Last active
January 2, 2021 17:50
-
-
Save mattrude/748529bd489f76a7a6b6dbc5332936a7 to your computer and use it in GitHub Desktop.
Bind 9.11+ Update script for Ubuntu 16.04 LTS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| BINDVER=`curl -slL ftp://ftp.isc.org/isc/bind9/cur/9.11/ |grep ".tar.gz$" |sed 's/bind-//g' |sed 's/.tar.gz//g'` | |
| if [ -f /usr/local/sbin/named ]; then | |
| CURRENTVER=`/usr/local/sbin/named -v |awk '{ print $2 }'` | |
| elif [ -f /usr/sbin/named ]; then | |
| CURRENTVER=`/usr/sbin/named -v |awk '{ print $2 }'` | |
| else | |
| CURRENTVER=0 | |
| fi | |
| if [ $BINDVER != $CURRENTVER ]; then | |
| # Update the System before we start | |
| dpkg --get-selections |awk '{print $1}' |sed 's/:amd64//g' > /tmp/installed-packages.txt | |
| UPDATE="" # Start out with UPDATE being NULL | |
| for a in build-essential checkinstall libssl-dev libxml2 libxml2-dev libjson-c-dev haveged gnupg wget | |
| do | |
| if [ `egrep "^$a$" /tmp/installed-packages.txt |wc -l` != "1" ]; then | |
| echo "$a is not installed" | |
| UPDATE="$a $UPDATE" | |
| fi | |
| done | |
| rm -f /tmp/installed-packages.txt | |
| if [ ! -d /var/cache/bind ]; then | |
| mkdir -p /var/cache/bind | |
| chown -R bind:bind /var/cache/bind | |
| fi | |
| if [ ! -d /var/run/named ]; then | |
| mkdir -p /var/run/named | |
| chown -R bind:bind /var/run/named | |
| chmod 775 /var/run/named | |
| fi | |
| # Adding/updating /etc/passwd | |
| if [ `grep "^bind" /etc/passwd` ]; then | |
| if [ ! `grep "^bind:x:88:88::/var/lib/bind:/sbin/nologin" /etc/passwd` ]; then | |
| sed -i '/^bind:x:/c\bind:x:88:88::/var/lib/bind:/sbin/nologin' /etc/passwd | |
| echo "Updating bind user in /etc/passwd" | |
| fi | |
| else | |
| echo "bind:x:88:88::/var/lib/bind:/sbin/nologin" >> /etc/passwd | |
| echo "Adding User bind to /etc/passwd" | |
| fi | |
| # Adding/updating /etc/group | |
| if [ `grep "^bind" /etc/group` ]; then | |
| if [ ! `grep "^bind:x:88:" /etc/group` ]; then | |
| sed -i '/^bind/c\bind:x:88:' /etc/group | |
| echo "Updating bind group in /etc/group" | |
| fi | |
| else | |
| echo "bind:x:88:" >> /etc/group | |
| echo "Adding group bind to /etc/group" | |
| fi | |
| if [ "$UPDATE" != "" ]; then | |
| echo "Installing needed file(s): ${UPDATE}" | |
| apt update | |
| apt install -y $UPDATE | |
| fi | |
| # Build the GnuPG database if it hasn't yet. | |
| if [ ! -d ~/.gnupg ]; then | |
| echo -n "GnuPG is not inited yet, building the database: " | |
| gpg --update-trustdb -qq | |
| echo "Done!" | |
| fi | |
| # Download the needed OpenPGP keys | |
| for KEY in 6FA6EBC9911A4C02 F1B11BF05CF02E57 | |
| do | |
| if [ `gpg --list-key |grep "${KEY}" |wc -w` == "0" ]; then | |
| echo "Downloading needed OpenPGP Key 0x${KEY}" | |
| gpg --recv-keys ${KEY} | |
| fi | |
| done | |
| # Move into the source directory | |
| mkdir -p /var/src && cd /var/src/ && rm -rf bind-${BINDVER} | |
| # If the bind9 default file is missing, donwload and install it. | |
| if [ ! -f /etc/default/bind9 ]; then | |
| echo -n "Downloading the bind9 default file:" | |
| wget https://gist.githubusercontent.com/mattrude/449c31d93b1544735a52/raw/bind9.default | |
| echo -n "." | |
| mv bind9.default /etc/default/bind9 | |
| echo "Done!" | |
| fi | |
| # If the bind9 init file is missing, donwload and install it. | |
| if [ ! -f /etc/init.d/bind9 ]; then | |
| echo -n "Downloading the bind9 init file" | |
| wget https://gist.githubusercontent.com/mattrude/449c31d93b1544735a52/raw/bind9.init | |
| echo -n "." | |
| mv bind9.init /etc/init.d/bind9 | |
| echo -n "." | |
| chmod 755 /etc/init.d/bind9 | |
| echo -n "." | |
| update-rc.d bind9 defaults | |
| echo "Done!" | |
| fi | |
| # Once everything is setup, we can run the Bind9 build | |
| wget -c ftp://ftp.isc.org/isc/bind9/${BINDVER}/bind-${BINDVER}.tar.gz && \ | |
| wget -c ftp://ftp.isc.org/isc/bind9/${BINDVER}/bind-${BINDVER}.tar.gz.asc && \ | |
| gpg --verify bind-${BINDVER}.tar.gz.asc && tar -xzf bind-${BINDVER}.tar.gz && cd bind-${BINDVER} && \ | |
| ./configure --prefix=/usr --with-openssl --enable-threads --with-libxml2 --with-json --sysconfdir /etc/bind && \ | |
| make && make install && service bind9 restart | |
| fi |
I used these options on my 14.04 box...
./configure --sysconfdir=/etc/bind \ --localstatedir=/var \ --prefix=/usr \ --with-openssl \ --enable-threads \ --with-libxml2 \ --with-libtool \ --disable-static
... and that fixed the issue described by @dsmarty.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This script doesn't seem to run fine on Ubuntu 16.04 Server, after updating Bind, I get the following errors in syslog:
Jun 17 14:50:34 apns01 named[21914]: couldn't mkdir '/usr/var/run/named': Permission denied Jun 17 14:50:34 apns01 named[21914]: generating session key for dynamic DNS Jun 17 14:50:34 apns01 named[21914]: couldn't mkdir '/usr/var/run/named': Permission denied Jun 17 14:50:34 apns01 named[21914]: could not create /usr/var/run/named/session.key Jun 17 14:50:34 apns01 named[21914]: failed to generate session key for dynamic DNS: permission denied Jun 17 14:50:34 apns01 named[21914]: sizing zone task pool based on 53 zones Jun 17 14:50:34 apns01 kernel: [ 231.022983] audit: type=1400 audit(1497703834.296:18): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/named" name="/usr/var/run/named/" pid=21917 comm="named" requested_mask="c" denied_mask="c" fsuid=88 ouid=88 Jun 17 14:50:34 apns01 kernel: [ 231.023579] audit: type=1400 audit(1497703834.296:19): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/named" name="/usr/var/run/named/" pid=21917 comm="named" requested_mask="c" denied_mask="c" fsuid=88 ouid=88It seems it uses different paths than standard in ubuntu 16.04 (/usr/var/run vs /var/run). Think if you fix this, you won't need to change the behaviour of apparmor for bind.
Good work btw!