883852 – pdns with guardian=yes needs kill capabilities

Bug 883852 - pdns with guardian=yes needs kill capabilities

Summary: pdns with guardian=yes needs kill capabilities

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pdns
Sub Component:
Version:	18
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Morten Stevens
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-12-05 12:40 UTC by Sander Hoentjen
Modified:	2013-01-16 19:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-01-16 19:49:32 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Sander Hoentjen 2012-12-05 12:40:06 UTC

Description of problem:
I am writing an selinux policy for pdns, and I need to set self:capability kill, because the guardian needs to signal the instance to exit. Because we have systemd, we can actually start pdns without the guardian option, and let systemd do this work. This will make acceptance of the policy-changes easier. 

Here is a patch to the unit-file that solves this issue:

--- /usr/lib/systemd/system/pdns.service.old	2012-12-05 12:26:09.612569831 +0100
+++ /usr/lib/systemd/system/pdns.service	2012-12-05 12:38:18.932278710 +0100
@@ -4,9 +4,12 @@
 
 [Service]
 Type=forking
-ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes
+ExecStart=/usr/sbin/pdns_server --daemon
 ExecReload=/usr/bin/pdns_control cycle
 ExecStop=/usr/bin/pdns_control quit
+PIDFile=/var/run/pdns.pid
+Restart=on-failure
+RestartSec=2
 
 [Install]
 WantedBy=multi-user.target

Comment 1 Morten Stevens 2012-12-06 16:38:19 UTC

(In reply to comment #0)
> Description of problem:
> I am writing an selinux policy for pdns, and I need to set self:capability
> kill, because the guardian needs to signal the instance to exit. Because we
> have systemd, we can actually start pdns without the guardian option, and
> let systemd do this work. This will make acceptance of the policy-changes
> easier.

Hi,

That would be a consideration. 

> +PIDFile=/var/run/pdns.pid

Is this line necessary?

After systemctl restart pdns.service I get:

Dec  6 17:23:35 fc18 systemd[1]: PID 802 read from file /var/run/pdns.pid does not exist.
Dec  6 17:30:59 fc18 systemd[1]: PID 880 read from file /var/run/pdns.pid does not exist.

Comment 2 Sander Hoentjen 2012-12-24 11:53:08 UTC

(In reply to comment #1)
> That would be a consideration.
Cool
> 
> > +PIDFile=/var/run/pdns.pid
> 
> Is this line necessary?
Not really, it is just that man 5 systemd.service says:
-----------
PIDFile=
    Takes an absolute file name pointing to the PID file of this daemon. Use of this option is recommended for services where Type= is set to forking. systemd will read the PID of the main process of the daemon after start-up of the service. systemd will not write to the file configured here.
-----------
> 
> After systemctl restart pdns.service I get:
> 
> Dec  6 17:23:35 fc18 systemd[1]: PID 802 read from file /var/run/pdns.pid
> does not exist.
> Dec  6 17:30:59 fc18 systemd[1]: PID 880 read from file /var/run/pdns.pid
> does not exist.
I didn't see the error you did on my f17 system. Are you sure pdns started okay for you?

Comment 3 Morten Stevens 2012-12-24 15:10:54 UTC

(In reply to comment #2)
> (In reply to comment #1)
> > That would be a consideration.
> Cool

Okay, here is my patch: (without PIDFile=/var/run/pdns.pid as we do not need it)

diff --git a/pdns.service b/pdns.service
index 1b826d9..e7ada83 100644
--- a/pdns.service
+++ b/pdns.service
@@ -4,9 +4,11 @@ After=network.target

 [Service]
 Type=forking
-ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes
-ExecReload=/usr/bin/pdns_control cycle
+ExecStart=/usr/sbin/pdns_server --daemon
+ExecReload=/usr/bin/pdns_control reload
 ExecStop=/usr/bin/pdns_control quit
+Restart=on-failure
+RestartSec=2

 [Install]
 WantedBy=multi-user.target


> > After systemctl restart pdns.service I get:
> > 
> > Dec  6 17:23:35 fc18 systemd[1]: PID 802 read from file /var/run/pdns.pid
> > does not exist.
> > Dec  6 17:30:59 fc18 systemd[1]: PID 880 read from file /var/run/pdns.pid
> > does not exist.
> I didn't see the error you did on my f17 system. Are you sure pdns started
> okay for you?

