#include <stdlib.h>
#include <stdio.h>
int main()
{
long count=2;
char * mem;
while(1)
{
printf("allocated %ld bytes\n", count);
if((mem=(char *) malloc(count))== NULL) exit(1);
/*free(*mem); */
count*=2;
}
}
Play with Solaris project
In this short article I will demonstrate few options of project subsystem in Solaris.
1. Create sample project
# projadd -p 101 -c "my first project" -K "process.max-data-size=(priv,32m,deny)" test1
where 101 is the ID (numeric) of the project
"my first project" is just a comment
test1 is the name of the project
and "process.max-data-size=(priv,32m,deny)" describe attributes. In this example i limit memory data segment to 32 megabytes. The string "priv" is definition who can modify the value and string "deny" define the action when the value is reached.For more info see manual page of resource_controls(5)
2. Check the project
# projects -l
system
projid : 0
comment: ""
users : (none)
groups : (none)
attribs:
...
test1
projid : 101
comment: "my first project"
users : (none)
groups : (none)
attribs: process.max-data-size=(priv,33554432,deny)
3. Test if its work
For this purpose I will use one sample C program to allocate memory and exec it
# newtask -p test1 ./a.out
allocated 2 bytes
allocated 4 bytes
allocated 8 bytes
allocated 16 bytes
allocated 32 bytes
allocated 64 bytes
...
allocated 4194304 bytes
allocated 8388608 bytes
allocated 16777216 bytes
and just in case check exit code :)
# echo $?
1
4. Modify the project to give more memory
projmod -p 101 -K "process.max-data-size=(priv,64m,deny)" test1
5. and check again
# newtask -p test1 ./a.out
allocated 2 bytes
allocated 4 bytes
allocated 8 bytes
allocated 16 bytes
allocated 32 bytes
allocated 64 bytes
...
allocated 4194304 bytes
allocated 8388608 bytes
allocated 16777216 bytes
allocated 33554432 bytes
As you can see all work perfect and we can start using projects in our daily work
1. Create sample project
# projadd -p 101 -c "my first project" -K "process.max-data-size=(priv,32m,deny)" test1
where 101 is the ID (numeric) of the project
"my first project" is just a comment
test1 is the name of the project
and "process.max-data-size=(priv,32m,deny)" describe attributes. In this example i limit memory data segment to 32 megabytes. The string "priv" is definition who can modify the value and string "deny" define the action when the value is reached.For more info see manual page of resource_controls(5)
2. Check the project
# projects -l
system
projid : 0
comment: ""
users : (none)
groups : (none)
attribs:
...
test1
projid : 101
comment: "my first project"
users : (none)
groups : (none)
attribs: process.max-data-size=(priv,33554432,deny)
3. Test if its work
For this purpose I will use one sample C program to allocate memory and exec it
# newtask -p test1 ./a.out
allocated 2 bytes
allocated 4 bytes
allocated 8 bytes
allocated 16 bytes
allocated 32 bytes
allocated 64 bytes
...
allocated 4194304 bytes
allocated 8388608 bytes
allocated 16777216 bytes
and just in case check exit code :)
# echo $?
1
4. Modify the project to give more memory
projmod -p 101 -K "process.max-data-size=(priv,64m,deny)" test1
5. and check again
# newtask -p test1 ./a.out
allocated 2 bytes
allocated 4 bytes
allocated 8 bytes
allocated 16 bytes
allocated 32 bytes
allocated 64 bytes
...
allocated 4194304 bytes
allocated 8388608 bytes
allocated 16777216 bytes
allocated 33554432 bytes
As you can see all work perfect and we can start using projects in our daily work
DNS - make it sample and fast, part 5 - split server
Split DNS or sometime named dual home DNS is a DNS server, connected to two or more networks and serve different information, depend of the network from where request is initiated. This is very helpful when you want to have different view, different IP addreses for the same server. For example your mail server will have one address when you access it from internal network and totally different when you access it from internet.
In this article I will use 10.1.0 and 10.0.1 networks as example
23. Define access control lists in bind configuration
Add in named.conf the lines
acl net1 { 10.1.0.0/24;};
acl net2 { 10.0.1.0/24;};
24. Redefine example.net zone to ne int.example.net
this
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {11.1.0.10;};
};
become
zone "int.example.net" in{
type master;
file "master.example.net";
allow-transfer {11.1.0.10;};
allow-query { net1; };
};
This should be done because is not possible to set one domain to be defined twice
25. And the same for IP network
this
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
become
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
allow-query { net1; };
};
26. Lets add new sections for external view of domain and IP addresses
zone "example.net.ext" in{
type master;
file "master.example.net.ext";
allow-query { net1; net2; };
};
zone "1.0.10.IN-ADDR.ARPA" in{
type master;
file "10.0.1.rev";
allow-query { net1;net2; };
};
27. And create the appropriate files
[root@nsd named]# cat master.example.net.ext
@ IN SOA ns.example.net. root@ns.example.net. (
2010081501 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
)
@ IN NS ns.example.net.
ns IN A 10.0.1.5
[root@nsd named]# cat 10.0.1.rev
@ IN SOA ns.example.net. root@ns.example.net. (
2010008151 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
)
@ IN NS ns.example.net
5 IN PTR ns.example.net.
Of course on my old files I replace records *.example.net with *.int.example.net
28. And tell name server to reload configuration
[root@nsd named]# rndc reload
server reload successful
29. And of course make some tests
29.1. First from network 10.1.0
[root@nsd named]# nslookup
> nsd
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: nsd.int.example.net
Address: 10.1.0.5
> set q=ns
> int.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
example.net nameserver = nsd.int.example.net.
example.net nameserver = centos.int.example.net.
