Re: Installing dnscache with runit, without other djb utils

Re: Installing dnscache with runit, without other djb utils

[lanek]

> there's an error here worth highlighting given the "recently discovered"
> issues with DNS query port randomisation.

Detail the error please.

From my [modified] rc.S:

1)

# -- ** initialize /dev/urandom:
_POOLSIZE=/proc/sys/kernel/random/poolsize
_SEED=/etc/random-seed
_URANDOM=/dev/urandom

if [ -f $_SEED ]; then # -- carry an entropy pool (improve randomness).
    yellow "using $_SEED to initialize $_URANDOM ..."
    cat $_SEED > $_URANDOM
fi

if [ ! -r $_POOLSIZE ]; then
    _BYTES=512
else
    _BYTES=`cat $_POOLSIZE`
fi
dd if=$_URANDOM of=$_SEED count=1 bs=$_BYTES 2> /dev/null
chmod 600 $_SEED


(And similarly/complementarily, ditto within rc.6.)

Then from rc.M:

2)

yellow 'starting runit ...' ;   # -- runit "stage 2."
csh -cf 'runsvdir-start &'


Cheers,

/Roy

--
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS   berat sama dipikul, ringan sama dijinjing
SSSSS . s l a c k w a r e  SSSSSS       heavy we shoulder together, light
SSSSS +------------ linux  SSSSSS            we hand-carry together
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Re: Installing dnscache with runit, without other djb utils

[lanek]

> What more detail are you looking for?
>
> The seed file is only useful if it is attached to standard input of the
> dnscache process, which will read up to 128 bytes to seed its RNG.

    [d]nscache reads a seed, up to 128 bytes, from standard input, and passes
    the seed to dns_random_init^1

Yes, dnscache reading the seed from _standard input_ details better the
situation:

    exec<seed or dnscache <seed

become more intelligible. ("If it's a cow don't call it a bovine," says
Ledgard.)

Thank you _very much_ for the vital correction, I don't know how I have
missed
that ... eventually it has been, if I remember correctly, a mere mapping
operation--from daemontools to runit ... And was thinking you were hinting at
some synchronization problems.

/Roy Lanek

     1. Configuration, http://cr.yp.to/djbdns/dnscache.html

--
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS   malu bertanya, sesat di jalan
SSSSS . s l a c k w a r e  SSSSSS   embarrassed to ask will result in
SSSSS +------------ linux  SSSSSS   getting lost
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Re: Installing dnscache with runit, without other djb utils

[Charlie Brady]

On Fri, 18 Jul 2008, lanek@novenine.com wrote:

>> there's an error here worth highlighting given the "recently discovered"
>> issues with DNS query port randomisation.
>
> Detail the error please.

I did. I said:

  There's something important missing here. You need to do:

  exec<seed

  or

  exec chpst -U yyy -e ./env -o 250 -d "$DATALIMIT" \
         /usr/bin/dnscache <seed

What more detail are you looking for?

The seed file is only useful if it is attached to standard input of the 
dnscache process, which will read up to 128 bytes to seed its RNG.

Re: Installing dnscache with runit, without other djb utils

[Roy Lanek]

** Sorry for answering late

> I'd like to install djb's dnscache to run under my
> existing runit-based system.

** you can (it's working perfectly for me).

> In order to do so, it seems to require me to install
> a number of other djb utilities which have the same
> name as some of the runit-based symlinks: setuidgid,
> pgrphack, etc.

** no. My case:

/etc/dnscache
    with the usual inner structure (log, supervise, run) +

        /etc/dnscache/env
        /etc/dnscache/root
        /etc/dnscache/seed

    extra

env, root, seed like with the original dnscache
log and supervise like usual

drwxr-sr-x 2 root root   8 Jun 19 02:34 env
drwxr-x--- 3 root xxx    5 Jun 19 02:27 log
drwxr-sr-x 4 root root   4 Jun 19 02:21 root
-rwx------ 1 root root 395 Jun 19 14:51 run
-rw------- 1 root root 128 Sep 28 02:39 seed
drwx------ 2 root root   8 Sep 28 02:39 supervise

xxx is your groupid of choice from the runit family

run is:

#!/bin/sh
exec 2>&1
cd '/etc/dnscache' || exit 1

# -- seed:
umask 077
/bin/rm -f seed
/bin/dd if=/dev/urandom bs=128 count=1 > seed 2> /dev/null
    # -- "Linux has a good source of random data, use 128
    # -- bytes of it to pass it to 'dns_random_init' (via
    # -- 'seed')."^1

exec chpst -U yyy -e ./env -o 250 -d "$DATALIMIT" \
        /usr/bin/dnscache


# -- 1. The dnscache-conf program, djbdns' doc.



with yyy = your userid for dnscache (from the passwd)


run in supervise is:

#!/bin/sh
exec chpst -uxxx svlogd -tt main/dnscache

with xxx the same as above
and main as known. 


symbolic link to /etc/dnscache as usual


Hope I have given you enough info.