Yes, I'm seeing this on my f17 and f18 installation. (minimal install)

Comment 4 Sander Hoentjen 2012-12-24 16:10:42 UTC

(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > That would be a consideration.
> > Cool
> 
> Okay, here is my patch: (without PIDFile=/var/run/pdns.pid as we do not need
> it)
> 
> diff --git a/pdns.service b/pdns.service
> index 1b826d9..e7ada83 100644
> --- a/pdns.service
> +++ b/pdns.service
> @@ -4,9 +4,11 @@ After=network.target
> 
>  [Service]
>  Type=forking
> -ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes
> -ExecReload=/usr/bin/pdns_control cycle
> +ExecStart=/usr/sbin/pdns_server --daemon
> +ExecReload=/usr/bin/pdns_control reload
>  ExecStop=/usr/bin/pdns_control quit
> +Restart=on-failure
> +RestartSec=2
> 
>  [Install]
>  WantedBy=multi-user.target
> 
Good catch about the cycle command.
Not sure reload is the best substitute though. That command is backend-specific. Might be better to just do a quit, and let itself start again, that is more in line what happens with guardian enabled. Or omit the reload command entirely, because I don't think pdns actually implements a consistent reload across all backends.
> 
> > > After systemctl restart pdns.service I get:
> > > 
> > > Dec  6 17:23:35 fc18 systemd[1]: PID 802 read from file /var/run/pdns.pid
> > > does not exist.
> > > Dec  6 17:30:59 fc18 systemd[1]: PID 880 read from file /var/run/pdns.pid
> > > does not exist.
> > I didn't see the error you did on my f17 system. Are you sure pdns started
> > okay for you?
> 
> Yes, I'm seeing this on my f17 and f18 installation. (minimal install)

Ok, better omit it then, even though I don't see it.

Comment 5 Morten Stevens 2012-12-25 13:57:41 UTC

(In reply to comment #4)
> >  [Service]
> >  Type=forking
> > -ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes
> > -ExecReload=/usr/bin/pdns_control cycle
> > +ExecStart=/usr/sbin/pdns_server --daemon
> > +ExecReload=/usr/bin/pdns_control reload
> >  ExecStop=/usr/bin/pdns_control quit
> > +Restart=on-failure
> > +RestartSec=2
> > 
> >  [Install]
> >  WantedBy=multi-user.target
> > 
> Good catch about the cycle command.
> Not sure reload is the best substitute though. That command is
> backend-specific. Might be better to just do a quit, and let itself start
> again, that is more in line what happens with guardian enabled. Or omit the
> reload command entirely, because I don't think pdns actually implements a
> consistent reload across all backends.

Yes, I think the reload command isn't the best solution.

Should we remove ExecReload? (restart does the same, so we do not need it)
 
> > Yes, I'm seeing this on my f17 and f18 installation. (minimal install)
> 
> Ok, better omit it then, even though I don't see it.

Okay, this is strange. I can reproduce it on a clean f17/f18 minimal install.

Comment 6 Sander Hoentjen 2012-12-27 09:41:19 UTC

(In reply to comment #5)

> > > 
> > Good catch about the cycle command.
> > Not sure reload is the best substitute though. That command is
> > backend-specific. Might be better to just do a quit, and let itself start
> > again, that is more in line what happens with guardian enabled. Or omit the
> > reload command entirely, because I don't think pdns actually implements a
> > consistent reload across all backends.
> 
> Yes, I think the reload command isn't the best solution.
> 
> Should we remove ExecReload? (restart does the same, so we do not need it)

I think removing it is fine.
>  
> > > Yes, I'm seeing this on my f17 and f18 installation. (minimal install)
> > 
> > Ok, better omit it then, even though I don't see it.
> 
> Okay, this is strange. I can reproduce it on a clean f17/f18 minimal install.