> ns.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.1.0.5
Address: 10.1.0.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
29.2. And from network 10.1.0
[root@c01-n1 ~]# ifconfig|grep -E "Ethernet|inet addr"
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:57:32
inet addr:10.0.1.101 Bcast:10.0.1.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
[root@c01-n1 ~]# nslookup
> ns
Server: 10.0.1.5
Address: 10.0.1.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.0.1.5
Address: 10.0.1.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
> nsd
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd: NXDOMAIN
> nsd.int.example.net
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd.int.example.net: NXDOMAIN
So if I name my mail server just mail and add in search domains int.example.net and example.net I will have access to the same server independently of the network I am attached. And I will give no access to the people outside to information about my internal network
In this article I will use 10.1.0 and 10.0.1 networks as example
23. Define access control lists in bind configuration
Add in named.conf the lines
acl net1 { 10.1.0.0/24;};
acl net2 { 10.0.1.0/24;};
24. Redefine example.net zone to ne int.example.net
this
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {11.1.0.10;};
};
become
zone "int.example.net" in{
type master;
file "master.example.net";
allow-transfer {11.1.0.10;};
allow-query { net1; };
};
This should be done because is not possible to set one domain to be defined twice
25. And the same for IP network
this
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
become
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
allow-query { net1; };
};
26. Lets add new sections for external view of domain and IP addresses
zone "example.net.ext" in{
type master;
file "master.example.net.ext";
allow-query { net1; net2; };
};
zone "1.0.10.IN-ADDR.ARPA" in{
type master;
file "10.0.1.rev";
allow-query { net1;net2; };
};
27. And create the appropriate files
[root@nsd named]# cat master.example.net.ext
@ IN SOA ns.example.net. root@ns.example.net. (
2010081501 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
)
@ IN NS ns.example.net.
ns IN A 10.0.1.5
[root@nsd named]# cat 10.0.1.rev
@ IN SOA ns.example.net. root@ns.example.net. (
2010008151 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
)
@ IN NS ns.example.net
5 IN PTR ns.example.net.
Of course on my old files I replace records *.example.net with *.int.example.net
28. And tell name server to reload configuration
[root@nsd named]# rndc reload
server reload successful
29. And of course make some tests
29.1. First from network 10.1.0
[root@nsd named]# nslookup
> nsd
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: nsd.int.example.net
Address: 10.1.0.5
> set q=ns
> int.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
example.net nameserver = nsd.int.example.net.
example.net nameserver = centos.int.example.net.
> ns.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.1.0.5
Address: 10.1.0.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
29.2. And from network 10.1.0
[root@c01-n1 ~]# ifconfig|grep -E "Ethernet|inet addr"
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:57:32
inet addr:10.0.1.101 Bcast:10.0.1.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
[root@c01-n1 ~]# nslookup
> ns
Server: 10.0.1.5
Address: 10.0.1.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.0.1.5
Address: 10.0.1.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
> nsd
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd: NXDOMAIN
> nsd.int.example.net
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd.int.example.net: NXDOMAIN
So if I name my mail server just mail and add in search domains int.example.net and example.net I will have access to the same server independently of the network I am attached. And I will give no access to the people outside to information about my internal network
DNS - make it sample and fast, part 4 - master/slave
12. Why is need master/slave architecture
There are many reasons why is need this architecture. First at all for redundancy, if you have only one DNS server what will happen in case of hardware failure? Or if DNS software or OS crash? Thats because it is wise to have more that one server. And to avoid synchronization efforts and mistakes will be good to do it automatically.
Next possible reason is spread the load of DNS requests. In case of big enterprise DNS requests can overload the server if there is only one. Of course you can replace it with new, more powerful server, but this will be (again) single point of failure.
