Installing Micetro DNS Agents on Linux - Micetro - 25.2.0

Micetro Installation Guide
ft:locale
en-US
Product name
Micetro
Version
25.2.0

Micetro comes with two types of DNS Agents:

By default, the installer attempts to automatically detect the installed DNS service (such as BIND) and install the appropriate agent. In cases where automatic detection fails, the installer provides hints and additional information.

Note: If you're running BIND DNS, ensure that the DNS agents run as the same user as BIND (by default, named.)

If BIND runs as a different user or files are updated, ensure that the mmremote service runs as the same user and has sufficient access rights to files and directories.

For machines hosting multiple services (such as ISC DHCP and ISC BIND DNS), explicitly specify the desired agents during installation.

To view available agent options and parameters, run the installer script with the --help parameter:

cd archive-name
./install --help

Micetro server controller installer.
--help:  Print help.
--quiet:  Suppress output during install.
--auto:  Automatically determine what controllers to install. Default if no other option is given.
--bind-dns-controller:  Install a DNS server controller for BIND.
--bind-user:  User account that BIND runs under.
--bind-group:  Group that BIND user is member of.
--named-checkconf-path:  Path to named-checkconf. Only applies to a DNS server controller for BIND.
--named-config-file-path:  Path to named.conf. Only applies to a DNS server controller for BIND.
--named-directory-path:  Directory for BIND configuration files. Only applies to a DNS server controller for BIND.
--skip-arrange:  Will not arrange the configuration files for BIND.
--generic-dns-controller:  Install a Generic DNS server controller.
--isc-dhcp-controller:  Install a DHCP server controller for ISC dhcpd.
--kea-dhcp-controller:  Install a DHCP server controller for Kea-dhcp.
--kea-dhcp4-socket-name:  Socket name for kea-dhcp4 control channel.
--kea-dhcp6-socket-name:  Socket name for kea-dhcp6 control channel.
--kea-dhcp-agent-host:  Host name for kea-dhcp control agent.
--kea-dhcp-agent-port:  Port number for kea-dhcp control agent.
--standalone-dhcp-controller:  Install a Standalone DHCP server controller.
--update-controller:  Install update controller. Always installed, if another Micetro service is installed.

Preliminary checks

Before installing the Micetro DNS Agent on a Linux system, make sure you have thoroughly examined your system's configuration. Pay close attention to the following aspects:

  • Configuration file: Check whether there is a valid starting configuration file, typically located at /etc/named.conf. If one doesn't exist, you will need to create it.
  • Content of named.conf: Verify that your named.conf file contains all the necessary statements as detailed below.
  • Ownership of named data directory: Determine whether the named init script changes the ownership of the named data directory. This is crucial, especially for certain Red Hat Linux versions and derivatives that may modify the ownership (check for the ENABLE_ZONE_WRITE setting).
  • Chroot environment: Check whether named runs within a chroot environment. If it does, be aware of specific issues that may arise and consult the knowledge base for solutions. Pay attention to the following:
    • Determine whether the named init script copies any files into the chroot jail upon starting the service (relevant for SUSE Linux).
    • Consider potential problems that might occur when the installer rearranges the data directory listed in named.conf (relevant for SUSE Linux).
  • User account for named: Identify the user account that owns the named process. Typically, the Micetro DNS Agent runs under the same user account. However, it is sometimes possible to use group membership instead.

Running the installer

  • To install agents automatically (recommended when you have a single service like BIND):
    ./install --auto
  • For a specific set of agents, run the installer as follows, e.g., with ISC BIND and Generic DNS Agent:
    ./install --generic-dns-controller --bind-dns-controller --isc-dhcp-controller
  • For quiet/unattended installation with no output:
    ./install --generic-dns-controller --bind-dns-controller --quiet
Note: The Micetro Update Agent is automatically added when another Micetro service is installed.

If you intend to use the Generic DNS Agent, refer to the Generic DNS Agent for further information.

The installer will ask a series of questions. Be prepared to answer them, as described, for each component. Refer to Installer questions.

Installing the agents

  1. Extract the Micetro agent installation package (as root):
    tar -xzvf mmsuite-controllers-10.0.linux.x64.tgz
  2. In the newly created mmsuite-controllers-10.0.linux.x64 directory, run the installer script to install the Micetro agent (as root):
    cd mmsuite-controllers-10.1.linux.x64 && ./install

For instructions on installing other agents, refer to:

Installer questions

During the installation process, the installer will prompt you with questions related to the Micetro DNS Agent. Be prepared to answer the following:

  • Do you want to install the Micetro DNS Agent?
  • Are you running named in a chroot() environment?
  • What is the chroot() directory?
  • Where is the BIND configuration file?
  • Would you like the DNS Agent to run named-checkconf to verify changes when editing advanced server and zone options?
  • Where is named-checkconf located?
  • The installer needs to rearrange the files in <directory> and restart the name server. A backup will be created. Is this OK?
  • Enter the user and group names under which you want to run the Micetro DNS Agent. This must be the user which is running named.
  • Where would you like to install the Micetro external static zone handling utilities?
  • Where do you want to install the Micetro agent binaries?
  • BIND needs to be restarted. Would you like to restart it now?

