darx at sent.com
2013-Mar-07 02:35 UTC
[nsd-users] systemd unit files for NSD launch in chroot?
Hi,

I'm starting to migrate a number of authoritative nameservers on small VMs from bind9 to NSD.

At the same time, I'm switching all inits from sysvinit to systemd.

Cribbing systemd unit files from Fedora for NSD (http://pkgs.fedoraproject.org/cgit/nsd.git/tree/), they're straightforward enough -- but seem to ignore proper chroot setup/startup.

I've poked in current NSD 3x source, as well as 4x from trunk, and so far see no example/doc of systemd init for NSD.

Are there any docs/examples of nsd.service files to be had -- that specifically correctly set up/tear down the NSD chroot?

In any case, is v4x slated to ship with such service files in the src tree?

-darx
Paul Wouters
2013-Mar-07 02:50 UTC
[nsd-users] systemd unit files for NSD launch in chroot?
On Wed, 6 Mar 2013, darx at sent.com wrote:

> I'm starting to migrate a number of authoritative nameservers on small
> VMs from bind9 to NSD.
>
> At the same time, I'm switching all inits from sysvinit to systemd.
>
> Cribbing systemd unit files from Fedora for NSD
> (http://pkgs.fedoraproject.org/cgit/nsd.git/tree/), they're
> straightforward enough -- but seem to ignore proper chroot
> setup/startup.
>
> I've poked in current NSD 3x source, as well as 4x from trunk, and so
> far see no example/doc of systemd init for NSD.

We ship them in Fedora, but they're pretty straightforward. We do not use chroot() as it offers nothing over SElinux, and does not come with the chroot maintenance nightmare hackery. IMHO, chroot() for security is pretty much dead.

Even without SElinux, the cost of putting up a VM with only your single daemon makes chroot basically obsolete. In Fedora you can even use "linux containers", which uses CGROUPS to run your daemon in isolation.

Paul
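An added example for the chroot question in the first message (not code from NSD, Fedora, or either poster): NSD chroots itself through the chroot: option in nsd.conf, and the nsd.conf(5) rule is that the other absolute paths must carry the chroot prefix, so the unit-side "setup" reduces to verifying that before start, for instance from an ExecStartPre= line. The script name, the /etc/nsd paths and the sample configs are assumptions.

```sh
#!/bin/sh
# nsd-chroot-check.sh (hypothetical name): run before NSD starts, e.g. from
# ExecStartPre= in nsd.service, to catch chroot misconfiguration early.
# Added example, not NSD or Fedora code.
# NSD does its own chroot() via the chroot: option in the server: section of
# nsd.conf; per nsd.conf(5), absolute paths elsewhere (zonesdir, pidfile,
# logfile, database) must include the chroot prefix so chroot can be toggled
# without editing anything else. A path outside the prefix is unreachable
# after chroot() and NSD only fails later, at runtime.

# Print the value of a server: option, stripping quotes and trailing comment.
nsd_conf_get() {            # $1 = conf file, $2 = option name (e.g. chroot)
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if every configured path lies under the chroot, 1 otherwise;
# offending options are written to stdout, one per line.
nsd_chroot_check() {        # $1 = conf file
    conf=$1
    root=$(nsd_conf_get "$conf" chroot)
    [ -n "$root" ] || return 0          # chroot disabled: nothing to check
    root=${root%/}                      # normalise a trailing slash
    rc=0
    for key in zonesdir pidfile logfile database; do
        val=$(nsd_conf_get "$conf" "$key")
        [ -n "$val" ] || continue       # unset: compiled-in default, not checked
        case $val in
            "$root"/*) ;;               # carries the chroot prefix: fine
            *) echo "$key: $val is outside chroot $root"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample nsd.conf (not from a real deployment) for a self-test.
sample_conf() {             # $1 = file to write, $2 = zonesdir value
    cat > "$1" <<EOF
server:
    chroot: "/etc/nsd"
    zonesdir: "$2"
    pidfile: "/etc/nsd/run/nsd.pid"
    logfile: "/etc/nsd/log/nsd.log"
EOF
}

# Stand-alone use: nsd-chroot-check.sh /etc/nsd/nsd.conf (a non-zero exit
# aborts the unit when the script is used as ExecStartPre=).
if [ $# -gt 0 ]; then nsd_chroot_check "$1"; fi
```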