What backend do you use?

Comment 7 Morten Stevens 2012-12-28 15:17:16 UTC

(In reply to comment #6)

> > Yes, I think the reload command isn't the best solution.
> > 
> > Should we remove ExecReload? (restart does the same, so we do not need it)
> 
> I think removing it is fine.

Okay, we have two options:

1) pdns unit file without reload option

[Unit]
Description=PowerDNS Authoritative Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/pdns_server --daemon
ExecStop=/usr/bin/pdns_control quit
Restart=on-failure
RestartSec=2

[Install]
WantedBy=multi-user.target

2) pdns unit file with reload option "reload" instead of "cycle", because pdns without guardian doesn't support pdns_control cycle

[Unit]
Description=PowerDNS Authoritative Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/pdns_server --daemon
ExecReload=/usr/bin/pdns_control reload
ExecStop=/usr/bin/pdns_control quit
Restart=on-failure
RestartSec=2

[Install]
WantedBy=multi-user.target

> What backend do you use?

I've tested it with bind and mysql as backend.

Comment 8 Sander Hoentjen 2012-12-28 15:55:17 UTC

(In reply to comment #7)
> (In reply to comment #6)
> 
> > > Yes, I think the reload command isn't the best solution.
> > > 
> > > Should we remove ExecReload? (restart does the same, so we do not need it)
> > 
> > I think removing it is fine.
> 
> Okay, we have two options:
> 
> 1) pdns unit file without reload option
> 
> [Unit]
> Description=PowerDNS Authoritative Server
> After=network.target
> 
> [Service]
> Type=forking
> ExecStart=/usr/sbin/pdns_server --daemon
> ExecStop=/usr/bin/pdns_control quit
> Restart=on-failure
> RestartSec=2
> 
> [Install]
> WantedBy=multi-user.target
> 
> 2) pdns unit file with reload option "reload" instead of "cycle", because
> pdns without guardian doesn't support pdns_control cycle
> 
> [Unit]
> Description=PowerDNS Authoritative Server
> After=network.target
> 
> [Service]
> Type=forking
> ExecStart=/usr/sbin/pdns_server --daemon
> ExecReload=/usr/bin/pdns_control reload
> ExecStop=/usr/bin/pdns_control quit
> Restart=on-failure
> RestartSec=2
> 
> [Install]
> WantedBy=multi-user.target
> 

I am leaning towards option 1, but I am interested in what Peter has to say about it.

Comment 9 Peter van Dijk (PowerDNS) 2013-01-07 07:46:51 UTC

Reload is not a good way - indeed it does not actually reload pdns.conf and in fact it does very little.

I agree that with systemd, the guardian is not necessary. Getting rid of --daemon might be even cleaner, but if I recall correctly, we don't syslog in that case.

In short: option 1!

Comment 10 Fedora Update System 2013-01-07 16:03:21 UTC

pdns-3.1-7.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/pdns-3.1-7.fc18

Comment 11 Morten Stevens 2013-01-07 16:27:06 UTC

(In reply to comment #9)
> Reload is not a good way - indeed it does not actually reload pdns.conf and
> in fact it does very little.
> 
> I agree that with systemd, the guardian is not necessary. Getting rid of
> --daemon might be even cleaner, but if I recall correctly, we don't syslog
> in that case.
> 
> In short: option 1!

Thanks for your feedback.

