2 (172.16.5.164 and 172.16.5.165 are their IP addresses.)
Setting Up MySQL configuration
- Important: Make sure that you have completed the above install steps before starting this section!
- Edit the ns1 /etc/my.cnf file, and place the following content:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
old_passwords=1
expire_logs_days=5
log-bin=/var/lib/mysql/binary/mysql_binary_log
relay-log=/var/lib/mysql/mysqld-relay-bin
binlog-do-db=idns
server-id=10
auto_increment_increment=10
auto_increment_offset=1
log-slave-updates
report-host=172.16.5.164
replicate-same-server-id=0
master-host=172.16.5.165
master-user=idns
master-password=wsxedc
master-connect-retry=60 # num of seconds, default is 60
- Then, access your MySQL command line and run:
mysql> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO idns@172.16.5.165 IDENTIFIED BY 'wsxedc';
- Open your MySQL port at your firewall by adding the following line at the bottom of your /etc/sysconfig/iptables file
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
- The bottom of your /etc/sysconfig/iptables file should look like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9333 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
- Edit ns2 /etc/my.cnf file, and place the following content:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
old_passwords=1
expire_logs_days=5
log-bin=/var/lib/mysql/binary/mysql_binary_log
relay-log=/var/lib/mysql/mysqld-relay-bin
binlog-do-db=idns
server-id=20
auto_increment_increment=10
auto_increment_offset=2
log-slave-updates
report-host=172.16.5.165
replicate-same-server-id=0
master-host=172.16.5.164
master-user=idns
master-password=wsxedc
master-connect-retry=60 # num of seconds, default is 60
- Then, access your MySQL command line and run:
mysql> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO idns@172.16.5.164 IDENTIFIED BY 'wsxedc';
- Repeat the iptables configuration update described above at ns2.
- Run the following commands at both servers:
# mkdir /var/lib/mysql/binary/
# chown -R mysql.mysql /var/lib/mysql/binary/
# /etc/init.d/mysqld restart
- Then, check MySQL logfiles; last lines should read something similar to this:
090526 9:51:09 [Note] Slave SQL thread initialized, starting replication in log 'FIRST' at position 0, relay log '/var/lib/mysql/mysqld-relay-bin.000002' position: 98
090526 9:51:09 [Note] Slave I/O thread: connected to master 'idns@172.16.5.165:3306', replication started in log 'FIRST' at position 4
- If not, go through all the above steps again, you are missing something.
- Read MySQL online docs.
- See the simplistic but educational boot-slave.sh script included in the source (unxsVZ/tools/mysql-server/boot-cluster/boot-slave.sh).
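The two my.cnf fragments above must agree on auto_increment_increment and differ on server-id, auto_increment_offset and the master-host/report-host pairing. This added Python example (not unxsBind code; it uses constructed fragments that mirror the page's ns1/ns2 settings) checks those invariants and simulates the id allocation that keeps inserts on ns1 and ns2 from colliding on primary keys.

```python
# Added example, not unxsBind code: checks a two-node multi-master my.cnf pair
# for the page's invariants and simulates auto_increment offset id allocation.
NS1_CNF = """[mysqld]
server-id=10
auto_increment_increment=10
auto_increment_offset=1
log-slave-updates
report-host=172.16.5.164
replicate-same-server-id=0
master-host=172.16.5.165
master-connect-retry=60 # num of seconds, default is 60
"""
# ns2 is ns1 with its own server-id and offset and the peer addresses swapped.
NS2_CNF = (NS1_CNF.replace("server-id=10", "server-id=20")
           .replace("auto_increment_offset=1", "auto_increment_offset=2")
           .replace("report-host=172.16.5.164", "report-host=172.16.5.165")
           .replace("master-host=172.16.5.165", "master-host=172.16.5.164"))

def parse_mysqld(text):
    """Options of the [mysqld] section: key=value -> value, bare flag -> ''."""
    opts, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            active = line == "[mysqld]"
        elif active:
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip()
    return opts

def check_pair(a, b):
    """Problems that would break or silently corrupt a master-master ring."""
    problems = []
    if a["server-id"] == b["server-id"]:
        problems.append("server-id must be unique per node")
    if a["auto_increment_increment"] != b["auto_increment_increment"]:
        problems.append("auto_increment_increment must match on both nodes")
    if a["auto_increment_offset"] == b["auto_increment_offset"]:
        problems.append("auto_increment_offset must differ or keys will collide")
    if a["master-host"] != b["report-host"] or b["master-host"] != a["report-host"]:
        problems.append("master-host/report-host do not cross-reference")
    for o in (a, b):
        if "log-slave-updates" not in o:
            problems.append("log-slave-updates is needed to relay writes onward")
        if o.get("replicate-same-server-id", "0") != "0":
            problems.append("replicate-same-server-id must be 0 on a ring")
    return problems

def next_ids(opts, count, current_max=0):
    """MySQL picks the smallest offset + k*increment above the current max."""
    inc = int(opts["auto_increment_increment"])
    off = int(opts["auto_increment_offset"])
    ids, cur = [], current_max
    for _ in range(count):
        cur += 1
        while (cur - off) % inc:
            cur += 1
        ids.append(cur)
    return ids
```

With the page's settings ns1 allocates 1, 11, 21, ... and ns2 allocates 2, 12, 22, ..., so rows inserted on either master never share a key.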
Things that can go wrong ("...so they will..." Murphy's Law)
My Apache server won't start/restart after I installed the software
If you are seeing something like this:
# /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9333
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9333
no listening sockets available, shutting down
Unable to open logs
[FAILED]
The most likely scenario is that you are running SELinux. If you need it, then configure it correctly. A faster or temporary solution is to disable it: all you have to do is edit the /etc/selinux/config file with your favorite text editor.
Look for the line that reads:
SELINUX=enforcing
You have to change that to:
SELINUX=disabled
Save your changes and reboot your server. You'll have SELINUX disabled and that will let Apache bind the 9333 port.
Can't create or modify records with idnsOrg and/or idnsAdmin
If you press the [Confirm New] or [Confirm Modify] buttons and the record is not created even though it should be, you probably have an old bind package installed. The explanation is that previous CentOS 5 bind packages allow only root, not a normal user, to run /usr/sbin/named-checkzone. Solution: update; you only have to run the following command:
# yum -y update bind-utils