The only exception I know in which I had to really compile
daemontools--just to extract tai64n and tai64nlocal--is
uschedule, which I also use with great satisfaction under
runit. (You need also to set a bit up an environment, a
trivial task).

Cheers,

/Roy

P.S.

After a second thought, maybe it interests others too (I
have answered to the sender directly already).
-- 
########################     anjing menggonggong, kafilah tetap berlalu  
##### . slackware ######     the dogs are barking, the caravan moves on  
##### +-----linux ######  [illustrates useless protest, critic, or sarcasm] 
########################

Re: Installing dnscache with runit, without other djb utils

[Charlie Brady]

On Thu, 28 Sep 2006, Roy Lanek wrote:

> ** Sorry for answering late

And sorry for following up very late - but there's an error here worth 
highlighting given the "recently discovered" issues with DNS query port 
randomisation.

> #!/bin/sh
> exec 2>&1
> cd '/etc/dnscache' || exit 1
>
> # -- seed:
> umask 077
> /bin/rm -f seed
> /bin/dd if=/dev/urandom bs=128 count=1 > seed 2> /dev/null
>    # -- "Linux has a good source of random data, use 128
>    # -- bytes of it to pass it to 'dns_random_init' (via
>    # -- 'seed')."^1
>
> exec chpst -U yyy -e ./env -o 250 -d "$DATALIMIT" \
>        /usr/bin/dnscache

There's something important missing here. You need to do:

exec<seed

or

exec chpst -U yyy -e ./env -o 250 -d "$DATALIMIT" \
         /usr/bin/dnscache <seed

Installing dnscache with runit, without other djb utils

[Lloyd Zusman]

I'd like to install djb's dnscache to run under my existing runit-based
system.  In order to do so, it seems to require me to install a number
of other djb utilities which have the same name as some of the
runit-based symlinks: setuidgid, pgrphack, etc.

This will cause a conflict or worse (overwriting?) with the
corresponding runit-based symlinks, and I want to avoid this.  Does
anyone know how to install dnscache to run under runit _without_ having
djb's utilities mess up my runit-based symlinks?

Thanks in advance.

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.

Re: Installing dnscache with runit, without other djb utils

[Wayne Marshall]

On Wed, 20 Sep 2006 18:30:33 -0400
Lloyd Zusman <ljz@asfast.com> wrote:

> I'd like to install djb's dnscache to run under my existing
> runit-based system.  In order to do so, it seems to require me to
> install a number of other djb utilities which have the same name as
> some of the runit-based symlinks: setuidgid, pgrphack, etc.
> 
> This will cause a conflict or worse (overwriting?) with the
> corresponding runit-based symlinks, and I want to avoid this.  Does
> anyone know how to install dnscache to run under runit _without_
> having djb's utilities mess up my runit-based symlinks?
>

These run scripts may help:

 http://www.slackmatic.org/site.cgi?repoview=guinix&port=runit-djbdns


Wayne

Re: Installing dnscache with runit, without other djb utils

[Vincent Danen]

[-- Attachment #1: Type: text/plain, Size: 1047 bytes --]

* Lloyd Zusman <ljz@asfast.com> [2006-09-20 18:30:33 -0400]:

> I'd like to install djb's dnscache to run under my existing runit-based
> system.  In order to do so, it seems to require me to install a number
> of other djb utilities which have the same name as some of the
> runit-based symlinks: setuidgid, pgrphack, etc.
> 
> This will cause a conflict or worse (overwriting?) with the
> corresponding runit-based symlinks, and I want to avoid this.  Does
> anyone know how to install dnscache to run under runit _without_ having
> djb's utilities mess up my runit-based symlinks?
> 
> Thanks in advance.