Make sure the named-checkconf file is readable:

chmod a+s /usr/sbin/named-checkconf

Required named.conf statements

The Micetro DNS Agent requires specific settings within the named.conf file (including any files listed in include statements in named.conf). Make sure the following statements are present:

  • directory: The directory substatement of the options statement must be present and point to a directory that the installer can replace. It should not refer to /, /etc, the root of a chroot jail, or any partition mount point. If you need to add or change the directory statement, be prepared to move files or update paths used elsewhere in your named.conf.
  • key: For BIND, there must be an explicitly defined key in named.conf to enable control of named using rndc commands. Copy the contents of the key file, such as rnds.key, into named.conf if it's not explicitly defined.
    To generate a key, consider using the following command (adjust the path if needed):
    rndc-confgen > /etc/rndc.conf

    This creates the rndc.conf file, which contains configuration for local use, and key and controls statements that can be copied into named.conf.

  • controls: The Micetro DNS Agent uses a controls statement for BIND. There must be a controls statement with an inet substatement that references an explicitly defined key (as mentioned above). The inet statement should allow connections from the loopback address 127.0.0.1. If no controls statement is defined, the installer will prompt you to create one manually.

Changes in named.conf

Upon installation, the Micetro DNS Agent rearranges the named configuration data, which includes rewriting named.conf and reorganizing the data directory. The new configuration is functionally equivalent to the old one, except that the logging statement may be added or modified to include new channels. Before making these modifications, a backup is made of the named configuration data.

It's possible to skip the rearrangement of named.conf. For instructions, refer to Skipping the named.conf arrangement.

Common files

The file layout differs slightly between instances with and without BIND views, but there are a few common items:

Description File(s) or directory
Micetro DNS Agent daemon mmremoted, usually in /usr/sbin or /usr/local/sbin
Micetro external static zone handling utilities mmedit and mmlock, usually in /usr/bin or /usr/local/bin
Data directory for Micetro DNS Agent Usually /var/named, /etc/namedb, /var/lib/named, or something within a chroot jail; the same location as before the DNS Agent was installed
Backup of original data directory Same as above, with ".bak" appended to the path
New starting configuration file Usually either /etc/named.conf or /etc/namedb/named.conf; possibly located within a chroot jail
Backup of original starting configuration file Same as above, with ".bak" appended to the path
Logging statement from named.conf conf/logging, relative to the data directory
Key and acl statements from named.conf conf/user_before, relative to the data directory
Options statement from named.conf conf/options, relative to the data directory
Controls, server, and trusted-keys statements from named.conf 1 conf/user_after, relative to the data directory
Preferences file mmsuite/preferences.cfg, located in the data directory
init script 2 /etc/init.d/mmremote
Settings file used by the init script (Ubuntu Linux only) /etc/default/mmremote
With views

If views are defined, the following files are created inside the data directory:

Description File(s) or directory
View statements, not including zone statements within each view conf/zones
List of include statements for a particular view, one for each zone statement file conf/zones_viewname
Directory of zone statement files for a particular view conf/zo_viewname
A sample zone statement file, for the zone localhost. in the view internal conf/zo_internal/localhost.opt
Directory of primary master zone files for a particular view hosts/view_viewname/masters
Directory of secondary zone files for a particular view hosts/view_viewname/slaves
A sample zone file, for the primary master zone localhost. In the view internal hosts/view_internal/masters/localhost-hosts
Without views

If views are not defined, the following files are created inside the data directory:

Description File(s) or directory
List of include statements, one for each zone statement file conf/zones
Directory of zone statement files conf/zoneopt
A sample zone statement file, for the zone localhost conf/zoneopt/localhost.opt
Directory of primary master zone files hosts/masters
Directory of secondary zone files hosts/slaves
A sample zone file, for the primary master zone localhost. hosts/masters/localhost-hosts

Skipping the named.conf arrangement

By default, the DNS Agent installer script rearranges the BIND DNS named.conf file into a Micetro-specific file structure. To skip the named.conf arrangment, you can use the following parameter:

./install --skip-arrange

This starts the installer in a minimally invasive installation mode, i.e., it does not try to rearrange named.conf.