Syslog works as expected:

Jan  7 17:16:57 fc18 yum[1417]: Installed: pdns-3.1-7.fc18.x86_64
Jan  7 17:17:10 fc18 systemd[1]: Reloading.
Jan  7 17:17:24 fc18 systemd[1]: Starting PowerDNS Authoritative Server...
Jan  7 17:17:25 fc18 pdns_server[1442]: Jan 07 17:17:25 Reading random entropy from '/dev/urandom'
Jan  7 17:17:25 fc18 pdns[1442]: Reading random entropy from '/dev/urandom'
Jan  7 17:17:25 fc18 systemd[1]: Started PowerDNS Authoritative Server.
Jan  7 17:17:25 fc18 pdns[1443]: This is a standalone pdns
Jan  7 17:17:25 fc18 pdns[1443]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Jan  7 17:17:25 fc18 pdns[1443]: It is advised to bind to explicit addresses with the --local-address option
Jan  7 17:17:25 fc18 pdns[1443]: UDP server bound to 0.0.0.0:53
Jan  7 17:17:25 fc18 pdns[1443]: TCP server bound to 0.0.0.0:53
Jan  7 17:17:25 fc18 pdns[1443]: PowerDNS 3.1 (C) 2001-2012 PowerDNS.COM BV (Jan  7 2013, 15:54:17, gcc 4.7.2 20121109 (Red Hat 4.7.2-8)) starting up
Jan  7 17:17:25 fc18 pdns[1443]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jan  7 17:17:25 fc18 pdns[1443]: Creating backend connection for TCP
Jan  7 17:17:25 fc18 pdns[1443]: About to create 3 backend threads for UDP
Jan  7 17:17:25 fc18 pdns[1443]: Done launching threads, ready to distribute questions
Jan  7 17:17:32 fc18 systemd[1]: Stopping PowerDNS Authoritative Server...
Jan  7 17:17:32 fc18 pdns_control[1453]: Exiting
Jan  7 17:17:32 fc18 systemd[1]: Stopped PowerDNS Authoritative Server.
Jan  7 17:17:45 fc18 systemd[1]: Starting PowerDNS Authoritative Server...
Jan  7 17:17:45 fc18 pdns_server[1460]: Jan 07 17:17:45 Reading random entropy from '/dev/urandom'
Jan  7 17:17:45 fc18 pdns[1460]: Reading random entropy from '/dev/urandom'
Jan  7 17:17:45 fc18 systemd[1]: Started PowerDNS Authoritative Server.
Jan  7 17:17:45 fc18 pdns[1461]: This is a standalone pdns
Jan  7 17:17:45 fc18 pdns[1461]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Jan  7 17:17:45 fc18 pdns[1461]: It is advised to bind to explicit addresses with the --local-address option
Jan  7 17:17:45 fc18 pdns[1461]: UDP server bound to 0.0.0.0:53
Jan  7 17:17:45 fc18 pdns[1461]: TCP server bound to 0.0.0.0:53
Jan  7 17:17:45 fc18 pdns[1461]: PowerDNS 3.1 (C) 2001-2012 PowerDNS.COM BV (Jan  7 2013, 15:54:17, gcc 4.7.2 20121109 (Red Hat 4.7.2-8)) starting up
Jan  7 17:17:45 fc18 pdns[1461]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jan  7 17:17:45 fc18 pdns[1461]: Creating backend connection for TCP
Jan  7 17:17:45 fc18 pdns[1461]: About to create 3 backend threads for UDP
Jan  7 17:17:45 fc18 pdns[1461]: Done launching threads, ready to distribute questions

[root@fc18 ~]# pdns_control version
3.1
[root@fc18 ~]# pdns_control uptime
8.2 minutes
[root@fc18 ~]# pdns_control show "*"
corrupt-packets=0,deferred-cache-inserts=0,deferred-cache-lookup=0,latency=0,packetcache-hit=0,packetcache-miss=0,packetcache-size=0,qsize-q=0,query-cache-hit=0,query-cache-miss=0,recursing-answers=0,recursing-questions=0,servfail-packets=0,tcp-answers=0,tcp-queries=0,timedout-packets=0,udp-answers=0,udp-queries=0,udp4-answers=0,udp4-queries=0,udp6-answers=0,udp6-queries=0,

Comment 12 Fedora Update System 2013-01-07 21:20:50 UTC

Package pdns-3.1-7.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pdns-3.1-7.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0368/pdns-3.1-7.fc18
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-01-16 19:49:34 UTC

pdns-3.1-7.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.