Take a peek here:

http://svn.annvix.org/cgi-bin/viewvc.cgi/djbdns/?root=ports

I've been running djbdns (tinydns, dnscache, etc.) since I moved to
runit years ago and they work great without needing daemontools.

At that url, look at the *.run files (those are the runscripts).

-- 
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)

[-- Attachment #2: Type: application/pgp-signature, Size: 186 bytes --]

Re: Installing dnscache with runit, without other djb utils

[Charlie Brady]

On Wed, 20 Sep 2006, Lloyd Zusman wrote:

> I'd like to install djb's dnscache to run under my existing runit-based
> system.  In order to do so, it seems to require me to install a number
> of other djb utilities which have the same name as some of the
> runit-based symlinks: setuidgid, pgrphack, etc.
>
> This will cause a conflict or worse (overwriting?) with the
> corresponding runit-based symlinks, and I want to avoid this.

What makes you think that you need to install the djb utilities? What 
happens if you just use the runit-based symlinks?

> Does anyone know how to install dnscache to run under runit _without_ 
> having djb's utilities mess up my runit-based symlinks?

You shouldn't need setuidgid or pgrphack to run dnscache.

Re: Installing dnscache with runit, without other djb utils

[Lloyd Zusman]

Charlie Brady <charlieb-supervision@budge.apana.org.au> writes:

> On Wed, 20 Sep 2006, Lloyd Zusman wrote:
>
>> I'd like to install djb's dnscache to run under my existing runit-based
>> system.  In order to do so, it seems to require me to install a number
>> of other djb utilities which have the same name as some of the
>> runit-based symlinks: setuidgid, pgrphack, etc.
>>
>> This will cause a conflict or worse (overwriting?) with the
>> corresponding runit-based symlinks, and I want to avoid this.
>
> What makes you think that you need to install the djb utilities? What
> happens if you just use the runit-based symlinks?

Thank you.

Those runit symlinks work just fine at run time.  That's not where my
problem lies.

Rather, I'm talking about the initial installation of djbdns.  According
to djb's docs, I have to first install his daemontools and ucspi-tcp
packages in order to get the djbdns stuff installed, and I don't want to
do either of those installations.

I tried to do install djbdns a while ago with only the runit utils in
place, and it failed (sadly, I don't have the error log any more).

But now, after having typed the preceding part of this reply, I decided
to try installing djbdns a second time, just in case (again, without any
other djb utils in place ... only runit).  And this time, it worked.

Therefore, I must have done something wrong with that earlier install,
which means that my question here is moot.

Thanks to you and also to Vincent Danet and Wayne Marshall for your kind
help.


>> Does anyone know how to install dnscache to run under runit _without_
>> having djb's utilities mess up my runit-based symlinks?
>
> You shouldn't need setuidgid or pgrphack to run dnscache.
>

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.

Re: Installing dnscache with runit, without other djb utils

[Charlie Brady]

On Wed, 20 Sep 2006, Lloyd Zusman wrote:

> Rather, I'm talking about the initial installation of djbdns.  According
> to djb's docs, I have to first install his daemontools and ucspi-tcp
> packages in order to get the djbdns stuff installed, and I don't want to
> do either of those installations.

You don't need to. djb's docs were written before runit existed. You can 
ignore (as you have discovered) the suggestion that daemontools and 
ucspi-tcp are required.

> I tried to do install djbdns a while ago with only the runit utils in
> place, and it failed (sadly, I don't have the error log any more).

Without the error log, nobody will be able to tell you what went wrong.

Re: Installing dnscache with runit, without other djb utils

[Lloyd Zusman]

Charlie Brady <charlieb-supervision@budge.apana.org.au> writes:

> On Wed, 20 Sep 2006, Lloyd Zusman wrote:
>
>> Rather, I'm talking about the initial installation of djbdns.  According
>> to djb's docs, I have to first install his daemontools and ucspi-tcp
>> packages in order to get the djbdns stuff installed, and I don't want to
>> do either of those installations.
>
> You don't need to. djb's docs were written before runit existed. You can
> ignore (as you have discovered) the suggestion that daemontools and
> ucspi-tcp are required.
>
>> I tried to do install djbdns a while ago with only the runit utils in
>> place, and it failed (sadly, I don't have the error log any more).
>
> Without the error log, nobody will be able to tell you what went wrong.

... but it's a moot point now.  Did you read the rest of my message?

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.