Important: Before starting the installation, it's important to back up the configuration.

Limitation:

However, the --skip-arrange parameter cannot be used on BIND running in a named-chroot on RedHat Enterprise Linux (RHEL). RHEL allows Linux administrators to run BIND DNS in either a chroot or non-chroot environment, without changing the base DNS configuration. This makes it possible to start a standard named service or the chroot-enabled service with named-chroot.

To do so, the systemd service script, which starts the named-chroot service, uses a mount --bind to mount the BIND/etc/named.conf and other files/directories located under /var/named into var/named/chroot.

For more information, refer to the RHEL documentation.

When installing the DNS Agent with the --skip-arrange parameter, the installer attempts to make the BIND configuration readable and writable for the named user. Because the etc/named.conf file is read-only and gets mounted into the chroot directory, this modification fails. Micetro requires the option to manipulate the named.conf, e.g., to add new zone statements or zone files, so an installation with --skip-arrange would not result in a writable BIND configuration.

In this case, BlueCat only supports the standard installation, which rearranges the BIND configuration.

Removing the DNS Agent and reverting to the original configuration

Follow these instructions if you want to remove the DNS Agent and revert to your original DNS configuration and data:

  1. Stop the service

    Use the init script to stop the DNS Agent service. To do so, provide the stop argument to the init script. For example:

    sudo /etc/init.d/dns-controller stop

    or

    sudo systemctl stop dns-controller

    Replace /etc/init.d/dns-controller and dns-controller with the appropriate paths and service names for your system.

  2. Remove agent files

    Once the service is stopped, you can proceed to remove the DNS Agent files:

    • Delete the daemon binary file associated with the DNS Agent.
    • Delete the init script used to start the DNS Agent service.
    • If the init script was registered as part of the boot system, remove any references to it. This may involve using system-specific tools or manually editing boot configuration files.
  3. Revert to your original configuration

    If you want to revert to your original DNS configuration and data, follow these additional steps:

    1. Stop the BIND or named service, which might have been managed by the DNS Agent, using its respective init script. For example:
      sudo /etc/init.d/named stop

      or

      sudo systemctl stop named
    2. With the BIND or named service stopped, you can proceed to restore your original DNS configuration and data:
      • Delete the initial configuration file (named.conf) created by the DNS Agent.
      • Delete the data directory created by the DNS Agent.
      • If you created backup files by renaming the originals with a ".bak" extension, restore the original files by removing the ".bak" extension from their names.

These steps will effectively remove the DNS Agent and revert your DNS setup to its original state.

Warning: Be cautious when performing these actions, as they may impact your DNS service.

Adjusting SELinux

Note: The following commands apply to Linux distributions based on RedHat EL 8 or higher. Your distribution may differ.

After installing the DNS Agent, run the following commands as root:

semanage fcontext -a -t named_cache_t --ftype f "/var/named(/.*)?"
semanage fcontext -a -t named_cache_t --ftype d "/var/named(/.*)?"
semanage fcontext -a -t named_conf_t --ftype f "/var/named/conf(/.*)?"
semanage fcontext -a -t named_conf_t --ftype d "/var/named/conf(/.*)?"
semanage fcontext -a -t named_zone_t --ftype f "/var/named/hosts(/.*)?"
semanage fcontext -a -t named_zone_t --ftype d "/var/named/hosts(/.*)?"
restorecon -rv /var/named

These will adjust the SELinux security label for the BIND 9 configuration and zone files.

Note: Due to the complexity of and variation between SELinux configuration files, we are currently unable to officially support SELinux configuration, as SELinux settings can interfere with the normal operation of named after its configuration has been rewritten by the installer for Micetro DNS Agent. It is possible to make named, Micetro, and SELinux all work together, but we cannot currently offer official support for this.

The $INCLUDE and $GENERATE directives

For information about how to use the BIND directives $INCLUDE and $GENERATE with Micetro, refer to Micetro and BIND directives.

Installing with dynamic zones

Micetro expects dynamic zones to be made dynamic by allowing signed updates. Any dynamic zone must have an allow-update statement whose ACL contains a key. If you do not otherwise have a need for signed updates, add the rndc key (or any other key) to the list.

Furthermore, after installation, make sure your server allows zone transfers of dynamic zones to the loopback address, 127.0.0.1, or users will be unable to open dynamic zones from this server. Zone transfer restrictions can be set or changed in the server's Edit server options dialog on the Admin page and in each zone's Edit zone options dialog on the DNS page in Micetro.

Verifying the DNS Agent is running

Verify the agent application is running:

systemctl status mmremote
1 If present and not using view, the root hints zone statement.
2 The shell script, which is used by init during system startup, that can be used to control the service.