[Cialug] The systemd Init System
Jeffrey Ollie
jeff at ocjtech.us
Wed Dec 9 14:00:53 CST 2015
"service named status" and similar commands worked because the "service"
command was a thin layer over the /etc/rc.d scripts and those scripts could
do all sorts of crazy things. The "correct" command to check the status of
named is:
# rndc status
version: BIND 9.10.3-RedHat-9.10.3-2.fc23 <id:2799933>
boot time: Fri, 04 Dec 2015 20:52:48 GMT
last configured: Fri, 04 Dec 2015 20:52:49 GMT
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 107
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
On Wed, Dec 9, 2015 at 1:30 PM, David Champion <dchamp1337 at gmail.com> wrote:
> Question: I'm used to being able to type "service named status" for
> instance, and it give you some useful information back, like the number of
> zones you have, the number of clients connected etc. On a newer box (CentOS
> 7) using systemd, I haven't found a good way to get the same type of info
> back.
>
> Any pointers on that?
>
> -dc
>
> On Wed, Dec 9, 2015 at 1:12 PM, Todd E Thomas <todd.dsm at gmail.com> wrote:
>
> > I'll keep the sharing going; spirit of the season and all...
> >
> > This writeup <https://fedoramagazine.org/what-is-an-init-system/> on
> > systemd came through not long ago; short, solid bursts of intro info. The
> > one on Journal > metadata really shows the power of asking for something
> > specific and getting it on a per-host basis. Just fantastic. systemd also
> > allows the user to write compliant messages to the journal
> > <http://www.freedesktop.org/software/systemd/python-systemd/index.html>.
> >
> > Something I'm thankful for on a daily basis is the reordering of the
> > command to turn service start/stop/restart/etc. Example, the old way:
> > service named start
> > service dhcpd start
> > service svc-name action
> >
> > The systemd way:
> > systemctl action svc1 svc2 svc3
> > systemctl restart named dhcpd firewalld
> >
> > 3 lines reduced to a single command; carpal tunnel threat: neutralized -
> > automation becomes simpler as well.
> > ---
> >
> > I found one writeup
> > <https://major.io/2014/11/24/trust-ip-address-firewallds-rich-rules/>
> > particularly interesting on firewalld
> > <https://fedoraproject.org/wiki/FirewallD>; it's unrelated to systemd
> > but seems to follow it in design/implementation while demonstrating
> > increased simplicity *and* security. Since firewalld manages multiple
> > firewall "zones" per connection, in a break-glass situation a given
> > set/subset of hosts can go shields-up in moments - and in a very granular
> > way by blocking:
> >
> > - an entire zone (possible; seems excessive)
> > - range of IPs (potentially useful)
> > - single IP (a more surgical strike)
> >
> > With a little authentication and automation, security can be increased
> > within moments <https://www.madboa.com/blog/2014/09/01/firewalld-block-host/>
> > on a "public" zone, for example, without having to disturb the "internal" zone;
> > providing time to analyze a security breach without disturbing business. Easy
> > looks like this:
> >
> > firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="a.b.c.d" reject'
> >
> > family= allows for even more specificity.
> >
> > Rewind to before systemd/firewalld days - all options were far more
> > complex, required service restarts and tons of testing. A good intro here
> > <http://www.certdepot.net/rhel7-get-started-firewalld/>.
> > ---
> >
> > So, systemd <http://www.freedesktop.org/wiki/Software/systemd/>: tastes
> > great, costs less, makes life easier <https://youtu.be/kFwRNp7NQ-Y> and its
> > answers are far more specific. Since it also appears to be highly
> > influential, we're more likely to see more implementations like it. The fact
> > that it's the anointed solution for all major distros makes it unavoidable.
> >
> > The upside, it's been in use for years, is stable and is accessible via
> > Bash and Python. This could be a LUG mini-presentation all by itself.
> >
> > --
> > Merry whatever-you-celebrate-mas,
> >
> > Todd E Thomas
> >
> > *"It's a frail music knits the world together."-Robert Dana*
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
--
Jeff Ollie
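As an added example (not part of this thread, nor Todd's or Jeff's code), here is a small break-glass helper around the firewall-cmd rich rule quoted above. It validates the address before it is spliced into the rule text, makes the add idempotent with --query-rich-rule, can give the rule a runtime --timeout so a temporary block expires on its own, and has a matching unblock. The function names, the "public" zone default, the FIREWALL_CMD override and the 203.0.113.0/24 addresses used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a break-glass wrapper
# around "firewall-cmd --zone=... --add-rich-rule=...".  Function names,
# the default zone and the test addresses (203.0.113.0/24) are assumptions.

# Command to run; override with FIREWALL_CMD=<something> to dry-run or test.
: "${FIREWALL_CMD:=firewall-cmd}"

# valid_ipv4 ADDR[/PREFIX]: returns 0 for a dotted quad (optionally CIDR),
# 1 otherwise.  Nothing but four octets <= 255 and an optional /0-32 prefix
# may reach the rich-rule string, so every other input is rejected here.
valid_ipv4() {
    local addr prefix octet oldifs
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/": treat as a host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rich_rule ADDR [ACTION]: print the firewalld rich-rule text for one source.
# ACTION is reject (the thread's choice; answers with an ICMP error), drop
# (silent discard) or accept.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" %s' "$1" "${2:-reject}"
}

# block_host ADDR [ZONE] [TIMEOUT_SECONDS]: add a reject rule for ADDR in
# ZONE (default public).  TIMEOUT > 0 makes it a runtime rule that firewalld
# removes by itself; 0 adds a plain runtime rule (gone on reload/reboot).
block_host() {
    local addr zone timeout rule
    addr=$1; zone=${2:-public}; timeout=${3:-0}
    valid_ipv4 "$addr" || { echo "block_host: not an IPv4 address: $addr" >&2; return 2; }
    rule=$(rich_rule "$addr" reject)
    # Idempotent: re-running the script during an incident must not fail
    # or stack duplicate rules.
    if "$FIREWALL_CMD" --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
        return 0
    fi
    if [ "$timeout" -gt 0 ]; then
        "$FIREWALL_CMD" --zone="$zone" --add-rich-rule="$rule" --timeout="$timeout"
    else
        "$FIREWALL_CMD" --zone="$zone" --add-rich-rule="$rule"
    fi
}

# unblock_host ADDR [ZONE]: remove the same rule once the incident is over.
unblock_host() {
    local rule
    valid_ipv4 "$1" || return 2
    rule=$(rich_rule "$1" reject)
    "$FIREWALL_CMD" --zone="${2:-public}" --remove-rich-rule="$rule"
}

# When run directly: block_host.sh ADDR [ZONE] [TIMEOUT_SECONDS]
[ $# -gt 0 ] && block_host "$@"
```

Two caveats worth keeping in mind with this approach. The rule is a runtime rule, exactly like the one-liner in the thread: it survives neither a firewalld reload nor a reboot, which is usually what you want for a break-glass block (add --timeout so it cannot be forgotten), and if it should stay, run firewall-cmd --runtime-to-permanent afterwards. And a rich rule in the "public" zone only affects traffic that firewalld assigns to that zone (by source binding first, then by the interface it arrived on); a host that reaches you through an interface bound to "internal" is not touched, which is the isolation Todd describes, but it also means the zone name has to match where the attacker's packets actually land. The helper validates IPv4 only; an IPv6 source needs family="ipv6" and its own rule.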