Other reason can be security. If you expose to for public access only secondary server this will prevent (more or less) the possibility of harm on some way the resolv of hostnames/IP addreses. At the end this is only one server, so do not forget to implement all the security precautions you usually do
13. Configure to allow transfers to slave server(s)
In file /var/named/chroot/etc/named.conf the block
zone "example.net" in{
type master;
file "master.example.net";
};
will become
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {10.1.0.10;};
};
and
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
};
will become
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
14. Configure slave server
The base is the same so lets edit /var/named/chroot/etc/named.conf. I will use config file from master and just edit some sections like
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {10.1.0.10;};
};
become
zone "example.net" in{
type slave;
file "slave.example.net";
masters {10.1.0.5;};
};
and
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
become
zone "0.1.10.IN-ADDR.ARPA" in{
type slave;
file "10.1.0.rev.slave";
masters {10.1.0.5;};
};
14. Check the configuration
[root@centos named]# service named configtest
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
15. This look nice, but it is need to do few more steps
>/var/named/chroot/var/named/10.1.0.rev.slave
>/var/named/chroot/var/named/slave.example.net
chown named:named /var/named/chroot/var/named/10.1.0.rev.slave /var/named/chroot/var/named/slave.example.net
mkdir -p /var/named/chroot/tmp
chmod 1777 /var/named/chroot/tmp
last two lines are because of the chroot environment
16. Run the server
[root@centos named]# service named start
Starting named: [ OK ]
17. And of course make some tests
[root@centos named]# nslookup
> server 10.1.0.10
Default server: 10.1.0.10
Address: 10.1.0.10#53
> nsd
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: nsd.example.net
Address: 10.1.0.5
> nsd.example.net.
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: nsd.example.net
Address: 10.1.0.5
> centos
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: centos.example.net
Address: 10.1.0.10
> set q=mx
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net mail exchanger = 1 centos.example.net.
> set q=ns
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net nameserver = nsd.example.net.
> exit
18. All is fine except one minor mistake.
On the definitions for domain example,net is missing our new name server. Lets correct this
19. Go to master name server and edit /var/named/chroot/var/named/master.example.net
and line
2010072501 ; serial
will be changed to
2010080701 ; serial
and after line
@ IN NS nsd.example.net.
will be added
@ IN NS centos.example.net.
20. Make server reload the configuration
[root@nsd named]# service named reload
Reloading named: [ OK ]
21. And go back to slave server
[root@centos named]# nslookup
> server 10.1.0.10
Default server: 10.1.0.10
Address: 10.1.0.10#53
> set q=ns
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net nameserver = centos.example.net.
example.net nameserver = nsd.example.net.
22. E voila, we have already working master/slave DNS configuration
There are many reasons why is need this architecture. First at all for redundancy, if you have only one DNS server what will happen in case of hardware failure? Or if DNS software or OS crash? Thats because it is wise to have more that one server. And to avoid synchronization efforts and mistakes will be good to do it automatically.
Next possible reason is spread the load of DNS requests. In case of big enterprise DNS requests can overload the server if there is only one. Of course you can replace it with new, more powerful server, but this will be (again) single point of failure.
Other reason can be security. If you expose to for public access only secondary server this will prevent (more or less) the possibility of harm on some way the resolv of hostnames/IP addreses. At the end this is only one server, so do not forget to implement all the security precautions you usually do
13. Configure to allow transfers to slave server(s)
In file /var/named/chroot/etc/named.conf the block
zone "example.net" in{
type master;
file "master.example.net";
};
will become
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {10.1.0.10;};
};
and
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
};
will become
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
14. Configure slave server
The base is the same so lets edit /var/named/chroot/etc/named.conf. I will use config file from master and just edit some sections like
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {10.1.0.10;};
};
become
zone "example.net" in{
type slave;
file "slave.example.net";
masters {10.1.0.5;};
};
and
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
become
zone "0.1.10.IN-ADDR.ARPA" in{
type slave;
file "10.1.0.rev.slave";
masters {10.1.0.5;};
};
14. Check the configuration
[root@centos named]# service named configtest
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
15. This look nice, but it is need to do few more steps
>/var/named/chroot/var/named/10.1.0.rev.slave
>/var/named/chroot/var/named/slave.example.net
chown named:named /var/named/chroot/var/named/10.1.0.rev.slave /var/named/chroot/var/named/slave.example.net
mkdir -p /var/named/chroot/tmp
chmod 1777 /var/named/chroot/tmp
last two lines are because of the chroot environment
16. Run the server
[root@centos named]# service named start
Starting named: [ OK ]
17. And of course make some tests
[root@centos named]# nslookup
> server 10.1.0.10
Default server: 10.1.0.10
Address: 10.1.0.10#53
> nsd
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: nsd.example.net
Address: 10.1.0.5
> nsd.example.net.
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: nsd.example.net
Address: 10.1.0.5
> centos
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: centos.example.net
Address: 10.1.0.10
> set q=mx
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net mail exchanger = 1 centos.example.net.
> set q=ns
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net nameserver = nsd.example.net.
> exit
18. All is fine except one minor mistake.
On the definitions for domain example,net is missing our new name server. Lets correct this
19. Go to master name server and edit /var/named/chroot/var/named/master.example.net
and line
2010072501 ; serial
will be changed to
2010080701 ; serial
and after line
@ IN NS nsd.example.net.
will be added
@ IN NS centos.example.net.
20. Make server reload the configuration
[root@nsd named]# service named reload
Reloading named: [ OK ]
21. And go back to slave server
[root@centos named]# nslookup
> server 10.1.0.10
Default server: 10.1.0.10
Address: 10.1.0.10#53
> set q=ns
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net nameserver = centos.example.net.
example.net nameserver = nsd.example.net.
22. E voila, we have already working master/slave DNS configuration
Subscribe to:
Posts (Atom)