From 8c8d29d2441584403b7e6d79bdc6b2638e112a3a Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 17:06:45 +0200
Subject: [PATCH 01/16] ssh: Add default initscript configuration.
---
 etc/default/ssh | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/default/ssh
diff --git a/etc/default/ssh b/etc/default/ssh
new file mode 100644
index 0000000..9680d34
--- /dev/null
+++ b/etc/default/ssh
@@ -0,0 +1,11 @@
+# Default settings for openssh-server. This file is sourced by /bin/sh from
+# /etc/init.d/ssh.
+
+# Options to pass to sshd
+SSHD_OPTS=
+
+# OOM-killer adjustment for sshd (see
+# linux/Documentation/filesystems/proc.txt; lower values reduce likelihood
+# of being killed, while -17 means the OOM-killer will ignore sshd; set to
+# the empty string to skip adjustment)
+SSHD_OOM_ADJUST=-17
-- 2.30.2
From 5e14935679f15c54c8be47c88d36632ec1cc9ade Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 17:07:10 +0200
Subject: [PATCH 02/16] ssh: Disable changing of the oom_adj value. This value is meant for making sure ssh is never killed by the oom killer, but that is not allowed inside vservers.
---
 etc/default/ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/etc/default/ssh b/etc/default/ssh
index 9680d34..afbc23b 100644
--- a/etc/default/ssh
+++ b/etc/default/ssh
@@ -8,4 +8,5 @@ SSHD_OPTS=
 # linux/Documentation/filesystems/proc.txt; lower values reduce likelihood
 # of being killed, while -17 means the OOM-killer will ignore sshd; set to
 # the empty string to skip adjustment)
-SSHD_OOM_ADJUST=-17
+# Disabled since oom_adj is not available inside vservers
+SSHD_OOM_ADJUST=
-- 2.30.2
From 3efd2f3ff6b490e947d45ec28925f35888ec6896 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 18:09:52 +0200
Subject: [PATCH 03/16] rsyslog: Use another format for forwarding messages. The syslog protocol 23 format seems to be broken in rsyslog for messages that were originally generated by legacy applications (i.e., do not have a structured-data field). See http://bugzilla.adiscon.com/show_bug.cgi?id=125
---
 etc/rsyslog.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index c6e706b..ab6876b 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -100,4 +100,4 @@ $ActionQueueFileName remote
 $ActionResumeRetryCount -1
 # save in-memory data if rsyslog shuts down
 $ActionQueueSaveOnShutdown on
-*.* @@log;RSYSLOG_SyslogProtocol23Format
+*.* @@log;RSYSLOG_ForwardFormat
-- 2.30.2
From 3a3d5b6747ecc1005af25fa8c9681321161e12b5 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 20:43:40 +0200
Subject: [PATCH 04/16] system: Update comments in hosts file.
---
 etc/hosts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/etc/hosts b/etc/hosts
index df87caa..533112a 100644
--- a/etc/hosts
+++ b/etc/hosts
@@ -12,8 +12,9 @@ ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts

-# These entries are meant to be resolved through dnsmasq (which will also add a
-# default domain suffix).
+# All vservers. These entries are meant to be resolved through dnsmasq (which
+# will also add a default domain suffix). This list is duplicated in
+# /etc/hosts of drsnuggles.
 10.42.0.2 test
 10.42.0.3 build
 10.42.0.4 ldap
-- 2.30.2
From 7c84880ff75b3e62dfeb84ccd8d3a706b5fc227b Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 20:44:09 +0200
Subject: [PATCH 05/16] system: Remove old entries from hosts file.
---
 etc/hosts | 2 --
 1 file changed, 2 deletions(-)
diff --git a/etc/hosts b/etc/hosts
index 533112a..b51be19 100644
--- a/etc/hosts
+++ b/etc/hosts
@@ -15,14 +15,12 @@ ff02::3 ip6-allhosts
 # All vservers. These entries are meant to be resolved through dnsmasq (which
 # will also add a default domain suffix). This list is duplicated in
 # /etc/hosts of drsnuggles.
-10.42.0.2 test
 10.42.0.3 build
 10.42.0.4 ldap
 10.42.0.5 dns
 10.42.0.254 template
 10.42.0.6 mysql
 10.42.0.7 www
-10.42.0.8 backup
 10.42.0.9 login kiiraa git.stderr.nl hg.stderr.nl svn.stderr.nl
 10.42.0.10 mail
 10.42.0.2 log
-- 2.30.2
From e6cf90085e92c79afc15d92e7b376c637a1ef2b2 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 20:44:34 +0200
Subject: [PATCH 06/16] system: Reorder hosts file.
---
 etc/hosts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/hosts b/etc/hosts
index b51be19..bf41610 100644
--- a/etc/hosts
+++ b/etc/hosts
@@ -15,12 +15,12 @@ ff02::3 ip6-allhosts
 # All vservers. These entries are meant to be resolved through dnsmasq (which
 # will also add a default domain suffix). This list is duplicated in
 # /etc/hosts of drsnuggles.
+10.42.0.254 template
+10.42.0.2 log
 10.42.0.3 build
 10.42.0.4 ldap
 10.42.0.5 dns
-10.42.0.254 template
 10.42.0.6 mysql
 10.42.0.7 www
 10.42.0.9 login kiiraa git.stderr.nl hg.stderr.nl svn.stderr.nl
 10.42.0.10 mail
-10.42.0.2 log
-- 2.30.2
From b59ea9646830cf67ba5cf8d0d588af1ea1bbc733 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 28 May 2009 12:16:14 +0200
Subject: [PATCH 07/16] dnsmasq: Update IP address of Coloclue's resolver.
---
 etc/dnsmasq.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
index 933f2d5..ecbad1f 100644
--- a/etc/dnsmasq.conf
+++ b/etc/dnsmasq.conf
@@ -14,7 +14,7 @@ local=/.drsnuggles.stderr.nl/

 # Don't get upstream servers from resolv.conf, but use the ones listed here
 no-resolv
-server=193.202.115.202
+server=94.142.247.17
 server=195.85.225.170
 server=195.3.164.19
 server=193.202.115.142
-- 2.30.2
From 19ce379dff8741a45ad1cb4b13ea394b0ea37b93 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 18 Nov 2009 21:27:30 +0100
Subject: [PATCH 08/16] maradns: Add hekjelarp.nl domain.
---
 etc/maradns/mararc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/maradns/mararc b/etc/maradns/mararc
index 8714892..3600eb4 100644
--- a/etc/maradns/mararc
+++ b/etc/maradns/mararc
@@ -12,6 +12,7 @@ csv2["stderr.nl."] = "db.stderr.nl"
 csv2["stdin.nl."] = "db.stdin.nl"
 csv2["stdout.nl."] = "db.stdout.nl"
 csv2["foresightsecurity.nl."] = "db.foresightsecurity.nl"
+csv2["hekjelarp.nl."] = "db.hekjelarp.nl"

 # The address this DNS server runs on. If you want to bind
 # to all addresses a given machine has, use "0.0.0.0".
-- 2.30.2
From 744143c024fbd630de6f1df437267969cafc0743 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 25 Jan 2010 20:48:36 +0100
Subject: [PATCH 09/16] maradns: Add plotornot.nl domain.
---
 etc/maradns/mararc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/maradns/mararc b/etc/maradns/mararc
index 3600eb4..916bba1 100644
--- a/etc/maradns/mararc
+++ b/etc/maradns/mararc
@@ -13,6 +13,7 @@ csv2["stdin.nl."] = "db.stdin.nl"
 csv2["stdout.nl."] = "db.stdout.nl"
 csv2["foresightsecurity.nl."] = "db.foresightsecurity.nl"
 csv2["hekjelarp.nl."] = "db.hekjelarp.nl"
+csv2["plotornot.nl."] = "db.plotornot.nl"

 # The address this DNS server runs on. If you want to bind
 # to all addresses a given machine has, use "0.0.0.0".
-- 2.30.2
From 94063426f36b90b391ed37c28a83980ae22a14c9 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 26 Jul 2010 15:26:53 +0200
Subject: [PATCH 10/16] oidentd: Add default configuration.
---
 etc/default/oidentd | 17 +++++++++++++++++
 etc/oidentd.conf | 22 ++++++++++++++++++++++
 etc/oidentd_masq.conf | 11 +++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 etc/default/oidentd
 create mode 100644 etc/oidentd.conf
 create mode 100644 etc/oidentd_masq.conf
diff --git a/etc/default/oidentd b/etc/default/oidentd
new file mode 100644
index 0000000..14bec1e
--- /dev/null
+++ b/etc/default/oidentd
@@ -0,0 +1,17 @@
+# options to use when starting oidentd as daemon:
+# -m lookup masquaraded connections in /etc/oidentd_masq.users
+# -f forward requests for masquaraded connections to real host
+# -q don't log connections to oidentd
+# see oidentd(8) for detailed list
+OIDENT_OPTIONS="-mf"
+
+# user / group
+OIDENT_USER=oident
+OIDENT_GROUP=oident
+
+# Allow the default router to act as an oidentd proxy? (yes/no)
+# this is needed behind a masquarading router that runs oidentd -f
+# if your identd proxy is not the default router, you have to
+# manually specify it via -P
+OIDENT_BEHIND_PROXY=yes
+
diff --git a/etc/oidentd.conf b/etc/oidentd.conf
new file mode 100644
index 0000000..03b28d8
--- /dev/null
+++ b/etc/oidentd.conf
@@ -0,0 +1,22 @@
+# Configuration for oidentd
+# see oidentd.conf(5)
+#
+default {
+ default {
+ deny spoof
+ deny spoof_all
+ deny spoof_privport
+ allow random
+ allow random_numeric
+ allow numeric
+ deny hide
+ }
+}
+
+# you may want to hide root connections
+#user "root" {
+# default {
+# force reply "UNKNOWN"
+# }
+#}
+
diff --git a/etc/oidentd_masq.conf b/etc/oidentd_masq.conf
new file mode 100644
index 0000000..8fb03f1
--- /dev/null
+++ b/etc/oidentd_masq.conf
@@ -0,0 +1,11 @@
+# oident masquarded connections configuration
+
+# use this file if your host is masquarading connections for several
+# hosts and you want to return a reply based on the hostname of
+# the originating machine
+# by default, such requests are forwarded to the real host.
+# you can disable forwarding by removing "-f" from OIDENT_OPTIONS
+# in /etc/default/oidentd
+
+# add hosts in the following format, see oidentd_masq.conf(5) for details:
+# [/mask]
-- 2.30.2
From a799b50b1d46b49b57ce3212c2fcf60317e7a6f9 Mon Sep 17 00:00:00 2001
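Review bot: etc/oidentd.conf ships with the `user "root"` stanza commented out, so ident queries about connections owned by root are answered with the real name, and `deny hide` means no local user can opt out of being identified at all; since ident answers any remote peer without authentication, enabling the `force reply "UNKNOWN"` block for root in the same commit would be the safer default, and `allow random` / `allow random_numeric` could be mentioned in a comment as the opt-out that unprivileged users do have (my reading of the capability names, to be checked against oidentd.conf(5)). In etc/default/oidentd, `OIDENT_BEHIND_PROXY=yes` is a shell variable read by the init script, so the `(yes/no)` comment is right and should not be "normalised" to true/false later. The last line of etc/oidentd_masq.conf, `# [/mask]`, looks like the user/host placeholders of the format line were lost on the way in (presumably angle-bracketed); worth restoring so the file documents the expected format. The comments consistently spell masquerade as "masquaraded"/"masquarading"; a follow-up spelling fix would help grepping.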
From: Matthijs Kooijman
Date: Mon, 26 Jul 2010 15:29:31 +0200
Subject: [PATCH 11/16] oidentd: Allow the vserver host to forward connections.
---
 etc/default/oidentd | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/etc/default/oidentd b/etc/default/oidentd
index 14bec1e..f807bd5 100644
--- a/etc/default/oidentd
+++ b/etc/default/oidentd
@@ -2,16 +2,19 @@
 # -m lookup masquaraded connections in /etc/oidentd_masq.users
 # -f forward requests for masquaraded connections to real host
 # -q don't log connections to oidentd
+# -P allow forwarded connectsions from this host. We use our own
+# hostname here, since connections will be forwarded from oidentd
+# on the vserver host. Those connections will appear to originate
+# from our own (and only) IP address.
 # see oidentd(8) for detailed list
-OIDENT_OPTIONS="-mf"
+OIDENT_OPTIONS="-mf -P `hostname`"

 # user / group
 OIDENT_USER=oident
 OIDENT_GROUP=oident

 # Allow the default router to act as an oidentd proxy? (yes/no)
-# this is needed behind a masquarading router that runs oidentd -f
-# if your identd proxy is not the default router, you have to
-# manually specify it via -P
-OIDENT_BEHIND_PROXY=yes
+# Since the vserver stuff messes up this autodetection, we pass in -P
+# above instead.
+OIDENT_BEHIND_PROXY=no

-- 2.30.2
From 82df18d0a80869ea9671b625209bb07cc6bbca68 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Sat, 29 Jan 2011 20:11:08 +0100
Subject: [PATCH 12/16] nsd: Add default config file.
---
 etc/nsd3/nsd.conf | 77 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 etc/nsd3/nsd.conf
diff --git a/etc/nsd3/nsd.conf b/etc/nsd3/nsd.conf
new file mode 100644
index 0000000..692421d
--- /dev/null
+++ b/etc/nsd3/nsd.conf
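Review bot: `OIDENT_OPTIONS="-mf -P \`hostname\`"` makes the trusted proxy depend on what `hostname` resolves to at the moment /etc/init.d/oidentd sources this file; if that name ever maps to a loopback entry instead of the vserver's single address, forwarded requests from the host's oidentd are refused and nothing in this file would make that visible. The comment itself says the vserver has exactly one IP, so pinning that address literally (or at least stating in the comment which /etc/hosts entry the substitution relies on) is the more predictable form, e.g. `# -P must resolve to the address the host's oidentd forwards from`. Minor: the new comment mis-spells "connectsions", and the retained `(yes/no)` line now sits above a value that is fixed to `no`, so the replacement comment could say outright that `-P` supersedes the autodetection.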
@@ -0,0 +1,77 @@
+#
+# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
+#
+# Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
+#
+# See LICENSE for the license.
+#
+
+# This is a comment.
+# Sample configuration file
+
+# options for the nsd server
+server:
+ # uncomment to specify specific interfaces to bind (default all).
+ # ip-address: 1.2.3.4
+ # ip-address: 12fe::8ef0
+
+ # enable debug mode for nsd, does not fork daemon process.
+ # (debug mode disables slave zone functionalities)
+ # debug-mode: no
+
+ # listen only on IPv4 connections
+ # ip4-only: no
+
+ # listen only on IPv6 connections
+ # ip6-only: no
+
+ # the database to use
+ # database: "/var/lib/nsd3/nsd.db"
+
+ # identify the server (CH TXT ID.SERVER entry).
+ # identity: "unidentified server"
+
+ # log messages to file. Default to stderr and syslog.
+ # logfile: "/var/log/nsd.log"
+
+ # Number of NSD servers to fork.
+ # server-count: 1
+
+ # Maximum number of concurrent TCP connections per server.
+ # tcp-count: 10
+
+ # File to store pid for nsd in.
+ # pidfile: "/var/run/nsd3/nsd.pid"
+
+ # port to answer queries on. default is 53.
+ # port: 53
+
+ # statistics are produced every number of seconds.
+ # statistics: 3600
+
+ # Run NSD in a chroot-jail.
+ # make sure to have pidfile and database reachable from there.
+ # chroot: "/etc/nsd3"
+
+ # After binding socket, drop user privileges.
+ # can be a username, id or id.gid.
+ # username: nsd
+
+ # The directory for zonefile: files.
+ # zonesdir: "/etc/nsd3"
+
+ # The file where incoming zone transfers are stored.
+ # run nsd-patch to update zone files, then you can safely delete it.
+ # difffile: "/etc/nsd3/ixfr.db"
+
+ # The file where secondary zone refresh and expire timeouts are kept.
+ # If you delete this file, all secondary zones are forced to be
+ # 'refreshing' (as if nsd got a notify).
+ # xfrdfile: "/var/lib/nsd3/xfrd.state"
+
+ # Number of seconds between reloads triggered by xfrd.
+ # xfrd-reload-timeout: 10
+
+ # Verbosity level.
+ # verbosity: 0
+
-- 2.30.2
From 6a8cce5274fcbd4c726909e61d4403eb0133cf09 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Sun, 30 Jan 2011 12:01:50 +0100
Subject: [PATCH 13/16] nsd: Run in a chroot.
---
 etc/nsd3/nsd.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/etc/nsd3/nsd.conf b/etc/nsd3/nsd.conf
index 692421d..b54b847 100644
--- a/etc/nsd3/nsd.conf
+++ b/etc/nsd3/nsd.conf
@@ -26,7 +26,7 @@ server:
 # ip6-only: no

 # the database to use
- # database: "/var/lib/nsd3/nsd.db"
+ database: "/var/lib/nsd3/nsd.db"

 # identify the server (CH TXT ID.SERVER entry).
 # identity: "unidentified server"
@@ -41,7 +41,7 @@ server:
 # tcp-count: 10

 # File to store pid for nsd in.
- # pidfile: "/var/run/nsd3/nsd.pid"
+ pidfile: "/var/lib/nsd3/nsd.pid"

 # port to answer queries on. default is 53.
 # port: 53
@@ -51,7 +51,7 @@ server:

 # Run NSD in a chroot-jail.
 # make sure to have pidfile and database reachable from there.
- # chroot: "/etc/nsd3"
+ chroot: "/var/lib/nsd3/"

 # After binding socket, drop user privileges.
 # can be a username, id or id.gid.
@@ -62,7 +62,7 @@ server:

 # The file where incoming zone transfers are stored.
 # run nsd-patch to update zone files, then you can safely delete it.
- # difffile: "/etc/nsd3/ixfr.db"
+ difffile: "/var/lib/nsd3/ixfr.db"

 # The file where secondary zone refresh and expire timeouts are kept.
 # If you delete this file, all secondary zones are forced to be
-- 2.30.2
From fd11aeaf07f02f8b906ec5af0e44017f773c7a5e Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Sun, 30 Jan 2011 12:02:19 +0100
Subject: [PATCH 14/16] nsd: Run on port 54. This leaves port 53 free for dnsmasq as our local resolver. Port forwarding will ensure the outside world will see port 53 anyway.
---
 etc/nsd3/nsd.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/etc/nsd3/nsd.conf b/etc/nsd3/nsd.conf
index b54b847..f0224c7 100644
--- a/etc/nsd3/nsd.conf
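Review bot: The chroot hunk enables `chroot: "/var/lib/nsd3/"` without the matching privilege drop: `# username: nsd` is still commented out (it appears as context in the later zonesdir hunk), so unless the init script supplies a user on the command line the daemon stays root inside the jail, and a chroot on its own does not confine a root process. Uncommenting `username: nsd` in the same change is what makes the jail worth having; if the Debian init script already passes `-u`, a comment saying so next to `chroot:` would stop the next reader from asking the same question. With `pidfile: "/var/lib/nsd3/nsd.pid"` the pid file also moves into the directory the daemon writes to, and the init script's stop action will trust whatever pid it finds there; keeping the directory itself non-writable by the nsd user, or placing the pidfile outside the jail if nsd.conf(5) for this NSD 3 build allows it, limits what a compromised daemon can do with it.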
+++ b/etc/nsd3/nsd.conf
@@ -43,8 +43,10 @@ server:
 # File to store pid for nsd in.
 pidfile: "/var/lib/nsd3/nsd.pid"

- # port to answer queries on. default is 53.
- # port: 53
+ # Run on a non-standard port, so another recursive resolver can
+ # run on port 53. We will be portforwarded anyway, so this
+ # doesn't matter.
+ port: 54

 # statistics are produced every number of seconds.
 # statistics: 3600
-- 2.30.2
From bb7bf205f1f2d363b94efa39fa7fa88cf29ad11c Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Sun, 30 Jan 2011 12:03:05 +0100
Subject: [PATCH 15/16] nsd: Point nsd to the right zonefiles. Note that these zonefiles have a slightly different format than the ones used by maradns, so we can't run both of them on the same zonefiles.
---
 etc/nsd3/nsd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/nsd3/nsd.conf b/etc/nsd3/nsd.conf
index f0224c7..b89bddd 100644
--- a/etc/nsd3/nsd.conf
+++ b/etc/nsd3/nsd.conf
@@ -60,7 +60,7 @@ server:
 # username: nsd

 # The directory for zonefile: files.
- # zonesdir: "/etc/nsd3"
+ zonesdir: "/data/db/dns/"

 # The file where incoming zone transfers are stored.
 # run nsd-patch to update zone files, then you can safely delete it.
-- 2.30.2
From 4bcf0eb828fcf8a64063a1cdd57b42d7a6a8b505 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Sun, 30 Jan 2011 12:04:11 +0100
Subject: [PATCH 16/16] nsd: Add configuration for all of the zones. Relative to the previous maradns configuration, this adds the chimara-if.org zone. Also, it sets ns1.openprovider.nl as the slave for this zone.
---
 etc/nsd3/nsd.conf | 48 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/etc/nsd3/nsd.conf b/etc/nsd3/nsd.conf
index b89bddd..8b4bb20 100644
--- a/etc/nsd3/nsd.conf
+++ b/etc/nsd3/nsd.conf
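Review bot: `zonesdir: "/data/db/dns/"` lies outside the jail set up two commits earlier (`chroot: "/var/lib/nsd3/"`), and the hunk does not say whether that is deliberate. It is only harmless if the chrooted daemon and its xfrd child never open this directory themselves, i.e. zone compilation (zonec) and nsd-patch, which rewrites zonefiles from `difffile`, run unchrooted for this NSD 3 version; please confirm that against nsd.conf(5) and record the outcome in a comment, e.g. `# Outside the chroot on purpose: only zonec/nsd-patch (unchrooted) read this`. The commit message's remark that these zonefiles are not the ones maradns uses also belongs next to `zonesdir:`, because the zone stanzas added in the following commit reuse the same file names (`db.stderr.nl` etc.) as etc/maradns/mararc and a later maintainer will assume they are shared.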
@@ -77,3 +77,51 @@ server:
 # Verbosity level.
 # verbosity: 0

+zone:
+ name: "chimara-if.org"
+ zonefile: "db.chimara-if.org"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
+
+zone:
+ name: "stderr.nl"
+ zonefile: "db.stderr.nl"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
+
+zone:
+ name: "stdin.nl"
+ zonefile: "db.stdin.nl"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
+
+zone:
+ name: "stdout.nl"
+ zonefile: "db.stdout.nl"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
+
+zone:
+ name: "foresightsecurity.nl"
+ zonefile: "db.foresightsecurity.nl"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
+
+zone:
+ name: "hekjelarp.nl"
+ zonefile: "db.hekjelarp.nl"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
+
+zone:
+ name: "plotornot.nl"
+ zonefile: "db.plotornot.nl"
+ # Transfer to ns1.openprovider.nl
+ notify: 89.255.7.30 NOKEY
+ provide-xfr: 89.255.7.30 NOKEY
-- 2.30.2
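Review bot: Each `provide-xfr: 89.255.7.30 NOKEY` allows an unsigned zone transfer to anything presenting that source address, and `notify: 89.255.7.30 NOKEY` sends unsigned notifies; if ns1.openprovider.nl supports TSIG, a `key:` section referenced from these lines in place of `NOKEY` authenticates both directions. The exposure is small (the zone data is public and AXFR runs over TCP), so this is a hardening suggestion rather than a blocker, but the same `NOKEY` is repeated fourteen times, so it is easiest to change now. The seven stanzas differ only in the name; a comment on the first one such as `# Slave address below is repeated in every zone stanza; change all of them together` would help, since this NSD 3 config offers no shared pattern for the transfer settings as far as I can tell.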